第二单元 高级网络配置
一、网络桥接
网络桥接用网络桥实现共享上网主机和客户机除了利用软件外,还可以用系统自带的网络桥建立连接用双网卡的机器做主机
二、网络桥接的配置
1.vim /etc/sysconfig/network-scripts/ifcfg-eth0
- BRIDGE=br0
2.vim /etc/sysconfig/network-scripts/ifcfg-br0
– TYPE=Bridge
3.示例:
[[email protected] Desktop]# vim /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1
[[email protected] Desktop]# cat /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1
BOOTPROTO=none
NAME=Ethernet_connection_1
DEVICE=enp2s0
ONBOOT=yes
BRIDGE=br0
[[email protected] Desktop]# cat /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
BOOTPROTO=none
TYPE=Bridge
IPADDR=172.25.254.62
PREFIX=24
ONBOOT=yes
[[email protected] Desktop]# systemctl stop NetworkManager.service
[[email protected] Desktop]# systemctl start NetworkManager.service
[[email protected] Desktop]# systemctl restart network
[[email protected] Desktop]# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.62 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::221a:6ff:fe41:a67b prefixlen 64 scopeid 0x20<link>
ether 20:1a:06:41:a6:7b txqueuelen 0 (Ethernet)
RX packets 15924 bytes 19653370 (18.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9172 bytes 907110 (885.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::221a:6ff:fe41:a67b prefixlen 64 scopeid 0x20<link>
ether 20:1a:06:41:a6:7b txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 190918 bytes 65213384 (62.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 190918 bytes 65213384 (62.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:31:4d:69 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 52:54:00:a7:5b:84 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fc54:ff:fe00:3e0a prefixlen 64 scopeid 0x20<link>
ether fe:54:00:00:3e:0a txqueuelen 500 (Ethernet)
RX packets 85 bytes 16565 (16.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 576 bytes 62758 (61.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fc54:ff:fe4e:4873 prefixlen 64 scopeid 0x20<link>
ether fe:54:00:4e:48:73 txqueuelen 500 (Ethernet)
RX packets 69 bytes 6594 (6.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 457 bytes 45275 (44.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]#
三、网络桥接的管理命令
1.brctl ### 桥接管理命令
– show ### 显示
– addbr ### 添加网桥
– delbr ### 删除网桥
– addif ### 添加网桥连接
– delif ### 删除网桥连接
2.示例:
[[email protected] Desktop]# nm-connection-editor
[[email protected] Desktop]# systemctl restart network
[[email protected] Desktop]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 22675 bytes 50616240 (48.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13482 bytes 908420 (887.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 148 bytes 12616 (12.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 148 bytes 12616 (12.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
[[email protected] Desktop]# brctl addbr br0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000000000000 no
[[email protected] Desktop]# brctl addif br0 eth0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.525400003e0a no eth0
[[email protected] Desktop]# ifconfig br0 172.25.254.162 netmask 255.255.255.0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.525400003e0a no eth0
[[email protected] Desktop]# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.162 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::244d:28ff:fece:16ee prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:3e:0a txqueuelen 0 (Ethernet)
RX packets 31667 bytes 71292998 (67.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 19456 bytes 1299837 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 54419 bytes 122365787 (116.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32930 bytes 2207597 (2.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 276 bytes 23496 (22.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 276 bytes 23496 (22.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]# ping 172.25.254.250
PING 172.25.254.250 (172.25.254.250) 56(84) bytes of data.
