Linux Firewalld 基础实例
程序员文章站
2022-07-04 08:46:06
本次是一个 Firewalld 的基础操作实例,利用 Firewalld 图形操作界面进行访问控制操作。 ......
本次是一个firewalld
的基础操作实例,利用firewalld
图形操作界面进行访问控制操作。
实验拓扑
需求分析
首先拓扑涉及到两个区域,这里使用work
和public
区域,分别做相应的规则。
1.work
区域禁止icmp
,允许192.168.100.101
访问ssh
服务,同时允许访问apache
服务。
2.public
区域禁止icmp
,禁止ssh
服务,允许访问apache
服务。
分析方法:基于
firewalld
的数据处理流程,可参考。
操作过程
基础准备
-
server
安装apache
服务,默认已存在ssh
服务。
[root@server ~]# yum install -y httpd [root@server ~]# echo "this is test page , all host can access" > /var/www/html/index.html [root@server ~]# systemctl start httpd.service
- 默认不关闭防火墙的情况下,可以
ping
、ssh
,不可以访问apache
。
[root@host01 ~]# ping -c4 192.168.100.100 ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data. 64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.573 ms 64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.575 ms 64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=1.15 ms 64 bytes from 192.168.100.100: icmp_seq=4 ttl=64 time=0.441 ms --- 192.168.100.100 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 0.441/0.686/1.156/0.277 ms
[root@host01 ~]# curl 192.168.100.100 curl: (7) failed connect to 192.168.100.100:80; no route to host
[root@host01 ~]# ssh root@192.168.100.100 the authenticity of host '192.168.100.100 (192.168.100.100)' can't be established. ecdsa key fingerprint is sha256:5ggc1rmzwwjf+ozz/pptylo2s6nmfhsxbzcnslazxhy. ecdsa key fingerprint is md5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61. are you sure you want to continue connecting (yes/no)? yes warning: permanently added '192.168.100.100' (ecdsa) to the list of known hosts. root@192.168.100.100's password: last login: wed oct 23 09:55:12 2019 [root@server ~]# logout connection to 192.168.100.100 closed.
配置 firewalld
[root@server ~]# firewall-config
- 给
work
区域添加来源:192.168.100.101
- 允许
work
区域的http
、ssh
服务,禁止其他存在的服务
- 允许
public
区域的http
服务,禁止其他存在的服务
- 通过
icmp过滤器
禁止request
请求,在两个区域都做。
结果验证
- 网站访问
[root@host01 ~]# curl 192.168.100.100 this is test page , all host can access
[root@host02 ~]# curl 192.168.100.100 this is test page , all host can access
-
ssh
远程
[root@host01 ~]# ssh root@192.168.100.100 root@192.168.100.100's password: last login: wed oct 23 10:47:15 2019 [root@server ~]# logout connection to 192.168.100.100 closed.
[root@host02 ~]# ssh root@192.168.100.100 ssh: connect to host 192.168.100.100 port 22: no route to host
-
ping
测试
[root@host01 ~]# ping -c4 192.168.100.100 ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data. from 192.168.100.100 icmp_seq=1 destination host prohibited from 192.168.100.100 icmp_seq=2 destination host prohibited from 192.168.100.100 icmp_seq=3 destination host prohibited from 192.168.100.100 icmp_seq=4 destination host prohibited --- 192.168.100.100 ping statistics --- 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001ms
[root@host02 ~]# ping -c4 192.168.100.100 ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data. from 192.168.100.100 icmp_seq=1 destination host prohibited from 192.168.100.100 icmp_seq=2 destination host prohibited from 192.168.100.100 icmp_seq=3 destination host prohibited from 192.168.100.100 icmp_seq=4 destination host prohibited --- 192.168.100.100 ping statistics --- 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms
永久配置
- 设置永久配置
这里配置的是
运行时
配置,若要更改永久配置需点击选项
,首先将runtime设定为永久配置
,然后重载防火墙
,直接重载防火墙会丢失运行时的配置。若是一开始就选择的永久配置,则可以直接重载防火墙使配置生效。
上一篇: 倍思推出镜面湖数显充电器:内置电流表 秒懂快充状态
下一篇: 各种windows10下的快捷键