防火墙富规则、备份恢复、开启内部上网
1. 防火墙富规则策略
Firewalld中的富规则表示更细致、更详细的防火墙策略配置,它可以针对系统服务、端口号、源地址和目标地址等诸多信息进行更有针对性的策略配置, 优先级在所有的防火墙策略中也是最高的。下面为Firewalld富规则帮助手册.
[root@web01 ~]# man firewalld #Firewalld帮助手册
[root@web01 ~]# man firewalld.richlanguage #Firewalld富规则手册
rule
[source]
[destination]
service|port|protocol|icmp-block|masquerade|forward-port
[log]
[audit]
[accept|reject|drop]
rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
destination address="address[/mask]" invert="True"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
accept | reject [type="reject type"] | drop
#富规则相关命令
--add-rich-rule='<RULE>' #在指定的区添加一条富规则
--remove-rich-rule='<RULE>' #在指定的区删除一条富规则
--query-rich-rule='<RULE>' #找到规则返回0 ,找不到返回1
--list-rich-rules #列出指定区里的所有富规则
1). 比如允许10.0.0.1主机能够访问http服务,允许172.16.1.0/24能访问11211端口
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
#验证测试
[C:~]$ telnet 10.0.0.6 80
Connecting to 10.0.0.6:80...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
telnet: connect to address 10.0.0.6: No route to host
[C:~]$ telnet 10.0.0.6 11211
Connecting to 10.0.0.6:11211...
Canceled.
[root@web01 ~]# telnet 172.16.1.6 11211
Trying 172.16.1.6...
Connected to 172.16.1.6.
Escape character is '^]'.
2). 默认public区域对外开放所有人能通过ssh服务连接,但拒绝172.16.1.0/24网段通过ssh连接服务器
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name="ssh" drop'
success
#验证测试
[root@web01 ~]# ssh root@10.0.0.6
root@10.0.0.6's password:
[root@web01 ~]# ssh root@172.16.1.6
^C
3). 使Firewalld允许所有人能访问http,https服务,但只有10.0.0.1主机可以访问ssh服务
[root@firewalld ~]# firewall-cmd --zone=public --add-service={http,https}
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@firewalld ~]# firewall-cmd --remove-service=ssh
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https
ports: 443/tcp
protocols:
masquerade: yes
forward-ports: port=5555:proto=tcp:toport=22:toaddr=10.0.0.7
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" port port="11211" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
#验证测试
[root@web01 ~]# telnet 10.0.0.6 80
Trying 10.0.0.6...
Connected to 10.0.0.6.
Escape character is '^]'.
^]
telnet> Connection closed.
[root@web01 ~]# ssh root@10.0.0.6
ssh: connect to host 10.0.0.6 port 22: No route to host
[C:~]$ ssh root@10.0.0.6
Connecting to 10.0.0.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
4). 当用户来源IP地址是10.0.0.1主机,则将用户请求的5555端口转发至后端172.16.1.7的22端口
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
#开启地址转发
[root@firewalld ~]# firewall-cmd --add-masquerade
Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
success
[root@firewalld ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 forward-port port=5555 protocol="tcp" to-port="22" to-addr=172.16.1.7'
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"
#验证测试
[C:~]$ ssh root@10.0.0.6 5555
Connecting to 10.0.0.6:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:12:23 CST 2019 from 10.0.0.100 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 18:59:02 2019 from 10.0.0.100
[root@web02 ~]# ssh root@10.0.0.6 5555
root@10.0.0.6's password:
bash: 5555: command not found
5).查看设定的规则,如果没有添加--permanent参数则重启Firewalld会失效。富规则按先后顺序匹配,优先匹配到的规则生效
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7"
2.Firewalld备份恢复
#我们所有针对public区域编写的永久添加的规则都会写入备份文件(--permanent)
[root@firewalld ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="test"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<masquerade/>
</zone>
备份的时候只需要把配置文件进行拷贝就行了,导入之后,重启生效。
[root@web01 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@web01 ~]# firewall-cmd --zone=public --remove-service=http --permanent
success
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
#备份配置文件
#只保存永久添加的规则
[root@web01 ~]# ll /etc/firewalld/zones/public.xml #公共区的配置文件
[root@web01 ~]# ll /etc/firewalld/zones/ #区域的配置规则文件都在这个区中
3. 防火墙开启内部上网
在指定的带有公网IP的实例上启动Firewalld防火墙的NAT地址转换,以此达到内部主机上网。
1. Firewalld防火墙开启masquerade,实现地址转换
1. Firewalld防火墙开启masquerade,实现地址转换
[root@firewalld ~]# firewall-cmd --add-masquerade --permanent
success
[root@firewalld ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1/32" forward-port port="5555" protocol="tcp" to-port="22" to-addr="10.0.0.7" --permanent
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client test
ports: 80/tcp 443/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
2. 客户端将网关指向Firewalld服务器,将所有网络请求交给Firewalld
[root@web01 ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.6
3. 客户端还需配置dns服务器
[root@web01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 223.5.5.5
4. 关闭eth0网卡,重启eth1,使其配置生效
[root@web01 ~]# systemctl restart network && ifdown eth0
5. 测试后端web的网络是否正常
[C:~]$ ssh root@10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Sun Dec 8 20:38:58 CST 2019 from gateway on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Dec 8 20:12:25 2019 from 10.0.0.100
[root@web01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:29:2a:a7:17 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2a:a7:21 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2a:a721/64 scope link
valid_lft forever preferred_lft forever
[root@web02 ~]# ping baidu.com
ping: baidu.com: Name or service not known
#重启eth1
[root@web02 ~]# ifdown eth1 && ifup eth1
Device 'eth1' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
[root@web01 ~]# ping baidu.com
PING baidu.com (220.181.38.148) 56(84) bytes of data.
64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=32.6 ms
^C
--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.653/32.653/32.653/0.000 ms