Linux firewalld使用教程+rhce课程实验
--timeout= 设置规则生效300秒
调试阶段使用,防止规则设置错误导致无法远程连接
实验:
在server0机器上部署httpd服务,通过添加富规则,只允许172.25.0.10/32访问,并且记录日志,日志级别为notice,日志前注为"NEW HTTP",限制每秒3个并发,要求持久化生效
1、在server0上执行
yum install httpd -y
systemctl start httpd
systemctl enable httpd
[root@server0 zones]# yum install httpd -y
[root@server0 zones]# systemctl start httpd
[root@server0 zones]# systemctl enable httpd
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@server0 zones]# lsof -i:80 -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 8386 root 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8387 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8388 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8389 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8390 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8391 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
httpd 8392 apache 4u IPv6 44433 0t0 TCP *:http (LISTEN)
此时desktop机器是无法访问网页,但是server0机器可以看到网页
[root@desktop0 ~]# curl http://server0
curl: (7) Failed connect to server0:80; No route to host [root@server0 ~]# curl localhost
hello world
因为firewalld中并没有允许http协议的连接连进来
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option. public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
所有的zones都没有允许,所以外部访问会被拦截 [root@server0 ~]# firewall-cmd --get-default-zone
public
[root@server0 ~]# firewall-cmd --list-all-zones
ROL
interfaces:
sources: 172.25.0.252/32
services: ssh vnc-server
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: drop
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: external
interfaces:
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules: home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: internal
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: trusted
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
我们设置一下防火墙的规则
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule=' rule family=ipv4 source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level=notice limit value="3/s" accept '
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option.
success
重新加载 一下
[root@server0 ~]# firewall-cmd --reload
success
查看规则,已经可以看到刚才添加的规则已生效
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option
public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
查看firewalld xml文件
[root@server0 ~]# cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
[root@server0 ~]#
重新进行页面访问,发现已经可以访问了
[root@desktop0 ~]# curl http://172.25.0.11
hello world
[root@desktop0 ~]#
查看日志,日志中已经记载出来了
[root@server0 ~]# cat /var/log/messages | tail -n 1
Dec 23 18:22:37 localhost kernel: NEW HTTP IN=eth0 OUT= MAC=52:54:00:00:00:0b:52:54:00:00:00:0a:08:00 SRC=172.25.0.10 DST=172.25.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8704 DF PROTO=TCP SPT=48464 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
[root@server0 ~]#
附加:拒绝另一个地址链接,并且记录日志
添加一条规则,并且重新加载
[root@server0 ~]# firewall-cmd --permanent --add-rich-rule=' rule family=ipv4 source address="172.25.0.1/24" service name=http log level=notice prefix="HARD_LOG " reject '
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option. success [root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'ROL' (see --get-active-zones)
You most likely need to use --zone=ROL option. public (default)
interfaces:
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.0.1/24" service name="http" log prefix="HARD_LOG " level="notice" reject
rule family="ipv4" source address="172.25.0.10/32" service name="http" log prefix="NEW HTTP " level="notice" limit value="3/s" accept
[root@server0 ~]#
另一个地址进行访问,但是没有访问进来,查看日志,可以看到访问记录
[root@server0 ~]# cat /var/log/messages | grep HARD_LOG
Dec 23 18:40:51 localhost kernel: HARD_LOG IN=eth0 OUT= MAC=52:54:00:00:00:0b:00:50:56:c0:00:01:08:00 SRC=172.25.0.1 DST=172.25.0.11 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=27789 DF PROTO=TCP SPT=56158 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Linux firewalld使用教程+rhce课程实验的更多相关文章
- 《Java程序设计》课程实验要求
目录 <Java程序设计>课程实验要求 注册实验楼账号 实验一 Java开发环境的熟悉 实验二<Java面向对象程序设计> 实验三 <敏捷开发与XP实践> 实验四 ...
- 《嵌入式Linux开发实用教程》
<嵌入式Linux开发实用教程> 基本信息 作者: 朱兆祺 李强 袁晋蓉 出版社:人民邮电出版社 ISBN:9787115334831 上架时间:2014-2-13 出版日期: ...