64 bytes from 172.25.254.250: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 172.25.254.250: icmp_seq=2 ttl=64 time=0.823 ms
64 bytes from 172.25.254.250: icmp_seq=3 ttl=64 time=0.781 ms
^C
--- 172.25.254.250 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.781/1.011/1.430/0.297 ms
[[email protected] Desktop]# ifconfig br0 down
[[email protected] Desktop]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 60767 bytes 136736524 (130.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 36882 bytes 2472314 (2.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 276 bytes 23496 (22.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 276 bytes 23496 (22.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.525400003e0a no eth0
[[email protected] Desktop]# brctl delif br0 eth0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000000000000 no
[[email protected] Desktop]# brctl delbr br0
[[email protected] Desktop]# brctl show
bridge name bridge id STP enabled interfaces
[[email protected] Desktop]#
四、bond 网络
Red Hat Enterprise Linux 允许管理员使用bonding 内核模块和称为通道绑定接口的特殊网络接口将多个网络接口绑定到一个通道。根据选择的绑定模式 , 通道绑定使两个或更多个网络接口作为一个网络接口 , 从而增加带宽和 / 提供冗余性
五、选择 Linux 以太网绑定模式
1.模式 0 ( 平衡轮循 ) - 轮循策略 , 所有接口都使用采用轮循方式在所有 Slave 中传输封包 ; 任何Slave 都可以接收
2.模式 1 ( 主动备份 ) - 容错。一次只能使用一个Slave 接口 , 但是如果该接口出现故障 , 另一个Slave 将 接替它
3.模式 3 ( 广播 ) - 容错。所有封包都通过所有Slave 接口广播
六、利用 nmcli 命令管理 bond
1.nmcli con add type bond con-name bond0 ifname bond0 mode active-backup
2.nmcli con mod bond0 ipv4.addresses 1.2.3.4/24
3.nmcli con add type bond-slave ifname eth0 master bond0 con-name bond0-eth1
4.nmcli con add type bond-slave ifname eth1 master bond0 con-name bond0-eth2
5.示例:
[[email protected] Desktop]# nm-connection-editor
[[email protected] Desktop]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 115 bytes 9747 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:4e:48:73 txqueuelen 1000 (Ethernet)
RX packets 115 bytes 9747 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 392 bytes 30892 (30.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 392 bytes 30892 (30.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]# nmcli connection add con-name bond0 ifname bond0 type bond mode active-backup ip4 172.25.254.162/24
Connection ‘bond0‘ (513011e8-9326-4542-b4bc-21df6d38fa56) successfully added.
[[email protected] Desktop]# nmcli connection add con-name eth0 ifname eth0 type bond-slave master bond0
Connection ‘eth0‘ (89f6b8db-90e2-4571-b67d-807fcac04f65) successfully added.
[[email protected] Desktop]# nmcli connection add con-name eth1 ifname eth1 type bond-slave master bond0
Connection ‘eth1‘ (1d5f4488-b1bf-4da9-8820-1d15c1425e7c) successfully added.
[[email protected] Desktop]# ping 172.25.254.250
[[email protected] Desktop]# watch -n 1 cat /proc/net/bonding/bond0
[[email protected] Desktop]# ifconfig eth0 down
[[email protected] Desktop]# ifconfig eth1 down
[[email protected] Desktop]# ifconfig eth0 up
七、主动备份配置示例
1.建立绑定接口 bond0 配置文件 :
/etc/sysconfig/network-scripts/ifcfg-bond0
– DEVICE="bond0"
– BOOTPROTO="none"
– IPADDR="10.1.1.250"
– PREFIX=”24”
– ONBOOT="yes"
– BONDING_OPTS=”mode=1 miimon=50”
2.建立 Slave 接口 eth0 配置文件 :
/etc/sysconfig/network-scripts/ifcfg-eth0
– DEVICE="eth0"
– BOOTPROTO="none"
– ONBOOT="yes"
– MASTER="bond0"
– SLAVE="yes“
3.建立 Slave 接口 eth1 配置文件 :
/etc/sysconfig/network-scripts/ifcfg-eth1
– DEVICE="eth1"
– BOOTPROTO="none"
– ONBOOT="yes"
– MASTER="bond0"
– SLAVE="yes“
4.配置系统加载 binding 模块 :
/etc/modprobe.d/bonding.conf
– alias bond0 bonding
5.ifenslave bond0 eth0 eth1
6.查看 bonding 状态
– cat /proc/net/bonding/bond0
八、Team 接口
1.Team 和 bond0 功能类似
2.Team 不需要手动加载相应内核模块
3.Team 有更强的拓展性
– 支持 8 快网卡
九、Team 的种类
1.broadcast 广播容错
2.roundrobin 轮询
3.activebackup 主备
4.loadbalance 负载均衡
十、同过 nmcli 设定 team
1.nmcli con add type team con-name team0 ifname team0 config ‘{"runner": {"name": "loadbalance"}}‘
2.nmcli con mod team0 ipv4.addresses 1.2.3.4/24
3.nmcli con mod team0 ipv4.method manual
4.nmcli con add type team-slave ifname eth0 master team0 con-name team0-eth1
5.nmcli con add type team-slave ifname eth1 master team0 con-name team0-eth2
6.示例:
[[email protected] Desktop]# nm-connection-editor
[[email protected] Desktop]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 1843 bytes 200147 (195.4 KiB)
RX errors 0 dropped 15 overruns 0 frame 0
TX packets 84 bytes 16499 (16.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 52:54:00:4e:48:73 txqueuelen 1000 (Ethernet)
RX packets 961 bytes 104199 (101.7 KiB)
RX errors 0 dropped 48 overruns 0 frame 0
TX packets 68 bytes 6496 (6.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1172 bytes 92824 (90.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1172 bytes 92824 (90.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] Desktop]# teamdctl team0 state
Device "team0" does not exist
[[email protected] Desktop]# nmcli connection add con-name team0 ifname team0 type team config ‘{"runner":{"name":"activebackup"}}‘ ip4 172.25.254.162/24
Connection ‘team0‘ (f433063f-f60d-4e34-a681-b5ddc14eb8b2) successfully added.
