Advanced operation and maintenance – firewalld explained


Lab setup: two virtual machines. The desktop VM has two network cards, configured with the IPs 172.25.254.113 and 1.1.1.113. A second VM, the server, has one network card with the IP 1.1.1.213. The real machine (the host) is 172.25.254.13.
Install httpd on the dual-NIC desktop, write a default page into the default document root, and start the service:

systemctl start httpd

1. From the real machine, access 172.25.254.113 over http.

firewall-cmd --list-all      View the firewall status

The page cannot be reached: the desktop VM's interfaces are in the public zone, which does not allow http.

firewall-cmd --add-source=172.25.254.13 --zone=trusted

Add the host's IP as a source of the trusted zone.
Testing from the host, the page can now be reached over http.

2. The server can ping 1.1.1.113, but http access fails because the firewall's default zone is public, which does not allow http.

firewall-cmd --remove-interface=eth1 --zone=public     Remove the eth1 interface from the public zone
firewall-cmd --add-interface=eth1 --zone=trusted       Add the eth1 interface to the trusted zone
firewall-cmd --list-all --zone=trusted                 View the trusted zone

After the interface has been added, test from the server: 1.1.1.113 can now be reached over http.
To move eth1 back to the public zone:

firewall-cmd --change-interface=eth1 --zone=public

Permanent operations and reload

firewall-cmd --permanent --remove-service=ssh    Permanent operations only take effect after a reload
firewall-cmd --reload                            Reloads the configuration without dropping established connections
firewall-cmd --complete-reload                   Complete reload; also drops connections that are already established

Demonstration experiment
Permanently remove ssh on the desktop virtual machine:

[root@dektop ~]# firewall-cmd --permanent --remove-service=ssh
success
[root@dektop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

After permanently removing ssh without reloading, the running configuration still lists ssh (above),
and the real machine can still open an ssh connection to the desktop.

[root@dektop ~]# firewall-cmd --reload
success

At this point, new ssh connections are no longer accepted, but the existing connection is not dropped.

[root@dektop ~]# firewall-cmd --complete-reload
success

After a complete reload the existing connection is dropped and the session can no longer be operated.
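The experiment above shows the trade-off: a change made with --permanent is invisible until a reload, and --complete-reload costs you every established session. The usual way out is to apply each change to the runtime configuration and to the permanent configuration in the same step, so no reload is needed and the two never drift apart. The helper below is an added example, not part of the original notes; the FIREWALL_CMD variable and the function names are my own, and a dry-run stub is used when no firewall-cmd binary is present so the script never touches a live firewall by accident.

```shell
#!/bin/sh
# Added example (not from the original notes): apply one firewalld change to the
# runtime AND the permanent configuration together, avoiding the reload that the
# demonstration needed and the --complete-reload that dropped the ssh session.
# FIREWALL_CMD points at the real binary by default; tests and dry runs can set
# it to a shell function instead (assumption: a firewalld-managed host).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_apply ZONE ARGS...
# Runs `firewall-cmd --zone=ZONE ARGS` against the running firewall, then the
# same command with --permanent. If the runtime change is rejected, the
# permanent step is skipped, so the saved config never contains a rule that
# the running firewall refused.
fw_apply() {
    zone="$1"; shift
    "$FIREWALL_CMD" --zone="$zone" "$@" || return 1
    "$FIREWALL_CMD" --permanent --zone="$zone" "$@"
}

# fw_runtime_matches_permanent ZONE
# Returns 0 when the runtime and permanent views of ZONE list the same rules,
# 1 otherwise (both listings are printed to stderr so the drift is visible).
# The first line of a listing is the zone header, which in the runtime view
# carries "(default, active)", so it is dropped before comparing.
fw_runtime_matches_permanent() {
    zone="$1"
    runtime=$("$FIREWALL_CMD" --zone="$zone" --list-all) || return 1
    permanent=$("$FIREWALL_CMD" --permanent --zone="$zone" --list-all) || return 1
    runtime=$(printf '%s\n' "$runtime" | sed 1d)
    permanent=$(printf '%s\n' "$permanent" | sed 1d)
    [ "$runtime" = "$permanent" ] && return 0
    printf 'zone %s: runtime and permanent configuration differ\n' "$zone" >&2
    printf -- '--- runtime ---\n%s\n--- permanent ---\n%s\n' "$runtime" "$permanent" >&2
    return 1
}

# Dry-run stub: prints what would be executed instead of changing anything.
fw_dry_run() {
    printf 'would run: firewall-cmd %s\n' "$*"
}

# Stand-alone demo, only when no real firewall-cmd exists on this machine.
if ! command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    FIREWALL_CMD=fw_dry_run
    fw_apply public --remove-service=ssh
fi
```

On a real host, `fw_apply public --remove-service=ssh` replaces the three-step sequence from the demonstration (permanent change, reload, complete reload) with two commands and no reload; `fw_runtime_matches_permanent public` is a quick check to run before a reboot to confirm nothing was changed only at runtime.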

How to end the hung session: open another shell and kill the ssh process.

Port operations

firewall-cmd --zone=public --list-ports                         List the ports opened in the public zone
firewall-cmd --permanent --zone=public --add-port=8080/tcp      Open a port; the spec is port/protocol
firewall-cmd --permanent --zone=public --remove-port=22/tcp     Close a port (22/tcp is the ssh port)

On the desktop, the configuration files live under /etc/firewalld:
cd /etc/firewalld

Allow only a specified IP to access ssh (direct rules)

[root@dektop ~]# firewall-cmd --direct --
--add-chain       --get-all-rules   --passthrough     --query-rule
--add-rule        --get-chains      --permanent       --remove-chain
--get-all-chains  --get-rules       --query-chain     --remove-rule
[root@dektop ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.13 -p tcp --dport 22 -j ACCEPT
success
[root@dektop ~]# firewall-cmd --remove-service=ssh
success

A direct rule is added to allow the specified source, and then the default ssh service is removed from the zone. Only the specified source matches the direct rule; every other source falls through to the zone's default handling. Removing the ssh service from the zone is what makes the effect of the direct rule clearly visible in the experiment.
Rule targets:
accept    allow the packet
reject    refuse the packet and send a response back, so the client gives up immediately
drop      silently discard the packet with no response, so the client keeps retrying until it times out

Test on the server side

[root@localhost ~]# ssh root@1.1.1.113
ssh: connect to host 1.1.1.113 port 22: No route to host
[root@localhost ~]#

Test on real machine

[kiosk@foundation13 ~]$ ssh root@172.25.254.113
root@172.25.254.113's password: 
Last login: Fri May 31 22:41:32 2019 from 172.25.254.13
[root@dektop ~]#

Because the real machine's IP is the one specified in the direct rule, it can still connect.
[root@dektop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

[root@dektop ~]# firewall-cmd --direct --get-all-rules 
ipv4 filter INPUT 1 -s 172.25.254.13 -p tcp --dport 22 -j ACCEPT

A rule added this way is not shown by firewall-cmd --list-all; view it with:

firewall-cmd --direct --get-all-rules

Delete the direct rule:

[root@dektop ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -s 172.25.254.13 -p tcp --dport 22 -j ACCEPT
success
[root@dektop ~]# firewall-cmd --direct --get-all-rules
[root@dektop ~]#

Address masquerading
The server hosts on network segment 1 want to connect to the real machine, but they are not on the same network segment, so they cannot reach it. Enable address masquerading on the dual-NIC desktop so that the server reaches the host through the desktop.

[root@dektop ~]# firewall-cmd --add-masquerade 
success
[root@dektop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules:

[root@dektop ~]# sysctl -a |grep ip_forward
net.ipv4.ip_forward = 1

On the server VM on network segment 1, set the gateway to 1.1.1.113 and check the routing table:

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway     Genmask     Flags Metric Ref    Use Iface
0.0.0.0        1.1.1.113       0.0.0.0         UG    1024   0        0 eth0
1.1.1.0         0.0.0.0        255.255.255.0   U     0      0        0 eth0

Test from the server:
ping 172.25.254.13

Address masquerading is applied after routing, so the server's packets must already be routed through 1.1.1.113 (the gateway set above) for the desktop to rewrite their source address.

Port forwarding
The real machine (on the 172 segment) wants to connect to the server host on segment 1, but cannot reach it directly.
Configure the dual-NIC desktop so that a connection from the real machine to port 22 of the desktop is forwarded straight to the server host on segment 1.

On the dual-NIC host:

[root@dektop ~]# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=1.1.1.213
success
[root@dektop ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client
  ports: 
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.213
  icmp-blocks: 
  rich rules:

Then open an ssh connection from the real machine:

[kiosk@foundation13 ~]$ ssh root@172.25.254.113
root@172.25.254.113's password: 
Last login: Sat Jun  1 01:21:30 2019 from 1.1.1.113
[root@server ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.213  netmask 255.255.255.0  broadcast 1.1.1.255
        inet6 fe80::5054:ff:fe54:5072  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:54:50:72  txqueuelen 1000  (Ethernet)
        RX packets 163169  bytes 11236766 (10.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2244  bytes 200891 (196.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@server ~]#

Note that when prompted for the password, enter the password of the single-NIC server (1.1.1.213): the prompt names the desktop, but the connection has been forwarded to the server, as the resulting shell prompt shows.
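Three things in these notes are easy to miss during a review of a host like the dual-NIC desktop: direct rules never appear in firewall-cmd --list-all (the "specify an IP for ssh" section), masquerading turns the host into a NAT router, and a forward-port silently hands inbound connections to another machine. The script below is an added example, not part of the original notes or of firewalld: it parses the text of --list-all together with --direct --get-all-rules and flags everything that widens exposure. The two inputs are constructed samples shaped like the listings above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the notes' own code): an offline audit of firewalld state.
# It reads the text of `firewall-cmd --list-all` AND `firewall-cmd --direct
# --get-all-rules`, because direct rules are absent from --list-all, and prints
# one finding per line: INFO for expected exposure, WARN for raw ports opened
# to every source, masquerading, forward-ports and direct ACCEPT rules.
# Both inputs below are constructed samples modelled on the notes' output.
LIST_ALL='public (default, active)
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client
  ports: 8080/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=1.1.1.213
  icmp-blocks: 
  rich rules:'
DIRECT_RULES='ipv4 filter INPUT 1 -s 172.25.254.13 -p tcp --dport 22 -j ACCEPT'

# fw_field LISTING KEY -> value after "KEY:" in a --list-all listing ("" if blank)
fw_field() {
    printf '%s\n' "$1" | awk -v key="$2:" \
        '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# fw_parse_forward SPEC -> "proto/port -> target:toport" for a forward-port
# spec such as port=22:proto=tcp:toport=22:toaddr=1.1.1.213. A missing toaddr
# means the local host; a missing toport means the same port.
fw_parse_forward() {
    printf '%s\n' "$1" | awk -F: '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
        printf "%s/%s -> %s:%s\n", v["proto"], v["port"],
            (v["toaddr"] == "" ? "local" : v["toaddr"]),
            (v["toport"] == "" ? v["port"] : v["toport"])
    }'
}

# fw_audit LISTING DIRECT_RULES -> findings, one per line
fw_audit() {
    listing="$1"; direct="$2"
    zone=$(printf '%s\n' "$listing" | awk 'NR == 1 { print $1; exit }')
    sources=$(fw_field "$listing" sources)
    # With no sources bound, every address reaching the zone's interfaces matches.
    scope="all sources"
    [ -n "$sources" ] && scope="sources: $sources"
    for svc in $(fw_field "$listing" services); do
        printf 'INFO zone %s allows service %s from %s\n' "$zone" "$svc" "$scope"
    done
    for port in $(fw_field "$listing" ports); do
        printf 'WARN zone %s opens raw port %s to %s\n' "$zone" "$port" "$scope"
    done
    if [ "$(fw_field "$listing" masquerade)" = yes ]; then
        printf 'WARN zone %s masquerades (host acts as a NAT router)\n' "$zone"
    fi
    for spec in $(fw_field "$listing" forward-ports); do
        printf 'WARN zone %s forwards %s\n' "$zone" "$(fw_parse_forward "$spec")"
    done
    # Direct rules bypass the zone model and are invisible to --list-all.
    printf '%s\n' "$direct" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        case "$rule" in
            *" -j ACCEPT") printf 'WARN direct rule (not in --list-all) accepts: %s\n' "$rule" ;;
            *)             printf 'INFO direct rule (not in --list-all): %s\n' "$rule" ;;
        esac
    done
}

fw_audit "$LIST_ALL" "$DIRECT_RULES"
```

On a live host, replace the two constructed variables with `LIST_ALL=$(firewall-cmd --list-all)` and `DIRECT_RULES=$(firewall-cmd --direct --get-all-rules)`; the point of running both is exactly the gap the notes observe, where the ssh direct rule stayed active while --list-all showed no ssh at all.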
