Chapter 7: the firewall
Topics covered in this section:
7.1 Introduction to TCP Wrappers and its practical use
7.2 Introduction to the firewalld firewall
7.3 Practical use of the firewalld firewall
Lab environment:
Server: server IP 192.168.26.82
Client: client IP 192.168.26.80
Internal network: server IP 10.0.0.81
Main text:
7.1 Introduction to TCP Wrappers and its practical use
7.1.1 Introduction to TCP Wrappers
Overview of TCP Wrappers:
1) Components: two control files, (1) /etc/hosts.allow and (2) /etc/hosts.deny
2) Function: access control for specific services
The main line format is:
service name : IP address/netmask  (the mask is written as /255.255.255.0; it cannot be written as /24)
For example: sshd : 192.168.26.0/255.255.255.0
sshd : ALL
Matching rules:
/etc/hosts.allow has the higher priority: if a rule there matches, access is granted.
If no hosts.allow rule matches, hosts.deny is checked; if a rule there matches, access is refused.
If neither file has a matching rule, access is granted.
Worked example:
Requirement: only 192.168.26.80 may connect to the server 192.168.26.82 over ssh
[root@node-12 ~]# tail -1 /etc/hosts.allow
sshd : 192.168.26.80/255.255.255.255
[root@node-12 ~]# tail -1 /etc/hosts.deny
sshd : ALL
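The three matching rules above, as an added Python example (not part of the original notes) that evaluates constructed copies of the two files for a few requests; it models only the ALL, single-address and net/mask forms shown in the notes, not the full hosts_access(5) syntax.

```python
import ipaddress

# Only programs linked against libwrap (sshd on CentOS 7 is one) consult these files.
# Constructed copies of the two control files from the worked example above
# (server 192.168.26.82; only the lab client 192.168.26.80 may use sshd).
HOSTS_ALLOW = "sshd : 192.168.26.80/255.255.255.255\n"
HOSTS_DENY = "sshd : ALL\n"


def parse_rules(text):
    """Yield (service, client_pattern) pairs from hosts.allow/hosts.deny text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        services, clients = line.split(":", 1)
        for svc in services.split(","):
            for pat in clients.split(","):
                yield svc.strip(), pat.strip()


def client_matches(pattern, ip):
    """ALL, a single address, or net/mask. IPv4 masks must be dotted (not /24),
    as the notes stress, so a bare prefix length is rejected here as well."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if addr.version == 4 and "." not in mask:
            raise ValueError(f"IPv4 mask must be dotted, got /{mask}")
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == ipaddress.ip_address(pattern)


def decide(service, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in the order hosts_access(5) uses:
    hosts.allow first, then hosts.deny, and allow when neither matches."""
    def hit(text):
        return any(s == service and client_matches(p, ip) for s, p in parse_rules(text))
    if hit(allow_text):
        return "allow"
    if hit(deny_text):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for svc, ip in [("sshd", "192.168.26.80"), ("sshd", "192.168.26.81"),
                    ("vsftpd", "192.168.26.81")]:
        print(f"{svc:7s} from {ip}: {decide(svc, ip)}")
```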
7.2 Introduction to the firewalld firewall
7.2.1 firewalld as the system firewall
In the CentOS 6 era the firewall was iptables; with CentOS 7 and CentOS 8 the default system firewall became firewalld. Times move on, and our knowledge should keep up with them.
Start the system firewall and enable it at boot:
[root@node-12 ~]# systemctl start firewalld && systemctl enable firewalld
Check the firewall status:
[root@node-12 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-07-07 21:26:43 CST; 29s ago
     Docs: man:firewalld(1)
7.2.2 firewalld zones
Zone: a named set of default rules; an interface assigned to a zone is filtered by that zone's rules.
List the available zones:
[root@node-12 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
The important zones are public, trusted and block:
public: the default zone, and the one most commonly used in production
trusted: trusted zone, all packets are accepted
block: black-hole zone, no packets are allowed through
Show and set the default zone:
[root@node-12 ~]# firewall-cmd --get-default-zone
[root@node-12 ~]# firewall-cmd --set-default-zone=public
success
Interfaces and zones:
An interface that is not assigned to a specific zone is treated as belonging to the default zone.
An interface can belong to only one zone.
An interface is filtered by the rules of the zone it belongs to.
Query: [root@node-12 ~]# firewall-cmd --get-zone-of-interface=eth1
no zone
Note: eth1 has no explicit zone, so it belongs to the default zone.
[root@node-12 ~]# firewall-cmd --change-interface=eth1 --zone=home && firewall-cmd --get-zone-of-interface=eth1
home
Now remove eth1 from the home zone:
Remove: [root@node-12 ~]# firewall-cmd --remove-interface=eth1 --zone=home
success
Change: [root@node-12 ~]# firewall-cmd --change-interface=eth0 --zone=public
success
Note: this changes the zone eth0 belongs to.
[root@node-12 ~]# firewall-cmd --get-zone-of-interface=eth0
public
Add: [root@node-12 ~]# firewall-cmd --add-interface=eth1 --zone=trusted
success
7.3 Practical use of the firewalld firewall
The following practical cases give a short walk-through of firewalld configuration.
7.3.1 Filtering services with firewalld
1) Check which services firewalld currently allows through
[root@node-12 ~]# firewall-cmd --get-default-zone
public
-- first check the default zone
[root@node-12 ~]# firewall-cmd --list-services
dhcpv6-client ssh
-- then list the services allowed in the default zone
Case 1: allow access to the web service
Is the web service called httpd or http in the firewall rules?
[root@node-12 ~]# firewall-cmd --get-services | grep http
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp open*** ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
-- the whole list is printed on one line, so grep returns all of it; http and https are both in it
Or:
[root@node-12 ~]# firewall-cmd --query-service=h    -- press Tab here and the completions appear
high-availability http https
So the name to use is http:
Add:
[root@node-12 ~]# firewall-cmd --add-service=http && firewall-cmd --add-service=http --permanent
[root@node-12 ~]# firewall-cmd --add-service=https && firewall-cmd --add-service=https --permanent
For a rule to survive a reload or reboot, --permanent must be appended (a --permanent change only reaches the running firewall after --reload, which is why both forms are run here):
[root@node-12 ~]# firewall-cmd --reload
success
[root@node-12 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http https
Remove:
[root@node-12 ~]# firewall-cmd --remove-service=http && firewall-cmd --remove-service=http --permanent
success
Query:
[root@node-12 ~]# firewall-cmd --query-service=http
no
"no" means the firewall does not allow the service through; "yes" means it does.
7.3.2 Filtering specific ports with firewalld
Case 2: controlling port 8080 used by phpMyAdmin
Query: [root@node-12 ~]# firewall-cmd --query-port=8080/tcp
no
"no" means the firewall does not allow the port through; "yes" means it does.
Add: [root@node-12 ~]# firewall-cmd --add-port=8080/tcp
success
[root@node-12 ~]# firewall-cmd --add-port=8080/tcp --permanent
success
Remove: [root@node-12 ~]# firewall-cmd --remove-port=8080/tcp --permanent
success
7.3.3 Filtering ICMP with firewalld
Controlling ICMP is what we usually mean by filtering ping.
ping is allowed by default. First list the ICMP types firewalld knows about:
[root@node-12 ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
The sheer number of types is bewildering at first sight; in practice the rules below are all it takes to block ping.
Case 3: block ping
[root@node-10 ~]# ping 192.168.26.82
PING 192.168.26.82 (192.168.26.82) 56(84) bytes of data.
64 bytes from 192.168.26.82: icmp_seq=1 ttl=64 time=0.263 ms
64 bytes from 192.168.26.82: icmp_seq=2 ttl=64 time=0.291 ms
The test shows the server currently answers ping.
Add a rule that blocks ping:
Method 1:
[root@node-12 ~]# firewall-cmd --add-icmp-block=echo-reply && firewall-cmd --add-icmp-block=echo-reply --permanent
success
Testing again, ping no longer gets through:
[root@node-10 ~]# ping 192.168.26.82
PING 192.168.26.82 (192.168.26.82) 56(84) bytes of data.
From 192.168.26.82 icmp_seq=1 Destination Host Prohibited
From 192.168.26.82 icmp_seq=2 Destination Host Prohibited
Method 2:
[root@node12 ~]# firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
[root@node12 ~]# firewall-cmd --add-rich-rule='rule protocol value=icmp drop'
[root@node12 ~]# firewall-cmd --complete-reload
Method 3 (a kernel setting, independent of firewalld):
[root@node12 ~]# echo 'net.ipv4.icmp_echo_ignore_all = 1' >> /etc/sysctl.conf
[root@node12 ~]# sysctl -p
7.3.4 NAT and port forwarding with firewalld
7.3.4.1 NAT with firewalld
firewalld can perform NAT so that hosts behind it reach the Internet through it, which is exactly the job an everyday home router does.
[root@node-12 ~]# ip addr |grep eth
2: eth0:
link/ether 00:0c:29:15:8f:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.26.82/24 brd 192.168.26.255 scope global eth0
3: eth1:
link/ether 00:0c:29:15:8f:55 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
Here eth0 is the external interface and eth1 the internal one.
IP address of the internal server:
[root@node-11 ~]# ip addr |grep eth
2: eth0:
link/ether 00:0c:29:d3:a4:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.81/24 brd 10.0.0.255 scope global eth0
[root@node-11 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 |grep GATEWAY
GATEWAY=10.0.0.1
Enable IP forwarding in the kernel:
[root@node-12 ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
[root@node-12 ~]# sysctl -p
net.ipv4.ip_forward = 1
Enable masquerading in the firewall:
[root@node-12 ~]# firewall-cmd --add-masquerade && firewall-cmd --add-masquerade --permanent
success
To remove masquerading again:
[root@node-12 ~]# firewall-cmd --remove-masquerade && firewall-cmd --remove-masquerade --permanent
With masquerading on, the internal node can reach the outside network:
[root@node-11 ~]# ping -c 3 www.baidu.com
PING www.a.shifen.com (61.135.169.121) 56(84) bytes of data.
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=1 ttl=127 time=17.3 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=2 ttl=127 time=16.7 ms
64 bytes from 61.135.169.121 (61.135.169.121): icmp_seq=3 ttl=127 time=17.7 ms
7.3.4.2 Port forwarding with firewalld
Use firewalld port forwarding so that the external host 192.168.26.80 can reach the internal web server 10.0.0.81.
[root@node-10 ~]# ip addr |grep eth
2: eth0:
link/ether 00:0c:29:71:22:a6 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.80/24 brd 192.168.26.255 scope global eth0
1) Enable IP forwarding in the kernel
[root@node-12 ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
[root@node-12 ~]# sysctl -p
net.ipv4.ip_forward = 1
2) Enable port forwarding in the firewall
[root@node-12 ~]# firewall-cmd --add-forward-port='port=80:proto=tcp:toport=80:toaddr=10.0.0.81'
success
[root@node-12 ~]# firewall-cmd --add-forward-port='port=80:proto=tcp:toport=80:toaddr=10.0.0.81' --permanent
success
3) Test from the external host 192.168.26.80
[root@node-10 ~]# curl http://10.0.0.81
curl: (7) Failed connect to 10.0.0.81:80; Connection refused
Note: the internal web site cannot be reached directly.
[root@node-10 ~]# curl http://192.168.26.82
this is 10.0.0.81
-- port forwarding works and the site is reachable through the gateway
7.3.5 firewalld rich rules (key topic)
Rich rules are the key and most difficult part of learning firewalld, and a mandatory RHCE exam topic. The following cases illustrate their main uses.
[root@node12 ~]# man firewalld.richlanguage
Then search for the keyword '/Example' to find several examples; they are very useful.
Example 1
Enable new IPv4 and IPv6 connections for protocol 'ah'
Explanation: both IPv4 and IPv6 connections for protocol 'ah' are accepted.
Rule: rule protocol value="ah" accept
Our case: firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
Example 2
Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit
Explanation: IPv4 and IPv6 connections to the ftp service are accepted and logged through audit at most once per minute.
Rule: rule service name="ftp" log limit value="1/m" audit accept
Our case: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 service name=http accept'
-- allow access to the server's http service
Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minutes using syslog
Explanation: hosts in the 192.168.0.0/24 network may access the tftp service, logged to syslog once per minute.
Rule: rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
Our case: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.26.0/24 service name=http accept'
-- allow hosts in 192.168.26.0/24 to access the server's http service
Example 4 (similar to the previous one, skipped)
New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted.
Rule: rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
Example 5
Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
Explanation: TCP traffic arriving on port 4011 from the IPv6 source 1:2:3:4:6:: is forwarded to port 4012 on 1::2:3:4:7.
Rule: rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
Our case: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="192.168.26.80" forward-port to-addr="10.0.0.81" to-port="80" protocol="tcp" port="80"'
-- forward TCP port 80 connections from the client 192.168.26.80 that arrive at 192.168.26.82 to port 80 on the backend 10.0.0.81 (source address in a rich rule is the client's address, so the server's own 192.168.26.82 would match nothing)
Example 6
White-list source address to allow all connections from 192.168.2.2
Explanation: all connections from the white-listed source address 192.168.2.2 are accepted.
Rule: rule family="ipv4" source address="192.168.2.2" accept
Our case: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="192.168.26.80" service name=ssh accept'
-- SSH from the white-listed source address 192.168.26.80 is accepted
Example 7
Black-list source address to reject all connections from 192.168.2.3
Explanation: all connections from the black-listed source address 192.168.2.3 are rejected, and the sender receives an ICMP admin-prohibited reply.
Rule: rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"
Our case: firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="192.168.26.83" service name=ssh reject'
-- SSH from the black-listed source address 192.168.26.83 is rejected
Example 8 (similar to the previous one, skipped)
Black-list source address to drop all connections from 192.168.2.4
rule family="ipv4" source address="192.168.2.4" drop
Real examples from day-to-day work (a rich accept rule only adds a permit for that source; it means "only" when the same service or port is not also opened zone-wide, for example through --add-service=http as in 7.3.1):
1. Only allow 192.168.26.1 to access the httpd service on 192.168.26.82
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.1 service name=http accept'
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.1 service name=http accept' --permanent
# firewall-cmd --reload
2. Only allow 192.168.26.1 to reach sshd on 192.168.26.82 after it has been moved to port 2222
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.1 port port=2222 protocol=tcp accept'
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.1 port port=2222 protocol=tcp accept' --permanent
# firewall-cmd --reload
3. Only allow 10.0.0.81 to reach the public network through NAT
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.0.0.81 masquerade'
# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.0.0.81 masquerade' --permanent
# firewall-cmd --reload
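A pre-flight check for rich-rule strings, added here as an example that is not part of the original notes and not firewalld code: it catches the slips seen in the work examples above (a misspelt action, typographic quotes, --permanent glued to the closing quote) before a rule is committed with --permanent. The keyword sets are a hand-written summary of firewalld.richlanguage(5), not firewalld's own parser.

```python
import re

ACTIONS = {"accept", "reject", "drop", "mark"}
# These elements carry their own action, so a trailing accept/drop is an error.
NO_ACTION_ELEMENTS = {"forward-port", "masquerade", "icmp-block"}
ELEMENTS = {"service", "port", "protocol", "icmp-type", "source-port"} | NO_ACTION_ELEMENTS
KNOWN = {"rule", "family", "source", "destination", "address", "mac", "ipset", "NOT",
         "invert", "name", "value", "type", "set", "to-addr", "to-port", "log",
         "audit", "prefix", "level", "limit", "priority"} | ELEMENTS | ACTIONS
# A keyword, optionally followed by =value where the value may be quoted.
TOKEN = re.compile(r'''([\w-]+)(?:=("[^"]*"|'[^']*'|\S+))?''')


def lint_rich_rule(rule):
    """Return a list of problems found in one rich-rule string ([] = looks fine)."""
    problems = []
    if re.search("[\u2018\u2019\u201c\u201d]", rule):
        problems.append("typographic quotes: the shell does not treat them as quoting")
    if "--permanent" in rule:
        problems.append("'--permanent' is inside the rule string (missing space before it?)")
    words = [w for w, _ in TOKEN.findall(rule) if not w.startswith("-")]
    if not words or words[0] != "rule":
        problems.append("a rich rule must start with the keyword 'rule'")
        return problems
    for w in words:
        if w not in KNOWN:
            problems.append(f"unknown keyword {w!r} (typo for accept/reject/drop?)")
    element = next((w for w in words if w in ELEMENTS), None)
    actions = [w for w in words if w in ACTIONS]
    if element in NO_ACTION_ELEMENTS and actions:
        problems.append(f"'{element}' rules carry their own action; remove {actions[0]!r}")
    elif element not in NO_ACTION_ELEMENTS and not actions:
        problems.append("no action given (accept, reject, drop or mark)")
    return problems


if __name__ == "__main__":
    # Constructed inputs: slips from the work examples above and a corrected form.
    for r in ["rule family=ipv4 source address=192.168.26.1 service name=http accecpt",
              "rule family=ipv4 source address=192.168.26.1 service name=http accept",
              "\u2018rule family=ipv4 source address=10.0.0.81 masquerade\u2019--permanent"]:
        print(r, "->", lint_rich_rule(r) or "ok")
```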
These are my notes on firewalld from studying for the RHCE with teacher Lao Duan, together with a summary from daily work; I hope they are of help to everyone.