reset server
[root@server2 ~]# systemctl status firewalld
[root@server2 ~]# systemctl stop iptables ##iptables 服务与 firewalld 不能同时运行,先停掉
[root@server2 ~]# systemctl mask iptables ##mask 之后 iptables 服务不会再被其他单元意外拉起
[root@server2 ~]# systemctl start firewalld
[root@server2 ~]# systemctl enable firewalld
[root@server2 ~]# firewall-cmd --state ##查看firewalld的状态
[root@server2 ~]# firewall-cmd --get-active-zones ##查看当前活动的区域,并附带一个目前分配给它们的接口列表
[root@server2 ~]# firewall-cmd --get-zones ##查看所有可用区域
[root@server2 ~]# firewall-cmd --zone=public --list-all ##列出指定域的所有设置
[root@server2 ~]# firewall-cmd --get-services ##列出所有预设服务
[root@server2 ~]# firewall-cmd --set-default-zone=trusted ##设置默认区域(注意:trusted 区域放行全部入站连接,此处仅为演示,下面随即改回 public;生产环境不要把默认区域设为 trusted)
success
[root@server2 ~]# firewall-cmd --get-default-zone ##查看默认区域
trusted
[root@server2 ~]# firewall-cmd --set-default-zone=public
success
[root@server2 ~]# firewall-cmd --permanent --add-source=172.25.254.250 ##把来源地址加入默认区域(此时为 public);--permanent 只写入永久配置,需要 --reload 后才生效
success
[root@server2 ~]# firewall-cmd --reload ##重载防火墙
success
[root@server2 ~]# firewall-cmd --list-all ##列出所有的设置
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.250
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --permanent --remove-source=172.25.254.250
success
[root@server2 ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.254.250 ##把来源地址加入指定区域(加入 trusted 后,来自该地址的所有流量都会被放行)
success
[root@server2 ~]# firewall-cmd --reload
success
[root@server2 ~]# firewall-cmd --permanent --zone=public --remove-source=172.25.254.250 ##删除指定区域中的网络地址
success
[root@server2 ~]# firewall-cmd --reload
success
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --remove-interface=eth0 --zone=public ##把接口从区域中移除(未加 --permanent,只改运行时配置;从下文 systemctl restart firewalld 之后的输出可见 eth0 又回到了 public)
success
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --add-interface=eth0 --zone=trusted ##把 eth0 绑定到 trusted 区域:该接口上的所有入站流量都会被放行,不再受 public 区域规则的限制
success
[root@server2 ~]# firewall-cmd --reload
success
测试:
[root@server2 ~]# yum install httpd -y
[root@server2 ~]# systemctl start httpd
浏览器输入eth0网段的ip 172.25.2.11可以访问,eth1的ip 172.25.254.202不能:因为 eth0 已绑定到 trusted 区域(全部放行),而 eth1 仍在 public 区域且没有开放 http 服务
firewall-cmd --permanent --zone=public --add-service=smtp ##添加服务(--permanent 的修改需要 --reload 后才生效)
firewall-cmd --permanent --zone=public --remove-service=smtp ##删除服务
[root@server2 ~]# firewall-cmd --list-ports
[root@server2 ~]# firewall-cmd --add-port=53/tcp ##添加端口(未加 --permanent,仅运行时生效,--reload 或重启 firewalld 后失效)
success
[root@server2 ~]# firewall-cmd --list-ports
53/tcp
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client ssh
ports: 53/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --remove-service=ssh ##移除ssh(注意:如果是通过 ssh 远程管理本机,移除后新的 ssh 连接会被拒绝,有把自己锁在外面的风险,建议在控制台上操作)
success
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports: 53/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --permanent --remove-service=ssh ##从永久配置中也移除 ssh,否则 --reload 后 ssh 会按永久配置重新被放行
success
[root@server2 ~]# firewall-cmd --reload ##重载防火墙:重新载入永久配置,保留连接跟踪状态
