Firewall rich rules, backup and restore, and enabling internet access for internal hosts

1. Firewall rich rule policies

Rich rules in Firewalld are a finer-grained, more detailed way of expressing firewall policy: a rule can match on system services, port numbers, source and destination addresses and other attributes, so policy can be targeted precisely, and rich rules have the highest priority of all firewall policies. The Firewalld rich rule manual is shown below.

[root@web01 ~]# man firewalld                 # Firewalld manual
[root@web01 ~]# man firewalld.richlanguage    # Firewalld rich rule manual
rule
  [source]
  [destination]
  service|port|protocol|icmp-block|masquerade|forward-port
  [log]
  [audit]
  [accept|reject|drop]

rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
destination address="address[/mask]" invert="True"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
accept | reject [type="reject type"] | drop

# Rich rule related commands
--add-rich-rule='<RULE>'      # add a rich rule to the specified zone
--remove-rich-rule='<RULE>'   # remove a rich rule from the specified zone
--query-rich-rule='<RULE>'    # returns 0 if the rule is found, 1 if it is not
--list-rich-rules             # list all rich rules in the specified zone

1). For example: allow host 10.0.0.1 to access the http service, and allow 172.16.1.0/24 to access port 11211

[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
success
[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client test
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept

# Verification test
[C:\~]$ telnet 10.0.0.6 80
Connecting to 10.0.0.6:80...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
telnet: connect to address 10.0.0.6: No route to host
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Canceled.
[root@web01 ~]# telnet 172.16.1.6 11211
Trying 172.16.1.6...
Connected to 172.16.1.6.
Escape character is '^]'.

2). By default the public zone lets everyone connect through the ssh service; deny the 172.16.1.0/24 network ssh access to the server


[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'
success

# Verification test
[root@web01 ~]# ssh root@10.0.0.6
root@10.0.0.6's password:
[root@web01 ~]# ssh root@172.16.1.6
^C

3). Make Firewalld allow everyone to access the http and https services, but let only host 10.0.0.1 access the ssh service

[root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}
success
[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports: 443/tcp
  protocols:
  masquerade: yes
  forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
        rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@firewalld ~]# firewall-cmd --remove-service=ssh
success
[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client http https
  ports: 443/tcp
  protocols:
  masquerade: yes
  forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
        rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
        rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
        rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept

# Verification test
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
^]
telnet> Connection closed.
[root@web01 ~]# ssh root@10.0.0.6
ssh: connect to host 10.0.0.6 port 22: No route to host
[C:\~]$ ssh root@10.0.0.6
Connecting to 10.0.0.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

4). When the user's source IP is host 10.0.0.1, forward the user's requests to port 5555 to port 22 on the backend host 172.16.1.7

[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client test
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# Enable address masquerading
[root@firewalld ~]# firewall-cmd --add-masquerade
Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.7'
success
[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client test
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"

# Verification test
[C:\~]$ ssh root@10.0.0.6 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100
[root@web02 ~]# ssh root@10.0.0.6 5555
root@10.0.0.6's password:
bash: 5555: command not found

5). View the configured rules. Rules added without the --permanent option are lost when Firewalld restarts. Rich rules are matched in order, and the first rule that matches takes effect.

[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"

2. Firewalld backup and restore

# All rules we add permanently (--permanent) for the public zone are written to the backup file

[root@firewalld ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="test"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<masquerade/>
</zone>

To back up, simply copy the configuration file; after importing it, restart for it to take effect.

[root@web01 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@web01 ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# Back up the configuration files
# Only permanently added rules are saved
[root@web01 ~]# ll /etc/firewalld/zones/public.xml   # configuration file of the public zone
[root@web01 ~]# ll /etc/firewalld/zones/             # the configuration files of all zones live in this directory
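Copying the zone file is the whole backup, so the useful additions are a timestamped archive, a restore path, and a check that what came back is what went in. The script below is an added example, not code from the original post: it builds a sample zone directory under a temporary path (constructed to mirror the public.xml shown above; on a real host the source is /etc/firewalld/zones) and then archives, restores and verifies it.

```shell
#!/bin/sh
# Added example (not from the original post): archive the firewalld zone
# directory, restore it elsewhere, and confirm the restored public.xml is
# identical. On a real host SRC is /etc/firewalld/zones as in the post;
# here everything is built under a temporary directory so it runs offline.
set -eu

# backup_zones SRC_DIR DEST_DIR -> prints the path of the new archive
backup_zones() {
    mkdir -p "$2"
    archive="$2/firewalld-zones-$(date +%Y%m%d-%H%M%S).tar"
    tar -cf "$archive" -C "$1" .
    printf '%s\n' "$archive"
}

# restore_zones ARCHIVE TARGET_DIR (on a real host follow with firewall-cmd --reload)
restore_zones() {
    mkdir -p "$2"
    tar -xf "$1" -C "$2"
}

# zone_services ZONE_XML -> service names the zone permanently allows, one per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# zones_match DIR_A DIR_B -> exit 0 when public.xml is byte-identical in both
zones_match() {
    cmp -s "$1/public.xml" "$2/public.xml"
}

# Constructed sample mirroring the public.xml shown above.
WORK=$(mktemp -d)
mkdir -p "$WORK/zones"
cat > "$WORK/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <masquerade/>
</zone>
EOF

ARCHIVE=$(backup_zones "$WORK/zones" "$WORK/backup")
restore_zones "$ARCHIVE" "$WORK/restored"
zones_match "$WORK/zones" "$WORK/restored" && echo "restore verified: $ARCHIVE"
```

Listing the services of a backup with zone_services before restoring it shows exactly what the archive will permit once reloaded.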

3. Enabling internet access for internal hosts through the firewall

Enable Firewalld NAT (address translation) on the designated instance that has a public IP, so that internal hosts can reach the internet.

1. Enable masquerade on Firewalld to implement address translation

[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7" --permanent
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client test
  ports: 80/tcp 443/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

2. Point the client's gateway at the Firewalld server, so that all network requests are handed to Firewalld

[root@web01 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.6

3. The client also needs a DNS server configured

[root@web01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.5.5.5

4. Shut down the eth0 interface and restart eth1 so the configuration takes effect

[root@web01 ~]# systemctl restart network && ifdown eth0

5. Test whether the backend web server's network works

[C:\~]$ ssh root@10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100
[root@web01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2a:a721/64 scope link
       valid_lft forever preferred_lft forever
[root@web02 ~]# ping baidu.com
ping: baidu.com: Name or service not known
# Restart eth1
[root@web02 ~]# ifdown eth1 && ifup eth1
Device 'eth1' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
[root@web01 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms
^C
--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms
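The first ping above failed on name resolution rather than on routing, which is the usual way this procedure goes wrong on the client side. The script below is an added example, not code from the original post: it checks the three client prerequisites of steps 2 to 4 (default route via the Firewalld host, a nameserver present, eth0 down) against constructed `ip route`, resolv.conf and `ip a` text mirroring web01; on a live client feed it the real outputs.

```shell
#!/bin/sh
# Added example (not from the original post): verify the client-side
# prerequisites of steps 2-4 above before suspecting the firewall:
#   1. default route via the Firewalld host (172.16.1.6) on eth1,
#   2. a nameserver present (the first ping above failed on name resolution),
#   3. the public-facing eth0 down, so traffic cannot bypass the gateway.
# Inputs are constructed strings; on a live client use `ip route`,
# /etc/resolv.conf and `ip a`.
set -u

# default_gateway "ip route output" -> next hop of the default route
default_gateway() {
    printf '%s\n' "$1" | sed -n 's/^default via \([0-9.]*\) .*/\1/p' | head -n 1
}

# nameserver_count "resolv.conf content" -> number of nameserver lines
nameserver_count() {
    printf '%s\n' "$1" | grep -c '^nameserver[[:space:]]'
}

# iface_is_down "ip a output" IFACE -> exit 0 when IFACE reports state DOWN
iface_is_down() {
    printf '%s\n' "$1" | grep -E "^[0-9]+: $2:" | grep -q 'state DOWN'
}

# egress_ready ROUTE_OUT RESOLV_CONF IP_A_OUT EXPECTED_GW -> prints OK or a reason
egress_ready() {
    gw=$(default_gateway "$1")
    if [ "$gw" != "$4" ]; then
        echo "default route is '${gw:-missing}', expected $4"; return 1
    fi
    if [ "$(nameserver_count "$2")" -eq 0 ]; then
        echo "no nameserver configured; DNS lookups will fail"; return 1
    fi
    if ! iface_is_down "$3" eth0; then
        echo "eth0 is still up; traffic may bypass the gateway"; return 1
    fi
    echo OK
}

# Constructed sample mirroring web01 after step 4.
ROUTE_OUT='default via 172.16.1.6 dev eth1
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.7'
RESOLV_CONF='# Generated by NetworkManager
nameserver 223.5.5.5'
IP_A_OUT='2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000'

egress_ready "$ROUTE_OUT" "$RESOLV_CONF" "$IP_A_OUT" 172.16.1.6
```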
