Linux Firewall Basics



SELinux configuration

# getenforce 
Enforcing
# setenforce 0        # switch to permissive for this boot only
# getenforce 
Permissive
# setenforce 1        # back to enforcing
# getenforce 
Enforcing

setenforce only changes the running mode and is forgotten at reboot; the mode used at boot comes from the SELINUX= line in /etc/selinux/config. Treat setenforce 0 as a temporary troubleshooting step (denials are still logged, just no longer blocked), not as a fix, and keep SELINUX=enforcing in the config file on any host that is meant to stay enforcing.



######################################################################################


Configuring link aggregation (teaming)

# man teamd.conf        # type /example inside man to jump to the sample runner configurations

1. Add the team connection team0                 # create the team, name it, pick the runner mode

# nmcli connection add type team con-name team0 ifname team0 config '{ "runner": {"name": "activebackup"}}'
Connection 'team0' (3d3cdab0-e8aa-4db0-90de-7863c6d9f798) successfully added.

# cat /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
TEAM_CONFIG="{ \"runner\": {\"name\": \"activebackup\"}}"
DEVICETYPE=Team
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=team0
UUID=3d3cdab0-e8aa-4db0-90de-7863c6d9f798
ONBOOT=yes

# ifconfig 
team0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 6a:1f:d4:35:9f:2b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2. Add the member NICs to team0                  # each physical NIC becomes a "slave" (port) of the team

# nmcli connection add type team-slave ifname eth1 master team0 
Connection 'team-slave-eth1' (e0deb3ce-ed1b-4001-9616-bf483e3240f7) successfully added.
# nmcli connection add type team-slave ifname eth2 master team0 
Connection 'team-slave-eth2' (275238d8-df7a-4761-8635-0815a6510b6f) successfully added.

3. Configure the IP address of team0

# nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconnect yes

4. Activate team0 and each member NIC

# nmcli connection up team-slave-eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
# nmcli connection up team-slave-eth2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
# nmcli connection up team0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

5. Verify

# teamdctl team0 state
setup:
  runner: activebackup
ports:
  eth2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: eth2

With the activebackup runner only one port (here eth2) carries traffic; the other stays idle until the ethtool link watch reports the active link down. "link summary: up" on every port is therefore the state to expect on a healthy team, and a port showing "down" means the team is running without redundancy even though it still passes traffic.

Removing the configuration

 nmcli connection delete team-slave-eth1
 nmcli connection delete team-slave-eth2
 nmcli connection delete team0
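The verification step above only tells you the team is healthy if somebody reads the output. As an added example (not part of the original notes), here is a small check that parses `teamdctl <team> state`, reports the active port and any port whose link is down, and exits non-zero when redundancy is lost, so it can run from cron or a monitoring agent. The first sample is the teamdctl output shown above; the second is a constructed copy with eth1 marked down. The function names are my own.

```shell
# Added example, not from the original notes: parse `teamdctl <team> state`
# and flag a team whose ports are not all up.  Reads the state text from
# stdin, so it works on a saved copy or live:
#   teamdctl team0 state | team_state_check
# Exit status: 0 when every port link is up, 1 otherwise.
team_state_check() {
    awk '
        /^ports:/  { in_ports = 1; next }
        /^runner:/ { in_ports = 0 }
        # a line indented by exactly two spaces inside "ports:" is a port name
        in_ports && /^  [^ ]/ { port = $1; total++; next }
        # "link summary" is the verdict of the link watch for that port
        in_ports && /link summary:/ && $3 != "up" {
            down = (down == "" ? port : down "," port)
        }
        /active port:/ { active = $3 }
        END {
            status = (down == "" ? "OK" : "DEGRADED")
            printf "%s active=%s ports=%d down=%s\n",
                   status, active, total, (down == "" ? "-" : down)
            exit (down == "" ? 0 : 1)
        }'
}

# Sample 1: the teamdctl output shown in the notes (both ports up, eth2 active)
sample_state_ok() {
cat <<'EOF'
setup:
  runner: activebackup
ports:
  eth2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: eth2
EOF
}

# Sample 2: constructed from sample 1 by flipping eth1's link to down
sample_state_degraded() {
    sample_state_ok | awk '
        /^  eth1$/ { in_eth1 = 1 }
        /^  eth2$/ || /^runner:/ { in_eth1 = 0 }
        in_eth1 && /link/ { sub(/up$/, "down") }
        { print }'
}

# Demo on the embedded samples
sample_state_ok       | team_state_check
sample_state_degraded | team_state_check || echo "team needs attention"
```

Because the awk program keys on the two-space indentation of port names and on the "link summary" line, it copes with any number of ports and with the extra link watches (arp_ping, nsna_ping) that a production team may define.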


####################################################################################


Custom commands (aliases)

# vim /root/.bashrc             # affects root only
alias hello='echo hello' 
# vim /home/student/.bashrc     # affects user student only
alias hi='echo hi'
# vim /etc/bashrc               # global: read by every user's interactive bash
alias xixi='echo xixi'

~/.bashrc and /etc/bashrc are read when a new interactive shell starts, so either log out and back in (as below) or run source ~/.bashrc in the current shell. Because /etc/bashrc is executed by every user's shell, root's included, it must stay writable only by root.

Log out of the remote session and log back in

# exit
logout
# s
Last login: Wed Nov  1 08:33:41 2017 from 172.25.0.250

Verify

# hello
hello
# xixi
xixi
# hi
bash: hi: command not found...

Switch to user student and verify

$ hi
hi
$ xixi
xixi
$ hello
bash: hello: command not found...
$ 


#######################################################################################


Firewall policy management

Set up a basic web service

Server side: Apache (httpd)

1 Install the httpd package

 yum -y install httpd

2 Restart httpd and enable it at boot

# systemctl restart httpd
# systemctl enable httpd

3 Write a simple page

# vim /var/www/html/index.html

<marquee><font color=green><h1>hahahahahahahahaha</h1></font></marquee>

# firefox 172.25.0.11

4 Set up an FTP service                          # vsftpd provides file transfer

# yum -y install vsftpd
# systemctl restart vsftpd
# systemctl enable vsftpd

5 Test

# firefox ftp://172.25.0.11

The ftp:// test works without a login because the stock vsftpd.conf on RHEL 7 enables anonymous access (anonymous_enable=YES); that is fine for this lab but should be switched off on any host that is not meant to serve anonymous downloads.


Firewall

Check the firewall status

# systemctl status firewalld.service 
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Wed 2017-11-01 08:28:25 CST; 7h ago
 Main PID: 481 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

Nov 01 08:28:25 localhost systemd[1]: Started firewalld - dynamic....
Hint: Some lines were ellipsized, use -l to show in full.

Predefined security zones (the ones used in these notes)

public   - rejects everything except the services explicitly listed (ssh and dhcpv6-client out of the box); the usual default zone
trusted  - accepts all incoming traffic
block    - rejects all incoming traffic and sends an ICMP "host prohibited" error back
drop     - discards all incoming traffic without any reply


##################################################################################


How firewalld picks a zone: first match, then stop

  1. The source IP address of the incoming request is compared with the source bindings of every zone; if some zone has a binding for that address, the request is handled by that zone.
  2. Otherwise the request goes to the default zone.

(Strictly, between steps 1 and 2 firewalld also checks whether the receiving interface is bound to a zone; an interface with no binding of its own is treated as belonging to the default zone.)

Virtual machine desktop0:
# firefox http://172.25.0.11  # fails
# firefox ftp://172.25.0.11   # fails

Virtual machine server0:
# firewall-cmd --get-default-zone        # show the default zone
# firewall-cmd --zone=public --list-all 
# firewall-cmd --zone=public --add-service=http   # allow a service (runtime only)
# firewall-cmd --zone=public --list-all   # show the zone's rules

Virtual machine desktop0:
# firefox http://172.25.0.11  # works
# firefox ftp://172.25.0.11   # still fails

Virtual machine server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all 

Virtual machine desktop0:
# firefox ftp://172.25.0.11   # works


#####################################################

 

 The --permanent option: make a setting persist

Without --permanent a change lives only in the running configuration: it takes effect at once but is discarded by --reload or by a restart of firewalld. With --permanent the change is written to /etc/firewalld/ but is not applied until --reload. The sequence below shows both sides: the first reload throws away the runtime-only http and ftp entries, and they come back only after being added permanently and reloaded. On a current firewalld, firewall-cmd --runtime-to-permanent saves the whole runtime configuration in one go instead of repeating every command.

Virtual machine server0:

# firewall-cmd --reload   # reload the firewall: the runtime-only services disappear
# firewall-cmd --zone=public --list-all 

# firewall-cmd --permanent --zone=public  --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http

# firewall-cmd --reload   # reload so the permanent entries become active
# firewall-cmd --zone=public --list-all 
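The reload above is where runtime-only work gets lost, and the notes catch it only by eyeballing --list-all twice. As an added example (not from the original notes), the following check compares the runtime and permanent dumps of a zone and reports what a reload would discard and what is still waiting to become active. The two dumps embedded here are constructed to mirror the notes (http and ftp added at runtime, only http added permanently, plus a permanent forward-port that has not been reloaded yet); on a real host you feed it the output of the two --list-all commands shown in the comment. Function names are my own.

```shell
# Added example, not from the original notes: diff the runtime and the
# permanent configuration of a zone before running --reload.
# Usage on a live host:
#   firewall-cmd --zone=public --list-all             > /tmp/runtime
#   firewall-cmd --permanent --zone=public --list-all > /tmp/permanent
#   permanent_drift /tmp/runtime /tmp/permanent

# Print the value of one "key:" line from a --list-all dump
listall_field() {
    sed -n "s/^ *$2: *//p" "$1"
}

# Words of $1 that do not occur in $2 (both are space-separated lists)
missing_from() {
    out=""
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) out="$out $w" ;;
        esac
    done
    printf '%s' "${out# }"
}

# permanent_drift RUNTIME_DUMP PERMANENT_DUMP
permanent_drift() {
    for key in services ports forward-ports; do
        rt=$(listall_field "$1" "$key")
        pm=$(listall_field "$2" "$key")
        lost=$(missing_from "$rt" "$pm")       # active now, gone after --reload
        pending=$(missing_from "$pm" "$rt")    # saved, but not active until --reload
        echo "$key: lost_on_reload=${lost:-none} pending_until_reload=${pending:-none}"
    done
}

# Constructed dumps (RHEL 7 style output) mirroring the situation in the notes
sample_runtime() {
cat <<'EOF'
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http ftp
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
EOF
}
sample_permanent() {
cat <<'EOF'
public (default)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports:
  masquerade: no
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
  icmp-blocks:
  rich rules:
EOF
}

# Demo on the embedded samples
tmp=$(mktemp -d)
sample_runtime   > "$tmp/runtime"
sample_permanent > "$tmp/permanent"
permanent_drift "$tmp/runtime" "$tmp/permanent"
rm -rf "$tmp"
```

Anything under lost_on_reload is exactly what firewall-cmd --runtime-to-permanent would save; anything under pending_until_reload is what the next --reload will switch on, which is worth knowing before you reload on a host that other people depend on.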


####################################################

 

Changing the default zone does not need --permanent (--set-default-zone updates both the running and the saved configuration)

Virtual machine desktop0:
# ping 172.25.0.11     # replies

Virtual machine server0:
# firewall-cmd --set-default-zone=block   # change the default zone
# firewall-cmd --get-default-zone         # show the default zone

Virtual machine desktop0:
# ping 172.25.0.11   # no longer works: block rejects, so ping reports "Destination Host Prohibited"

Virtual machine server0:
# firewall-cmd --set-default-zone=drop 
# firewall-cmd --get-default-zone

Virtual machine desktop0:
# ping 172.25.0.11   # no response at all: drop discards the packets silently

The notes never switch the default zone back, so from here on server0 answers only hosts that are explicitly bound to another zone.


######################################################


Virtual machine server0: 
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10   # bind desktop0's address to the public zone

# firewall-cmd --zone=public --list-all    # runtime: the source is not there yet
# firewall-cmd --reload 
# firewall-cmd --zone=public --list-all    # now shows sources: 172.25.0.10

Virtual machine desktop0:
# firefox http://172.25.0.11   # works again: traffic from 172.25.0.10 is handled by public, not by the default zone drop
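The zone-selection rule given earlier (source binding first, otherwise the default zone) is what makes this work even though the default zone is now drop. As an added example that is not part of the original notes, here is a small model of that lookup in shell: it resolves a source address to a zone the way firewalld does and then applies the zone's target and service list to give the verdict a client would see. The bindings, service list and targets are constructed to match the state reached in the notes (default zone drop, 172.25.0.10 bound to public, http and ftp allowed in public); the function names are mine, and real firewalld also consults interface bindings between the source step and the default-zone step.

```shell
# Added example, not from the original notes: model of firewalld's zone
# lookup for an incoming packet.  Constructed data mirrors the notes.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET -> true when ADDR lies inside NET ("a.b.c.d" or "a.b.c.d/len")
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Constructed state: what `firewall-cmd --get-default-zone` and the
# "sources:" lines of --list-all show after the commands in the notes
DEFAULT_ZONE=drop
ZONE_SOURCES="public=172.25.0.10"      # zone=source, space separated

zone_services() {        # the "services:" line of each zone
    case $1 in
        public) echo "dhcpv6-client ssh http ftp" ;;
        *)      echo "" ;;
    esac
}
zone_target() {          # the "target:" line of each zone
    case $1 in
        trusted) echo ACCEPT ;;
        block)   echo REJECT ;;
        drop)    echo DROP ;;
        *)       echo default ;;   # allow listed services, reject the rest
    esac
}

# Step 1: first zone whose source binding matches wins; step 2: default zone
resolve_zone() {
    for binding in $ZONE_SOURCES; do
        if in_cidr "$1" "${binding#*=}"; then
            echo "${binding%%=*}"; return 0
        fi
    done
    echo "$DEFAULT_ZONE"
}

# check_access SRC SERVICE -> accept, reject (ICMP prohibited sent back)
# or drop (no answer at all), plus the zone that decided it
check_access() {
    zone=$(resolve_zone "$1")
    case $(zone_target "$zone") in
        ACCEPT) verdict=accept ;;
        REJECT) verdict=reject ;;
        DROP)   verdict=drop ;;
        *) case " $(zone_services "$zone") " in
               *" $2 "*) verdict=accept ;;
               *)        verdict=reject ;;
           esac ;;
    esac
    echo "$1 -> $2: $verdict (zone $zone)"
}

check_access 172.25.0.10 http      # desktop0: public zone, http allowed
check_access 172.25.0.10 smtp      # desktop0: public zone, smtp not listed
check_access 172.25.0.250 http     # any other host: default zone drop
```

Bindings may be whole networks (for example trusted=10.0.0.0/8), and the first matching binding in ZONE_SOURCES wins, which is the "match and stop" behaviour described above; changing DEFAULT_ZONE back to public shows why every host could reach http before the default zone was switched to drop.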


##################################################


Port mapping on the local host

Redirecting a local port (port 1 --> port 2)
– a client request to port 1 is automatically mapped to port 2 on this host
– for example, the following two addresses show the same page:

Virtual machine desktop0:
# firefox http://172.25.0.11:5423 ------> 172.25.0.11:80

Virtual machine server0: 
# firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80
# firewall-cmd --reload 
# firewall-cmd --zone=public --list-all     # forward-ports: port=5423:proto=tcp:toport=80:toaddr=

Virtual machine desktop0: 
# firefox http://172.25.0.11:5423

The forward rule is a DNAT applied to packets arriving from the network, so test it from desktop0 as shown: a browser on server0 itself connecting to 127.0.0.1:5423 is not redirected. The rule was added with --permanent, so nothing happens until the --reload. It also lives in the public zone: desktop0 is bound to public and gets the redirect, while any host still landing in the default zone (drop) gets no answer on 5423 either.




