1.默认public区域对外开放，所有人都能通过ssh服务连接，但拒绝192.168.200.0/24网段通过ssh连接服务器。（注意：以下命令均未加 --permanent，只修改运行时配置，firewalld 重载或重启后规则会丢失。）
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.200.0/24 port port=22 protocol=tcp drop'
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.200.0/24" port port="22" protocol="tcp" drop
2.使Firewalld允许所有人访问http、nginx服务，但只有192.168.100.10主机可以访问ssh服务。（注意：从下面的 --list-all 输出可见 services 中仍包含 ssh，说明 public 区域依然对所有来源开放 ssh，仅添加一条 accept 富规则并不能实现"只有该主机可访问"，还需从该区域移除 ssh 服务；同时输出中只有 http 而没有 nginx，说明 nginx 服务并未被添加。）
[root@localhost ~]# firewall-cmd --add-service={http,nginx}
Warning: ALREADY_ENABLED
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.100.10 port port=22 protocol=tcp accept'
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.10" port port="22" protocol="tcp" accept
3.当用户来源IP地址是192.168.100.20主机时，将其请求的5555端口转发至后端192.168.100.10的22端口。
[root@localhost ~]# firewall-cmd --add-masquerade
success
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.100.20" forward-port port="5555" protocol="tcp" to-port="22" to-addr="192.168.100.10"'
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.100.20" forward-port port="5555" protocol="tcp" to-port="22" to-addr="192.168.100.10"
4.将tcp协议端口3300-3400添加到external区域。
[root@localhost ~]# firewall-cmd --zone=external --add-port=3300-3400/tcp
success
[root@localhost ~]# firewall-cmd --zone=external --list-all
external
interfaces:
sources:
services: ssh
ports: 3300-3400/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
5.查询internal区域中是否包含接口ens33。
[root@localhost ~]# firewall-cmd --zone=internal --query-interface=ens33
no
6.为internal区域删除绑定的网络接口ens33。
[root@localhost ~]# firewall-cmd --zone=internal --remove-interface=ens33
success
7.查询internal区域中是否启用了SSH服务。
[root@localhost ~]# firewall-cmd --zone=internal --query-service=ssh
yes
8.为internal区域设置允许访问SSH服务。
[root@localhost ~]# firewall-cmd --zone=internal --add-service=ssh
success