Linux Firewalld 基础实例

Linux Firewalld 基础介绍

本次是一个Firewalld的基础操作实例,利用Firewalld图形操作界面进行访问控制操作。


实验拓扑

Linux Firewalld 基础介绍

需求分析

首先拓扑涉及到两个区域,这里使用workpublic区域,分别做相应的规则。

1.work区域禁止icmp,允许192.168.100.101访问SSH服务,同时允许访问Apache服务。

2.public区域禁止icmp,禁止SSH服务,允许访问Apache服务。

分析方法:基于Firewalld的数据处理流程,可参考上一篇博客。

操作过程

基础准备
  • server安装Apache服务,默认已存在SSH服务。
[root@server ~]# yum install -y httpd  [root@server ~]# echo "This is test page , all host can access" > /var/www/html/index.html  [root@server ~]# systemctl start httpd.service  
  • 默认不关闭防火墙的情况下,可以pingssh,不可以访问apache
[root@host01 ~]# ping -c4 192.168.100.100  PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.  64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.573 ms  64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.575 ms  64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=1.15 ms  64 bytes from 192.168.100.100: icmp_seq=4 ttl=64 time=0.441 ms    --- 192.168.100.100 ping statistics ---  4 packets transmitted, 4 received, 0% packet loss, time 3003ms  rtt min/avg/max/mdev = 0.441/0.686/1.156/0.277 ms  
[root@host01 ~]# curl 192.168.100.100  curl: (7) Failed connect to 192.168.100.100:80; No route to host  
[root@host01 ~]# ssh [email protected]  The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.  ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.  ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.  Are you sure you want to continue connecting (yes/no)? yes  Warning: Permanently added '192.168.100.100' (ECDSA) to the list of known hosts.  [email protected]'s password:  Last login: Wed Oct 23 09:55:12 2019  [root@server ~]# logout  Connection to 192.168.100.100 closed.  

配置 Firewalld

[root@server ~]# firewall-config  
  • work区域添加来源:192.168.100.101

Linux Firewalld 基础介绍

  • 允许work区域的httpssh服务,禁止其他存在的服务

Linux Firewalld 基础介绍

  • 允许public区域的http服务,禁止其他存在的服务

Linux Firewalld 基础介绍

  • 通过ICMP过滤器禁止request请求,在两个区域都做。

Linux Firewalld 基础介绍

结果验证

  • 网站访问
[root@host01 ~]# curl 192.168.100.100  This is test page , all host can access  
[root@host02 ~]# curl 192.168.100.100  This is test page , all host can access  
  • SSH远程
[root@host01 ~]# ssh [email protected]  [email protected]'s password:  Last login: Wed Oct 23 10:47:15 2019  [root@server ~]# logout  Connection to 192.168.100.100 closed.  
[root@host02 ~]# ssh [email protected]  ssh: connect to host 192.168.100.100 port 22: No route to host  
  • ping测试
[root@host01 ~]# ping -c4 192.168.100.100  PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.  From 192.168.100.100 icmp_seq=1 Destination Host Prohibited  From 192.168.100.100 icmp_seq=2 Destination Host Prohibited  From 192.168.100.100 icmp_seq=3 Destination Host Prohibited  From 192.168.100.100 icmp_seq=4 Destination Host Prohibited    --- 192.168.100.100 ping statistics ---  4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3001ms  
[root@host02 ~]# ping -c4 192.168.100.100  PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.  From 192.168.100.100 icmp_seq=1 Destination Host Prohibited  From 192.168.100.100 icmp_seq=2 Destination Host Prohibited  From 192.168.100.100 icmp_seq=3 Destination Host Prohibited  From 192.168.100.100 icmp_seq=4 Destination Host Prohibited    --- 192.168.100.100 ping statistics ---  4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms  

永久配置

  • 设置永久配置

Linux Firewalld 基础介绍

  • 这里配置的是运行时配置,若要更改永久配置需点击选项,首先将Runtime设定为永久配置,然后重载防火墙,直接重载防火墙会丢失运行时的配置。

  • 若是一开始就选择的永久配置,则可以直接重载防火墙使配置生效。

本站所发布的一切资源仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。如果侵犯你的利益,请发送邮箱到 [email protected],我们会很快的为您处理。
超哥软件库 » Linux Firewalld 基础实例