firewalld 内核级加强型火墙
getenforce ##查看selinux开启
Enforcing ##警告模式
vim /etc/httpd/conf/httpd.conf
42 Listen 6666 ##将http端口改为6666
systemctl restart httpd ##重启后报错
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
semanage port -a -t http_port_t -p tcp 6666 ##添加6666端口
systemctl restart httpd ##重启成功
semanage port -l | grep http ##查看http所有端口
http_port_t tcp 6666, 80, 81, 443, 488, 8008, 8009, 8443, 9000 ##端口启用成功
firewall-config ##图形管理
permanent ##永久更改
ports 6666 tcp ##添加6666端口
Options -> reload firewall ##刷新&保存
http://172.25.254.108 ##访问失败
http://172.25.254.108:6666/ ##访问成功
firewall-cmd --list-all ##查看
ports: 6666/tcp
firewall-cmd --state ##状态
firewall-cmd --get-active-zones ##当前正在生效的设定
firewall-cmd --get-default-zone ##默认域是哪一个
firewall-cmd --get-zones ##查看系统火墙有哪些域
firewall-cmd --zone=public --list-all ##列出当前策略
firewall-cmd --get-services ##查看所有可以开启的服务
firewall-cmd --list-all-zones ##列出系统中所有域及其当前策略
firewall-cmd --set-default-zone=dmz ##dmz设为默认域
添加ip方式:
firewall-cmd --permanent --add-source=172.25.254.8 --zone=trusted ##允许8访问
firewall-cmd --reload
firewall-cmd --permanent --remove-source=172.25.254.8 --zone=trusted ##移除
firewall-cmd --reload
添加端口方式:
firewall-cmd --list-all ##查看
nm-connection-editor ##配置eth1
firewall-cmd --list-all --zone=trusted
firewall-cmd --set-default-zone=trusted
firewall-cmd --add-interface=eth0 --zone=trusted
firewall-cmd --list-all --zone=trusted
firewall-cmd --add-service=http --zone=trusted
firewall-cmd --list-all --zone=trusted
172.25.254.208
systemctl start httpd ##开启http服务
firewall-cmd --list-all ##查看开启的服务
firewall-cmd --get-services ##查看所有可以开启的服务
firewall-cmd --add-service=http ##临时打开http
172.25.254.108
systemctl restart firewalld.service ##重启后临时添加的服务消失
firewall-cmd --list-all
firewall-cmd --permanent --add-service=http ##永久打开
firewall-cmd --reload
172.25.254.108
vim /etc/httpd/conf/httpd.conf ##更改端口
Listen 8080
systemctl restart httpd
firewall-cmd --permanent --add-port=8080/tcp ##打开端口
firewall-cmd --reload
172.25.254.108:8080
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp --dport 22 -j REJECT ##只允许8使用22端口否则拒绝,即非172.25.254.8的主机不能连接22端口
firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp --dport 22 -j REJECT ##移除
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp --dport 22 -j DROP ##只允许8连接,其他主机的请求被丢弃且无回应(一直等待)
firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 ! -s 172.25.254.8 -p tcp --dport 22 -j DROP ##移除
目的地地址转发,路由之前 ##别人连我,转换出去
firewall-cmd --add-masquerade --zone=public
firewall-cmd --list-all
firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.8
firewall-cmd --list-all
firewall-cmd --remove-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.8
原地址转换
主机:
eth1 192.168.0.208
systemctl restart network
firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.25.254.108 masquerade'
firewall-cmd --list-all
辅机:
systemctl restart network ##配置ip192.168.0.1网关192.168.0.208
firewall-cmd --add-masquerade --zone=public
ping 172.25.254.250 #网络通畅
systemctl start iptables.service
systemctl status iptables.service ##查看当前状态
systemctl stop firewalld.service ##停止火墙
systemctl mask firewalld.service ##冻结火墙
iptables -nL ##查看所有策略
iptables -F ##清空所有策略
iptables -nL ##再次查看
systemctl restart iptables.service ##重启
iptables -nL ##查看策略发现是临时改动
iptables -F ##再次清空
service iptables save ##保存
systemctl restart iptables.service ##再次重启
iptables -nL ##再次查看
iptables -t filter -nL ##查看filter
iptables -t nat -nL ##查看nat
iptables -t mangle -nL ##查看mangle
iptables -A INPUT -p tcp --dport 22 -j ACCEPT ##添加22端口
iptables -A INPUT -i lo -j ACCEPT ##添加lo回环接口
iptables -A INPUT -j REJECT ##拒绝其他请求
iptables -nL ##查看
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT ##插入
iptables -nL
iptables -R INPUT 3 -p tcp --dport 8080 -j ACCEPT ##修改
iptables -nL
172.25.254.108
iptables -D INPUT 4 ##删除
iptables -nL
yum install vsftpd -y
systemctl start vsftpd
lftp 172.25.254.108
iptables -P INPUT DROP ##默认修改为丢掉
iptables -nL
Chain INPUT (policy DROP)
lftp 172.25.254.108 ##请求不会回应
lftp 172.25.254.108:~> ls
`ls' at 0 [Connecting...]
iptables -P INPUT ACCEPT ##默认修改为允许
Chain INPUT (policy ACCEPT)
lftp 172.25.254.108 ##请求会回应
lftp 172.25.254.108:~> ls
drwxr-xr-x 2 0 0 6 Aug 03 2015 pub
iptables -A INPUT -j REJECT ##添加拒绝,请求会回应
iptables -D INPUT 4
iptables -N van ##添加链
iptables -nL
iptables -E van VAN ##修改链
iptables -nL
iptables -X VAN ##删除链
iptables -nL
火墙策略优化
iptables -F ##再次清空
service iptables save ##保存
systemctl restart iptables.service ##再次重启
iptables -nL ##再次查看
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -nL
iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT
iptables -nL
已建立连接的后续数据包会直接匹配第一条策略(ESTABLISHED,RELATED),无需再逐条检查后面的策略,从而提升速度
原地址转换与地址伪装
iptables -t nat -A POSTROUTING -j SNAT --to-source 172.25.254.108
iptables -nL -t nat
iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.0.108
iptables -nL -t nat
iptables -t nat -D PREROUTING 1
iptables -nL -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.108
iptables -t nat -nL
访问172.25.254.108得到