Firewalld服务

一、安全知识体系

来自外部的安全攻击相对较少,内部造成的故障几率高达80%;
如果考虑安全,就需要牺牲性能;如果追求性能就无法兼顾安全

1、 硬件层面

  • 硬件层面:物理机安全,UPS,保持机房温度,防盗等
  • 系统层面:防止系统入侵,内核升级(打补丁),防病毒,避免弱口令,调整SSH端口
  • 站点安全: 防止DDOS(高防),网站防病毒(WAF),放注入(WAF),防挂马(WAF),防劫持(HTTPs);

2.云架构层面

  • 网络层面:不接入公网IP
  • 系统层面:防漏洞注入->安骑士(系统层面的应用入侵防护软件[Aliyun])
  • 网站层面
    • 防止SQL注入-> WAF(Web Application Firewall),进行url规则匹配,过滤;拦截异常流量。
    • 防止DDOS攻击->高防
  • HTTPs:防止网页篡改

3.云安全厂商

3.云安全架构拓扑

二、Firewalld

1.概述

  • 概念:Firewalld属于四层防火墙只能做tcp/udp规则;

  • 区域:firewalld预先准备了几套防火墙策略集合(策略模版),用户可以根据不同场景而选择不同的策略模板,从而实现防火墙策略之间的快速切换
一个网卡只能绑定一个区域,但一个区域可以绑定多个网卡
可以根据来源的地址设定不同的规则
区域 默认规则策略
trusted 允许所有的数据包流入与流出
home 拒绝流入的流量,除非与流出的流量相关;如果流量与ssh、mdns、ipp-client、amba-client与dhcpv6-clientf服务相关,则允许流量
internal 等同于home区域
work 拒绝流入的流量,除非与流出的流量相关;如果流量与ssh、ipp-client与dhcpv6-client服务相关,则允许流量
public 拒绝流入的流量,除非与流出的流量相关;如果流量与ssh与dhcpv6-client服务相关,则允许流量
external 拒绝流入的流量,除非与流出的流量相关;如果流量与ssh服务相关,则允许流量
dmz 拒绝流入的流量,除非与流出的流量相关;如果流量与ssh服务相关,则允许流量
block 拒绝流入的流量,除非与流出的流量相关
drop 拒绝流入的流量,除非与流出的流量相关

2.管理Firewalld

  • 开启firewalld服务
systemctl start firewalld
[root@m01 ~]# systemctl start firewalld.service 
  • 关闭firewalld服务
systemctl stop firewalld
[root@m01 ~]# systemctl stop firewalld.service 
  • 重启firewalld服务
systemctl restart firewalld
[root@m01 ~]# systemctl restart firewalld.service 
  • 查看firewalld服务状态
systemctl status firewalld
[root@m01 ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-08-11 12:25:39 CST; 3s ago
     Docs: man:firewalld(1)
 Main PID: 21022 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─21022 /usr/bin/python -Es /usr/sbin/firewalld --nofork -...

Aug 11 12:25:38 m01 systemd[1]: Starting firewalld - dynamic firewal....
Aug 11 12:25:39 m01 systemd[1]: Started firewalld - dynamic firewall....
Hint: Some lines were ellipsized, use -l to show in full.
  • 开机自启动firewalld服务
systemctl enable firewalld
[root@m01 ~]# systemctl enable firewalld.service 
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
  • 禁用firewalld服务
systemctl disable firewalld
[root@m01 ~]# systemctl disable firewalld.service 
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

3.Firewalld配置

  1. 配置状态(参数)
  • runtime-临时有效,即时生效;(默认)
  • permanent-永久有效,重启生效;
    带permanent参数的规则会写入到Firewalld配置文件(/etc/firewalld/zones/public.xml)
[root@m01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