[root@server2 ~]# firewall-cmd --complete-reload ##完全重载防火墙:连连接跟踪状态一起清空,已建立的连接(包括当前的 ssh 会话)会被立即中断,一般情况下用 --reload 即可
success
通过 firewall-cmd 的 --direct 选项,可以在运行时直接向 iptables 的链中增加或移除规则(加 --permanent 才会写入永久配置)。直接规则绕过 firewalld 的区域模型,命令中链名后面的数字是优先级,0 表示插到链的最前面,数值越大越靠后。
[root@server2 ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.250 -p tcp --dport 22 -j ACCEPT ##添加规则:来源不是 172.25.254.250 的主机访问 22 端口一律放行。注意这条规则只有 ACCEPT,并没有显式拒绝 250;250 被拒绝是因为上面已把 ssh 服务从 public 区域移除。如果要明确封禁,应再加一条 -s 172.25.254.250 -p tcp --dport 22 -j REJECT。未加 --permanent,重启后失效
success
[root@server2 ~]# firewall-cmd --direct --get-all-rules ##列出规则
ipv4 filter INPUT 0 '!' -s 172.25.254.250 -p tcp --dport 22 -j ACCEPT
1>端口转发
[root@server2 ~]# systemctl restart firewalld
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@server2 ~]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.1 ##把到达本机 22 端口的 TCP 连接转发到 172.25.254.1:22。转发到其他主机需要同时开启 masquerade(见下);此后凡是连到本机 22 端口的客户端都会落到 172.25.254.1 上,而不是本机
success
[root@server2 ~]# firewall-cmd --add-service=ssh
success
[root@server2 ~]# firewall-cmd --add-masquerade
success
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.1
icmp-blocks:
rich rules:
测试:
真机 ssh root@172.25.254.202:虽然连接的是 server2 的地址,但由于端口转发,最终登录到的是 172.25.254.1(foundation1);并且从下面 "Last failed login ... from 172.25.254.202" 可以看到,经过 masquerade 后 foundation1 看到的来源地址是 server2 的地址,而不是真机自己的地址
[root@foundation2 Desktop]# ssh root@172.25.254.202
root@172.25.254.202's password:
Last failed login: Sat Jun 3 11:48:23 CST 2017 from 172.25.254.202 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sat Jun 3 11:47:29 2017 from foundation144.ilt.example.com
[root@foundation1 ~]#
2>伪装
[root@server2 ~]# systemctl restart firewalld
[root@server2 ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.202 masquerade' ##注意:这条 rich rule 匹配的源地址 172.25.254.202 是本机 eth1 自己的地址,并不匹配测试用的客户端 172.25.2.10,实际起作用的是下面的 --add-masquerade。若只想对 2 网段做伪装,应写 source address=172.25.2.0/24
success
[root@server2 ~]# firewall-cmd --add-service=ssh
success
[root@server2 ~]# firewall-cmd --add-masquerade
success
[root@server2 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.202" masquerade
测试:
用desktop
设置其ip为172.25.2.10
gateway为172.25.2.11
ping 172.25.254.202 和 172.25.2.11,确认两者都能通
[root@localhost ~]# ssh root@172.25.2.11
root@172.25.2.11's password:
Last login: Sat Jun 3 01:25:53 2017 from 172.25.2.10
[root@server2 ~]# ssh root@172.25.254.1
root@172.25.254.1's password:
Last login: Sat Jun 3 13:36:52 2017 from 172.25.254.202
[root@foundation1 ~]# w
13:38:46 up 4:41, 10 users, load average: 0.52, 0.26, 0.23
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kiosk :0 :0 08:57 ?xdm? 33:29 0.46s gdm-sessio
kiosk pts/0 :0 08:58 9:50 14.41s 0.05s ssh -X roo
kiosk pts/1 :0 08:58 22.00s 29.21s 0.01s ssh -X roo
kiosk pts/2 :0 08:58 10:06 0.07s 1:06 /usr/libex
root pts/10 172.25.254.202 13:38 1.00s 0.04s 0.00s w ##foundation1 看到的来源是 172.25.254.202(server2 在 254 网段的地址)。但从上面的提示符看,这次 ssh root@172.25.254.1 是在 server2 上执行的,172.25.254.202 本来就是发起方的地址,并不能证明伪装生效;要验证 masquerade,应直接在 desktop(172.25.2.10)上执行 ssh root@172.25.254.1,此时 foundation1 看到的来源仍应是 172.25.254.202 而不是 172.25.2.10。另外 NAT 会让目标主机的日志无法追溯真实客户端,审计时需要结合 server2 上的记录