[[email protected] Desktop]# nmcli connection add con-name eth0 ifname eth0 type team-slave master team0
Connection ‘eth0‘ (9e6d19b5-a0d7-41d3-b593-d1aa5a648fce) successfully added.
[[email protected] Desktop]# watch -n 1 teamdctl team0 state
[[email protected] Desktop]# ping 172.25.254.250
PING 172.25.254.250 (172.25.254.250) 56(84) bytes of data.
64 bytes from 172.25.254.250: icmp_seq=1 ttl=64 time=1.02 ms
64 bytes from 172.25.254.250: icmp_seq=2 ttl=64 time=0.835 ms
^C
--- 172.25.254.250 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.835/0.927/1.020/0.097 ms
[[email protected] Desktop]# nmcli connection add con-name eth1 ifname eth1 type team-slave master team0
Connection ‘eth1‘ (5c96c8be-f0dc-4b43-8a5a-387c80ba4077) successfully added.
[[email protected] Desktop]# ifconfig eth0 down
[[email protected] Desktop]# ifconfig eth0 up
[[email protected] Desktop]# ifconfig eth1 down
[[email protected] Desktop]#
第十单元 网络端口安全
一、Firewalld概述
1.动态防火墙后台程序 firewalld 提供了一个 动态管理的防火墙,用以支持网络 “ zones” ,以分配对一个网络及其相关链接和界面一定程度的信任。它具备对 IP v4 和 IP v6 防火墙设置的支持。它支持以太网桥,并有分离运行时间和永久性配置选择。它还具备一个通向服务或者应用程序以直接增加防火墙规则的接口。
2.系统提供了图像化的配置工具firewall-config、system-config-firewall, 提供命令行客户端firewall-cmd, 用于配置 firewalld永久性或非永久性运行时间的改变:它依次用iptables工具与执行数据包筛选的内核中的 Netfilter通信。
3.firewalld和iptables service 之间最本质的不同是:
1)iptables service 在 /etc/sysconfig/iptables 中储存配置,而 firewalld将配置储存在/usr/lib/firewalld/ 和 /etc/firewalld/ 中的各种XML文件里.
