For firewalld basics, see the post: Securing Linux: an introduction to the CentOS 7 firewalld firewall
For firewalld IP masquerading and port forwarding, see the post: Securing Linux: configuring address masquerading and port forwarding with firewalld
Lab environment (topology diagram omitted):
Requirements:
The internal-network NIC ens33 has address 192.168.1.1 and is assigned to the firewalld trusted zone;
The NIC facing the servers, ens37, has address 192.168.2.1 and is assigned to the dmz zone;
The gateway server's Internet-facing NIC ens38 has address 192.168.3.1, which plays the role of the public IP address, and is assigned to the external zone;
Both the web server and the gateway server are managed remotely over SSH; for security, the default SSH port is changed to 12345;
The web server enables HTTPS and filters out unencrypted HTTP traffic;
The web server rejects ping tests, and the gateway server rejects ping tests coming from the Internet;
Users on the company's internal network share Internet access through the gateway server;
Internet users need to access the web server;
Procedure
Basic environment configuration;
Set up the DMZ web server environment and start the service;
Start and configure the firewalld policy on the DMZ web server;
Set up the Internet test website, start the service and set its firewall rules;
Configure the firewalld policy on the gateway server;
Configure IP masquerading and port forwarding;
Implementation
1. Basic environment configuration
(1) Confirm the gateway server's addresses
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::46cb:a832:aea4:7b65 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:00:11:89 txqueuelen 1000 (Ethernet)
RX packets 158 bytes 46815 (45.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31 bytes 4270 (4.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::8e69:6ed5:da33:fda4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:00:11:93 txqueuelen 1000 (Ethernet)
RX packets 104 bytes 27490 (26.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 189 bytes 31923 (31.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ifconfig ens38
ens38: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::5348:53e2:b3bc:d35b prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:00:11:9d txqueuelen 1000 (Ethernet)
RX packets 101 bytes 27238 (26.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 188 bytes 31304 (30.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(2) Enable routing on the gateway server
[root@localhost ~]# vim /etc/sysctl.conf
……………… // part of the file omitted; add the following line
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
(3) Configure the IP address and gateway of the web server in the DMZ
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.2 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::8744:c79c:521f:823f prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2b:56:b5 txqueuelen 1000 (Ethernet)
RX packets 114 bytes 34398 (33.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 30 bytes 4162 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.2.1 0.0.0.0 UG 100 0 0 ens33
(4) Configure the IP address and gateway of the Internet test web server
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.2 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::7c8b:1ec0:7e4d:ac6 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:98:41:ac txqueuelen 1000 (Ethernet)
RX packets 113 bytes 31388 (30.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 4541 (4.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.3.1 0.0.0.0 UG 100 0 0 ens33
(5) Configure the IP address and gateway of the internal client
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::9bb5:2c48:1095:d75a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fb:76:60 txqueuelen 1000 (Ethernet)
RX packets 106 bytes 29223 (28.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31 bytes 4349 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 ens33
2. Set up the DMZ web server environment and start the service
(1) Start the firewalld firewall
[root@localhost ~]# systemctl start firewalld
(2) Set up the httpd service
[root@localhost ~]# yum -y install httpd
// for a site served over plain HTTP
[root@localhost ~]# yum -y install httpd mod_ssl
// for a site served over HTTPS (mod_ssl)
[root@localhost ~]# systemctl start httpd
// start the HTTP service
(3) Change the SSH listening port (disabling SELinux is suggested when restarting the service; registering the new port with semanage port -a -t ssh_port_t -p tcp 12345 avoids having to turn SELinux off)
[root@localhost ~]# vim /etc/ssh/sshd_config
………… // part of the file omitted; change the following line
Port 12345
[root@localhost ~]# setenforce 0
// temporarily disable SELinux
[root@localhost ~]# systemctl restart sshd
// restart the ssh service
3. Start and configure the firewalld policy on the DMZ web server
(1) Set the firewall's default zone to dmz
[root@localhost ~]# firewall-cmd --set-default-zone=dmz
success
(2) Add the required service and port to the dmz zone
[root@localhost ~]# firewall-cmd --zone=dmz --add-service=https
success
[root@localhost ~]# firewall-cmd --zone=dmz --add-port=12345/tcp
success
(3) Block ping tests
[root@localhost ~]# firewall-cmd --zone=dmz --add-icmp-block=echo-request
success
(4) Remove the default ssh service
[root@localhost ~]# firewall-cmd --zone=dmz --remove-service=ssh
success
(5) Save the current firewall configuration
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success
// convert the runtime configuration into the permanent configuration
[root@localhost ~]# firewall-cmd --list-all --zone=dmz
// view and confirm the configuration
dmz (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: https
ports: 12345/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks: echo-request
rich rules:
4. Set up the Internet test website, start the service and set its firewall rules
The setup is the same as in steps 2 and 3 above.
5. Configure the firewalld policy on the gateway server
(1) Start the firewall
[root@localhost ~]# systemctl start firewalld
(2) Set the default zone to external
[root@localhost ~]# firewall-cmd --set-default-zone=external
success
(3) Assign each NIC to its zone
[root@localhost ~]# firewall-cmd --change-interface=ens33 --zone=trusted
success
[root@localhost ~]# firewall-cmd --change-interface=ens37 --zone=dmz
success
(4) Save the configuration and confirm the active zones before testing internal-client access to the DMZ website
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success
[root@localhost ~]# firewall-cmd --get-active-zones
dmz
interfaces: ens37
external
interfaces: ens38
trusted
interfaces: ens33
(5) The internal client accesses the web server
(screenshot omitted)
(6) Change the ssh service listening port
[root@localhost ~]# vim /etc/ssh/sshd_config
………… // part of the file omitted; change the following line
Port 12345
[root@localhost ~]# setenforce 0
// temporarily disable SELinux
[root@localhost ~]# systemctl restart sshd
// restart the ssh service
(7) In the external zone, add TCP port 12345 and remove the ssh service
[root@localhost ~]# firewall-cmd --zone=external --add-port=12345/tcp
success
[root@localhost ~]# firewall-cmd --zone=external --remove-service=ssh
success
(8) Configure the external zone to block ping tests, then save as permanent configuration
[root@localhost ~]# firewall-cmd --zone=external --add-icmp-block=echo-request
success
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success
(9) The Internet test server logs in to the gateway server remotely
[root@localhost ~]# ssh -p 12345 192.168.3.1
The authenticity of host '[192.168.3.1]:12345 ([192.168.3.1]:12345)' can't be established.
ECDSA key fingerprint is b2:4e:e8:f9:23:9f:85:dc:54:87:97:eb:15:cc:b0:48.
Are you sure you want to continue connecting (yes/no)?
(10) The internal client logs in to the DMZ web server remotely
[root@localhost ~]# ssh -p 12345 192.168.2.2
The authenticity of host '[192.168.2.2]:12345 ([192.168.2.2]:12345)' can't be established.
ECDSA key fingerprint is 25:54:5c:d5:ce:e1:04:9f:25:19:be:73:ce:93:86:54.
Are you sure you want to continue connecting (yes/no)?
6. Configure IP masquerading and port forwarding on the gateway server
The external zone has IP masquerading (NAT) enabled by default!
(1) Remove the zone-wide IP masquerading from the external zone and enable it with a rich rule instead, so that only the internal network 192.168.1.0/24 is masqueraded
[root@localhost ~]# firewall-cmd --remove-masquerade --zone=external
success
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success
(2) Test access from the DMZ web server to the Internet test website
(screenshot omitted)
(3) Configure port forwarding so the Internet test website can reach the web server in the dmz zone (plain forward-port rule rather than a rich rule)
[root@localhost ~]# firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toaddr=192.168.2.2
success
// the gateway server forwards the Internet test host's requests to the web server in the dmz zone
(4) Test
(screenshot omitted)
(5) Configure port forwarding so the Internet test website can reach the web server in the dmz zone (rich rule)
A temporary IP address (192.168.3.100) must first be configured on the ens38 NIC
[root@localhost ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 destination address=192.168.3.100 forward-port port=443 protocol=tcp to-addr=192.168.2.2'
success
(6) Test
(screenshot omitted)
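As an added example (not code from the original post), a small shell audit that checks a saved `firewall-cmd --list-all` listing against the policy this walkthrough builds on the dmz and external zones: stock ssh service removed, 12345/tcp opened, echo-request blocked, and on the gateway zone-wide masquerade replaced by the 192.168.1.0/24 rich rule. The sample listings are constructed, and the rich-rule line assumes firewalld's quoted rendering of the rule.

```shell
# Added audit helper, not from the article: checks a captured
# `firewall-cmd --list-all --zone=<zone>` listing against the policy built above.
# Usage: audit_zone dmz|external < listing   (exit 0 = compliant, FAIL lines otherwise)
field() {  # value of one "key: value" line in $LISTING
    printf '%s\n' "$LISTING" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}
audit_zone() {
    LISTING=$(cat)
    rc=0
    # step (4): the stock ssh service (22/tcp) must be gone from the zone
    case " $(field services) " in
        *" ssh "*) echo "FAIL: default ssh service still allowed"; rc=1 ;;
    esac
    # step (2): the relocated SSH port must be open
    case " $(field ports) " in
        *" 12345/tcp "*) ;;
        *) echo "FAIL: 12345/tcp not opened"; rc=1 ;;
    esac
    # step (3): ping must be rejected
    case " $(field icmp-blocks) " in
        *" echo-request "*) ;;
        *) echo "FAIL: echo-request not blocked"; rc=1 ;;
    esac
    if [ "$1" = external ]; then
        # step 6(1): zone-wide masquerade off, replaced by a rich rule for 192.168.1.0/24 only
        [ "$(field masquerade)" = no ] || { echo "FAIL: zone-wide masquerade still on"; rc=1; }
        case "$LISTING" in
            *'source address="192.168.1.0/24" masquerade'*) ;;
            *) echo "FAIL: LAN masquerade rich rule missing"; rc=1 ;;
        esac
    fi
    return $rc
}
# Constructed listing matching the article's dmz zone after step 3.
DMZ_OK='dmz (active)
  services: https
  ports: 12345/tcp
  icmp-blocks: echo-request
'
# Constructed external zone where --remove-masquerade ran but the rich rule was
# forgotten and the ssh service was not removed.
EXT_BAD='external (active)
  services: ssh
  ports: 12345/tcp
  masquerade: no
  icmp-blocks: echo-request
'
printf '%s' "$DMZ_OK" | audit_zone dmz && echo "dmz: compliant"
printf '%s' "$EXT_BAD" | audit_zone external || echo "external: NOT compliant"
```

On a live host, run `firewall-cmd --list-all --zone=external | sh audit.sh` style piping (or `firewall-cmd --list-all --zone=dmz | audit_zone dmz` after sourcing the file) to catch a forgotten step before saving with `--runtime-to-permanent`.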
Title: IP address masquerading and port forwarding
URL: http://www.rwnh.cn/article34/hsjse.html