Linux防火墙基础试题-firewalld

1默认public区域对外开放所有人能通过ssh服务连接,但拒绝192.168.200.0/24网段通过ssh连接服务器。

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.200.0/24 port port=22 protocol=tcp drop'    
success
[root@localhost ~]#  firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.200.0/24" port port="22" protocol="tcp" drop

2.使Firewalld允许所有人能访问http,nginx服务,但只有192.168.100.10主机可以访问ssh服务。

[root@localhost ~]# firewall-cmd --add-service={http,nginx}
Warning: ALREADY_ENABLED
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.100.10 port port=22 protocol=tcp accept'
success
[root@localhost ~]#  firewall-cmd --list-all               
public (default, active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.100.10" port port="22" protocol="tcp" accept

3.当用户来源IP地址是192.168.100.20主机,则将用户请求的5555端口转发至后端
192.168.100.10的22端口。

[root@localhost ~]# firewall-cmd --add-masquerade
success
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.20" forward-port port="5555" protocol="tcp" to-port="22" to-addr="192.168.100.10"'
success
[root@localhost ~]#  firewall-cmd --list-all     
public (default, active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.100.20" forward-port port="5555" protocol="tcp" to-port="22" to-addr="192.168.100.10"

4.将tcp协议端口3300-3400添加到external区域。

[root@localhost ~]# firewall-cmd --zone=external  --add-port=3300-3400/tcp 
success
[root@localhost ~]# firewall-cmd --zone=external --list-all
external
  interfaces: 
  sources: 
  services: ssh
  ports: 3300-3400/tcp
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules:

5.查询internal区域中是否包含接口ens33。

[root@localhost ~]# firewall-cmd --zone=internal --query-interface=ens33 
no

6.为internal区域删除绑定的网络接口ens33。|

[root@localhost ~]# firewall-cmd --zone=internal --remove-interface=ens33
success

7.查询internal区域中是否启用了SSH服务。

[root@localhost ~]#  firewall-cmd --zone=internal --query-service=ssh
yes

8.为internal区域设置允许访问SSH服务。

[root@localhost ~]# firewall-cmd --zone=internal --add-service=ssh   
success