系统
系统
技术栈:知识点:
firewalld使用说明
- #启动/停止/开机启动/开机不启动
- systemctl start/stop/enable/disable firewalld.service
- # 查看防火墙状态
- firewall-cmd --state/systemctl status firewalld
- # 查看现有的规则
- iptables -nL
- firewall-cmd --zone=public --list-ports/--list-all
- #添加/删除服务
- firewall-cmd --permanent --zone=public --add/remove-service=ssh
- # 添加单个单端口
- firewall-cmd --permanent --zone=public --add-port=81/tcp
- # 添加多个端口
- firewall-cmd --permanent --zone=public --add-port=8080-8083/tcp
- # 删除某个端口
- firewall-cmd --permanent --zone=public --remove-port=81/tcp
- # 针对某个 IP开放端口
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="6379" accept'
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.233" accept'
- # 删除某个IP
- firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.51" accept'
- #拒绝某个ip地址访问所有端口
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
- # 针对一个ip段访问
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" accept'
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9200" accept'
- #kvm创建虚拟机以后可以ping宿主机但无法访问任何端口,关闭防火墙就好了
- #1.查看防火墙活跃区域,一般是public;这个问题要关注 libvirt (active) 区域,即处于活跃状态的 libvirt 区域
- firewall-cmd --list-all-zones
- #2.添加区域端口
- firewall-cmd --zone=libvirt --add-port=8080/tcp --permanent
- #NAT策略,不等同于http端口号转换,网卡enp3s0进入数据的80端口转为192.168.1.30的3128端口(不同网卡)
- firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3128
- #NAT策略,不等同于http端口号转换,网卡enp3s0进入数据的80端口重定向到本机的3128端口(相同网卡;REDIRECT的目标只能是本机)
- firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
- #inet firewalld->table inet firewalld { # handle 23
- #filter_FWD_internal->chain filter_FWD_internal
- #113->jump filter_FWD_internal_deny # handle 113
- nft delete rule inet firewalld filter_FWD_internal handle 113
- #放行出去的数据包,数据出去的地址是3128
- firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 3128 -j ACCEPT
- #放行进来的数据包,来源端口为80
- firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --sport 80 -j ACCEPT
- #放行进来的数据包,目的端口为80
- firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
- firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o bridge0 -j ACCEPT
- iptables -t filter -nvL
- firewall-cmd --direct --get-all-rules
- #添加操作后别忘了执行重载
- firewall-cmd --reload
nft防火墙
- #查询规则
- nft -a list ruleset | less
centos-stream9+firewalld+squid5.7透明代理+双网卡
- #1.准备
- ulimit -Hs 65535
- ulimit -n 65535
- vi /etc/security/limits.conf
- * soft nofile 65535
- * hard nofile 65535
- #2.squid部分
- #2.1.编译:--enable-linux-netfilter 启用透明代理,--with-openssl 做https代理时会用到
- ./configure --prefix=/usr/local/squid \
- --enable-async-io=100 \
- --with-openssl=/var/kerberos \
- --with-pthreads \
- --enable-storeio="aufs,diskd,ufs" \
- --enable-removal-policies="heap,lru" \
- --enable-icmp \
- --enable-linux-netfilter \
- --enable-delay-pools \
- --enable-useragent-log \
- --enable-referer-log \
- --enable-kill-parent-hack \
- --enable-arp-acl \
- --enable-default-err-language=Simplify_Chinese \
- --enable-err-languages="Simplify_Chinese English" \
- --disable-poll \
- --disable-wccp \
- --disable-wccpv2 \
- --disable-ident-lookups \
- --disable-internal-dns \
- --enable-basic-auth-helpers="NCSA" \
- --enable-stacktrace \
- --with-large-files \
- --disable-mempools \
