Firewalld--02 端口访问/转发、服务访问、源地址管理

目录

  • 防火墙端口访问/转发、服务访问、源地址管理

    • 1. 防火墙端口访问策略
    • 2. 防火墙服务访问策略
    • 3.防火墙接口管理
    • 4.防火墙源地址管理
    • 5. 防火墙端口转发策略

防火墙端口访问/转发、服务访问、源地址管理

1. 防火墙端口访问策略

使用Firewalld允许客户请求的服务器的80/tcp端口,仅临时生效,如添加--permanent重启后则永久生效

1). 临时添加允许放行单个端口

[[email protected] ~]# firewall-cmd --add-port=80/tcp
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2). 临时添加放行多个端口

[[email protected] ~]# firewall-cmd --add-port={443/tcp,3306/tcp}
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3). 永久添加多个端口,需要添加--permanent,并且需要重载Firewalld

[[email protected] ~]# firewall-cmd --add-port={80/tcp,443/tcp} --permanent
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4). 通过--list-ports检查端口放行情况

[[email protected] ~]# firewall-cmd --list-ports
80/tcp 443/tcp

5). 移除临时添加的端口规则

[[email protected] ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[[email protected] ~]# firewall-cmd --list-ports
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --reload
success
#重启之后又回来了,因为之前设置了永久
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2. 防火墙服务访问策略

使用Firewalld允许客户请求服务器的http https协议,仅临时生效,如添加--permanent重启后则永久生效

1). 临时添加允许放行单个服务

[[email protected] ~]# firewall-cmd --add-service=http
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2). 临时添加放行多个服务

[[email protected] ~]# firewall-cmd --add-service={http,https,mysql}
Warning: ALREADY_ENABLED: 'http' already in 'public'
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https mysql
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3). 永久添加多个服务,需要添加--permanent,并且需要重Fiirewalld

[[email protected] ~]# firewall-cmd --add-service={http,https} --permanent
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4).通过--list-services检查端口放行情况

[[email protected] ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https

5). 移除临时添加的http、https协议

[[email protected] ~]# firewall-cmd --remove-service={http,https}
success
[[email protected] ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --reload
success
#重启之后,设置又回来了
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

#永久移除
[[email protected] ~]# firewall-cmd --remove-service={http,https} --permanent
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

6).如何添加一个自定义端口,转其为对应的服务

#1.拷贝相应的xml文件
[[email protected] ~]# cd /usr/lib/firewalld/services/
[[email protected] /usr/lib/firewalld/services]# cp http.xml test.xml
#2.修改端口为11211
[[email protected] /usr/lib/firewalld/services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (test)</short>
<description>test is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="11211"/>
</service>

#3.防火墙增加规则
[[email protected] ~]# firewall-cmd --permanent --add-service=test
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-services
ssh dhcpv6-client test

#4.安装memcached, 并监听11211端口
[[email protected] ~]# systemctl start memcached
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 9911/memcached

#5.测试验证
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

3.防火墙接口管理

#查看接口在哪个zone下面

[[email protected] ~]# firewall-cmd   --get-zone-of-interface=eth0
public
[[email protected] ~]# firewall-cmd   --get-zone-of-interface=eth1
public

#移除eth1接口
[[email protected] ~]# firewall-cmd  --remove-interface=eth1
success

[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: 

#添加一个接口
[[email protected] ~]# firewall-cmd   --add-interface=eth0
success
[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: 

[[email protected] ~]# firewall-cmd --get-zone-of-interface=eth1
no zone

#将接口跟zone进行相关联
[[email protected] ~]# firewall-cmd  --change-interface=eth0   --zone=public
success
[[email protected] ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

4.防火墙源地址管理

#禁用一个ip地址的所有访问

[[email protected] ~]# firewall-cmd   --add-source=10.0.0.8/32   --zone=drop
success

[[email protected] ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32
public
  interfaces: eth0

#禁用一个网段

[[email protected] ~]# firewall-cmd  --add-source=10.0.0.0/24  --zone=drop
success

[[email protected] ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32 10.0.0.0/24
public
  interfaces: eth0

#允许一个ip地址访问所有

[[email protected] ~]# firewall-cmd   --add-source=10.0.0.8/32  --zone=trusted
success
[[email protected] ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0
trusted
  sources: 10.0.0.8/32

#移除ip地址

[[email protected] ~]# firewall-cmd  --remove-source=10.0.0.8/32  --zone=trusted
success
[[email protected] ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0

5. 防火墙端口转发策略

端口转发是指传统的目标地址映射,实现外网访问内网资源,流量转发命令格式为:

firewall-cmd --permanent --zone=<区域> --add-forward-port=port=<源端口号>:proto=<协议>:toport=<目标端口号>:toaddr=<目标IP地址>

如果需要将本地的10.0.0.61:5555端口转发至后端172.16.1.9:22端口

1. 开启masquerade,实现地址转换
[[email protected] ~]# firewall-cmd --add-masquerade --permanent
success

2. 配置转发规则
[[email protected] ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
success
[[email protected] ~]# firewall-cmd --reload
success

3. 验证测试
[C:\~]$ ssh [email protected] 5555

Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Sun Dec 8 18:59:01 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 17:21:54 2019 from 10.0.0.1
[root[email protected] ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a717/64 scope link
valid_lft forever preferred_lft forever