[root@m01 ~]# firewall-cmd --add-service={http,https} --permanent
success

[root@m01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
</zone>
  1. firewall-cmd指令
  • 查看firewalld默认区域规则明细
    firewalld开启默认拒绝所有流量流入(ssh与dhcpv6-client除外),但允许流量流出
firewall-cmd --list-all
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • 查看Firewall默认区域
firewall-cmd --get-default-zone
[root@m01 ~]# firewall-cmd --get-default-zone 
public
  • 查看Firewall激活区域(默认没有激活区域)
firewall-cmd --get-active-zones
[root@m01 ~]# firewall-cmd --get-active-zones 
[root@m01 ~]# firewall-cmd --add-interface=eth0 --zone=public
success
[root@m01 ~]# firewall-cmd --add-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0
trusted
  interfaces: eth1
[root@m01 ~]# systemctl restart firewalld.service 
[root@m01 ~]# firewall-cmd --get-active-zones 
  • 查看Firewall指定区域的规则明细
firewall-cmd --zone=区域 --list-all
[root@m01 ~]# firewall-cmd --add-source=10.0.0.1/32 --zone=trusted
success
[root@m01 ~]# firewall-cmd --zone=trusted --list-all
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
  • 将指定源地址添加至Firewall的指定区域
firewall-cmd --add-source=IP地址/掩码 --zone=区域
[root@m01 ~]# firewall-cmd --list-all --zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.0.0.1/32
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • 将指定端口加入默认区域
firewall-cmd --add-interface=网络接口
[root@m01 ~]# firewall-cmd --add-interface=eth0
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'trusted' (see --get-active-zones)
You most likely need to use --zone=trusted option.

success
[root@m01 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0
  • 将指定端口加入指定区域
firewall-cmd --add-interface=网络接口 --zone=区域
[root@m01 ~]# firewall-cmd --add-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0
trusted
  interfaces: eth1
  • 将指定端口从默认区域移除
firewall-cmd --remove-interface=网络接口
[root@m01 ~]# firewall-cmd --remove-interface=eth0
success
[root@m01 ~]# firewall-cmd --get-active-zones 
trusted
  interfaces: eth1
  • 将指定端口从指定区域移除
firewall-cmd --remove-interface=网络接口 --zone=区域
[root@m01 ~]# firewall-cmd --remove-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones 
  • 重载Firewall服务
firewall-cmd --reload
[root@m01 ~]# firewall-cmd --get-active-zones 
trusted
  sources: 10.0.0.1/32

[root@m01 ~]# firewall-cmd --reload 
success

[root@m01 ~]# firewall-cmd --get-active-zones 
  • 将指定指定传输层协议的端口在Firewall默认区域放行
firewall-cmd --add-port=端口/传输层协议

通过{端口1,端口号2,端口号3}/传输层协议的形式一次指定多个端口
通过起始端口-结束端口/传输层协议的形式指定端口范围
[root@m01 ~]# firewall-cmd --add-port=23/tcp
success
[root@m01 ~]# firewall-cmd --add-port={67,68,80,443,3306}/tcp
success
[root@m01 ~]# firewall-cmd --add-port=8000-8080/tcp
success
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 23/tcp 67/tcp 68/tcp 80/tcp 443/tcp 3306/tcp 8000-8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • 将指定指定传输层协议的端口在Firewall默认区域拒绝
firewall-cmd --remove-port=端口/传输层协议
[root@m01 ~]# firewall-cmd --remove-port=23/tcp
success
[root@m01 ~]# firewall-cmd --remove-port={67,68}/tcp
success
[root@m01 ~]# firewall-cmd --remove-port=8000-8080/tcp
success
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • 将指定服务在Firewall默认区域放行
firewall-cmd --add-service=服务名
[root@m01 ~]# firewall-cmd --add-service=http
success
[root@m01 ~]# firewall-cmd --add-service={ftp,tftp,dhcp}
success
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client http ftp tftp dhcp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • 将指定服务在Firewall默认区域拒绝
firewall-cmd --remove-service={服务名1,服务名2}
[root@m01 ~]# firewall-cmd --remove-service={http,ssh,dhcpv6-client}
success
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ftp tftp dhcp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

/usr/lib/firewalld/services/ 保存的模板Firewall服务可调用服务文件

< ?xml version="1.0" encoding="utf-8"? >
< service >

#简称
< short > WWW (HTTP) < /short >

#描述
< description >HTTP is the protocol used to serve Web pages. If you plan to make your Web >server publicly available, enable this option. This option is not required for viewing pages >locally or developing Web pages.< /description >
#服务调用的传输层协议和端口
< port protocol="tcp" port="80"/ >
< /service >

