本次是一个firewalld的基础操作实例，利用firewalld图形操作界面进行访问控制操作。

实验拓扑

需求分析

首先拓扑涉及到两个区域，这里使用work和public区域，分别做相应的规则。

1.work区域禁止icmp，允许192.168.100.101访问ssh服务，同时允许访问apache服务。

2.public区域禁止icmp，禁止ssh服务，允许访问apache服务。

分析方法：基于firewalld的数据处理流程，可参考。

操作过程

基础准备

• server安装apache服务，默认已存在ssh服务。

[root@server ~]# yum install -y httpd
[root@server ~]# echo "this is test page , all host can access" > /var/www/html/index.html
[root@server ~]# systemctl start httpd.service

• 默认不关闭防火墙的情况下，可以ping、ssh，不可以访问apache。

[root@host01 ~]# ping -c4 192.168.100.100
ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.573 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.575 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=1.15 ms
64 bytes from 192.168.100.100: icmp_seq=4 ttl=64 time=0.441 ms

--- 192.168.100.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.441/0.686/1.156/0.277 ms

[root@host01 ~]# curl 192.168.100.100
curl: (7) failed connect to 192.168.100.100:80; no route to host

[root@host01 ~]# ssh root@192.168.100.100
the authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
ecdsa key fingerprint is sha256:5ggc1rmzwwjf+ozz/pptylo2s6nmfhsxbzcnslazxhy.
ecdsa key fingerprint is md5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
are you sure you want to continue connecting (yes/no)? yes
warning: permanently added '192.168.100.100' (ecdsa) to the list of known hosts.
root@192.168.100.100's password: 
last login: wed oct 23 09:55:12 2019
[root@server ~]# logout
connection to 192.168.100.100 closed.

配置 firewalld

[root@server ~]# firewall-config

• 给work区域添加来源：192.168.100.101

• 允许work区域的http、ssh服务，禁止其他存在的服务

• 允许public区域的http服务，禁止其他存在的服务

• 通过icmp过滤器禁止request请求，在两个区域都做。

结果验证

• 网站访问

[root@host01 ~]# curl 192.168.100.100
this is test page , all host can access

[root@host02 ~]# curl 192.168.100.100
this is test page , all host can access

• ssh远程

[root@host01 ~]# ssh root@192.168.100.100
root@192.168.100.100's password: 
last login: wed oct 23 10:47:15 2019
[root@server ~]# logout
connection to 192.168.100.100 closed.

[root@host02 ~]# ssh root@192.168.100.100
ssh: connect to host 192.168.100.100 port 22: no route to host

• ping测试

[root@host01 ~]# ping -c4 192.168.100.100
ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
from 192.168.100.100 icmp_seq=1 destination host prohibited
from 192.168.100.100 icmp_seq=2 destination host prohibited
from 192.168.100.100 icmp_seq=3 destination host prohibited
from 192.168.100.100 icmp_seq=4 destination host prohibited

--- 192.168.100.100 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001ms

[root@host02 ~]# ping -c4 192.168.100.100
ping 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
from 192.168.100.100 icmp_seq=1 destination host prohibited
from 192.168.100.100 icmp_seq=2 destination host prohibited
from 192.168.100.100 icmp_seq=3 destination host prohibited
from 192.168.100.100 icmp_seq=4 destination host prohibited

--- 192.168.100.100 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms

永久配置

• 设置永久配置

• 这里配置的是运行时配置，若要更改永久配置需点击选项，首先将runtime设定为永久配置，然后重载防火墙，直接重载防火墙会丢失运行时的配置。

• 若是一开始就选择的永久配置，则可以直接重载防火墙使配置生效。