2)使用 iptables service每一个单独更改意味着清除所有旧有的规则和从/etc/sysconfig/iptables里读取所有新的规则,然而使用 firewalld却不会再创建任何新的规则;仅仅运行规则中的不同之处。因此,firewalld可以在运行时间内,改变设置而不丢失现行连接。
4.基于用户对网络中设备和交通所给与的信任程度,防火墙可以用来将网络分割成不同的区域。NetworkManager通知firewalld一个接口归属某个区域,新加入的接口被分配到默认区域。
网络区名称 默认配置
trusted( 信任 ) 可接受所有的网络连接
home( 家庭 ) 用于家庭网络,仅接受ssh、mdns、ipp-client、samba-client、或dhcpv6-client服务连接
internal( 内部 ) 用于内部网络,仅接受ssh、mdns、ipp-client、samba-client、dhcpv6-client服务连接
work( 工作 ) 用于工作区,仅接受ssh、ipp-client或dhcpv6-client服务连接
public( 公共 ) 在公共区域内使用,仅接受ssh或dhcpv6-client服务连接,为firewalld的默认区域
external( 外部 ) 出去的ipv4网络连接通过此区域伪装和转发,仅接受ssh服务连接
dmz( 非军事区 ) 仅接受ssh服务接连
block( 限制 ) 拒绝所有网络连接
drop( 丢弃 ) 任何接收的网络数据包都被丢弃,没有任何回复
5.示例:
服务端:
[[email protected] network-scripts]# ls
ifcfg-eth0 ifdown-post ifup-bnep ifup-routes
ifcfg-eth1 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
[[email protected] network-scripts]# vim ifcfg-eth0
[[email protected] network-scripts]# cat ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.254.162
NETMASK=255.255.255.0
[[email protected] network-scripts]# cat ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.42.10
NETMASK=255.255.255.0
[[email protected] network-scripts]# vim ifcfg-eth1
[[email protected] network-scripts]# cat ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=172.25.62.10
NETMASK=255.255.255.0
[[email protected] network-scripts]# systemctl restart network
[[email protected] network-scripts]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.162 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe00:3e0a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:3e:0a txqueuelen 1000 (Ethernet)
RX packets 888 bytes 126779 (123.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83 bytes 11850 (11.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.62.10 netmask 255.255.255.0 broadcast 172.25.62.255
inet6 fe80::5054:ff:fe4e:4873 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:4e:48:73 txqueuelen 1000 (Ethernet)
RX packets 913 bytes 130588 (127.5 KiB)
RX errors 0 dropped 140 overruns 0 frame 0
TX packets 51 bytes 7487 (7.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 668 bytes 53216 (51.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 668 bytes 53216 (51.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] network-scripts]# ping 172.25.254.250
PING 172.25.254.250 (172.25.254.250) 56(84) bytes of data.
64 bytes from 172.25.254.250: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 172.25.254.250: icmp_seq=2 ttl=64 time=0.782 ms
^C
--- 172.25.254.250 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.782/1.148/1.515/0.368 ms
[[email protected] network-scripts]# ping 172.25.62.11
PING 172.25.62.11 (172.25.62.11) 56(84) bytes of data.
64 bytes from 172.25.62.11: icmp_seq=1 ttl=64 time=0.463 ms
64 bytes from 172.25.62.11: icmp_seq=2 ttl=64 time=0.358 ms
^C
--- 172.25.62.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.358/0.410/0.463/0.056 ms
[[email protected] network-scripts]#
客户端:
[[email protected] Desktop]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-eth0 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
ifdown-post ifup-bnep ifup-routes
[[email protected] network-scripts]# vim ifcfg-eth0
[[email protected] network-scripts]# cat ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=172.25.62.11
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
PERSISTENT_DHCLIENT=1
[[email protected] network-scripts]# systemctl restart network
[[email protected] network-scripts]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.62.11 netmask 255.255.255.0 broadcast 172.25.62.255
inet6 fe80::5054:ff:fe00:3e0b prefixlen 64 scopeid 0x20<link>
ether 52:54:00:00:3e:0b txqueuelen 1000 (Ethernet)
RX packets 302175 bytes 683599064 (651.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 187198 bytes 12496615 (11.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 23 bytes 2100 (2.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23 bytes 2100 (2.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] network-scripts]# ping 172.25.62.10
PING 172.25.62.10 (172.25.62.10) 56(84) bytes of data.
64 bytes from 172.25.62.10: icmp_seq=1 ttl=64 time=0.366 ms
64 bytes from 172.25.62.10: icmp_seq=2 ttl=64 time=0.374 ms
^C
--- 172.25.62.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.366/0.370/0.374/0.004 ms
[[email protected] network-scripts]#
二、管理防火墙
1.安装防火墙软件:
# yum install -y firewalld firewall-config
2.启动和禁用防火墙:
# systemctl start firewalld ; systemctl enable firewalld
# systemctl disable firewalld ; systemctl stop firewalld
3.使用iptables服务:
# yum install -y iptables-services
# systemctl start iptables ; systemctl start ip6tables
# systemctl enable iptables ; systemctl enable ip6tables
4.推荐使用firewalld服务
5.示例:
[[email protected] yum.repos.d]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Wed 2017-05-03 01:59:09 EDT; 43min ago
Main PID: 470 (firewalld)
CGroup: /system.slice/firewalld.service
└─470 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
May 03 01:59:09 localhost systemd[1]: Started firewalld - dynamic firewall ...n.
