Firewall Technology
程序员文章站
2021-12-25 10:57:08
Configuring hostnames
First node (user1) hostname configuration:
# hostnamectl set-hostname user1
// log out and reconnect to the virtual machine so the new hostname takes effect
[root@user1 ~]# hostnamectl
Static hostname: user1
Icon name: computer-vm
Chassis: vm
Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
Boot ID: 6ea800f863564e11afc5d91d65fafb3f
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
Second node hostname configuration (the original labels this node redis2; it becomes user2):
# hostnamectl set-hostname user2
// log out and reconnect to the virtual machine so the new hostname takes effect
[root@user2 ~]# hostnamectl
Static hostname: user2
Icon name: computer-vm
Chassis: vm
Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
Boot ID: d6c808d94d6b4501b5ad740429e23aa4
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
Upload and mount the CentOS image, and configure the yum repository on all nodes
Configure a local yum repository on every node.
# mkdir /opt/centos
# mount CentOS-7-x86_64-DVD-1511.iso /opt/centos
mount: /dev/loop0 is write-protected, mounting read-only
# rm -rf /etc/yum.repos.d/*
# cat /etc/yum.repos.d/local.repo
[centos]
name=centos
baseurl=file:///opt/centos
gpgcheck=0
enabled=1
Install and start the httpd and mariadb services on both nodes, and create a web page on user2.
[root@user1 ~]# yum install mariadb-server httpd -y
[root@user1 ~]# systemctl start httpd
[root@user1 ~]# systemctl start mariadb
[root@user2 ~]# yum install mariadb-server httpd -y
[root@user2 ~]# systemctl start httpd
[root@user2 ~]# systemctl start mariadb
[root@user2 ~]# echo welcome to beijing > /var/www/html/index.html
Now restrict which other machines may access the user2 host.
[root@user2 ~]# iptables -A INPUT -s 192.168.20.1,127.0.0.1 -j ACCEPT   // allow the local Windows system (and loopback) to connect
[root@user2 ~]# iptables -A INPUT -j REJECT   // reject access from every other host
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 8 560 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 308 bytes)
num pkts bytes target prot opt in out source destination
[root@user2 html]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 15 1012 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 1568 bytes)
num pkts bytes target prot opt in out source destination
At this point the user1 host cannot reach the user2 host.
[root@user1 ~]# curl 192.168.20.20
curl: (7) Failed connect to 192.168.20.20:80; Connection refused
Now allow only user1 to access the httpd service on this host.
[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 80 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 126 9352 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:80
4 1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 772 bytes)
num pkts bytes target prot opt in out source destination
The user1 host can now reach the httpd content on user2 over TCP.
[root@user1 ~]# curl 192.168.20.20
welcome to beijing
On user2, allow the user1 host to reach the MySQL database port.
[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 3306 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 220 16328 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:3306
4 6 397 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:80
5 1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1580 bytes)
num pkts bytes target prot opt in out source destination
On user2, grant the user1 host access to the MySQL database, then verify.
[root@user2 ~]# mysql -e "grant all on *.* to test@'192.168.20.%' identified by 'centos'"
[root@user1 ~]# mysql -utest -pcentos -h192.168.20.20   // verify from the user1 node
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.44-MariaDB MariaDB Server
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
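The two "iptables -I INPUT 3 ..." commands above only work because of iptables' first-match semantics: a packet is handled by the first rule it matches, so the per-service ACCEPTs must sit in front of the catch-all REJECT. Had they been appended with -A instead, they would have landed after the REJECT and never been reached. The script below is an added example, not code from the article: it models the final user2 INPUT chain as a small rule table, evaluates sample packets with the same first-match logic, and renders the table back into the equivalent -A commands. Rule-table names, the function names, and the sample packets are all constructed for this illustration; it needs no root access and does not touch the live firewall. Two caveats worth knowing for this setup: the rules shown in the article live only in kernel memory and are lost on reboot unless saved (for example with the iptables-services package), and a catch-all REJECT without an ESTABLISHED,RELATED accept rule also blocks replies to connections user2 itself initiates. The GRANT likewise gives all privileges on every database to the whole 192.168.20.0/24 range, which is far broader than the single host the firewall rule permits.

```shell
#!/usr/bin/env bash
# Added example (not from the article): a first-match simulator for the INPUT
# chain built on user2 above. Rule tables, function names and sample packets are
# constructed for this illustration only.
#
# Rule table format, one rule per line, in chain order (rule 1 first):
#   <source-cidr> <proto|any> <dport|any> <target>

# What appending "--dport 80 -j ACCEPT" with -A (instead of -I INPUT 3) would have
# produced: the ACCEPT sits behind the catch-all REJECT and is never reached.
RULES_APPEND_ONLY="192.168.20.1/32 any any ACCEPT
127.0.0.1/32 any any ACCEPT
0.0.0.0/0 any any REJECT
192.168.20.10/32 tcp 80 ACCEPT"

# The chain as the article ends up with it after the two "-I INPUT 3" inserts.
RULES_INSERTED="192.168.20.1/32 any any ACCEPT
127.0.0.1/32 any any ACCEPT
192.168.20.10/32 tcp 3306 ACCEPT
192.168.20.10/32 tcp 80 ACCEPT
0.0.0.0/0 any any REJECT"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match <ip> <cidr>: succeeds when <ip> lies inside <cidr> (a bare IP means /32).
cidr_match() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  [ "$bits" = "$2" ] && bits=32
  # 4294967295 is 0xFFFFFFFF; shifting left by (32 - bits) and masking back to
  # 32 bits yields the network mask (bits=0 gives 0, i.e. match everything).
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# evaluate <rules> <src-ip> <proto> <dport>: prints the target of the FIRST matching
# rule, or the chain policy (ACCEPT, as in the article's listings) if none matches.
evaluate() {
  local rules=$1 src=$2 proto=$3 dport=$4 cidr rproto rdport target
  while read -r cidr rproto rdport target; do
    [ -z "$cidr" ] && continue
    cidr_match "$src" "$cidr" || continue
    [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
    [ "$rdport" = any ] || [ "$rdport" = "$dport" ] || continue
    echo "$target"
    return 0
  done <<EOF
$rules
EOF
  echo ACCEPT
}

# to_iptables <rules>: renders a rule table as the equivalent sequence of -A commands.
# Appending in this order yields the same chain the article built with -I INPUT 3.
to_iptables() {
  local cidr rproto rdport target
  while read -r cidr rproto rdport target; do
    [ -z "$cidr" ] && continue
    printf 'iptables -A INPUT -s %s' "$cidr"
    [ "$rproto" = any ] || printf ' -p %s' "$rproto"
    [ "$rdport" = any ] || printf ' --dport %s' "$rdport"
    printf ' -j %s\n' "$target"
  done <<EOF
$1
EOF
}

# Stand-alone demo: the same user1 -> user2 packet against both chain layouts.
demo() {
  echo "appended after REJECT:  user1 -> tcp/80   = $(evaluate "$RULES_APPEND_ONLY" 192.168.20.10 tcp 80)"
  echo "inserted before REJECT: user1 -> tcp/80   = $(evaluate "$RULES_INSERTED" 192.168.20.10 tcp 80)"
  echo "inserted before REJECT: user1 -> tcp/22   = $(evaluate "$RULES_INSERTED" 192.168.20.10 tcp 22)"
  echo "inserted before REJECT: other -> tcp/3306 = $(evaluate "$RULES_INSERTED" 10.0.0.5 tcp 3306)"
  echo "equivalent -A commands for the final chain:"
  to_iptables "$RULES_INSERTED"
}
demo
```

Running the script prints REJECT for the appended layout and ACCEPT for the inserted one on the same user1 -> tcp/80 packet, which is exactly the difference between the failed and the successful curl above; the rendered -A commands are the order-preserving equivalent of the article's final chain, which is the form to put in a saved ruleset so the ordering survives a reboot.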