Linux防火墙基础

SElinux配置

[[email protected] ~]# getenforce

Enforcing

[[email protected] ~]# setenforce 0

[[email protected] ~]# getenforce

Permissive

[[email protected] ~]# setenforce 1

[[email protected] ~]# getenforce

Enforcing

######################################################################################

配置聚合链路

[[email protected] ~]# man teamd.conf     /example 查找相关命令

1.添加聚合连接team0                 #加队取名定模式

[[email protected] ~]# nmcli connection add type team con-name team0 ifname team0 config ‘{ "runner": {"name": "activebackup"}}‘

Connection ‘team0‘ (3d3cdab0-e8aa-4db0-90de-7863c6d9f798) successfully added.

[[email protected] ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0

DEVICE=team0

TEAM_CONFIG="{ \"runner\": {\"name\": \"activebackup\"}}"

DEVICETYPE=Team

BOOTPROTO=dhcp

DEFROUTE=yes

PEERDNS=yes

PEERROUTES=yes

IPV4_FAILURE_FATAL=no

IPV6INIT=yes

IPV6_AUTOCONF=yes

IPV6_DEFROUTE=yes

IPV6_PEERDNS=yes

IPV6_PEERROUTES=yes

IPV6_FAILURE_FATAL=no

NAME=team0

UUID=3d3cdab0-e8aa-4db0-90de-7863c6d9f798

ONBOOT=yes

[[email protected] ~]# ifconfig

team0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500

ether 6a:1f:d4:35:9f:2b  txqueuelen 0  (Ethernet)

RX packets 0  bytes 0 (0.0 B)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 0  bytes 0 (0.0 B)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.team0中添加网卡     #slave  奴隶    添加奴隶 选卡

[[email protected] ~]# nmcli connection add type team-slave ifname eth1 master team0

Connection ‘team-slave-eth1‘ (e0deb3ce-ed1b-4001-9616-bf483e3240f7) successfully added.

[[email protected] ~]# nmcli connection add type team-slave ifname eth2 master team0

Connection ‘team-slave-eth2‘ (275238d8-df7a-4761-8635-0815a6510b6f) successfully added.

3.配置team0的IP地址

[[email protected] ~]# nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconnect yes

4.激活team0和各个网卡

[[email protected] ~]# nmcli connection up team-slave-eth1

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

[[email protected] ~]# nmcli connection up team-slave-eth2

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)

[[email protected] ~]# nmcli connection up team0

Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

5.验证

[[email protected] ~]# teamdctl team0 state

setup:

runner: activebackup

ports:

eth2

link watches:

link summary: up

instance[link_watch_0]:

name: ethtool

link: up

eth1

link watches:

link summary: up

instance[link_watch_0]:

name: ethtool

link: up

runner:

active port: eth2

删除相关设置

nmcli connection delete team-slave-eth1

nmcli connection delete team-slave-eth2

nmcli connection delete team0

####################################################################################

自定义命令

[[email protected] ~]# vim /root/.bashrc             #影响root文件

alias hello=‘echo hello‘

[[email protected] ~]# vim /home/student/.bashrc     #影响student文件

alias hi=‘echo hi‘

[[email protected] ~]# vim /etc/bashrc               #影响全局配置

alias xixi=‘echo xixi‘

退出远程连接重新登陆

[[email protected] ~]# exit

登出

[[email protected] 桌面]# s

Last login: Wed Nov  1 08:33:41 2017 from 172.25.0.250

验证

[[email protected] ~]# hello

hello

[[email protected] ~]# xixi

xixi

[[email protected] ~]# hi

bash: hi: 未找到命令...

换到用户student验证

[[email protected] root]$ hi

hi

[[email protected] root]$ xixi

xixi

[[email protected] root]$ hello

bash: hello: 未找到命令...