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] yum.repos.d]# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: inactive (dead)
[[email protected] yum.repos.d]# systemctl start iptables.service
[[email protected] yum.repos.d]# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: active (exited) since Wed 2017-05-03 02:43:09 EDT; 2s ago
Process: 4247 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 4247 (code=exited, status=0/SUCCESS)
May 03 02:43:09 localhost systemd[1]: Starting IPv4 firewall with iptables...
May 03 02:43:09 localhost iptables.init[4247]: iptables: Applying firewall r...]
May 03 02:43:09 localhost systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] yum.repos.d]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: inactive (dead) since Wed 2017-05-03 02:43:09 EDT; 7s ago
Process: 470 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 470 (code=exited, status=0/SUCCESS)
May 03 01:59:09 localhost systemd[1]: Started firewalld - dynamic firewall ...n.
May 03 02:43:09 localhost systemd[1]: Stopping firewalld - dynamic firewall.....
May 03 02:43:09 localhost systemd[1]: Stopped firewalld - dynamic firewall ...n.
Hint: Some lines were ellipsized, use -l to show in full.
[[email protected] yum.repos.d]# systemctl stop iptables.service
[[email protected] yum.repos.d]# systemctl start firewalld.service
[[email protected] yum.repos.d]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Wed 2017-05-03 02:43:50 EDT; 5s ago
Main PID: 4508 (firewalld)
CGroup: /system.slice/firewalld.service
└─4508 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
May 03 02:43:50 localhost systemd[1]: Starting firewalld - dynamic firewall.....
May 03 02:43:50 localhost systemd[1]: Started firewalld - dynamic firewall ...n.
Hint: Some lines were ellipsized, use -l to show in full.
三、使用命令行接口配置防火墙
1.查看firewalld的状态:
# firewall-cmd --state
2.查看当前活动的区域,并附带一个目前分配给它们的接口列表:
# firewall-cmd --get-active-zones
3.查看默认区域:
# firewall-cmd --get-default-zone
4.查看所有可用区域:
# firewall-cmd --get-zones
5.列出指定域的所有设置:
# firewall-cmd --zone=public --list-all
6.列出所有预设服务:
# firewall-cmd --get-services
(这样将列出 /usr/lib/firewalld/services/ 中的服务器名称。注意:配置文件是以服务本身命名的service-name. xml)
7.列出所有区域的设置:
# firewall-cmd --list-all-zones
8.设置默认区域:
# firewall-cmd --set-default-zone=dmz
9.设置网络地址到指定的区域:
# firewall-cmd --permanent --zone=internal --add-source=172.25.0.0/24
(--permanent参数表示永久生效设置,如果没有指定--zone参数,那么会加入默认区域)
10.删除指定区域中的网路地址:
# firewall-cmd --permanent --zone=internal --remove-source=172.25.0.0/24
11.添加、改变、删除网络接口:
# firewall-cmd --permanent --zone=internal --add-interface=eth0
# firewall-cmd --permanent --zone=internal --change-interface=eth0
# firewall-cmd --permanent --zone=internal --remove-interface=eth0
12.添加、删除服务:
# firewall-cmd --permanent --zone=public --add-service=smtp
# firewall-cmd --permanent --zone=public --remove-service=smtp
www.westos.org
13.列出、添加、删除端口:
# firewall-cmd --zone=public --list-ports
# firewall-cmd --permanent --zone=public --add-port=8080/tcp
# firewall-cmd --permanent --zone=public --remove-port=8080/tcp
14.重载防火墙:
# firewall-cmd --reload (注意:这并不会中断已经建立的连接,如果打算中断,可以使用 --complete-reload选项)
15.firewalld的规则被保存在/etc/firewalld目录下的文件中,你也可以直接编辑这些文件达到配置防火墙的目的。/usr/lib/firewalld目录下的内容是不可以被编辑的,但可以用做默认模板。
16.示例:
[[email protected] yum.repos.d]# firewall-config
[[email protected] yum.repos.d]# firewall-cmd --state
running
[[email protected] yum.repos.d]# systemctl stop firewalld.service
[[email protected] yum.repos.d]# firewall-cmd --state
not running
[[email protected] yum.repos.d]# systemctl start firewalld.service
[[email protected] yum.repos.d]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[[email protected] yum.repos.d]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
[[email protected] yum.repos.d]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# yum install httpd
[[email protected] yum.repos.d]# systemctl start httpd
[[email protected] yum.repos.d]# vim /var/www/html/index.html
[[email protected] yum.repos.d]# firewall-cmd --set-default-zone=trusted
