Linux Firewalld 基础实例
2024-10-19 15:49:04
本次是一个Firewalld的基础操作实例,利用Firewalld图形操作界面进行访问控制操作。
实验拓扑
需求分析
首先拓扑涉及到两个区域,这里使用work和public区域,分别做相应的规则。
1.work区域禁止icmp,允许192.168.100.101访问SSH服务,同时允许访问Apache服务。
2.public区域禁止icmp,禁止SSH服务,允许访问Apache服务。
分析方法:基于
Firewalld的数据处理流程,可参考上一篇博客。
操作过程
基础准备
server安装Apache服务,默认已存在SSH服务。
[root@server ~]# yum install -y httpd
[root@server ~]# echo "This is test page , all host can access" > /var/www/html/index.html
[root@server ~]# systemctl start httpd.service
- 默认不关闭防火墙的情况下,可以
ping、ssh,不可以访问apache。
[root@host01 ~]# ping -c4 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.573 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.575 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=1.15 ms
64 bytes from 192.168.100.100: icmp_seq=4 ttl=64 time=0.441 ms
--- 192.168.100.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.441/0.686/1.156/0.277 ms
[root@host01 ~]# curl 192.168.100.100
curl: (7) Failed connect to 192.168.100.100:80; No route to host
[root@host01 ~]# ssh root@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.100' (ECDSA) to the list of known hosts.
root@192.168.100.100's password:
Last login: Wed Oct 23 09:55:12 2019
[root@server ~]# logout
Connection to 192.168.100.100 closed.
配置 Firewalld
[root@server ~]# firewall-config
- 给
work区域添加来源:192.168.100.101
- 允许
work区域的http、ssh服务,禁止其他存在的服务
- 允许
public区域的http服务,禁止其他存在的服务
- 通过
ICMP过滤器禁止request请求,在两个区域都做。
结果验证
- 网站访问
[root@host01 ~]# curl 192.168.100.100
This is test page , all host can access
[root@host02 ~]# curl 192.168.100.100
This is test page , all host can access
SSH远程
[root@host01 ~]# ssh root@192.168.100.100
root@192.168.100.100's password:
Last login: Wed Oct 23 10:47:15 2019
[root@server ~]# logout
Connection to 192.168.100.100 closed.
[root@host02 ~]# ssh root@192.168.100.100
ssh: connect to host 192.168.100.100 port 22: No route to host
ping测试
[root@host01 ~]# ping -c4 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
From 192.168.100.100 icmp_seq=1 Destination Host Prohibited
From 192.168.100.100 icmp_seq=2 Destination Host Prohibited
From 192.168.100.100 icmp_seq=3 Destination Host Prohibited
From 192.168.100.100 icmp_seq=4 Destination Host Prohibited
--- 192.168.100.100 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001ms
[root@host02 ~]# ping -c4 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
From 192.168.100.100 icmp_seq=1 Destination Host Prohibited
From 192.168.100.100 icmp_seq=2 Destination Host Prohibited
From 192.168.100.100 icmp_seq=3 Destination Host Prohibited
From 192.168.100.100 icmp_seq=4 Destination Host Prohibited
--- 192.168.100.100 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms
永久配置
- 设置永久配置
这里配置的是
运行时配置,若要更改永久配置需点击选项,首先将Runtime设定为永久配置,然后重载防火墙,直接重载防火墙会丢失运行时的配置。若是一开始就选择的永久配置,则可以直接重载防火墙使配置生效。
最新文章
- 【原】聊一聊 url 编码问题
- My97DatePicker使用技巧
- iOS Xcode注释的几种使用方法
- 【BZOJ】2697: 特技飞行
- [转]关于 initWithNibName 和 loadNibNamed 的区别和联系
- php 字符串的一些操作,以便记忆
- dirname(__FILE__)与__DIR__全等
- Oracle使用goldengate分别向Oracle和mysql双路的单向复制
- iOS 在 Xcode 中重命名项目名称
- Python3.5 入门学习记录——变量类型
- Git 少用 Pull 多用 Fetch 和 Merge(转)
- HTML文档及标签介绍
- OC中的枚举类型
- [Swift]LeetCode778. 水位上升的泳池中游泳 | Swim in Rising Water
- (十)操作数据库、xlrd、xlwt补充
- 剑指offer(6)
- 潭州课堂25班:Ph201805201 爬虫基础 第十课 图像处理- 极验验证码 (课堂笔记)
- mongodb用户管理和服务安装
- php链式操作的实现
- PHP HTML混写,PHP中把大块HTML文本直接赋值给字符串变量的方法