该文件的文件名一定要以.xml结尾,文件名就是Firewall服务可调用的服务,其实质还是调用指定协议的指定端口
[root@m01 ~]# firewall-cmd --add-service=isakmp
Error: INVALID_SERVICE: isakmp

step1 自定义服务

[root@m01 ~]# cp /usr/lib/firewalld/services/http.xml /usr/lib/firewalld/services/isakmp.xml
[root@m01 ~]# vim /usr/lib/firewalld/services/isakmp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IPsec VPN (isakmp)</short>
  <description>Internet security association and key management protocol
</description>
  <port protocol="tcp" port="500"/>
</service>
[root@m01 ~]# firewall-cmd --reload 
success

step2 验证

[root@m01 ~]# firewall-cmd --add-service=isakmp
success
[root@m01 ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client isakmp
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

4.Firewalld富规则配置

富规则按先后顺序匹配,按先匹配到的规则生效,但是拒绝规则优先生效

[root@aspen ~]# firewall-cmd --add-rich-rule="rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept"
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop"
success
[root@aspen ~]# firewall-cmd --list-all
public
......
  rich rules: 
    rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept
    rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop
---------------------------------------------------------------------------------------------------------------------------
[root@m01 ~]# ssh root@172.16.1.201
ssh: connect to host 172.16.1.201 port 22: Connection timed out
  • 说明
Firewalld富规则表示更加细致、更加详细的防火墙策略配置,他可以针对系统服务、端口号、源地址和目标地址等诸多信息进行更有针对性的策略配置;其执行优先级也是在所有防火墙策略中最高的。
  • 帮助手册
man firewall-cmd #Firewalld帮助手册
man firewalld.richlanguage #Firewalld富规则配置帮助手册

富规则手册
rule
[source]
[destination]
service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
[log]
[audit]
[accept|reject|drop|mark]

rule [family="ipv4|ipv6"]
source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
destination [not] address="address[/mask]"

service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
icmp-block name="icmptype name"
masquerade
icmp-type name="icmptype name"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
source-port port="port value" protocol="tcp|udp"

log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
audit [limit value="rate/duration"]
  • 富规则相关参数
    在指定区域添加一条富规则
--add-rich-rule='规则'

在指定区域删除一条富规则

--remove-rich-rule='规则'

在指定区域搜索一条富规则(找到规则返回0,找不到规则返回1)

--query-rich-rule='规则'

列出指定区域所有富规则

--list-rich-rule='规则'

规则:

'rule family=ipv4 source address=IP地址/掩码 port port=端口号 protocol=传输层协议 动作'

示例
firewall-cmd -- add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=32 protocol=tcp accept'

环境准备

[root@aspen ~]# systemctl restart firewalld.service 
[root@aspen ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

例题1 允许10.0.0.161主机能够访问http服务,允许172.16.1.0/24能够访问22端口;
step1 设置规则

[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.161 port port=80 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.0.0.161" port port="80" protocol="tcp" accept
    rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept

step2 验证

#HTTP
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161 
[root@m01 ~]# curl 10.0.0.201
Test_Page Provided by Apach

[root@lb01 ~]# hostname -I
10.0.0.15 10.0.0.13 172.16.1.15 
[root@lb01 ~]# curl 10.0.0.201
curl: (7) Failed connect to 10.0.0.201:80; No route to host
#SSH
[root@m01 ~]# ssh 10.0.0.201
ssh: connect to host 10.0.0.201 port 22: No route to host
[root@m01 ~]# ssh 172.16.1.201
root@172.16.1.201's password: 
Last login: Sun Aug 11 13:37:13 2019 from 10.0.0.1
[root@aspen ~]# 

例题2 默认public区域对外开放所有人都能通过ssh服务连接,但拒绝172.16.1.0/24网段通过ssh连接服务器
step1 设置规则

[root@aspen ~]# firewall-cmd --add-service=ssh
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp drop"
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop

step2 验证

[root@m01 ~]# ssh 172.16.1.201
root@172.16.1.201's password: 
Last login: Sun Aug 11 13:37:13 2019 from 10.0.0.1
[root@aspen ~]# logout
Connection to 172.16.1.201 closed.
[root@m01 ~]# ssh 172.16.1.201
ssh: connect to host 172.16.1.201 port 22: Connection timed out