success
[[email protected] yum.repos.d]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
trusted
interfaces: eth0 eth1
[[email protected] yum.repos.d]# firewall-cmd --set-default-zone=public
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --get-default-zone
public
[[email protected] yum.repos.d]# firewall-cmd --get-active-zones
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[[email protected] yum.repos.d]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[[email protected] yum.repos.d]# firewall-cmd --list-all-zones
ROL
interfaces:
sources: 172.25.0.252/32
services: ssh vnc-server
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
drop
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
external
interfaces:
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
home
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
internal
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
trusted
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --permanent --zone=public --add-service=http
success
[[email protected] yum.repos.d]# firewall-cmd --reload
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --permanent --remove-service=http
success
[[email protected] yum.repos.d]# firewall-cmd --reload
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=internal --add-source=172.25.254.62
success
[[email protected] yum.repos.d]# firewall-cmd --zone=internal --remove--source=172.25.254.62
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --remove--source=172.25.254.62
[[email protected] yum.repos.d]# firewall-cmd --zone=internal --list-all
internal
interfaces:
sources: 172.25.254.62
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=internal --remove-source=172.25.254.62
success
[[email protected] yum.repos.d]# firewall-cmd --zone=internal --list-all
internal
interfaces:
sources:
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --add-source=172.25.254.62
success
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --list-all
trusted
interfaces:
sources: 172.25.254.62
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --remove-source=172.25.254.62
success
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --list-all
trusted
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=public --remove-interface=eth1
success
[[email protected] yum.repos.d]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --add-interface=eth1
success
[[email protected] yum.repos.d]# firewall-cmd --zone=trusted --list-all
trusted (active)
interfaces: eth1
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --add-port=80/tcp --zone=public
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --remove-port=80/tcp --zone=public
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
四、Direct Rules
通过 firewall-cmd 工具,可以使用 --direct 选项在运行时间里增加或者移除链。如果不熟悉 iptables ,使用直接接口非常危险,因为您可能无意间导致防火墙被入侵。直接端口模式适用于服务或者程序,以便在运行时间内增加特定的防火墙规则。直接端口模式添加的规则优先应用。
1.添加规则:
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j
ACCEPT
2.删除规则:
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 10 -p tcp --dport 80 -j
ACCEPT
3.列出规则:
# firewall-cmd --direct --get-all-rules
4.示例:
[[email protected] yum.repos.d]# firewall-cmd --direct --get-all-rules
[[email protected] yum.repos.d]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j REJECT
success
[[email protected] yum.repos.d]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j REJECT
[[email protected] yum.repos.d]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j ACCEPT
success
[[email protected] yum.repos.d]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j REJECT
ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j ACCEPT
[[email protected] yum.repos.d]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j REJECT
success
[[email protected] yum.repos.d]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 80 -s 172.25.254.62 -j ACCEPT
[[email protected] yum.repos.d]#
五、Rich Rules
通过“ rich language”语法,可以用比直接接口方式更易理解的方法建立复杂防火墙规则。此外,还能永久保留设置。这种语言使用关键词值,是 iptables 工具的抽象表示。这种语言可以用来配置分区,也仍然支持现行的配置方式。
1.source
指定源地址,可以是一个ipv4/ipv6的地址或网段,不支持使用主机名。
