Linux firewalld firewall tuning strategy

I. firewalld

A firewall is a protective barrier built from a combination of software and hardware at the boundary between an internal network and an external network, or between a private network and a public network. The name is a figurative description of a way of obtaining security: a combination of computer hardware and software that establishes a security gateway between the Internet and the intranet, protecting the internal network from intrusion by unauthorised users. A firewall consists mainly of four parts: service access rules, verification tools, packet filtering and application gateways. Put simply, a firewall is a piece of software or hardware that sits between a computer and the network it is connected to; all network traffic and packets entering or leaving that computer must pass through it.

In networking, a "firewall" is a method of separating an internal network from a publicly accessible network (such as the Internet); it is in effect an isolation technique. A firewall is an access-control measure applied when two networks communicate: it lets the people and data you "approve" into your network while keeping the people and data you "do not approve" out, and so does as much as possible to stop attackers on the network from reaching yours. In other words, without passing through the firewall, people inside the company cannot reach the Internet and people on the Internet cannot communicate with people inside the company.



The relationship between firewalld and iptables

firewalld does not implement the firewall itself; like iptables, it relies on the kernel's netfilter. In other words, firewalld and iptables both exist to maintain rules, while the actual work of enforcing those rules is done by netfilter in the kernel. The two differ only in structure and in how they are used.

firewalld configuration layout

firewalld's configuration files are mostly XML (the main configuration file firewalld.conf is the exception) and live in two places:

1. /etc/firewalld/ user configuration files

2. /usr/lib/firewalld/ system configuration files, the preset files

 

firewalld decides which zone applies to a received request in three ways:

1. source, i.e. the source address: highest priority

2. interface, the NIC that received the request: second priority

3. the default zone configured in firewalld.conf: lowest priority
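The three-level lookup above is easy to get wrong in practice (a source binding silently overrides the interface zone you expected). The script below is an added example, not part of the original post, that models the lookup with constructed bindings resembling the lab host on this page (the ROL and trusted sources, eth0 in public) plus an extra "internal" interface binding and a "dmz" network so every level is exercised; it does not talk to a live firewalld.

```shell
#!/bin/sh
# Added example, not from the original post: a model of the zone lookup
# firewalld performs for an incoming packet, in the order given above:
#   1. a zone that has the packet's source address bound to it,
#   2. a zone that has the receiving interface bound to it,
#   3. DefaultZone from /etc/firewalld/firewalld.conf.
# All bindings below are constructed sample data.

SOURCE_BINDINGS='172.25.0.252/32 ROL
172.25.254.2/32 trusted
10.10.0.0/16 dmz'

INTERFACE_BINDINGS='eth0 public
eth1 internal'

DEFAULT_ZONE=public   # constructed DefaultZone=public

# ip4_to_int A.B.C.D: print the address as a 32-bit integer.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip4_in_cidr IP NET/PREFIX: succeed when IP falls inside the prefix.
ip4_in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32        # bare address: treat as /32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolve_zone SRC_IP IFACE: print the zone the packet is evaluated in.
resolve_zone() {
    src=$1; iface=$2
    # 1. a source binding wins over everything else
    zone=$(printf '%s\n' "$SOURCE_BINDINGS" | while read -r cidr z; do
        if ip4_in_cidr "$src" "$cidr"; then echo "$z"; break; fi
    done)
    if [ -n "$zone" ]; then echo "$zone"; return 0; fi
    # 2. then the interface the packet arrived on
    zone=$(printf '%s\n' "$INTERFACE_BINDINGS" | while read -r i z; do
        if [ "$i" = "$iface" ]; then echo "$z"; break; fi
    done)
    if [ -n "$zone" ]; then echo "$zone"; return 0; fi
    # 3. finally the default zone
    echo "$DEFAULT_ZONE"
}

# Stand-alone run: show the lookup for a few constructed packets.
for probe in "172.25.254.2 eth0" "10.10.3.4 eth1" "10.0.0.5 eth1" "10.0.0.5 wlan0"; do
    set -- $probe
    printf '%-16s via %-6s -> %s\n' "$1" "$2" "$(resolve_zone "$1" "$2")"
done
```

Note that 172.25.254.2 arriving on eth0 lands in trusted, not public, even though eth0 is bound to public: the source binding is checked first, which is exactly why adding a source to trusted (as the page does later) opens the host to everything from that address regardless of interface.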


[[email protected] ~]# yum install firewall-config -y

[[email protected] ~]# firewall-config


[[email protected] ~]# yum search iptables


[[email protected] ~]# yum list iptables-services.x86_64


Enabling firewalld

[ [email protected] ~]# systemctl stop iptables.service
[ [email protected] ~]# systemctl disable iptables.service
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[ [email protected] ~]# systemctl start firewalld
[ [email protected] ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'

ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'


Inspecting the firewall

firewall-cmd --state                          #check whether firewalld is running
firewall-cmd --get-active-zones               #show the zones currently in effect
firewall-cmd --get-default-zone               #show the default zone
firewall-cmd --get-zones                      #list all zones
firewall-cmd --zone=public --list-all         #show the settings of the public zone
firewall-cmd --zone=block --list-all          #show the settings of the block zone
firewall-cmd --list-all-zones                 #show the status of every zone
firewall-cmd --list-all                       #list the rules of the default zone
firewall-cmd --get-services                   #list the services the system knows by name
firewall-config                               #open the graphical firewall tool




Test:

[ [email protected] ~]# firewall-cmd --state
running
[ [email protected] ~]# firewall-cmd --get-active-zones
ROL
  sources: 172.25.0.252/32
public
  interfaces: eth0
[ [email protected] ~]# firewall-cmd --get-default-zone
public
[ [email protected] ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[ [email protected] ~]# firewall-cmd --zone=block --list-all
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:



Changing the firewalld zone

Change the default zone to trusted:
firewall-cmd --set-default-zone=trusted
This means every network connection is accepted.


[ [email protected] ~]# yum install httpd -y
[ [email protected] ~]# systemctl start httpd

[[email protected] ~]# echo westos> /var/www/html/index.html

Browser test:

172.25.254.102

The page is not visible, because the firewalld zone is public.


[ [email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
[ [email protected] ~]# systemctl restart network
[ [email protected] ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.102  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe00:20a  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:02:0a  txqueuelen 1000  (Ethernet)
        RX packets 46197  bytes 325308296 (310.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29997  bytes 200042107 (190.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.202  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe03:6514  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:03:65:14  txqueuelen 1000  (Ethernet)
        RX packets 10521  bytes 1144837 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 3837 (3.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[ [email protected] ~]# firewall-cmd --set-default-zone=trusted                                         #change the default firewalld zone to trusted
success
[ [email protected] ~]# firewall-cmd --get-default-zone
trusted
[ [email protected] ~]# firewall-cmd --get-active-zone
ROL
  sources: 172.25.0.252/32
trusted
  interfaces: eth0 eth1
[ [email protected] ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[ [email protected] ~]# firewall-cmd --list-all
trusted (default, active)
  interfaces: eth0 eth1
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

 

Browser test:

172.25.254.102

The page is visible.



Configuring the firewall from the command line


Set the zone to public:

[[email protected] ~]# firewall-cmd --set-default-zone=public

success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
Browser on the physical host: 172.25.254.102 : the page is not visible


Add a specific IP to the trusted zone:


[ [email protected] ~]# firewall-cmd --add-source=172.25.254.2 --zone=trusted

success


Only the local host and the physical host can see the page.


[ [email protected] ~]# yum install elinks -y

[ [email protected] Desktop]# elinks http://172.25.254.102


Changing the zone of an interface:

[ [email protected] ~]# firewall-cmd --list-interfaces
eth0 eth1
[ [email protected] ~]# firewall-cmd --get-zone-of-interface=eth1
public
[ [email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
public
[ [email protected] ~]# firewall-cmd --change-interface=eth0 --zone=trusted
success
[ [email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
trusted
[ [email protected] ~]# firewall-cmd --remove-interface=eth0
success
[ [email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
no zone
[ [email protected] ~]# firewall-cmd --change-interface=eth0 --zone=public
success
[ [email protected] ~]# firewall-cmd --get-zone-of-interface=eth0
public



Permanently add a source to the zone, so that it survives a restart:


[ [email protected] ~]# firewall-cmd --permanent --add-source=172.25.254.2
success
[ [email protected] ~]# firewall-cmd --reload
success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    


Adding a specific service

[[email protected] ~]# cd /etc/firewalld

[ [email protected] firewalld]# ls
firewalld.conf  firewalld.conf.old  icmptypes  lockdown-whitelist.xml  services  zones
[ [email protected] firewalld]# cd zones
[ [email protected] zones]# ls
public.xml  public.xml.old  ROL.xml
[ [email protected] zones]# vim public.xml                                                          #edit the firewalld zone file

  <service name="http"/>                                                                       #add the http service

[ [email protected] zones]# systemctl restart firewalld
[ [email protected] zones]# firewall-cmd --list
usage: see firewall-cmd man page
firewall-cmd: error: ambiguous option: --list could match --list-lockdown-whitelist-contexts, --list-all, --list-lockdown-whitelist-uids, --list-ports, --list-forward-ports, --list-icmp-blocks, --list-interfaces, --list-rich-rules, --list-services, --list-lockdown-whitelist-commands, --list-all-zones, --list-sources, --list-lockdown-whitelist-users
[ [email protected] zones]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    

[ [email protected] zones]# cd /usr/lib/firewalld
[r [email protected]ient firewalld]# ls
icmptypes  services  zones
[ [email protected] firewalld]# cd services
[ [email protected] services]# vim http.xml

Adding a port:


[ [email protected] services]# cd
[ [email protected] ~]# firewall-cmd --add-port=8080/tcp --zone=public
success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

  

Temporarily removing an allowed service:

[ [email protected] ~]# firewall-cmd --remove-service=ssh
success


[ [email protected] Desktop]# ssh [email protected]                                                #cannot connect to the virtual machine
ssh: connect to host 172.25.254.102 port 22: No route to host

Restoring:

[ [email protected] services]# cd
[ [email protected] ~]# firewall-cmd --add-port=8080/tcp --zone=public
success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

 

 

Permanently removing an allowed service:


[ [email protected] ~]# firewall-cmd --remove-service=ssh
success
[ [email protected] ~]# firewall-cmd --reload
success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[ [email protected] ~]# firewall-cmd --permanent --remove-service=ssh
success
[ [email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.2
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    

[[email protected] ~]# firewall-cmd --complete-reload


When the ssh service allowed by firewalld is permanently removed, the difference between reloading with firewall-cmd --reload and with firewall-cmd --complete-reload is:

With the physical host already connected to the server host:
reloading with firewall-cmd --reload does not break the connection, and you can keep working (the runtime configuration is replaced but established connections survive)
reloading with firewall-cmd --complete-reload breaks the connection, and you can no longer work (the firewall is rebuilt completely, including connection state)
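The confusion in the previous section (ssh removed at runtime but back after --reload, then removed permanently but still listed at runtime) is a mismatch between the runtime and the permanent configuration. As an added example that is not part of the original post, the script below compares the two service lists of a zone so the mismatch is visible before a reload changes the live rules. The sample strings are constructed to match the state after the page's `firewall-cmd --permanent --remove-service=ssh` (no reload yet); the check_zone function is the only part that needs a live firewalld and root.

```shell
#!/bin/sh
# Added example, not from the original post: compare the runtime and the
# permanent service list of a firewalld zone. A service present only at
# runtime disappears on the next --reload; one present only in the permanent
# config appears on the next --reload.

# service_diff RUNTIME PERMANENT: the two lists are whitespace-separated
# strings as printed by `firewall-cmd [--permanent] --list-services`.
# Prints "runtime-only: X" / "permanent-only: Y" for every mismatch.
service_diff() {
    runtime=$1; permanent=$2
    for s in $runtime; do
        case " $permanent " in *" $s "*) ;; *) echo "runtime-only: $s" ;; esac
    done
    for s in $permanent; do
        case " $runtime " in *" $s "*) ;; *) echo "permanent-only: $s" ;; esac
    done
}

# in_sync RUNTIME PERMANENT: succeed when both lists contain the same services.
in_sync() {
    [ -z "$(service_diff "$1" "$2")" ]
}

# check_zone [ZONE]: query a live firewalld (needs root and firewall-cmd).
# Run it before `firewall-cmd --reload` to see what the reload will change.
check_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    service_diff "$(firewall-cmd --zone="$zone" --list-services)" \
                 "$(firewall-cmd --zone="$zone" --permanent --list-services)"
}

# Constructed sample: runtime still has ssh, the permanent config no longer
# does (the state right after --permanent --remove-service=ssh on this page).
RUNTIME_SAMPLE="dhcpv6-client http ssh"
PERMANENT_SAMPLE="dhcpv6-client http"

# Stand-alone run prints: runtime-only: ssh
service_diff "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```

A "runtime-only: ssh" line is the warning that matters on a remote box: the next --reload will drop ssh from the zone, and --complete-reload will additionally cut the session you are typing in.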




Direct Rules

Three tables:
filter: traffic to and from this host; filtering, the firewall proper (contains INPUT, OUTPUT, FORWARD)
nat: traffic passing through this host; network address translation (contains OUTPUT, PREROUTING, POSTROUTING)
mangle: packet modification (contains INPUT, OUTPUT, POSTROUTING, PREROUTING, FORWARD)
Five chains:
INPUT: the destination address is this host
OUTPUT: the source address is this host, sending outwards
FORWARD: forwarding
POSTROUTING: after the packet has been routed
PREROUTING: before the packet is routed


Once http is added to the list of services firewalld allows, every host can reach it, which is not secure. Access should instead be granted to individual hosts, to keep the service safe.


1. Allow a specific IP to access a specific service


[[email protected] ~]# firewall-cmd --list-all                                                          #show the firewall settings
[[email protected] ~]# yum install httpd -y
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    
[[email protected] ~]# firewall-cmd --permanent --add-service=http                   #permanently allow the http service
success
[[email protected] ~]# firewall-cmd --reload                                                           #reload
success

[[email protected] ~]# firewall-cmd --list-all                                                            #confirm that it has been added

public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


In a browser on the physical host and on the server:
172.25.254.102
the http test page is visible


2. Restricting access for individual hosts

Test:

[[email protected] ~]# firewall-cmd --permanent --remove-service=http                   #permanently stop allowing the http service

success

[[email protected] ~]# firewall-cmd --reload
success

Refresh the browser: neither host can see the page now.


[[email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:

  rich rules:


Experiment:

[[email protected] ~]# iptables -nL                                               #show the filter table

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To block access, the rule must be placed in the INPUT chain.
       
[[email protected] ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 80 -s 172.25.254.202 -j ACCEPT
success

#--direct add a rule directly; ipv4 the address family; filter the table; INPUT the chain; 1 the priority; -p the protocol; --dport the destination port; -s the source address; -j the action (REJECT refuses and sends a reply, DROP refuses silently, ACCEPT allows)
For refusing, REJECT is normally used.


[[email protected] ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp --dport 80 -s 172.25.254.202 -j ACCEPT


Browser test:
the physical host cannot see the page; the server can
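The --direct rule above does the job, but it bypasses the zone model: it does not show up under the zone, is written in raw iptables syntax, and has to be typed exactly the same way to be removed. The same per-host allowance can be expressed as a firewalld rich rule inside the zone. The script below is an added example, not part of the original post; the `rule family="ipv4" source address=... service name=... accept` syntax is firewalld's rich-rule language, and the FIREWALL_CMD variable is an assumption of this script so that it can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post: allow a service for a single
# host (or prefix) with a firewalld rich rule rather than a --direct rule.
# Rich rules belong to the zone, appear under "rich rules:" in
# firewall-cmd --list-all, survive --reload when added with --permanent and
# are removed with the exact same rule string. FIREWALL_CMD defaults to the
# real firewall-cmd (needs root); point it at a stub for a dry run.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# valid_ipv4 ADDR[/PREFIX]: succeed for a dotted quad with octets 0-255 and
# an optional /0-/32 prefix, so a typo never reaches firewall-cmd.
valid_ipv4() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# rich_rule SOURCE SERVICE [ACTION]: print the rule string. ACTION is accept
# (default), reject (refuse with a reply) or drop (refuse silently).
rich_rule() {
    src=$1; svc=$2; action=${3:-accept}
    valid_ipv4 "$src" || { echo "rich_rule: bad source address: $src" >&2; return 1; }
    case "$action" in accept|reject|drop) ;;
        *) echo "rich_rule: bad action: $action" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' \
        "$src" "$svc" "$action"
}

# allow_service_from SOURCE SERVICE [ZONE]: add the rule to the permanent
# config and reload so runtime and permanent agree. The service must NOT also
# be in the zone's plain services list, or every source is accepted anyway.
allow_service_from() {
    rule=$(rich_rule "$1" "$2") || return 1
    "$FIREWALL_CMD" --zone="${3:-public}" --permanent --add-rich-rule="$rule" \
        && "$FIREWALL_CMD" --reload
}

# revoke_service_from SOURCE SERVICE [ZONE]: remove the same rule again.
revoke_service_from() {
    rule=$(rich_rule "$1" "$2") || return 1
    "$FIREWALL_CMD" --zone="${3:-public}" --permanent --remove-rich-rule="$rule" \
        && "$FIREWALL_CMD" --reload
}

# Dry run, printing the commands instead of executing them:
#   sh allow-by-host.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    FIREWALL_CMD=echo
    allow_service_from 172.25.254.202 http public
fi
```

On the page's lab setup, `allow_service_from 172.25.254.202 http` after `--permanent --remove-service=http` gives the same result as the direct rule (the server can load the page, the physical host cannot), and `firewall-cmd --list-all` then shows the rule in the zone where the next administrator will look for it.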


Port forwarding

When someone connects to this host, they are in fact connected to another host.


Test:
[[email protected] Desktop]$ ssh [email protected] -X
[email protected]'s password:
Last login: Fri Jun  8 21:20:55 2018 from 172.25.254.2
[[email protected] ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.102  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe00:20a  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:02:0a  txqueuelen 1000  (Ethernet)
        RX packets 27767  bytes 8748266 (8.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1911  bytes 261245 (255.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[[email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:

  rich rules:


Experiment:

  

[[email protected] ~]# firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.202
success
    
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.202
  icmp-blocks:
  rich rules:
    
[[email protected] ~]# firewall-cmd --permanent --add-masquerade                                #permanently enable masquerading
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.202
  icmp-blocks:
  rich rules:



Test:

[[email protected] Desktop]$ ssh [email protected]
[email protected]'s password:
Last login: Fri Jun  8 23:02:19 2018 from 172.25.254.102
[[email protected] ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.202  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe00:20b  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:00:02:0b  txqueuelen 1000  (Ethernet)
        RX packets 66175  bytes 579744521 (552.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38019  bytes 2666875 (2.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Connecting to 172.25.254.102 actually lands on the host 172.25.254.202.




IP masquerading

Give the host that will do the masquerading two NICs, with IPs in different subnets.


On the desktop virtual machine, add an IP in another subnet:

[[email protected] ~]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-eth0   ifdown-ppp       ifup-eth     ifup-sit
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-Team
ifdown       ifdown-sit       ifup-ipv6    ifup-TeamPort
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-tunnel
ifdown-eth   ifdown-TeamPort  ifup-plip    ifup-wireless
ifdown-ippp  ifdown-tunnel    ifup-plusb   init.ipv6-global
ifdown-ipv6  ifup             ifup-post    network-functions
ifdown-isdn  ifup-aliases     ifup-ppp     network-functions-ipv6
ifdown-post  ifup-bnep        ifup-routes
[[email protected] network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[[email protected] network-scripts]# vim ifcfg-eth1

DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=none
IPADDR0=172.25.0.102
NETMASK=255.255.255.0
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
ONBOOT=yes
PERSISTENT_DHCLIENT=1


[[email protected] network-scripts]# systemctl restart network


Set the server virtual machine's IP to the same subnet as the desktop VM's eth1, and set its gateway to the IP of the desktop VM's eth1.
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
IPADDR0=172.25.0.202
GATEWAY=172.25.0.102
NETMASK=255.255.255.0
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
ONBOOT=yes
PERSISTENT_DHCLIENT=1

[[email protected] ~]# systemctl restart network


On the desktop virtual machine:

[[email protected] network-scripts]# firewall-cmd --permanent --remove-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.202

                                                                                                                   #permanently remove the port-forwarding rule added earlier (the specification must match the rule exactly as it was added)

[[email protected] network-scripts]# sysctl -a |grep ip_forward

net.ipv4.ip_forward = 0
[[email protected] network-scripts]# vim /etc/sysctl.conf


net.ipv4.ip_forward = 1

[[email protected] network-scripts]# sysctl -p                                              #load the parameters from the file (net.ipv4.ip_forward = 1)
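The last step above enables forwarding by hand-editing /etc/sysctl.conf and running sysctl -p; done by hand twice, or by a provisioning script, that easily leaves duplicate or commented-out copies of the key. The script below is an added example, not part of the original post, that performs the same edit idempotently: it replaces an existing (even commented-out) net.ipv4.ip_forward line or appends one, leaves every other line alone, and applies the file with `sysctl -p FILE` only when run as root. The file path is a parameter so the functions can be exercised on a scratch file; the sample file contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: set a sysctl key in a config
# file without duplicating it, then apply it with sysctl -p.

# set_sysctl_key FILE KEY VALUE: replace the first "KEY = ..." line, whether
# active or commented out, drop any later active copy, or append the line if
# the key is absent. Other lines are passed through unchanged.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            active = (line !~ /^#/)
            sub(/^#[ \t]*/, "", line)           # look through a comment marker
            split(line, kv, "[ \t]*=[ \t]*")
            if (kv[1] == key) {
                if (!done) { print key " = " value; done = 1; next }
                if (active) next                # drop a second active copy
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode
    rm -f "$tmp"
}

# get_sysctl_key FILE KEY: print the value of the last active KEY line, if any.
get_sysctl_key() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, "[ \t]*=[ \t]*")
            if (kv[1] == key) { v = kv[2]; sub(/[ \t]+$/, "", v) }
        }
        END { if (v != "") print v }' "$1"
}

# enable_ip_forward [FILE]: the page's step, made repeatable. The sysctl -p
# call is the only part that needs a live kernel and root.
enable_ip_forward() {
    file=${1:-/etc/sysctl.conf}
    set_sysctl_key "$file" net.ipv4.ip_forward 1 || return 1
    if [ "$(id -u)" -eq 0 ]; then sysctl -p "$file"; fi
}

# Apply for real with: sh ip-forward.sh --apply [/etc/sysctl.conf]
if [ "${1:-}" = "--apply" ]; then
    enable_ip_forward "${2:-/etc/sysctl.conf}"
fi
```

Forwarding is what turns the desktop VM into a router for the 172.25.0.0/24 side, so the masquerade rule added earlier only has an effect once this key is 1; checking the file with get_sysctl_key and the kernel with `sysctl -n net.ipv4.ip_forward` after a reboot is the quickest way to tell which of the two was forgotten.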