- --with-filedescriptors=65536 \
- --enable-ssl \
- --enable-x-accelerator-var
- #2.2.安装:启用--enable-icmp以后需要额外执行 make install-pinger
- make && make -j2 && make install-pinger
- #2.3.squid.conf(下面的 http_access allow all 会让代理对所有来源开放,只适合调试;正式使用时应改为只允许内网acl)
- http_access allow all
- http_port 0.0.0.0:3128
- http_port 0.0.0.0:3129 intercept
- https_port 0.0.0.0:3130 intercept ssl-bump tls-cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
- acl step1 at_step SslBump1
- acl step2 at_step SslBump2
- acl step3 at_step SslBump3
- ssl_bump stare step2
- ssl_bump bump step3
- cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
- coredump_dir /usr/local/squid/var/cache/squid
- refresh_pattern ^ftp: 1440 20% 10080
- refresh_pattern ^gopher: 1440 0% 1440
- refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
- refresh_pattern . 0 20% 4320
- visible_hostname tcdnetwork.com
- #2.4.生成证书
- openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myCA.pem -out myCA.pem
- openssl x509 -in myCA.pem -outform DER -out myCA.der
- #2.5.初始化,看报错,主要解决文件夹权限问题
- /usr/local/squid/sbin/squid -z
- #2.6.前台启动主要是看有没有报错,后台启动则查看cache日志也可以
- /usr/local/squid/sbin/squid -NCd1
- #3.防火墙部分
- #3.1.外网卡
- firewall-cmd --zone=external --add-interface=team0 --permanent
- #3.2.内网卡
- firewall-cmd --zone=internal --add-interface=enp3s0 --permanent
- #3.3.先让3128网络代理功能启动看是否正常,执行以下三条命令后,浏览器设置代理应该可以访问网页
- firewall-cmd --permanent --add-forward-port=port=3128:proto=tcp:toaddr=192.168.1.30:toport=3128
- firewall-cmd --permanent --zone=internal --add-port=3128/tcp
- firewall-cmd --reload
- #3.4.让双网卡数据可以流动起来-透明代理部分
- firewall-cmd --permanent --new-policy intToExt
- firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
- firewall-cmd --permanent --policy intToExt --add-egress-zone external
- firewall-cmd --permanent --policy intToExt --set-target ACCEPT
- #3.5.NAT策略,不等同于http端口号转换,网卡enp3s0进入数据的80端口转为192.168.1.30的3129端口,443端口转为192.168.1.30的3130端口(不同网卡)
- firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3129
- firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.30:3130
- firewall-cmd --reload
- #4.收尾做个squid启动服务吧,用法应该不用多说了
- cat /usr/lib/systemd/system/squid.service
- [Unit]
- After=network.target network-online.target nss-lookup.target
- [Service]
- Type=forking
- ExecStart=/usr/local/squid/sbin/squid -s
- ExecStop=/usr/local/squid/sbin/squid -k shutdown
- PIDFile=/usr/local/squid/var/run/squid.pid
- [Install]
- WantedBy=multi-user.target
防火墙策略
- firewall-cmd --permanent --new-policy intToExt
- firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
- firewall-cmd --permanent --policy intToExt --add-egress-zone external
- firewall-cmd --permanent --policy intToExt --set-target ACCEPT
firewalld开启日志
- #编辑防火墙配置文件
- vi /etc/firewalld/firewalld.conf
- #日志改all
- LogDenied=off->LogDenied=all
- #获取日志状态
- firewall-cmd --get-log-denied
- #获取拒绝的记录
- dmesg | grep -i reject
cockpit
- #cockpit默认禁止root远程登录,需在该文件中注释掉root这一行才允许其远程访问
- vi /etc/cockpit/disallowed-users
selinux
- #查询ssh服务允许使用的端口号
- semanage port -l | grep ssh
- #向ssh添加允许使用的端口号
- semanage port -a -t ssh_port_t -p tcp 5500
- #删除服务允许使用的端口号(策略定义端口无法删除)
- semanage port --delete -t ssh_port_t -p tcp 5500