关于firewalld防火墙的直接规则、富规则等原理概述可以参考上一篇博文:Centos 7的firewalld防火墙地址伪装和端口转发原理
环境如下图所示:
网关服务器和网站服务器都采用centos 7操作系统,网关服务器安装3块千兆网卡,分别连接Internet、企业内网、网站服务器。
网关服务器连接互联网卡ens32配置为公网IP地址为192.168.100.10,分配到firewall的external区域;连接内网网卡ens34地址为192.168.10.100,分配到firewall的trusted区域;连接服务器网卡ens35地址为192.168.20.100,分配到firewall的DMZ区域;
网站服务器和网关服务器都通过SSH来远程管理,为了安全,将SSH默认端口改为12345;
网站服务器开启https,过滤未加密的http流量;
网站服务器拒绝ping,网关服务器拒绝来自互联网上的ping;
内网用户需要通过网关服务器共享上网;
- 互联网用户需要访问网站服务器;
[root@firewalld ~]# ifconfig <!--查看配置完成的IP地址信息-->
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe97:5c9f prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:97:5c:9f txqueuelen 1000 (Ethernet)
RX packets 880 bytes 135724 (132.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 498 bytes 71197 (69.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.100 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::20c:29ff:fe97:5ca9 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:97:5c:a9 txqueuelen 1000 (Ethernet)
RX packets 37 bytes 3555 (3.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 89 bytes 14988 (14.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens35: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.20.100 netmask 255.255.255.0 broadcast 192.168.20.255
inet6 fe80::20c:29ff:fe97:5cb3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:97:5c:b3 txqueuelen 1000 (Ethernet)
RX packets 51 bytes 5019 (4.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 85 bytes 13888 (13.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@firewalld ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewalld ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@web ~]# ifconfig <!--查看配置完成的IP地址信息-->
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.20.10 netmask 255.255.255.0 broadcast 192.168.20.255
inet6 fe80::20c:29ff:fe62:325a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:62:32:5a txqueuelen 1000 (Ethernet)
RX packets 237 bytes 21594 (21.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 220 bytes 30673 (29.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@web ~]# route -n <!--查看网关信息-->
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.20.100 0.0.0.0 UG 100 0 0 ens32
192.168.20.0 0.0.0.0 255.255.255.0 U 100 0 0 ens32
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[root@web ~]# yum -y install httpd mod_ssl <!--安装httpd和mod_ssl软件包-->
[root@web ~]# systemctl start httpd <!--启动httpd服务-->
[root@web ~]# systemctl enable httpd <!--设置开机自动启动-->
[root@web ~]# echo "www.DMZ.web.com" > /var/www/html/index.html <!--创建网站首页测试页-->
[root@web ~]# vim /etc/ssh/sshd_config
<!--修改SSH服务监听的端口号(需要关闭SELinux)-->
Port 12345
[root@web ~]# systemctl restart sshd <!--重新启动SSH服务-->
[root@Centos04~]# hostnamectl set-hostname WAN_Web
[root@ Centos04 ~]# bash
[root@wan_web ~]# systemctl restart network
[root@wan_web ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.30 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe16:c54b prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:16:c5:4b txqueuelen 1000 (Ethernet)
RX packets 37 bytes 4898 (4.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 84 bytes 13483 (13.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@wan_web ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.10 0.0.0.0 UG 100 0 0 ens32
192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 ens32
[root@web ~]# systemctl start firewalld <!--启动防火墙服务-->
[root@web ~]# systemctl enable firewalld <!--设置开机自动启动->
[root@web ~]# firewall-cmd --set-default-zone=dmz
success
[root@web ~]# firewall-cmd --zone=dmz --add-service=https --permanent
success
[root@web ~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
success
[root@web ~]# firewall-cmd --add-icmp-block=echo-request --zone=dmz --permanent
success
[root@web ~]# firewall-cmd --add-icmp-block=echo-reply --zone=dmz --permanent
success
[root@web ~]# firewall-cmd --zone=dmz --remove-service=ssh --permanent
success
[root@web ~]# firewall-cmd --reload
success
[root@web ~]# firewall-cmd --list-all
dmz (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-request echo-reply
rich rules:
[root@firewalld ~]# systemctl start firewalld
[root@firewalld ~]# systemctl enable firewalld
[root@firewalld ~]# firewall-cmd --set-default-zone=external<!--设置默认区域为external-->