原文地址:https://www.cnblogs.com/gongjingyun123--/p/12015908.html

时间: 2024-08-02 17:58:46

Firewalld--02 端口访问/转发、服务访问、源地址管理的相关文章

iptables 端口转发 实现访问内网的httpd服务

上篇文章写到通过dhcp实现客户机上网功能,由于公网地址只有一个,我想把内部服务发布到外网就需要通过 "端口转发" 来实现 1.公网服务器: eth0:公网IP eth1:内网IP - 192.168.1.1 2.HTTPD服务器: eth0:内网IP -192.168.1.100 3.实现方法: 通过访问公网IP的8080端口来实现到内网MYSQL服务器的3306端口的访问 4.在公网服务器上: iptables -t nat -A PREROUTING -p tcp --dport

Linux通过端口转发来访问内网服务(端口转发访问阿里云Redis数据库等服务)

# 安装rinetd wget http://www.boutell.com/rinetd/http/rinetd.tar.gz&&tar -xvf rinetd.tar.gz&&cd rinetd sed -i 's/65536/65535/g' rinetd.c (修改端口范围) mkdir /usr/man&&make&&make install 说明:IP的端口是双字节,也就是256*256-1, 256*256对计算机来说就是0,因

关于Centos7 firewalld防火墙开放端口后仍不能访问ftp和nginx的问题解决

我在阿里轻量应用服务器搭建ftp服务器这篇博客中把防火墙换为iptables,因为当时无论我怎么设置firewalld,就是无法访问ftp服务器,今天在翻看其他博客的时候,突然发现firewalld有打开服务这么一个命令,然后我就找到了解决的办法.查看当前开了哪些端口其实一个服务对应一个端口,每个服务对应/usr/lib/firewalld/services下面一个xml文件. firewall-cmd --list-services1通过这个命令我们查看当前打开了那些服务,比如下面这个 我开启

设置端口转发来访问Virtualbox里linux中的网站

上一篇中我们讲到怎么设置virtuabox来通过SSH登录机器. 同样,我们也可以按照上一篇内容中的介绍,设置端口转发,来访问虚拟linux系统已经搭建的网站: 1.设置端口转发: 我们设置本地的8888端口来转发给虚拟机的80端口. 虚拟机中的网站简单结构如下: [email protected]:/var/www/php# ll /var/www/php/test.php -rw-rw-r-- 1 zhiguo zhiguo 217 Apr 12 20:59 /var/www/php/tes

CentOS7 FTP服务搭建(虚拟用户访问FTP服务)

概述 最近在搞Oracle在Linux系统下集群,针对Linux系统,笔人也是一片空白.Liunx外部文件的传输,避免不了使用FTP服务,所以现在就整理下,CentOS7环境下,FTP服务的搭建.FTP服务器需要安装vsftp服务端软件.我们知道,在建立vsftpd用户时,我们一般是在linux下建立用户useradd的方式来访问ftp,但有时我们只想提供ftp服务,而避免用户用ftp的帐号去登录linux,采用一般的方式只能是限制该用户的访问权限,但还是避免不了用户登录进linux系统,所以比

WinServer 之 内网发布网站后端口映射外网访问

内网IP只能在内网局域网访问连接,在外网是不能认识内网IP不能访问的.如有路由权限,且路由有固定公网IP,可以通过路由的端口映射,实现外网访问内网.如无路由,或路由无公网IP,需要用到第三方开放的花生壳端口映射网络辅助实现外网访问内网. 一.通过路由端口映射 1.Tp-link路由器的端口映射设置方法: 登录到路由器的管理界面(认管理地址为http://192.168.0.1,账号admin密码admin),点击路由器的“ 转发规则—虚拟服务器—添加新条目成 ”,如图: 端口映射设置如下:服务端

nginx 获取源IP 获取经过N层Nginx转发的访问来源真实IP

1. nginx 配置文件中获取源IP的配置项 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; #一般的web服务器用这个 X-Real-IP 来获取源IP proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; #如果nginx 服务器是作为反向代理服务器的,则这个配置项是必须的:否则看不到源IP 2. nginx 代理服务器的模块ngi

创建ACL语句使真机访问虚拟服务器的web服务并禁止访问FTP服务详解

创建ACL语句使真机访问虚拟服务器的web服务并禁止访问FTP服务 首先创建拓扑,然后规划好IP地址并连接拓扑线 配置理念是先配置简单的最后配置复杂的. 首先需要保证网络拓扑的互联互通:具体配置如下 R1上面的配置 SW3上面的配置 SW2上面的配置 SW1上面的配置 设置宿主机上的IP地址 打开虚拟机server 2008配置IP地址 给server 2008服务器 添加web服务和FTP服务 点击添加角色之后,再点击下一步,进入这个页面 再点击两次下一步,就会进入这个页面 后面根据提示点击下

iptables 添加80端口后,无法访问网站

服务器被攻击, 攻击情况如下,不断尝试破解密码: 之前的环境: 只通过hosts.allow 和hosts.deny 来限制IP登录,但是仍然出现以上问题. 环境: 服务器服务: devicot postfix  nginx  tomcat 处理方法:外网只能访问 80 端口,不能访问其他端口. 执行方法: http://www.cnblogs.com/JemBai/archive/2009/03/19/1416364.html iptables 添加80端口后,无法访问网站,布布扣,bubuk