[[email protected] root]$

#######################################################################################

防火墙策略管理

搭建基本的web服务

服务端  Apache    httpd

1 安装httpd软件

yum -y install httpd

2 重启httpd服务  设置开机自启

[[email protected] ~]# systemctl restart httpd

[[email protected] ~]# systemctl enable httpd

3 设计简单网页

[[email protected] ~]# vim /var/www/html/index.html

<marquee><font color=green><h1>hahahahahahahahaha

[[email protected] ~]# firefox 172.25.0.11

4 FTP服务的搭建                         #FTP做文件传输服务

[[email protected] ~]# yum -y install vsftpd

[[email protected] ~]# systemctl restart vsftpd

[[email protected] ~]# systemctl enable vsftpd

5 测试

[[email protected] ~]# firefox ftp://172.25.0.11

防火墙

查看防火墙状态

[[email protected] ~]# systemctl status firewalld.service

firewalld.service - firewalld - dynamic firewall daemon

Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)

Active: active (running) since 三 2017-11-01 08:28:25 CST; 7h ago

Main PID: 481 (firewalld)

CGroup: /system.slice/firewalld.service

└─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

11月 01 08:28:25 localhost systemd[1]: Started firewalld - dynamic....

Hint: Some lines were ellipsized, use -l to show in full.

预设安全区域

public

trusted

block

drop

##################################################################################

防火墙判断的规则：匹配及停止

1.首先看请求（客户端）当中的源IP地址，所有区域中是否有对于改IP地址的策略，如果有则该请求进入该区域

2.进入默认区域

虚拟机desktop0:

# firefox http://172.25.0.11  #访问失败

# firefox ftp://172.25.0.11   #访问失败

虚拟机server0:

# firewall-cmd --get-default-zone        #查看默认区域

# firewall-cmd --zone=public --list-all

# firewall-cmd --zone=public --add-service=http #添加服务

# firewall-cmd --zone=public --list-all   #查看区域规则信息

虚拟机desktop0:

# firefox http://172.25.0.11  #访问成功

# firefox ftp://172.25.0.11   #访问失败

虚拟机server0:

# firewall-cmd --zone=public --add-service=ftp

# firewall-cmd --zone=public --list-all

虚拟机desktop0:

# firefox ftp://172.25.0.11   #访问成功

#####################################################

--permanent选项：实现永久设置

虚拟机server0：

# firewall-cmd --reload   #重新加载防火墙

# firewall-cmd --zone=public --list-all

# firewall-cmd --permanent --zone=public  --add-service=ftp

# firewall-cmd --permanent --zone=public --add-service=http

# firewall-cmd --reload   #重新加载防火墙

# firewall-cmd --zone=public --list-all

####################################################

修改默认的区域,不需要加上--permanent

虚拟机desktop0：

# ping 172.25.0.11     #可以通信

虚拟机server0：

# firewall-cmd --set-default-zone=block   #修改默认区域

# firewall-cmd --get-default-zone         #查看默认区域

虚拟机desktop0：

# ping 172.25.0.11   #不可以通信

虚拟机server0：

# firewall-cmd --set-default-zone=drop

# firewall-cmd --get-default-zone

虚拟机desktop0：

# ping 172.25.0.11   #通信无反馈

######################################################

虚拟机server0：

# firewall-cmd --permanent --zone=public --add-source=172.25.0.10

# firewall-cmd --zone=public --list-all

# firewall-cmd --reload

# firewall-cmd --zone=public --list-all

虚拟机desktop0：

# firefox http://172.25.0.11

##################################################

实现本机的端口映射

本地应用的端口重定向(端口1 --> 端口2)

– 从客户机访问 端口1 的请求,自动映射到本机 端口2

– 比如,访问以下两个地址可以看到相同的页面:

虚拟机desktop0：

# firefox http://172.25.0.11:5423-------》172.25.0.11：80

虚拟机server0：

# firewall-cmd --permanent --zone=public

--add-forward-port=port=5423:proto=tcp:toport=80

# firewall-cmd --reload

# firewall-cmd --zone=public --list-all

虚拟机desktop0：

# firefox http://172.25.0.11:5423