梦里花落知多少一一能捡多少是多少

系统

系统

技术栈:
知识点:

firewalld使用说明

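  • # Start / stop / enable at boot / disable at boot
  • systemctl start/stop/enable/disable firewalld.service
  • # Show the firewall state
  • firewall-cmd --state/systemctl status firewalld
  • # Show the rules in effect. With the nftables backend (the default on recent CentOS/RHEL) firewalld keeps its rules in its own `inet firewalld` table, so `iptables -nL` may not show them — `nft list ruleset` does
  • iptables -nL
  • firewall-cmd --zone=public --list-ports/--list-all
  • # Add / remove a service. --permanent only edits the saved configuration; nothing is live until `firewall-cmd --reload` (or the same command repeated without --permanent)
  • firewall-cmd --permanent --zone=public --add/remove-service=ssh
  • # Open a single port
  • firewall-cmd --permanent --zone=public --add-port=81/tcp
  • # Open a port range
  • firewall-cmd --permanent --zone=public --add-port=8080-8083/tcp
  • # Close a port
  • firewall-cmd --permanent --zone=public --remove-port=81/tcp
  • # Open one port for one source IP only. Rich rules are wrapped in single quotes so the inner double quotes reach firewalld intact; the original nested-double-quote form only worked because the shell stripped the inner quotes and no value contained whitespace
  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="6379" accept'
  • # Allow one source IP on EVERY port — an `accept` with no port clause bypasses the zone's port/service list for that host
  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.233" accept'
  • # Remove a per-IP rule (the rule text must match exactly what was added)
  • firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.51" accept'
  • # Reject one source IP on all ports (`reject` answers with an error packet; use `drop` to answer nothing at all)
  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
  • # Allow a whole network. 192.168.0.0/16 is the entire 192.168 private range on all ports — prefer the narrowest prefix (and a port clause, as in the second rule) that covers the clients you actually mean
  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" accept'
  • firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9200" accept'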
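  • # A KVM guest can ping the host but cannot reach any host port. Disabling the firewall "fixes" it — do not; open the port in the correct zone instead (steps below)
  • # 1. List the zones and find the active ones. The host's default zone is usually public, but the libvirt bridge lives in the `libvirt (active)` zone, which is the one that matters here (the original used --list-all-zone, which is not a valid option)
  • firewall-cmd --list-all-zones
  • # 2. Open the port in that zone, then reload — a --permanent change is not live until then (the original stopped before the reload)
  • firewall-cmd --zone=libvirt --add-port=8080/tcp --permanent
  • firewall-cmd --reload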
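  • # DNAT — not an HTTP-level port rewrite. Packets entering enp3s0 for TCP/80 are sent on to 192.168.1.30:3128 (another interface/host). There is no destination match, so ALL port-80 traffic entering enp3s0 is diverted
  • firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3128
  • # REDIRECT — same idea, but the packet is delivered to local port 3128 on this box (same interface)
  • firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  • # Deleting firewalld's own forward-deny rule by nft handle. Handles are numbers assigned at load time — look yours up with `nft -a list ruleset`, 113 will not be the same on another box — and `firewall-cmd --reload` recreates the rule. A firewalld policy (internal -> external, see the transparent-proxy section) is the supported way to allow forwarding
  • # table inet firewalld { # handle 23
  • #   chain filter_FWD_internal
  • #     jump filter_FWD_internal_deny # handle 113
  • nft delete rule inet firewalld filter_FWD_internal handle 113
  • # Allow outbound packets whose destination port is 3128
  • firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 3128 -j ACCEPT
  • # Allow reply packets from web servers. The original rule accepted ANY inbound packet with source port 80 — a source port is chosen by the sender, so that rule let anyone reach every local port simply by sending from port 80; restrict it to established connections
  • firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • # Allow inbound packets whose destination port is 80
  • firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
  • # Allow forwarding from enp3s0 to bridge0 (unconditional — no port or destination filter). Note that newer firewalld releases mark the --direct interface as deprecated in favour of policies
  • firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o bridge0 -j ACCEPT
  • # Inspect: iptables view with packet counters, and firewalld's own list of direct rules
  • iptables -t filter -nvL
  • firewall-cmd --direct --get-all-rules
  • # --permanent changes are not live until reloaded
  • firewall-cmd --reload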

nft 防火墙 (nftables)

  • # Dump the whole ruleset with rule handles (-a) — this is where the handle numbers used by `nft delete rule ... handle N` come from
  • nft -a list ruleset | less

centos-stream9+firewalld+squid5.7透明代理+双网卡

  • # 1. Preparation: raise the open-file limits; a busy proxy holds thousands of sockets
  • # NOTE(review): -Hs sets the hard *stack size* limit, not the file-descriptor limit. If the intent was the hard open-file limit (matching the nofile entries below) that is `ulimit -Hn 65535` — confirm
  • ulimit -Hs 65535
  • ulimit -n 65535
  • # Persist the limits for all users; the ulimit lines above only affect the current shell
  • vi /etc/security/limits.conf
  • * soft nofile 65535
  • * hard nofile 65535
  • # 2. Squid
  • # 2.1 Build configuration. --enable-linux-netfilter is what makes `intercept` (transparent) ports work; --with-openssl is required for the ssl-bump HTTPS interception below
  • # NOTE(review): --with-openssl=/var/kerberos points at a Kerberos directory rather than an OpenSSL prefix — confirm this path; with the distro openssl-devel package a bare --with-openssl is usually enough
  • # NOTE(review): several of these flags come from much older Squid releases (e.g. --enable-ssl, --enable-useragent-log, --enable-referer-log) and may be ignored or rejected by the 5.x configure script — check the configure output rather than assuming they took effect
  • ./configure --prefix=/usr/local/squid \
  • --enable-async-io=100 \
  • --with-openssl=/var/kerberos \
  • --with-pthreads \
  • --enable-storeio="aufs,diskd,ufs" \
  • --enable-removal-policies="heap,lru" \
  • --enable-icmp \
  • --enable-linux-netfilter \
  • --enable-delay-pools \
  • --enable-useragent-log \
  • --enable-referer-log \
  • --enable-kill-parent-hack \
  • --enable-arp-acl \
  • --enable-default-err-language=Simplify_Chinese \
  • --enable-err-languages="Simplify_Chinese English" \
  • --disable-poll \
  • --disable-wccp \
  • --disable-wccpv2 \
  • --disable-ident-lookups \
  • --disable-internal-dns \
  • --enable-basic-auth-helpers="NCSA" \
  • --enable-stacktrace \
  • --with-large-files \
  • --disable-mempools \
  • --with-filedescriptors=65536 \
  • --enable-ssl \
  • --enable-x-accelerator-var
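  • # 2.2 Build and install. The original chained the steps with a single `&`, which backgrounds each command and runs them concurrently instead of one after the other, and it never ran `make install` at all; `&&` runs them in order and stops at the first failure. `make install-pinger` is a separate target because (per the Squid docs for --enable-icmp) the pinger helper is installed setuid root — keep that binary's permissions in mind when auditing the box
  • make -j2 && make install && make install-pinger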
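  • # 2.3 squid.conf
  • # Only the LAN behind enp3s0 may use the proxy. The original `http_access allow all` made this an open proxy for anything able to reach 3128/3129/3130 — and the ports are bound to 0.0.0.0, i.e. every interface including the WAN one. Adjust the prefix to your LAN (192.168.1.0/24 matches the 192.168.1.30 proxy address used in the firewall section); consider binding the ports to that internal address instead of 0.0.0.0 as well
  • acl localnet src 192.168.1.0/24
  • http_access allow localnet
  • http_access deny all
  • # Explicit proxy port (clients point their browser at it)
  • http_port 0.0.0.0:3128
  • # Transparent HTTP port — traffic is DNATed here by the firewall; do not hand this port out as a browser proxy port
  • http_port 0.0.0.0:3129 intercept
  • # Transparent HTTPS port with ssl-bump: Squid terminates TLS and re-signs every site with myCA. Every client that imports myCA trusts this box to read all of its HTTPS traffic — protect the CA key accordingly and make sure this interception is acceptable (and disclosed) for the users on the network
  • https_port 0.0.0.0:3130 intercept ssl-bump tls-cert=/usr/local/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
  • acl step1 at_step SslBump1
  • acl step2 at_step SslBump2
  • acl step3 at_step SslBump3
  • # NOTE(review): step1 was defined but never referenced in the original, so Squid's default ssl_bump action applied at step 1; peeking there reads the client SNI before the stare/bump decision — confirm the intended step-1 behaviour against the ssl_bump documentation for this Squid version
  • ssl_bump peek step1
  • ssl_bump stare step2
  • ssl_bump bump step3
  • cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
  • coredump_dir /usr/local/squid/var/cache/squid
  • refresh_pattern ^ftp: 1440 20% 10080
  • refresh_pattern ^gopher: 1440 0% 1440
  • refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
  • refresh_pattern . 0 20% 4320
  • visible_hostname tcdnetwork.com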
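  • # 2.4 Generate the interception CA. -nodes leaves the private key unencrypted (Squid must read it unattended) and -days 36500 is a 100-year validity, so file permissions are the only thing protecting every client that trusts this CA: create it with a restrictive umask, keep it readable only by the user Squid runs as (cache_effective_user), and never copy the .pem (key + cert) to clients
  • umask 077
  • openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myCA.pem -out myCA.pem
  • chmod 600 myCA.pem
  • # DER export of the certificate only (no private key) — this is the file to import into client trust stores
  • openssl x509 -in myCA.pem -outform DER -out myCA.der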
  • # 2.5 Initialise the cache directories and read any errors — they are almost always ownership/permission problems on the cache and log directories (they must be writable by Squid's cache_effective_user)
  • /usr/local/squid/sbin/squid -z
  • # 2.6 First run in the foreground (-N no daemon, -C do not catch fatal signals, -d1 debug to stderr) to see startup errors; once it starts cleanly, run it in the background and check the cache log instead
  • /usr/local/squid/sbin/squid -NCd1
  • # 3. Firewall
  • # 3.1 WAN interface -> external zone (masquerading is enabled there by default, which is what lets LAN clients reach the Internet through this box)
  • firewall-cmd --zone=external --add-interface=team0 --permanent
  • # 3.2 LAN interface -> internal zone
  • firewall-cmd --zone=internal --add-interface=enp3s0 --permanent
  • # 3.3 Bring up the explicit proxy on 3128 first; after these three commands a browser configured to use the proxy should load pages
  • # NOTE(review): no --zone here, so this forward-port lands in the default zone (usually public), which neither interface belongs to — confirm it is doing anything; the internal-zone port rule on the next line is what actually exposes 3128 to the LAN
  • firewall-cmd --permanent --add-forward-port=port=3128:proto=tcp:toaddr=192.168.1.30:toport=3128
  • # 3128 is opened in the internal zone only, never in external — keep it that way; the proxy must not be reachable from the WAN
  • firewall-cmd --permanent --zone=internal --add-port=3128/tcp
  • firewall-cmd --reload
  • # 3.4 Let traffic flow LAN -> WAN (transparent-proxy part). This policy is an unconditional ACCEPT of all forwarded traffic from internal to external; nothing LAN clients send out is filtered here
  • firewall-cmd --permanent --new-policy intToExt
  • firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
  • firewall-cmd --permanent --policy intToExt --add-egress-zone external
  • firewall-cmd --permanent --policy intToExt --set-target ACCEPT
  • # 3.5 DNAT (not an HTTP-level port rewrite): TCP/80 and TCP/443 entering on enp3s0 are diverted to the intercept ports 3129/3130 on 192.168.1.30. There is no destination match, so every LAN web connection goes through Squid — including connections aimed at the proxy's own address unless they are excluded
  • firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.30:3129
  • firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp3s0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.30:3130
  • firewall-cmd --reload
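  • # 4. Finish with a systemd unit for Squid (usage is the usual systemctl start/enable)
  • cat /usr/lib/systemd/system/squid.service
  • [Unit]
  • Description=Squid caching / transparent proxy
  • After=network.target network-online.target nss-lookup.target
  • [Service]
  • Type=forking
  • # -s: log via syslog as well
  • ExecStart=/usr/local/squid/sbin/squid -s
  • # Re-read squid.conf in place; the original unit had no ExecReload, so `systemctl reload squid` was unavailable and a full restart was the only way to apply config changes
  • ExecReload=/usr/local/squid/sbin/squid -k reconfigure
  • ExecStop=/usr/local/squid/sbin/squid -k shutdown
  • PIDFile=/usr/local/squid/var/run/squid.pid
  • [Install]
  • WantedBy=multi-user.target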

防火墙策略

  • # Firewalld policy: forward everything from the internal zone to the external zone (same policy as step 3.4 of the transparent-proxy section). The ACCEPT target means LAN-originated forwarded traffic is not filtered at all; a policy can instead carry --add-service/--add-port entries with a REJECT target if an allow-list is wanted. Remember `firewall-cmd --reload` afterwards
  • firewall-cmd --permanent --new-policy intToExt
  • firewall-cmd --permanent --policy intToExt --add-ingress-zone internal
  • firewall-cmd --permanent --policy intToExt --add-egress-zone external
  • firewall-cmd --permanent --policy intToExt --set-target ACCEPT

firewalld开启日志

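  • # Log rejected/dropped packets. This can be switched on live, without editing the file or restarting:
  • firewall-cmd --set-log-denied=all
  • # ...or in the configuration file (takes effect after a reload)
  • vi /etc/firewalld/firewalld.conf
  • # change LogDenied=off to the value below (valid values: off, all, unicast, broadcast, multicast)
  • LogDenied=all
  • # Show the current setting
  • firewall-cmd --get-log-denied
  • # Read the denied-packet lines from the kernel log (the original had a stray `--` before the pipe). On a WAN-facing box `all` can be very noisy — watch log volume
  • dmesg | grep -i reject
  • journalctl -k | grep -i reject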

cockpit

  • # Cockpit refuses root logins through this file by default. Commenting out the `root` line enables root login to the web console — prefer leaving it in place and logging in as an unprivileged, sudo-capable user that elevates inside Cockpit. If root must be allowed, make sure the cockpit service (9090/tcp) is only open in the internal zone, never the external one
  • vi /etc/cockpit/disallowed-users

selinux

  • # SELinux: list the ports sshd is allowed to bind
  • semanage port -l | grep ssh
  • # Label an extra port as ssh_port_t so sshd may bind it (the port also needs `Port 5500` in sshd_config and --add-port=5500/tcp in firewalld before it is usable)
  • semanage port -a -t ssh_port_t -p tcp 5500
  • # Remove a label that was added with -a (ports defined by the base policy, such as 22, cannot be deleted this way)
  • semanage port --delete -t ssh_port_t -p tcp 5500