防火牆富規則、備份恢復、開啟內部上網
1. 防火牆富規則策略
Firewalld中的富規則表示更細致、更詳細的防火牆策略配置,它可以針對系統服務、端口號、源地址和目標地址等諸多信息進行更有針對性的策略配置, 優先級在所有的防火牆策略中也是最高的。下面為Firewalld富規則幫助手冊.
[root@web01 ~]# man firewalld #Firewalld幫助手冊
[root@web01 ~]# man firewalld.richlanguage #Firewalld富規則手冊
rule
[source]
[destination]
service|port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
destination address="address[/mask]" invert="True"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
accept | reject [type="reject type"] | drop
#富規則相關命令
--add-rich-rule='<RULE>' #在指定的區添加一條富規則
--remove-rich-rule='<RULE>' #在指定的區刪除一條富規則
--query-rich-rule='<RULE>' #找到規則返回0 ,找不到返回1
--list-rich-rules #列出指定區里的所有富規則
1). 比如允許10.0.0.1主機能夠訪問http服務,允許172.16.1.0/24能訪問11211端口
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
#驗證測試
[C:\~]$ telnet 10.0.0.6 80
Connecting to 10.0.0.6:80...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
telnet: connect to address 10.0.0.6: No route to host
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Canceled.
[root@web01 ~]# telnet 172.16.1.6 11211
Trying 172.16.1.6...
Connected to 172.16.1.6.
Escape character is '^]'.
2). 默認public區域對外開放所有人能通過ssh服務連接,但拒絕172.16.1.0/24網段通過ssh連接服務器
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'
success
#驗證測試
[root@web01 ~]# ssh root@10.0.0.6
root@10.0.0.6's password:
[root@web01 ~]# ssh root@172.16.1.6
^C
3). 使Firewalld允許所有人能訪問http,https服務,但只有10.0.0.1主機可以訪問ssh服務
[root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@firewalld ~]# firewall-cmd --remove-service=ssh
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
#驗證測試
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
^]
telnet> Connection closed.
[root@web01 ~]# ssh root@10.0.0.6
ssh: connect to host 10.0.0.6 port 22: No route to host
[C:\~]$ ssh root@10.0.0.6
Connecting to 10.0.0.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
4). 當用戶來源IP地址是10.0.0.1主機,則將用戶請求的5555端口轉發至后端172.16.1.7的22端口
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
#開啟地址轉發
[root@firewalld ~]# firewall-cmd --add-masquerade
Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.7'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"
#驗證測試
[C:\~]$ ssh root@10.0.0.6 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100
[root@web02 ~]# ssh root@10.0.0.6 5555
root@10.0.0.6's password:
bash: 5555: command not found
5).查看設定的規則,如果沒有添加--permanent參數則重啟Firewalld會失效。富規則按先后順序匹配,優先匹配到的規則生效
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"
2.Firewalld備份恢復
#我們所有針對public區域編寫的永久添加的規則都會寫入備份文件(--permanent)
[root@firewalld ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="test"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<masquerade/>
</zone>
備份的時候只需要把配置文件進行拷貝就行了,導入之后,重啟生效。
[root@web01 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@web01 ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
#備份配置文件
#只保存永久添加的規則
[root@web01 ~]# ll /etc/firewalld/zones/public.xml #公共區的配置文件
[root@web01 ~]# ll /etc/firewalld/zones/ #區域的配置規則文件都在這個區中
3. 防火牆開啟內部上網
在指定的帶有公網IP的實例上啟動Firewalld防火牆的NAT地址轉換,以此達到內部主機上網。
1. Firewalld防火牆開啟masquerade,實現地址轉換
1. Firewalld防火牆開啟masquerade,實現地址轉換
[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7" --permanent
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
2. 客戶端將網關指向Firewalld服務器,將所有網絡請求交給Firewalld
[root@web01 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.6
3. 客戶端還需配置dns服務器
[root@web01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.5.5.5
4. 關閉eth0網卡,重啟eth1,使其配置生效
[root@web01 ~]# systemctl restart network && ifdown eth0
5. 測試后端web的網絡是否正常
[C:\~]$ ssh root@10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100
[root@web01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a721/64 scope link
valid_lft forever preferred_lft forever
[root@web02 ~]# ping baidu.com
ping: baidu.com: Name or service not known
#重啟eth1
[root@web02 ~]# ifdown eth1 && ifup eth1
Device 'eth1' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
[root@web01 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms
^C
--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms