I. Security knowledge system
Security attacks from outside are relatively rare; failures caused internally account for up to 80% of incidents. If security is the priority, performance has to be sacrificed; if performance is the priority, security cannot be fully served.
1. Hardware level
- Hardware level: physical machine security, UPS, keeping the server room at the right temperature, anti-theft measures, etc.
- System level: preventing system intrusion, kernel upgrades (patching), anti-virus, avoiding weak passwords, changing the SSH port
- Site security: DDoS protection (anti-DDoS service), website anti-virus (WAF), anti-injection (WAF), protection against injected malicious scripts (WAF), anti-hijacking (HTTPS)
2. Cloud architecture level
- Network level: do not attach a public IP
- System level: vulnerability and injection protection -> 安骑士 (Anqishi, Aliyun's host-level application intrusion-protection agent)
- Website level
  - Preventing SQL injection -> WAF (Web Application Firewall): matches URLs against rules, filters them, and blocks abnormal traffic
  - Preventing DDoS attacks -> anti-DDoS service
  - HTTPS: prevents page tampering
3. Cloud security vendors
4. Cloud security architecture topology
II. Firewalld
1. Overview
- Concept: Firewalld is a layer-4 firewall; it can only express TCP/UDP rules.
- Zones: firewalld ships several pre-built firewall policy sets (policy templates); the user picks the template that fits the scenario, which makes switching between firewall policies fast.
A network interface can be bound to only one zone, but a zone can be bound to several interfaces. Different rules can also be set according to the source address.
Zone | Default policy
---|---
trusted | Allows all packets in and out
home | Rejects incoming traffic unless it is related to outgoing traffic; allows traffic related to the ssh, mdns, ipp-client, samba-client and dhcpv6-client services
internal | Same as the home zone
work | Rejects incoming traffic unless it is related to outgoing traffic; allows traffic related to the ssh, ipp-client and dhcpv6-client services
public | Rejects incoming traffic unless it is related to outgoing traffic; allows traffic related to the ssh and dhcpv6-client services
external | Rejects incoming traffic unless it is related to outgoing traffic; allows traffic related to the ssh service
dmz | Rejects incoming traffic unless it is related to outgoing traffic; allows traffic related to the ssh service
block | Rejects incoming traffic unless it is related to outgoing traffic
drop | Rejects incoming traffic unless it is related to outgoing traffic
2. Managing Firewalld
- Start the firewalld service
systemctl start firewalld
[root@m01 ~]# systemctl start firewalld.service
- Stop the firewalld service
systemctl stop firewalld
[root@m01 ~]# systemctl stop firewalld.service
- Restart the firewalld service
systemctl restart firewalld
[root@m01 ~]# systemctl restart firewalld.service
- Check the status of the firewalld service
systemctl status firewalld
[root@m01 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2019-08-11 12:25:39 CST; 3s ago
Docs: man:firewalld(1)
Main PID: 21022 (firewalld)
CGroup: /system.slice/firewalld.service
└─21022 /usr/bin/python -Es /usr/sbin/firewalld --nofork -...
Aug 11 12:25:38 m01 systemd[1]: Starting firewalld - dynamic firewal....
Aug 11 12:25:39 m01 systemd[1]: Started firewalld - dynamic firewall....
Hint: Some lines were ellipsized, use -l to show in full.
- Enable the firewalld service at boot
systemctl enable firewalld
[root@m01 ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
- Disable the firewalld service at boot
systemctl disable firewalld
[root@m01 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
3. Firewalld configuration
- Configuration state (parameter)
  - runtime: temporary, takes effect immediately (default)
  - permanent: persistent, takes effect after a restart or reload
Rules added with --permanent are written to the firewalld zone configuration file (/etc/firewalld/zones/public.xml for the public zone)
[root@m01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
[root@m01 ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@m01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="https"/>
</zone>
- firewall-cmd commands
- View the rule details of the firewalld default zone
When firewalld starts, it rejects all incoming traffic by default (except the ssh and dhcpv6-client services) but allows all outgoing traffic
firewall-cmd --list-all
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- View the firewalld default zone
firewall-cmd --get-default-zone
[root@m01 ~]# firewall-cmd --get-default-zone
public
- View the active firewalld zones (no zone is active by default)
firewall-cmd --get-active-zones
[root@m01 ~]# firewall-cmd --get-active-zones
[root@m01 ~]# firewall-cmd --add-interface=eth0 --zone=public
success
[root@m01 ~]# firewall-cmd --add-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
trusted
interfaces: eth1
[root@m01 ~]# systemctl restart firewalld.service
[root@m01 ~]# firewall-cmd --get-active-zones
- View the rule details of a specified firewalld zone
firewall-cmd --zone=ZONE --list-all
[root@m01 ~]# firewall-cmd --add-source=10.0.0.1/32 --zone=trusted
success
[root@m01 ~]# firewall-cmd --zone=trusted --list-all
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- Add a specified source address to a specified firewalld zone
firewall-cmd --add-source=IP_ADDRESS/MASK --zone=ZONE
[root@m01 ~]# firewall-cmd --list-all --zone=trusted
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources: 10.0.0.1/32
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- Add a specified network interface to the default zone
firewall-cmd --add-interface=INTERFACE
[root@m01 ~]# firewall-cmd --add-interface=eth0
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'trusted' (see --get-active-zones)
You most likely need to use --zone=trusted option.
success
[root@m01 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
- Add a specified network interface to a specified zone
firewall-cmd --add-interface=INTERFACE --zone=ZONE
[root@m01 ~]# firewall-cmd --add-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
trusted
interfaces: eth1
- Remove a specified network interface from the default zone
firewall-cmd --remove-interface=INTERFACE
[root@m01 ~]# firewall-cmd --remove-interface=eth0
success
[root@m01 ~]# firewall-cmd --get-active-zones
trusted
interfaces: eth1
- Remove a specified network interface from a specified zone
firewall-cmd --remove-interface=INTERFACE --zone=ZONE
[root@m01 ~]# firewall-cmd --remove-interface=eth1 --zone=trusted
success
[root@m01 ~]# firewall-cmd --get-active-zones
- Reload the firewalld service (runtime-only rules are discarded)
firewall-cmd --reload
[root@m01 ~]# firewall-cmd --get-active-zones
trusted
sources: 10.0.0.1/32
[root@m01 ~]# firewall-cmd --reload
success
[root@m01 ~]# firewall-cmd --get-active-zones
- Allow a port of the specified transport-layer protocol in the firewalld default zone
firewall-cmd --add-port=PORT/TRANSPORT_PROTOCOL
Specify several ports at once with the form {port1,port2,port3}/TRANSPORT_PROTOCOL
Specify a port range with the form START_PORT-END_PORT/TRANSPORT_PROTOCOL
[root@m01 ~]# firewall-cmd --add-port=23/tcp
success
[root@m01 ~]# firewall-cmd --add-port={67,68,80,443,3306}/tcp
success
[root@m01 ~]# firewall-cmd --add-port=8000-8080/tcp
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 23/tcp 67/tcp 68/tcp 80/tcp 443/tcp 3306/tcp 8000-8080/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- Deny (remove) a port of the specified transport-layer protocol in the firewalld default zone
firewall-cmd --remove-port=PORT/TRANSPORT_PROTOCOL
[root@m01 ~]# firewall-cmd --remove-port=23/tcp
success
[root@m01 ~]# firewall-cmd --remove-port={67,68}/tcp
success
[root@m01 ~]# firewall-cmd --remove-port=8000-8080/tcp
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 443/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- Allow a specified service in the firewalld default zone
firewall-cmd --add-service=SERVICE_NAME
[root@m01 ~]# firewall-cmd --add-service=http
success
[root@m01 ~]# firewall-cmd --add-service={ftp,tftp,dhcp}
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client http ftp tftp dhcp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
- Deny (remove) specified services in the firewalld default zone
firewall-cmd --remove-service={SERVICE1,SERVICE2}
[root@m01 ~]# firewall-cmd --remove-service={http,ssh,dhcpv6-client}
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ftp tftp dhcp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
/usr/lib/firewalld/services/ holds the service template files that firewalld services can reference; http.xml, for example:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>   <!-- short name -->
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>   <!-- description -->
  <port protocol="tcp" port="80"/>   <!-- transport-layer protocol and port the service uses -->
</service>
The file name must end in .xml; the file name without the extension is the service name firewall-cmd accepts, and in substance the service is still just the specified port on the specified protocol.
[root@m01 ~]# firewall-cmd --add-service=isakmp
Error: INVALID_SERVICE: isakmp
Step 1: define the custom service
[root@m01 ~]# cp /usr/lib/firewalld/services/http.xml /usr/lib/firewalld/services/isakmp.xml
[root@m01 ~]# vim /usr/lib/firewalld/services/isakmp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPsec VPN (isakmp)</short>
<description>Internet security association and key management protocol
</description>
<port protocol="tcp" port="500"/>
</service>
[root@m01 ~]# firewall-cmd --reload
success
Step 2: verify
[root@m01 ~]# firewall-cmd --add-service=isakmp
success
[root@m01 ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client isakmp
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
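The custom-service step above, as an added example that is not part of the original notes: a small shell helper that generates a firewalld service definition from validated inputs, so a bad port or protocol is caught before the file is installed. It assumes a hypothetical SERVICE_DIR (a temporary directory standing in for /usr/lib/firewalld/services/). ISAKMP actually listens on UDP/500, so the demo uses udp where the session above used tcp.

```shell
#!/bin/sh
# Added example, not part of the original notes: generate a firewalld service
# definition the way step 1 above does, but validate the inputs first so a
# wrong port or protocol is caught before the file lands in
# /usr/lib/firewalld/services/ (this demo writes to a temporary directory).
# Note: ISAKMP really listens on UDP/500, so the demo below uses udp.

SERVICE_DIR="${SERVICE_DIR:-$(mktemp -d)}"   # stand-in for /usr/lib/firewalld/services

# valid_port PORT : accept "N" or "N-M" with 1 <= N <= M <= 65535
valid_port() {
    case "$1" in *[!0-9-]*|''|-*|*-|*-*-*) return 1 ;; esac
    lo="${1%%-*}"; hi="${1##*-}"
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# make_service NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes $SERVICE_DIR/NAME.xml and prints its path; returns 1 on bad input.
make_service() {
    name="$1"; short="$2"; desc="$3"; shift 3
    case "$name" in *[!A-Za-z0-9_-]*|'') echo "bad service name: $name" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    body=""
    for spec in "$@"; do
        port="${spec%/*}"; proto="${spec#*/}"
        case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        valid_port "$port" || { echo "bad port: $spec" >&2; return 1; }
        body="$body  <port protocol=\"$proto\" port=\"$port\"/>
"
    done
    out="$SERVICE_DIR/$name.xml"
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
            "  <short>$short</short>" "  <description>$desc</description>"
        printf '%s' "$body"
        printf '%s\n' '</service>'
    } > "$out"
    echo "$out"
}

# service_ports FILE : print the port/proto pairs a service file opens
service_ports() {
    sed -n 's|.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*|\2/\1|p' "$1"
}

# Demo: the isakmp service from the notes, with the protocol corrected to udp.
f=$(make_service isakmp "IPsec VPN (isakmp)" \
      "Internet security association and key management protocol" 500/udp)
cat "$f"
service_ports "$f"   # prints 500/udp
# Install with: cp "$f" /etc/firewalld/services/ && firewall-cmd --reload
```

Putting site-specific service files under /etc/firewalld/services/ rather than /usr/lib/firewalld/services/ keeps them out of the way of package upgrades.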
4. Firewalld rich rule configuration
Rich rules are matched in order and the first matching rule takes effect, but deny (drop/reject) rules take precedence over accept rules
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept"
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop"
success
[root@aspen ~]# firewall-cmd --list-all
public
......
rich rules:
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop
---------------------------------------------------------------------------------------------------------------------------
[root@m01 ~]# ssh root@172.16.1.201
ssh: connect to host 172.16.1.201 port 22: Connection timed out
- Explanation
Firewalld rich rules express finer-grained, more detailed firewall policy: they can target system services, port numbers, source and destination addresses and many other attributes, and they have the highest execution priority among all firewall policies.
- Manuals
man firewall-cmd             # firewalld help manual
man firewalld.richlanguage   # firewalld rich rule configuration manual
Rich rule syntax (from the manual):
rule [family="ipv4|ipv6"]
    [source] [destination]
    service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
    [log] [audit]
    [accept|reject|drop|mark]
source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
destination [not] address="address[/mask]"
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
icmp-block name="icmptype name"
masquerade
icmp-type name="icmptype name"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
source-port port="port value" protocol="tcp|udp"
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
audit [limit value="rate/duration"]
- Rich rule related options
Add a rich rule to the specified zone
--add-rich-rule='RULE'
Remove a rich rule from the specified zone
--remove-rich-rule='RULE'
Query whether a rich rule exists in the specified zone (returns 0 if the rule is found, 1 if not)
--query-rich-rule='RULE'
List all rich rules of the specified zone
--list-rich-rules
Rule format:
'rule family=ipv4 source address=IP_ADDRESS/MASK port port=PORT protocol=TRANSPORT_PROTOCOL ACTION'
Example
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 port port=32 protocol=tcp accept'
Environment preparation
[root@aspen ~]# systemctl restart firewalld.service
[root@aspen ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Exercise 1: allow host 10.0.0.161 to access the http service, and allow 172.16.1.0/24 to access port 22
Step 1: set the rules
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.161 port port=80 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.161" port port="80" protocol="tcp" accept
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" accept
Step 2: verify
#HTTP
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161
[root@m01 ~]# curl 10.0.0.201
Test_Page Provided by Apach
[root@lb01 ~]# hostname -I
10.0.0.15 10.0.0.13 172.16.1.15
[root@lb01 ~]# curl 10.0.0.201
curl: (7) Failed connect to 10.0.0.201:80; No route to host
#SSH
[root@m01 ~]# ssh 10.0.0.201
ssh: connect to host 10.0.0.201 port 22: No route to host
[root@m01 ~]# ssh 172.16.1.201
root@172.16.1.201's password:
Last login: Sun Aug 11 13:37:13 2019 from 10.0.0.1
[root@aspen ~]#
Exercise 2: the default public zone lets everyone connect through the ssh service, but deny the 172.16.1.0/24 subnet from connecting to the server over ssh
Step 1: set the rules
[root@aspen ~]# firewall-cmd --add-service=ssh
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=22 protocol=tcp drop"
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.1.0/24" port port="22" protocol="tcp" drop
Step 2: verify
[root@m01 ~]# ssh 172.16.1.201
root@172.16.1.201's password:
Last login: Sun Aug 11 13:37:13 2019 from 10.0.0.1
[root@aspen ~]# logout
Connection to 172.16.1.201 closed.
[root@m01 ~]# ssh 172.16.1.201
ssh: connect to host 172.16.1.201 port 22: Connection timed out
Exercise 3: allow everyone to access the http and https services, but only host 10.0.0.1 may access the ssh service
Step 1: set the rules
[root@aspen ~]# firewall-cmd --add-port={80,443}/tcp
success
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 port port=22 protocol=tcp accept"
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1" port port="22" protocol="tcp" accept
Step 2: verify
#HTTP/HTTPS
[root@m01 ~]# curl 10.0.0.201
Test_Page Provided by Apache
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161
[root@lb01 ~]# curl 10.0.0.201
Test_Page Provided by Apache
[root@lb01 ~]# hostname -I
10.0.0.15 10.0.0.13 172.16.1.15
#SSH
[root@m01 ~]# hostname -I
10.0.0.161 172.16.1.161
[root@m01 ~]# ssh root@172.16.201
ssh: connect to host 172.16.201 port 22: Connection refused
[D:\~]$ ipconfig
Windows IP 配置
以太网适配器 VMware Network Adapter VMnet8:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::148f:b2f1:f63a:c878%18
IPv4 地址 . . . . . . . . . . . . : 10.0.0.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
[D:\~]$ ssh root@10.0.0.201
Connecting to 10.0.0.201:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 14:04:58 2019 from 10.0.0.161
[root@aspen ~]#
5. Routing and port forwarding with Firewalld
- Routing + NAT
firewall-cmd --add-masquerade
[root@aspen ~]# firewall-cmd --add-masquerade
success
Enabling firewalld's masquerade (routing) function turns on kernel IP forwarding automatically; disabling it again does not turn kernel forwarding back off
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_use_pmtu = 0
......
[root@aspen ~]# firewall-cmd --add-masquerade
success
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
......
[root@aspen ~]# firewall-cmd --remove-masquerade
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@aspen ~]# sysctl -a | grep net.ipv4.ip_forward
......
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
Verifying the forwarding function
[root@aspen ~]# firewall-cmd --add-masquerade
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@lb01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=no
IPADDR=10.0.0.15
PREFIX=24
#GATEWAY=10.0.0.254
DNS1=10.0.0.254
[root@lb01 ~]# systemctl restart network
[root@lb01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:0c:29:81:e4:ae brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:81:e4:b8 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.15/24 brd 172.16.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe81:e4b8/64 scope link
valid_lft forever preferred_lft forever
[root@lb01 ~]# ping baidu.com
ping: baidu.com: Name or service not known
[root@lb01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.15
PREFIX=24
GATEWAY=172.16.1.201
DNS1=223.5.5.5
[root@lb01 ~]# systemctl restart network
[root@lb01 ~]# ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=127 time=12.4 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=127 time=13.7 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=3 ttl=127 time=13.5 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=4 ttl=127 time=18.3 ms
^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 12.440/14.522/18.334/2.257 ms
- Port forwarding between machines
firewall-cmd --add-masquerade   # enable routing/forwarding
firewall-cmd --add-rich-rule="rule family=ipv4 source address=SOURCE_ADDRESS forward-port port=REQUEST_PORT protocol=TRANSPORT_PROTOCOL to-port=TARGET_PORT to-addr=TARGET_ADDRESS"   # port forwarding
Exercise 1: forward requests from host 10.0.0.1 to the server's port 5555 on to port 22 of the back-end server 172.16.1.161
[root@aspen ~]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 forward-port port=5555 protocol=tcp to-port=22 to-addr=172.16.1.161"
success
[root@aspen ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.161"
Result verification
[D:\~]$ ipconfig
Windows IP 配置
以太网适配器 VMware Network Adapter VMnet8:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::148f:b2f1:f63a:c878%18
IPv4 地址 . . . . . . . . . . . . : 10.0.0.1
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . :
[D:\~]$ ssh root@10.0.0.201 5555
Connecting to 10.0.0.201:5555...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 15:27:09 2019 from 10.0.0.1
[root@m01 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
......
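The rich rules of exercises 1 to 3 and the forward-port rule above, as an added example that is not part of the original notes: a shell helper that builds the rule strings from validated parameters (source CIDR, port, protocol, action) and emits the firewall-cmd calls with deny rules first. It assumes a hypothetical DRY_RUN switch (default 1, print only) so it runs on a host without firewalld.

```shell
#!/bin/sh
# Added example, not part of the original notes: build firewalld rich rules from
# validated parameters instead of hand-typing the quoted strings, covering the
# accept/drop rules of exercises 1-3 above and the forward-port rule of the
# port-forwarding exercise.  By default it only prints the firewall-cmd calls it
# would make (DRY_RUN=1) so it runs on a host without firewalld; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

# valid_cidr ADDR[/PREFIX] : four octets 0-255, optional prefix 0-32
valid_cidr() {
    addr="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32                  # no "/" given: host address
    case "$pfx" in *[!0-9]*|'') return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|'') return 1 ;; esac
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|'') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# valid_port PORT : a single port 1-65535
valid_port() { case "$1" in *[!0-9]*|'') return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# rich_rule SOURCE PORT PROTO ACTION : print an IPv4 rich rule or fail
rich_rule() {
    valid_cidr "$1" || { echo "bad source address: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    case "$4" in accept|drop|reject) ;; *) echo "bad action: $4" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' "$1" "$2" "$3" "$4"
}

# forward_rule SOURCE PORT PROTO TO_PORT TO_ADDR : DNAT rule (needs --add-masquerade)
forward_rule() {
    valid_cidr "$1" && valid_port "$2" && valid_port "$4" && valid_cidr "$5" \
        || { echo "bad forward spec: $*" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

run_cmd() {   # run_cmd ZONE RULE
    if [ "$DRY_RUN" = 1 ]; then printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$1" "$2"
    else firewall-cmd --zone="$1" --add-rich-rule="$2"; fi
}

# apply_rules ZONE RULE... : add deny rules first, then the rest.  firewalld
# evaluates drop/reject rich rules before accept ones whatever order they were
# added in, which is why the drop in exercise 2 beats the open ssh service.
apply_rules() {
    zone="$1"; shift
    for r in "$@"; do case "$r" in *" drop"|*" reject") run_cmd "$zone" "$r" ;; esac; done
    for r in "$@"; do case "$r" in *" drop"|*" reject") ;; *) run_cmd "$zone" "$r" ;; esac; done
}

# Demo: exercise 2 (ssh open to all, 172.16.1.0/24 dropped) plus the 5555 -> 22 forward.
apply_rules public \
    "$(rich_rule 0.0.0.0/0 22 tcp accept)" \
    "$(rich_rule 172.16.1.0/24 22 tcp drop)" \
    "$(forward_rule 10.0.0.1 5555 tcp 22 172.16.1.161)"
```

Add --permanent to the printed calls (and run firewall-cmd --reload) if the rules must survive a restart, as section 3 describes.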
- Kernel parameters related to IP routing
0 means off, 1 means on
- net.ipv4.ip_forward: kernel IP forwarding
- net.ipv4.icmp_echo_ignore_all: kernel response to ICMP echo requests (0 means respond, 1 means ignore)
Related commands
sysctl       # view or set kernel parameters
-a           # list all kernel variables
-p           # apply the kernel parameters from the configuration file and print the ones that take effect
Configuration file: /etc/sysctl.conf
[root@aspen ~]# vim /etc/sysctl.conf
......
#net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_all=1
[root@aspen ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
[D:\~]$ ping 10.0.0.201
正在 Ping 10.0.0.201 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
10.0.0.201 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),
[D:\~]$ ssh root@10.0.0.201
Connecting to 10.0.0.201:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Aug 11 15:22:58 2019 from 10.0.0.1
[root@aspen ~]#
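The leftover described in section 5 (firewall-cmd --remove-masquerade leaves net.ipv4.ip_forward=1) together with the sysctl parameters above, as an added example that is not part of the original notes: a shell check that compares the zones' masquerade state with the kernel's forwarding flag. It takes the text of firewall-cmd --list-all-zones and sysctl -a as arguments; the sample inputs are constructed from the outputs shown in the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: detect the leftover shown
# above, where firewall-cmd --remove-masquerade leaves net.ipv4.ip_forward=1
# so the host keeps routing between its interfaces although no zone
# masquerades any more.  Inputs are the text of `firewall-cmd --list-all-zones`
# and `sysctl -a`; the samples below are constructed from the outputs in the notes.

# masq_zones LISTALL : names of zones whose block says "masquerade: yes"
masq_zones() {
    printf '%s\n' "$1" | awk '
        NF && $1 != "rule" && !/:/ { zone = $1 }   # "public (active)" style zone header
        /masquerade: yes/          { print zone }'
}

# sysctl_value DUMP KEY : value of KEY in `sysctl -a` output ("key = value")
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3 }'
}

# forwarding_state LISTALL DUMP : consistent-on | consistent-off |
#   leftover-forwarding (kernel forwards, nothing masquerades) |
#   masquerade-without-forward (firewalld normally enables forwarding itself)
forwarding_state() {
    masq=$(masq_zones "$1"); fwd=$(sysctl_value "$2" net.ipv4.ip_forward)
    if [ -n "$masq" ] && [ "$fwd" = 1 ]; then echo consistent-on
    elif [ -z "$masq" ] && [ "$fwd" = 0 ]; then echo consistent-off
    elif [ -z "$masq" ]; then echo leftover-forwarding
    else echo masquerade-without-forward
    fi
}

# Constructed samples (real output indents the fields under each zone name).
ZONES_MASQ='public (active)
  target: default
  interfaces: eth0
  masquerade: yes
  rich rules:
    rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.161"

trusted
  target: ACCEPT
  masquerade: no
'
ZONES_NOMASQ=$(printf '%s\n' "$ZONES_MASQ" | sed 's/masquerade: yes/masquerade: no/')
SYSCTL_FWD='net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.icmp_echo_ignore_all = 0'
SYSCTL_NOFWD=$(printf '%s\n' "$SYSCTL_FWD" | sed 's/ip_forward = 1/ip_forward = 0/')

# Demo: the sequence from the notes, masquerade enabled and then removed again.
forwarding_state "$ZONES_MASQ"   "$SYSCTL_FWD"     # consistent-on
forwarding_state "$ZONES_NOMASQ" "$SYSCTL_FWD"     # leftover-forwarding
forwarding_state "$ZONES_NOMASQ" "$SYSCTL_NOFWD"   # consistent-off
```

On a live host, feed it `"$(firewall-cmd --list-all-zones)"` and `"$(sysctl -a 2>/dev/null)"`; leftover-forwarding is cleared with `sysctl -w net.ipv4.ip_forward=0`.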