CentOS 7 firewall (beginner notes on forwarding and access control)

Whether a port is opened under services, ports, forward-ports or rich rules, once it is open that port is serving traffic to the outside.

1. Adding permanently effective rules (--permanent)
1) Syntax:
Allow:  firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.104 port port=9100 protocol=tcp accept'
Deny:   firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.104 port port=9100 protocol=tcp reject'
Remove: firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.0.104 port port=9100 protocol=tcp accept'
(The rule text given to --remove-rich-rule has to be the same rule text that was added.)

Note: a forward-port rich rule cannot also carry accept or reject; forward-port is itself the action, so firewalld rejects the combination:
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 forward-port port=9900 protocol=tcp to-port=80 to-addr=47.89.33.211 accept'
Error: INVALID_RULE: forward-port and action

2) A rule added with --permanent is written to /etc/firewalld/zones/*.xml (the file of the zone concerned); a rule added without --permanent lives only in the running configuration and is lost at the next reload.
3) A permanent rule takes effect only after the firewall is reloaded:
firewall-cmd --reload

2. IP and port forwarding
1) Forwarding to another machine needs two things:
A. Enable IP masquerading (the forwarded packets leave with this host's address as source, so the replies come back through this host). Add it with --permanent as well, otherwise it disappears at the next reload:
firewall-cmd --add-masquerade
B. Add the forward rule. The syntax, as in man firewall-cmd, is:
firewall-cmd [--zone=<zone>] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol> { :toport=<portid>[-<portid>] | :toaddr=<address> | :toport=<portid>[-<portid>]:toaddr=<address> }
firewall-cmd --permanent --zone=public --add-forward-port=port=81:proto=tcp:toaddr=192.168.0.105:toport=80
# Forward packets that arrive on this host's port 81 to port 80 of 192.168.0.105 (a different machine)
Forwarding to another host also needs IP forwarding in the kernel; after the reload, check that sysctl net.ipv4.ip_forward reports 1.
2) Forwarding between ports on the same machine needs only one thing:
A. Add the forward rule (no masquerade, and no toaddr):
firewall-cmd --permanent --zone=public --add-forward-port=port=81:proto=tcp:toport=80
Note: when the target is this host, leave toaddr out. Writing the host's own address makes the forward fail, and 127.0.0.1 in particular never works here: the kernel will not deliver a packet DNATed to a loopback address that came in on an external interface unless net.ipv4.conf.<iface>.route_localnet is enabled.

3. Reading the firewall rules
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=9100:proto=tcp:toport=80:toaddr=47.89.33.212
        port=9400:proto=tcp:toport=80:toaddr=192.168.0.106
        port=9600:proto=tcp:toport=80:toaddr=
        port=9700:proto=tcp:toport=80:toaddr=127.0.0.1
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.104" forward-port port="9300" protocol="tcp" to-port="80" to-addr="192.168.0.105"
        rule family="ipv4" source address="192.168.0.104" forward-port port="9500" protocol="tcp" to-port="80" to-addr="192.168.0.106"
        rule family="ipv4" source address="192.168.0.0/24" forward-port port="9800" protocol="tcp" to-port="80" to-addr="47.89.33.212"
(Without --permanent, --list-all shows the running configuration; add --permanent to see what is saved in the zone file.)
Note: whether a port is opened under services, ports, forward-ports or rich rules, once it is open it is reachable by every host that can reach this zone. The four entries under forward-ports carry no source restriction, so the backends 47.89.33.212 and 192.168.0.106 are exposed through ens33 to anyone; the rich rules, by contrast, limit ports 9300, 9500 and 9800 to the listed source addresses. Scope a forward to the sources that need it, or it is a public door to the backend.
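To make the point of this note checkable rather than a matter of reading the listing by eye, here is an added audit script (this editor's example, not code from the original post or from firewalld). It parses `firewall-cmd --list-all` text from stdin and prints one line per entry: EXPOSED for anything reachable from any source, SCOPED for rich rules limited by `source address=`, BLOCK for reject/drop rich rules, NOTE for masquerade. The function names fw_audit and sample_list_all are this example's own, and the sample output is a constructed copy of the listing above.

```shell
#!/bin/sh
# fw_audit: classify firewall-cmd --list-all output by exposure (hypothetical helper).
# Reads the listing on stdin, writes "STATUS<TAB>KIND<TAB>ITEM" lines on stdout.
fw_audit() {
    awk '
    function emit(status, kind, item) { printf "%s\t%s\t%s\n", status, kind, item }
    # Turn "port=9100:proto=tcp:toport=80:toaddr=47.89.33.212" into "9100/tcp -> 47.89.33.212:80";
    # an empty toaddr is a redirect to a port on this host.
    function fwd_desc(entry,   n, i, kv, k, v, port, proto, toport, toaddr) {
        n = split(entry, kv, ":")
        for (i = 1; i <= n; i++) {
            k = kv[i]; sub(/=.*/, "", k)
            v = kv[i]; sub(/^[^=]*=/, "", v)
            if (k == "port") port = v
            else if (k == "proto") proto = v
            else if (k == "toport") toport = v
            else if (k == "toaddr") toaddr = v
        }
        return port "/" proto " -> " (toaddr == "" ? "local" : toaddr) ":" toport
    }
    # A "key: value" line starts a section; key is remembered for the indented
    # continuation lines that follow (forward-ports and rich rules span several lines).
    /^[[:space:]]*[a-z][a-z -]*:/ {
        key = $0; sub(/^[[:space:]]*/, "", key); sub(/:.*/, "", key)
        val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)
    }
    !/^[[:space:]]*[a-z][a-z -]*:/ {
        val = $0; sub(/^[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
    }
    val == "" { next }
    key == "masquerade" && val == "yes" {
        emit("NOTE", "masquerade", "on: forwarded packets leave with the source address of this host"); next
    }
    # services, ports and protocols in a zone are open to every host the zone faces.
    key == "services" || key == "ports" || key == "protocols" {
        n = split(val, w, " "); for (i = 1; i <= n; i++) emit("EXPOSED", key, w[i]); next
    }
    # Plain forward-ports have no source filter at all.
    key == "forward-ports" { emit("EXPOSED", "forward-port", fwd_desc(val)); next }
    # Rich rules are scoped only when they name a source address.
    key == "rich rules" {
        if (val ~ /(reject|drop)([[:space:]]|$)/) emit("BLOCK", "rich-rule", val)
        else if (val ~ /source address=/) emit("SCOPED", "rich-rule", val)
        else emit("EXPOSED", "rich-rule", val)
        next
    }
    '
}

# Constructed sample: a copy of the listing in this section, used for offline runs.
sample_list_all() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=9100:proto=tcp:toport=80:toaddr=47.89.33.212
        port=9400:proto=tcp:toport=80:toaddr=192.168.0.106
        port=9600:proto=tcp:toport=80:toaddr=
        port=9700:proto=tcp:toport=80:toaddr=127.0.0.1
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.104" forward-port port="9300" protocol="tcp" to-port="80" to-addr="192.168.0.105"
        rule family="ipv4" source address="192.168.0.104" forward-port port="9500" protocol="tcp" to-port="80" to-addr="192.168.0.106"
        rule family="ipv4" source address="192.168.0.0/24" forward-port port="9800" protocol="tcp" to-port="80" to-addr="47.89.33.212"
EOF
}

# Usage on a live host: firewall-cmd --list-all | fw_audit
# Offline, against the constructed sample: sample_list_all | fw_audit
```

On the sample this reports six EXPOSED entries (ssh, dhcpv6-client and the four unscoped forward-ports) and three SCOPED rich rules, which is exactly the distinction the note above draws. Run it against `firewall-cmd --list-all --permanent` as well, since a runtime-only rule can differ from what survives a reload.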

4. Forwarding packets from an address range to a port on one server (rich rule)
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" forward-port port="9900" protocol="tcp" to-port="80" to-addr="47.89.33.211"'
(Without --permanent this is a runtime rule and is gone after the next reload.)
Question: is this forwarding plain routing or something else?
It is NAT. firewalld implements forward-port as a DNAT that rewrites the destination to to-addr:to-port, and with masquerade enabled the source address is rewritten to this host's as well, so the backend sees the firewall's address instead of the client's and its replies return through the firewall.
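Putting sections 2 and 4 together, here is an added helper script (this editor's example, not code from the original post or from firewalld) that applies one forward correctly: it refuses a loopback to-addr, switches on masquerade only when the target is another host, emits the source-scoped rich-rule form when a source range is given and the plain --add-forward-port form otherwise, and reloads so the permanent rule becomes active. The name fw_forward and the FIREWALL_CMD and ZONE variables are this example's own; setting FIREWALL_CMD to "echo firewall-cmd" prints the commands instead of running them, which is how it can be tried on a machine without firewalld.

```shell
#!/bin/sh
# fw_forward: apply a firewalld port forward with the checks from sections 2 and 4.
# Hypothetical helper; FIREWALL_CMD="echo firewall-cmd" turns it into a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# fw_forward PORT PROTO TOPORT [TOADDR] [SOURCE_CIDR]
#   TOADDR empty      -> redirect to a port on this host (no masquerade needed)
#   TOADDR remote     -> DNAT to another host; masquerade is switched on as well
#   SOURCE_CIDR given -> rich rule, so only that source range can use the forward
fw_forward() {
    port=$1; proto=$2; toport=$3; toaddr=${4:-}; src=${5:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # A loopback to-addr never works from an external interface; for a local
    # port the correct form is simply to leave to-addr out.
    case "$toaddr" in
        127.*) echo "to-addr $toaddr is loopback; omit to-addr to forward to a local port" >&2; return 1 ;;
    esac

    if [ -n "$toaddr" ]; then
        # Forwarding to another host: replies must come back through this host,
        # so masquerade the forwarded packets (permanently, to survive reloads).
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-masquerade
        if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
            echo "warning: net.ipv4.ip_forward is 0; if it is still 0 after the reload, enable it with sysctl" >&2
        fi
    fi

    if [ -n "$src" ]; then
        # Scoped forward: the rich-rule form carries the source address filter.
        rule="rule family=\"ipv4\" source address=\"$src\" forward-port port=\"$port\" protocol=\"$proto\" to-port=\"$toport\""
        if [ -n "$toaddr" ]; then rule="$rule to-addr=\"$toaddr\""; fi
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-rich-rule="$rule"
    else
        # Unscoped forward: reachable from every host the zone faces.
        spec="port=$port:proto=$proto:toport=$toport"
        if [ -n "$toaddr" ]; then spec="$spec:toaddr=$toaddr"; fi
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-forward-port="$spec"
    fi

    # Permanent rules sit in /etc/firewalld/zones/$ZONE.xml until a reload activates them.
    $FIREWALL_CMD --reload
}

# Run directly: sh fw_forward.sh 9900 tcp 80 47.89.33.211 192.168.0.0/24
if [ "$#" -gt 0 ]; then fw_forward "$@"; fi
```

With the five arguments above it produces the permanent equivalent of the rich rule in section 4; with only `81 tcp 80` it produces the same-host redirect from section 2 and skips masquerade; `81 tcp 80 192.168.0.105` produces the other-host forward plus masquerade. Anything without a fifth argument is open to every source the zone faces, so prefer the scoped form wherever the clients are known.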

5. Finding the firewall manual pages
[root@localhost ~]# man -k firewall
firewall-cmd (1) - firewalld command line client
firewall-config (1) - firewalld GUI configuration tool
firewall-offline-cmd (1) - firewalld offline command line client
firewalld (1) - Dynamic Firewall Manager
firewalld.conf (5) - firewalld configuration file
firewalld.dbus (5) - firewalld D-Bus interface description
firewalld.direct (5) - firewalld direct configuration file
firewalld.icmptype (5) - firewalld icmptype configuration files
firewalld.ipset (5) - firewalld ipset configuration files
firewalld.lockdown-whitelist (5) - firewalld lockdown whitelist configuration file
firewalld.richlanguage (5) - Rich Language Documentation
firewalld.service (5) - firewalld service configuration files
firewalld.zone (5) - firewalld zone configuration files
firewalld.zones (5) - firewalld zones