2.destination
指定目的地址,用法和source相同。
3.service
服务名称是 f irewalld 提供的其中一种服务。要获得被支持的服务的列表,输入以下命令:firewall-cmd --get-services 。命令为以下形式:service name= service_name
4.port
端口既可以是一个独立端口数字,又或者端口范围,例如,5060-5062。协议可以指定为 tcp 或udp 。命令为以下形式:port port= number_or_range protocol= protocol
5.protocol
协议值可以是一个协议 ID 数字,或者一个协议名。预知可用协议,请查阅 /etc/protocols。命令为以下形式:protocol value= protocol_name_or_ID
6.icmp-block
用这个命令阻绝一个或多个ICMP类型。IC MP 类型是 firewalld支持的ICMP类型之一。要获得被支持的ICMP类型列表,输入以下命令: firewall-cmd --get-icmptypes icmp-block在内部使用 reject 动作,因此不允许指定动作。命令为以下形式:icmp-block name= icmptype_name
7.masquerade
打开规则里的 IP 伪装。用源地址而不是目的地址来把伪装限制在这个区域内。不允许指定动作。
8.forward-port
从一个带有指定为 tcp 或 udp 协议的本地端口转发数据包到另一个本地端口,或另一台机器,或另一台机器上的另一个端口。port 和 to-port 可以是一个单独的端口数字,或一个端口范围。而目的地址是一个简单的 IP 地址。不允许指定动作,命令使用内部动作accept 。命令为以下形式:forward-port port= number_or_range protocol= protocol /to-port= number_or_range to-addr= address
9.log
注册含有内核记录的新连接请求到规则中,比如系统记录。你可以定义一个前缀文本,记录等级可以是 emerg、alert、crit、error、warning、notice、info 或者 debug 中的一个。命令形式:
log [prefix= prefix text ] [level= log level ] limit value= rate/duration(等级用正的自然数 [1, ..] 表达,持续时间的单位为 s 、 m 、 h 、 d 。 s 表示秒, m 表示分钟, h表示小时, d 表示天。最大限定值是 1/d ,意为每天最多有一条日志进入。)
10.audit
审核为发送到 aud i td 服务的审核记录来注册提供了另一种方法。审核类型可以是ACCEPT、REJECT或DROP中的一种,但不能在 audit命令后指定,因为审核类型将会从规则动作中自动收集。审核不包含自身参数,但可以选择性地增加限制。审核的使用是可选择的。选择 accept 所有新的连接请求都会被允许。选择 reject ,连接将被拒绝,连接来源将接到一个拒绝信息。拒绝的类型可以被设定为使用另一种值。选择 drop , 所有数据包会被丢弃,并且不会向来源地发送任何信息。
11.多语言命令的格式 :
在这个部分,所有命令都必须以 root 用户身份运行。增加一项规则的命令格式如下:firewall-cmd [--zone=zone] --add -rich-rule=‘rule‘ [--timeout=seconds]
这样将为 zone 分区增加一项多语言规则 rule 。这个选项可以多次指定。如果分区被省略,将使用默认分区。如果出现超时,规则将在指定的秒数内被激活,并在之后被自动移除
12.移除一项规则:
firewall-cmd [--zone=zone] --remove-rich-rule=‘rule‘
13.检查一项规则是否存在:
firewall-cmd [--zone=zone] --query-rich-rule=‘rule‘
这将复查是否已经为区域增加一个多语言规则 。如果可用,屏幕会显示 yes,退出状态为0; 否则,屏幕显示 no ,退出状态为 1。如果省略 zone,默认区域将被使用。
14.列出所有多语言规则:
firewall-cmd --list-rich-rules
15.添加规则:
# firewall-cmd --add-rich-rule=‘rule family="ipv4" source address="172.25.0.10" accept‘
允许172.25.0.10主机所有连接。
# firewall-cmd --add-rich-rule=‘rule service name=ftp limit value=2/m accept‘
每分钟允许2个新连接访问ftp服务。
# firewall-cmd --add-rich-rule=‘rule service name=ftp log limit value="1/m" audit accept‘
同意新的 IP v4 和 IP v6 连接 FT P ,并使用审核每分钟登录一次。
# firewall-cmd --add-rich-rule=‘rule family="ipv4" source address="172.25.0.0/24" service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept‘
允许来自172.25.0.0/24地址的新 IPv4连接连接TFTP服务,并且每分钟记录一次。
# firewall-cmd --permanent --add-rich-rule=‘rule protocol value=icmp drop‘
丢弃所有icmp包
# firewall-cmd --add-rich-rule=‘rule family=ipv4 source address=172.25.0.0/24 reject‘ --timeout=10
当使用source和destination指定地址时,必须有family参数指定ipv4或ipv6。如果指定超时,规则将在指定的秒数内被激活,并在之后被自动移除。
# firewall-cmd --add-rich-rule=‘rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject‘ --timeout=300
拒绝所有来自2001:db8::/64子网的主机访问dns服务,并且每小时只审核记录1次日志。
# firewall-cmd --permanent --add-rich-rule=‘rule family=ipv4 source address=172.25.0.0/24 service name=ftp accept‘
允许172.25.0.0/24网段中的主机访问ftp服务
# firewall-cmd --add-rich-rule=‘rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"‘
转发来自ipv6地址1:2:3:4:6::TCP端口4011,到1:2:3:4:7的TCP端口4012
六、伪装和端口转发
1.伪装:
# firewall-cmd --permanent --zone=< ZONE > --add-masquerade
# firewall-cmd --permanent --zone=< ZONE > --add-rich-rule=‘rule family=ipv4 source
addres=172.25.0.0/24 masquerade‘
示例:
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=public --add-masquerade
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
[[email protected] yum.repos.d]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.41
success
[[email protected] yum.repos.d]# ssh [email protected]
The authenticity of host ‘172.25.254.162 (172.25.254.162)‘ can‘t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.254.162‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
Last failed login: Wed May 3 04:36:43 EDT 2017 from 172.25.254.162 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed May 3 02:00:05 2017
[[email protected] ~]# exit
logout
Connection to 172.25.254.162 closed.
