Linux防火墙基础
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux防火墙基础相关的知识,希望对你有一定的参考价值。
SElinux配置
[[email protected] ~]# getenforce
Enforcing
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
[[email protected] ~]# setenforce 1
[[email protected] ~]# getenforce
Enforcing
######################################################################################
配置聚合链路
[[email protected] ~]# man teamd.conf /example 查找相关命令
1.添加聚合连接team0 #加队取名定模式
[[email protected] ~]# nmcli connection add type team con-name team0 ifname team0 config ‘{ "runner": {"name": "activebackup"}}‘
Connection ‘team0‘ (3d3cdab0-e8aa-4db0-90de-7863c6d9f798) successfully added.
[[email protected] ~]# cat /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
TEAM_CONFIG="{ \"runner\": {\"name\": \"activebackup\"}}"
DEVICETYPE=Team
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=team0
UUID=3d3cdab0-e8aa-4db0-90de-7863c6d9f798
ONBOOT=yes
[[email protected] ~]# ifconfig
team0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6a:1f:d4:35:9f:2b txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2.team0中添加网卡 #slave 奴隶 添加奴隶 选卡
[[email protected] ~]# nmcli connection add type team-slave ifname eth1 master team0
Connection ‘team-slave-eth1‘ (e0deb3ce-ed1b-4001-9616-bf483e3240f7) successfully added.
[[email protected] ~]# nmcli connection add type team-slave ifname eth2 master team0
Connection ‘team-slave-eth2‘ (275238d8-df7a-4761-8635-0815a6510b6f) successfully added.
3.配置team0的IP地址
[[email protected] ~]# nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconnect yes
4.激活team0和各个网卡
[[email protected] ~]# nmcli connection up team-slave-eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[[email protected] ~]# nmcli connection up team-slave-eth2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
[[email protected] ~]# nmcli connection up team0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
5.验证
[[email protected] ~]# teamdctl team0 state
setup:
runner: activebackup
ports:
eth2
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
eth1
link watches:
link summary: up
instance[link_watch_0]:
name: ethtool
link: up
runner:
active port: eth2
删除相关设置
nmcli connection delete team-slave-eth1
nmcli connection delete team-slave-eth2
nmcli connection delete team0
####################################################################################
自定义命令
[[email protected] ~]# vim /root/.bashrc #影响root文件
alias hello=‘echo hello‘
[[email protected] ~]# vim /home/student/.bashrc #影响student文件
alias hi=‘echo hi‘
[[email protected] ~]# vim /etc/bashrc #影响全局配置
alias xixi=‘echo xixi‘
退出远程连接重新登陆
[[email protected] ~]# exit
登出
[[email protected] 桌面]# s
Last login: Wed Nov 1 08:33:41 2017 from 172.25.0.250
验证
[[email protected] ~]# hello
hello
[[email protected] ~]# xixi
xixi
[[email protected] ~]# hi
bash: hi: 未找到命令...
换到用户student验证
[[email protected] root]$ hi
hi
[[email protected] root]$ xixi
xixi
[[email protected] root]$ hello
bash: hello: 未找到命令...
[[email protected] root]$
#######################################################################################
防火墙策略管理
搭建基本的web服务
服务端 Apache httpd
1 安装httpd软件
yum -y install httpd
2 重启httpd服务 设置开机自启
[[email protected] ~]# systemctl restart httpd
[[email protected] ~]# systemctl enable httpd
3 设计简单网页
[[email protected] ~]# vim /var/www/html/index.html
<marquee><font color=green><h1>hahahahahahahahaha
[[email protected] ~]# firefox 172.25.0.11
4 FTP服务的搭建 #FTP做文件传输服务
[[email protected] ~]# yum -y install vsftpd
[[email protected] ~]# systemctl restart vsftpd
[[email protected] ~]# systemctl enable vsftpd
5 测试
[[email protected] ~]# firefox ftp://172.25.0.11
防火墙
查看防火墙状态
[[email protected] ~]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since 三 2017-11-01 08:28:25 CST; 7h ago
Main PID: 481 (firewalld)
CGroup: /system.slice/firewalld.service
└─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...
11月 01 08:28:25 localhost systemd[1]: Started firewalld - dynamic....
Hint: Some lines were ellipsized, use -l to show in full.
预设安全区域
public
trusted
block
drop
##################################################################################
防火墙判断的规则:匹配及停止
1.首先看请求(客户端)当中的源IP地址,所有区域中是否有对于改IP地址的策略,如果有则该请求进入该区域
2.进入默认区域
虚拟机desktop0:
# firefox http://172.25.0.11 #访问失败
# firefox ftp://172.25.0.11 #访问失败
虚拟机server0:
# firewall-cmd --get-default-zone #查看默认区域
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=public --add-service=http #添加服务
# firewall-cmd --zone=public --list-all #查看区域规则信息
虚拟机desktop0:
# firefox http://172.25.0.11 #访问成功
# firefox ftp://172.25.0.11 #访问失败
虚拟机server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all
虚拟机desktop0:
# firefox ftp://172.25.0.11 #访问成功
#####################################################
--permanent选项:实现永久设置
虚拟机server0:
# firewall-cmd --reload #重新加载防火墙
# firewall-cmd --zone=public --list-all
# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload #重新加载防火墙
# firewall-cmd --zone=public --list-all
####################################################
修改默认的区域,不需要加上--permanent
虚拟机desktop0:
# ping 172.25.0.11 #可以通信
虚拟机server0:
# firewall-cmd --set-default-zone=block #修改默认区域
# firewall-cmd --get-default-zone #查看默认区域
虚拟机desktop0:
# ping 172.25.0.11 #不可以通信
虚拟机server0:
# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone
虚拟机desktop0:
# ping 172.25.0.11 #通信无反馈
######################################################
虚拟机server0:
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10
# firewall-cmd --zone=public --list-all
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
虚拟机desktop0:
# firefox http://172.25.0.11
##################################################
实现本机的端口映射
本地应用的端口重定向(端口1 --> 端口2)
– 从客户机访问 端口1 的请求,自动映射到本机 端口2
– 比如,访问以下两个地址可以看到相同的页面:
虚拟机desktop0:
# firefox http://172.25.0.11:5423-------》172.25.0.11:80
虚拟机server0:
# firewall-cmd --permanent --zone=public
--add-forward-port=port=5423:proto=tcp:toport=80
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
虚拟机desktop0:
# firefox http://172.25.0.11:5423
以上是关于Linux防火墙基础的主要内容,如果未能解决你的问题,请参考以下文章