Firewalld - 02: port access, service access, port forwarding and source address management

This part covers firewalld port access, service access, interface and source address management, and port forwarding.

1. Firewall port access policy

Use firewalld to allow clients to reach the server's 80/tcp port. A rule added without --permanent takes effect immediately but only in the running configuration; add --permanent to make it survive a reload or reboot.

1) Temporarily allow a single port

[root@firewalld ~]# firewall-cmd --add-port=80/tcp
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2) Temporarily allow multiple ports

[root@firewalld ~]# firewall-cmd --add-port={443/tcp,3306/tcp}
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3) Permanently allow multiple ports: add --permanent, then reload firewalld

[root@firewalld ~]# firewall-cmd --add-port={80/tcp,443/tcp} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4) Check which ports are allowed with --list-ports

[root@firewalld ~]# firewall-cmd --list-ports
80/tcp 443/tcp

5) Temporarily remove the port rules

[root@firewalld ~]# firewall-cmd --remove-port={80/tcp,443/tcp}
success
[root@firewalld ~]# firewall-cmd --list-ports
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@firewalld ~]# firewall-cmd --reload
success
# after the reload the ports are back, because they were added permanently earlier
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2. Firewall service access policy

Use firewalld to allow clients to reach the server's http and https services. As with ports, a rule added without --permanent is runtime only; add --permanent for it to survive a reload or reboot.

1) Temporarily allow a single service

[root@firewalld ~]# firewall-cmd --add-service=http
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2) Temporarily allow multiple services

[root@firewalld ~]# firewall-cmd --add-service={http,https,mysql}
Warning: ALREADY_ENABLED: 'http' already in 'public'
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https mysql
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

3) Permanently allow multiple services: add --permanent, then reload firewalld

[root@firewalld ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

4) Check which services are allowed with --list-services

[root@firewalld ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https

5) Remove the temporarily added http and https services

[root@firewalld ~]# firewall-cmd --remove-service={http,https}
success
[root@firewalld ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@firewalld ~]# firewall-cmd --reload
success
# after the reload the services are back
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

# permanent removal
[root@firewalld ~]# firewall-cmd --remove-service={http,https} --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
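Step 5 of sections 1 and 2 shows the same trap twice: an entry removed without --permanent comes back on the next --reload, and one added without --permanent disappears. The script below is an added example, not part of the original post; it compares a zone's runtime and permanent lists and names every entry that exists on only one side. drift_report and audit_zone are names chosen here, and the lists in the offline branch are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: report drift between the
# runtime and permanent firewalld configuration, the trap shown in
# sections 1 and 2 where a change made without --permanent is undone by
# the next --reload (and a permanent-only entry reappears).

# drift_report RUNTIME PERMANENT
# Arguments are the space-separated lists printed by
# `firewall-cmd --list-ports` and `firewall-cmd --permanent --list-ports`
# (the --list-services output has the same shape). Prints one line per
# entry present on only one side; returns 1 if any drift was found.
drift_report() {
    runtime=$1 permanent=$2 drift=0
    for item in $runtime; do
        case " $permanent " in
            *" $item "*) ;;
            *) printf 'runtime-only: %s (disappears on --reload)\n' "$item"; drift=1 ;;
        esac
    done
    for item in $permanent; do
        case " $runtime " in
            *" $item "*) ;;
            *) printf 'permanent-only: %s (reappears on --reload)\n' "$item"; drift=1 ;;
        esac
    done
    return $drift
}

# audit_zone ZONE : compare the live runtime and permanent ports/services
audit_zone() {
    for kind in ports services; do
        echo "== $1 $kind =="
        drift_report "$(firewall-cmd --zone="$1" --list-$kind)" \
                     "$(firewall-cmd --permanent --zone="$1" --list-$kind)" \
            && echo "   in sync"
    done
}

if command -v firewall-cmd >/dev/null 2>&1; then
    audit_zone "${1:-public}"
else
    # Constructed sample mirroring section 1 step 5: 80/tcp and 443/tcp were
    # added with --permanent, then removed from the runtime set only.
    drift_report "" "80/tcp 443/tcp" || true
fi
```

Run it on a firewalld host as `sh drift.sh public` (or another zone name); without firewall-cmd it prints the constructed sample.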

6) How to define a custom port as a service of its own (the post edits a copy placed in the packaged directory /usr/lib/firewalld/services/; firewalld also reads /etc/firewalld/services/, which takes precedence and is the usual place for local definitions so that package updates do not overwrite them)

#1. copy an existing service xml file as a template
[root@firewalld ~]# cd /usr/lib/firewalld/services/
[root@firewalld /usr/lib/firewalld/services]# cp http.xml test.xml
#2. change the port to 11211
[root@firewalld /usr/lib/firewalld/services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (test)</short>
<description>test is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="11211"/>
</service>

#3. add the firewall rule for the new service
[root@firewalld ~]# firewall-cmd --permanent --add-service=test
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-services
ssh dhcpv6-client test

#4. install memcached, which listens on port 11211
[root@firewalld ~]# systemctl start memcached
[root@firewalld ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 9911/memcached

#5. test and verify
[C:\~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

3. Firewall Interface Management

# check which zone an interface belongs to

[root@web01 ~]# firewall-cmd   --get-zone-of-interface=eth0
public
[root@web01 ~]# firewall-cmd   --get-zone-of-interface=eth1
public

# remove interface eth1 from its zone
[root@web01 ~]# firewall-cmd  --remove-interface=eth1
success

[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# add an interface
[root@web01 ~]# firewall-cmd   --add-interface=eth0
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@web01 ~]# firewall-cmd --get-zone-of-interface=eth1
no zone

# bind an interface to a zone
[root@web01 ~]# firewall-cmd  --change-interface=eth0   --zone=public
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

4. Firewall source address management

# block all access from one IP address

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.8/32   --zone=drop
success

[root@web01 ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32
public
  interfaces: eth0

# block a whole subnet

[root@web01 ~]# firewall-cmd  --add-source=10.0.0.0/24  --zone=drop
success

[root@web01 ~]# firewall-cmd  --get-active-zone
drop
  sources: 10.0.0.8/32 10.0.0.0/24
public
  interfaces: eth0
  
# allow one IP address full access

[root@web01 ~]# firewall-cmd   --add-source=10.0.0.8/32  --zone=trusted
success
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0
trusted
  sources: 10.0.0.8/32

# remove the IP address

[root@web01 ~]# firewall-cmd  --remove-source=10.0.0.8/32  --zone=trusted
success
[root@web01 ~]# firewall-cmd   --get-active-zone
public
  interfaces: eth0

5. Firewall port forwarding policy

Port forwarding maps a destination address and port (DNAT) so that hosts on an external network can reach resources on an internal network. The command format is:

firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP address>

Suppose port 5555 on the local host 10.0.0.61 needs to be forwarded to the back-end host 172.16.1.9:22:

1. Enable masquerade to perform address translation
[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success

2. Configure the forwarding rule
[root@firewalld ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
success
[root@firewalld ~]# firewall-cmd --reload
success

3. Verify
[C:\~]$ ssh root@10.0.0.6 5555

Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Sun Dec 8 18:59:01 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 17:21:54 2019 from 10.0.0.1
[root@web01 ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a717/64 scope link
valid_lft forever preferred_lft forever
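The forward rule in step 2 is one colon-separated string, and step 1 (masquerade) is easy to forget when the rule is re-applied on another host. The script below is an added example, not part of the original post: it checks each field locally before the string reaches firewall-cmd and makes the masquerade plus forward-port steps safe to run repeatedly. valid_port, valid_ipv4, forward_spec and apply_forward are names chosen here; the 5555/tcp to 10.0.0.7:22 values are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: check the forward-port rule
# fields from section 5 locally, then apply masquerade + rule idempotently.

# valid_port N : true when N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D : true for exactly four dotted octets, each 0..255
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in *[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
}

# forward_spec PORT PROTO TOPORT TOADDR : print the
# port=..:proto=..:toport=..:toaddr=.. argument, or fail if a field is bad
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    case $2 in tcp|udp) ;; *) return 1 ;; esac
    valid_ipv4 "$4" || return 1
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$1" "$2" "$3" "$4"
}

# apply_forward ZONE SPEC : toaddr= needs masquerade, so enable it first;
# the --query-* checks make the function safe to run repeatedly
apply_forward() {
    firewall-cmd --permanent --zone="$1" --query-masquerade >/dev/null 2>&1 \
        || firewall-cmd --permanent --zone="$1" --add-masquerade
    firewall-cmd --permanent --zone="$1" --query-forward-port="$2" >/dev/null 2>&1 \
        || firewall-cmd --permanent --zone="$1" --add-forward-port="$2"
    firewall-cmd --reload
    firewall-cmd --zone="$1" --list-forward-ports
}

# The post's values: 5555/tcp on the firewall host -> 10.0.0.7:22
spec=$(forward_spec 5555 tcp 22 10.0.0.7) || { echo "invalid rule" >&2; exit 1; }
echo "rule: $spec"
if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    apply_forward public "$spec"
fi
```

Without --apply the script only prints the validated rule string; with --apply on a firewalld host it enables masquerade, adds the permanent rule if missing, reloads and lists the result.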

Origin: www.cnblogs.com/gongjingyun123--/p/12015908.html