例题3 允许所有人能访问http和https服务,但只有10.0.0.1主机可以访问ssh服务;
step1 设置规则

[root@aspen ~]# firewall-cmd --add-port={80,443}/tcp
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 port port=22 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.0.0.1" port port="22" protocol="tcp" accept

step2 验证

#HTTP/HTTPs
[root@m01 ~]# curl 10.0.0.201
Test_Page Provided by Apache
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161 
[root@lb01 ~]# curl 10.0.0.201
Test_Page Provided by Apache
[root@lb01 ~]# hostname -I
10.0.0.15 10.0.0.13 172.16.1.15 
#SSH
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161 
[root@m01 ~]# ssh root@172.16.201
ssh: connect to host 172.16.201 port 22: Connection refused
[D:\~]$ ipconfig 

Windows IP 配置
以太网适配器 VMware Network Adapter VMnet8:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::148f:b2f1:f63a:c878%18
   IPv4 地址 . . . . . . . . . . . . : 10.0.0.1
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 
[D:\~]$ ssh root@10.0.0.201

Connecting to 10.0.0.201:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 14:04:58 2019 from 10.0.0.161
[root@aspen ~]# 

5.Firewalld实现路由与端口转发

  • 路由+NAT
firewall-cmd --add-masquerade
[root@aspen ~]# firewall-cmd --add-masquerade 
success
开启Firewalld服务的路由转发功能,内核转发自动打开;
且关闭Firewalld服务路由功能时,内核转发功能不会自动关闭
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_use_pmtu = 0
......
[root@aspen ~]# firewall-cmd --add-masquerade 
success
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
......
[root@aspen ~]# firewall-cmd --remove-masquerade 
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
......
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

路由转发功能验证

[root@aspen ~]# firewall-cmd --add-masquerade
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
[root@lb01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.15
PREFIX=24
#GATEWAY=10.0.0.254
DNS1=10.0.0.254
[root@lb01 ~]# systemctl restart network
[root@lb01 ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0c:29:81:e4:ae brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:81:e4:b8 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.15/24 brd 172.16.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe81:e4b8/64 scope link 
       valid_lft forever preferred_lft forever
[root@lb01 ~]# ping baidu.com
ping: baidu.com: Name or service not known
[root@lb01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.15
PREFIX=24
GATEWAY=172.16.1.201
DNS1=223.5.5.5
[root@lb01 ~]# systemctl restart network
[root@lb01 ~]# ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=127 time=12.4 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=127 time=13.7 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=3 ttl=127 time=13.5 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=4 ttl=127 time=18.3 ms
^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 12.440/14.522/18.334/2.257 ms
  • 机器间端口转发
firewall-cmd --add-masquerade #开启路由转发功能
firewall-cmd --add-rich-rule="rule family=ipv4 source address=源地址 forward-port port=请求端口 protocol=传输层协议 to-port=转发端口 to-addr=转发地址" #端口转发

例题1 将源地址为10.0.0.1主机对服务器5555端口的请求转发至后端服务器172.16.1.161的22端口

[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 forward-port port=5555 protocol=tcp to-port=22 to-addr=172.16.1.161"
success
[root@aspen ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.161"

结果验证

[D:\~]$ ipconfig 

Windows IP 配置
以太网适配器 VMware Network Adapter VMnet8:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::148f:b2f1:f63a:c878%18
   IPv4 地址 . . . . . . . . . . . . : 10.0.0.1
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 

[D:\~]$ ssh root@10.0.0.201 5555

Connecting to 10.0.0.201:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 15:27:09 2019 from 10.0.0.1
[root@m01 ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
......
  • IP路由相内核关参数
0表示关闭,1表示开启
  1. net.ipv4.ip_forward 内核路由转发
  2. net.ipv4.icmp_echo_ignore_all 内核echo包响应(0表示允许,1表示禁止)
    相关命令
sysctl #查看或设置内核参数

-a #查看内核所有变量
-p #查看配置文件生效的内核参数

配置文件:/etc/sysctl.conf

[root@aspen ~]# vim /etc/sysctl.conf 
......
#net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_all=1
[root@aspen ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
[D:\~]$ ping 10.0.0.201

正在 Ping 10.0.0.201 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。

10.0.0.201 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),

[D:\~]$ ssh root@10.0.0.201

Connecting to 10.0.0.201:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 15:22:58 2019 from 10.0.0.1
[root@aspen ~]# 

附:思维导图

发表评论

您的电子邮箱地址不会被公开。