success
[root@firewalld ~]# firewall-cmd --change-interface=ens34 --zone=trusted <!--将ens34添加至trusted区域-->
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@firewalld ~]# firewall-cmd --change-interface=ens35 --zone=dmz <!--将ens35添加至dmz区域-->
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@firewalld ~]# firewall-cmd --get-active-zones
dmz
interfaces: ens35
external
interfaces: ens32
trusted
interfaces: ens34
[root@firewalld ~]# firewall-cmd --runtime-to-permanent <!--将当前配置保存到文件中-->
success
[root@firewalld ~]# firewall-cmd --zone=external --add-port=12345/tcp --permanent success
[root@firewalld ~]# firewall-cmd --zone=external --remove-service=ssh --permanent success
[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
[root@firewalld ~]# firewall-cmd --zone=external --add-icmp-block=echo-reply --permanent
success
[root@firewalld ~]# firewall-cmd --reload
success
[root@firewalld ~]# firewall-cmd --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services:
ports: 12345/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks: echo-request echo-reply
rich rules:
以下开始测试ssh连接:
[root@wan_web ~]# ssh -p 12345 root@192.168.100.10
The authenticity of host '[192.168.100.10]:12345 ([192.168.100.10]:12345)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.100.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:
Last login: Wed Nov 27 02:27:01 2019 from 192.168.100.20
[root@firewalld ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg
以下测试ping命令:
[root@firewalld ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.10.100 icmp_seq=1 Destination Host Unreachable
From 192.168.10.100 icmp_seq=2 Destination Host Unreachable
From 192.168.10.100 icmp_seq=3 Destination Host Unreachable
[root@wan_web ~]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Prohibited
From 192.168.100.10 icmp_seq=2 Destination Host Prohibited
From 192.168.100.10 icmp_seq=3 Destination Host Prohibited
[root@wan_web ~]# ping 192.168.10.20
PING 192.168.10.20 (192.168.10.20) 56(84) bytes of data.
From 192.168.100.10 icmp_seq=1 Destination Host Unreachable
From 192.168.100.10 icmp_seq=2 Destination Host Unreachable
From 192.168.100.10 icmp_seq=3 Destination Host Unreachable
[root@wan_web ~]# yum -y install httpd mod_ssl
[root@wan_web ~]# systemctl start httpd
[root@wan_web ~]# systemctl enable httpd
[root@wan_web ~]# echo "WAN_Web.com" > /var/www/html/index.html
[root@web ~]# curl http://192.168.100.30
WAN_Web.com
[root@firewalld ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services:
ports: 12345/tcp
protocols:
masquerade: yes <!--地址伪装已启用-->
forward-ports:
source-ports:
icmp-blocks: echo-request echo-reply
rich rules:
在网关服务器上关闭external默认的地址伪装,添加富规则,要求external区域内,源地址为192.168.10.0/24网段的地址开启地址IP伪装
[root@firewalld ~]# firewall-cmd --remove-masquerade --zone=external
success
[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.10.0/24 masquerade'
success
在dmz区域的网站服务器上测试,发现无法访问外网网站,但是内网测试机可以
[root@web ~]# curl http://192.168.100.30
curl: (7) Failed connect to 192.168.100.30:80; 没有到主机的路由
[root@firewalld ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.20.10
success
上述配置完成后,现在公司申请了一个新的公网ip地址192.168.100.200,那么就需要重新做端口转发了
[root@firewalld ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.10 <!--复制此行粘贴到下面-->
NATEMASK=255.255.255.0
ZONE=external
PREFIX=24 <!--复制此行粘贴到下面-->
IPADDR1=192.168.100.200
<!--修改为IPADD1,IP地址修改为100.200-->
IPV4_FAILURE_FATAL=no
PREFIX1=24 <!--修改为PREFIX1-->
IPV6INIT=no
UUID=152beb06-47c5-c5e8-95a9-385590654382
[root@firewalld ~]# systemctl restart network <!--重启网卡服务-->
[root@firewalld ~]# ip add <!--查看IP地址是否配置成功-->
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:97:5c:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.100.10/24 brd 192.168.100.255 scope global ens32
valid_lft forever preferred_lft forever
inet 192.168.100.200/24 brd 192.168.100.255 scope global secondary ens32
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe97:5c9f/64 scope link
valid_lft forever preferred_lft forever
[root@firewalld ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.100.200/32 forward-port port=443 protocol=tcp to-addr=192.168.20.10'
success
—————— 本文至此结束,感谢阅读 ——————
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。