- CTF必备技能丨Linux Pwn入门教程——PIE与bypass思路
Linux Pwn入门教程系列分享如约而至,本套课程是作者依据i春秋Pwn入门课程中的技术分类,并结合近几年赛事中出现的题目和文章整理出一份相对完整的Linux Pwn教程. 教程仅针对i386/am ...
- CTF必备技能丨Linux Pwn入门教程——格式化字符串漏洞
Linux Pwn入门教程系列分享如约而至,本套课程是作者依据i春秋Pwn入门课程中的技术分类,并结合近几年赛事中出现的题目和文章整理出一份相对完整的Linux Pwn教程. 教程仅针对i386/am ...
- CTF必备技能丨Linux Pwn入门教程——ROP技术(上)
Linux Pwn入门教程系列分享如约而至,本套课程是作者依据i春秋Pwn入门课程中的技术分类,并结合近几年赛事中出现的题目和文章整理出一份相对完整的Linux Pwn教程. 教程仅针对i386/am ...
- CTF必备技能丨Linux Pwn入门教程——环境配置
说在前面 这是一套Linux Pwn入门教程系列,作者依据Atum师傅在i春秋上的Pwn入门课程中的技术分类,并结合近几年赛事中出现的一些题目和文章整理出一份相对完整的Linux Pwn教程. 问:为 ...
- linux 第七周 总结及实验
姬梦馨 原创作品 <Linux内核分析>MOOC课程http://mooc.study.163.com/course/USTC-1000029000 第七周 Linux内核如何装载和启动一 ...
- Linux Capabilities 入门教程:基础实战篇
该系列文章总共分为三篇: Linux Capabilities 入门教程:概念篇 Linux Capabilities 入门教程:基础实战篇 待续... 上篇文章介绍了 Linux capabilit ...
- CTF丨Linux Pwn入门教程:针对函数重定位流程的相关测试(下)
Linux Pwn入门教程系列分享已接近尾声,本套课程是作者依据i春秋Pwn入门课程中的技术分类,并结合近几年赛事中出现的题目和文章整理出一份相对完整的Linux Pwn教程. 教程仅针对i386/a ...
随机推荐
- SQL 优化经历
一次非常有趣的 SQL 优化经历 阅读本文大概需要 6 分钟. 前言 在网上刷到一篇数据库优化的文章,自己也来研究一波. 场景 数据库版本:5.7.25 ,运行在虚拟机中. 课程表 #课程表 cr ...
- CVE-2017-12615和CVE-2017-12616
Tomcat代码执行漏洞分析测试 1. 漏洞花絮 2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,漏洞CVE编号:CVE-2017-12615和CVE-20 ...
- 无旋treap
#ifndef FHQTREAP_H_INCLUDED #define FHQTREAP_H_INCLUDED //author Eterna #define Hello The_Cruel_Worl ...
- PythonStudy——字符串常用操作 String common operations
# 1.字符串的索引取值: 字符串[index]# 正向取值从0编号,反向取值从-1编号 s1 = '123abc呵呵' t_s = ' # 取出c print(s1[5], s1[-3]) # 2. ...
- Qt对`vtable的未定义引用
错误描述:Qt在linux系统编译时,遇到一个错误大致如下形式 在 xxxxx函数中 对‘vtable for xxxxx未定义的引用 网上找了很多,各种情况都有,大多数是虚函数未实现导致的, 但也有 ...
- 【Python】hasattr() getattr() setattr() 使用方法详解
本文转自 https://www.cnblogs.com/cenyu/p/5713686.html hasattr(object, name)判断一个对象里面是否有name属性或者name方法,返回B ...
- kafuka资料学习
http://blog.csdn.net/hmsiwtv/article/details/46960053
- rpm软件包、yum软件仓库、systemd初始化进程
rpm软件包.yum软件仓库.systemd初始化进程 作者:Eric 微信:loveoracle11g 红帽软件包管理器rpm (Redhat Package Manager) RPM会建立统一的数 ...
- 1、根"/"目录结构
1.目录结构 FSH [root@localhost /]# tree -L . ├── bin -> usr/bin #普通用户使用的命令 ├── boot #存放系统启动相关文件,例如ker ...
- FlexItem 多行测试
flex: <!doctype html> <html> <head> <meta charset="utf-8"> <tit ...