2.端口转发:
# firewall-cmd --permanent --zone=< ZONE > --add-forward-port=
port=80:proto=tcp:toport=8080:toaddr=172.25.0.10
# firewall-cmd --permanent --zone=< ZONE > --add-rich-rule=‘rule family=ipv4 source
address=172.25.0.0/24 forward-port port=80 protocol=tcp to-port=8080‘
示例:
[[email protected] yum.repos.d]# firewall-cmd --zone=public --add-rich-rule=‘rule family=ipv4 source address=172.25.254.162 masquerade‘
success
[[email protected] network-scripts]# ping 172.25.254.250connect: Network is unreachable
[[email protected] network-scripts]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
[[email protected] network-scripts]# systemctl restart network[[email protected] network-scripts]# ping 172.25.254.250PING 172.25.254.250 (172.25.254.250) 56(84) bytes of data.
64 bytes from 172.25.254.250: icmp_seq=1 ttl=63 time=0.774 ms
64 bytes from 172.25.254.250: icmp_seq=2 ttl=63 time=1.01 ms
^C
--- 172.25.254.250 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.774/0.896/1.019/0.126 ms
[[email protected] network-scripts]# ssh [email protected]
The authenticity of host ‘172.25.254.162 (172.25.254.162)‘ can‘t be established.
ECDSA key fingerprint is 0a:3f:c1:93:d3:8e:1c:70:c5:61:f6:4a:e6:db:10:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.254.162‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
Permission denied, please try again.
[email protected]‘s password:
Last failed login: Wed May 3 16:43:35 CST 2017 from 172.25.254.162 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed May 3 16:35:53 2017 from 172.25.254.162
[[email protected] ~]# exit
logout
Connection to 172.25.254.162 closed.
[[email protected] network-scripts]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.25.62.10 0.0.0.0 UG 1024 0 0 eth0
172.25.62.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
[[email protected] network-scripts]# w
04:45:16 up 2:46, 2 users, load average: 0.04, 0.08, 0.07
USER TTY [email protected] IDLE JCPU PCPU WHAT
root :0 02:06 ?xdm? 1:48 0.12s gdm-session-worker [pam/gdm-pas
root pts/0 02:06 4.00s 0.14s 1.61s /usr/libexec/gnome-terminal-ser
[[email protected] network-scripts]# ssh [email protected]
[email protected]‘s password:
Last login: Wed May 3 16:43:39 2017 from 172.25.254.162
[[email protected] ~]# w
16:46:29 up 6:14, 4 users, load average: 0.12, 0.12, 0.16
USER TTY FROM [email protected] IDLE JCPU PCPU WHAT
kiosk :0 :0 10:32 ?xdm? 41:40 0.14s gdm-session-wor
kiosk pts/0 :0 10:32 1:09 1.00s 23.68s /usr/libexec/gn
kiosk pts/1 :0 16:31 5:57 0.04s 0.04s bash
root pts/4 172.25.254.162 16:46 2.00s 0.03s 0.00s w
[[email protected] ~]# exit
logout
Connection to 172.25.254.162 closed.
[[email protected] network-scripts]#
七、管理SELinux端口标签
1.列出端口标签:
# semanage port -l
2.添加端口标签:
# semanage port -a -t http_port_t -p tcp 82
3.删除端口标签:
# semanage port -d -t http_port_t -p tcp 82
4.Lab:
1)reset serverX and desktopX
2)运行脚本设置serverX: lab selinuxport setup
3)在serverX上派错后,在desktopX上运行脚本测试: lab selinuxport grade