Linux Firewall Basics

Source: Internet
Author: User


SELinux Configuration


# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing

Note: setenforce only switches the mode of the running kernel; the mode applied at boot comes from /etc/selinux/config.



######################################################################################


Configuring Aggregation Links

# man teamd.conf      # type /example inside man to jump to the example runner configurations


1. Add an aggregation connection team0    # create the team, name it and set the runner mode


# nmcli connection add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
Connection 'team0' (3d3cdab0-e8aa-4db0-90de-7863c6d9f798) successfully added.



# cat /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
TEAM_CONFIG="{\"runner\": {\"name\": \"activebackup\"}}"
DEVICETYPE=Team
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=team0
UUID=3d3cdab0-e8aa-4db0-90de-7863c6d9f798
ONBOOT=yes


# ifconfig
team0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 6a:1f:d4:35:9f:2b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0


2. Add NICs to team0    # add the slave (member) interfaces

# nmcli connection add type team-slave ifname eth1 master team0
Connection 'team-slave-eth1' (e0deb3ce-ed1b-4001-9616-bf483e3240f7) successfully added.
# nmcli connection add type team-slave ifname eth2 master team0
Connection 'team-slave-eth2' (275238d8-df7a-4761-8635-0815a6510b6f) successfully added.


3. Configure the IP address of team0

# nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconnect yes


4. Activate team0 and each NIC

# nmcli connection up team-slave-eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
# nmcli connection up team-slave-eth2
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
# nmcli connection up team0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)


5. Verification

# teamdctl team0 state
setup:
  runner: activebackup
ports:
  eth2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
runner:
  active port: eth2


Delete the related settings

# nmcli connection delete team-slave-eth1
# nmcli connection delete team-slave-eth2
# nmcli connection delete team0


####################################################################################


Custom commands


# vim /root/.bashrc             # affects only root
alias hello='echo hello'
# vim /home/student/.bashrc     # affects only student
alias hi='echo hi'
# vim /etc/bashrc               # global configuration, affects every user
alias xixi='echo xixi'


Log out of the remote connection and log in again

# exit
logout
# s
Last login: Wed Nov  1 08:33:41 from 172.25.0.250


Verify (as root)

# hello
hello
# xixi
xixi
# hi
bash: hi: command not found...


Switch to user student and verify

$ hi
hi
$ xixi
xixi
$ hello
bash: hello: command not found...
$


#######################################################################################


Firewall Policy Management


Build a basic web service

Server side: Apache httpd

1 Install the httpd software

# yum -y install httpd


2 Restart the httpd service and enable it at boot

# systemctl restart httpd
# systemctl enable httpd


3 Write a simple web page

# vim /var/www/html/index.html

<marquee><font color=green>

Then open it from the client:

# firefox 172.25.0.11



4 Build the FTP service    # FTP provides a file transfer service

# yum -y install vsftpd
# systemctl restart vsftpd
# systemctl enable vsftpd

5 Testing

# firefox ftp://172.25.0.11


Firewall


View the firewall status

# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Wed 2017-11-01 08:28:25 CST; 7h ago
 Main PID: 481 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─481 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

Nov 01 08:28:25 localhost systemd[1]: Started firewalld - dynamic ....
Hint: Some lines were ellipsized, use -l to show in full.



Preset security zones

public   - only explicitly allowed services are accepted; everything else is rejected
trusted  - all traffic is accepted
block    - all incoming traffic is rejected with an ICMP error (the client sees a failure)
drop     - all incoming traffic is silently dropped (the client sees no response)


##################################################################################


Rules for firewall decisions: the first match wins and processing stops

1. First check the request's source IP address (the client): if any zone has a source rule bound to that IP address, the request enters that zone.
2. Otherwise the request goes to the default zone.



Virtual Machine desktop0:

# firefox http://172.25.0.11     # access fails
# firefox ftp://172.25.0.11      # access fails

Virtual Machine Server0:

# firewall-cmd --get-default-zone                  # show the default zone
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=public --add-service=http    # add a service
# firewall-cmd --zone=public --list-all            # view the zone's rule information

Virtual Machine desktop0:

# firefox http://172.25.0.11     # access succeeds
# firefox ftp://172.25.0.11      # access fails

Virtual Machine Server0:

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all

Virtual Machine desktop0:

# firefox ftp://172.25.0.11      # access succeeds


#####################################################

The --permanent option: making settings permanent

Virtual Machine Server0:

# firewall-cmd --reload                  # reload the firewall: runtime-only rules are discarded
# firewall-cmd --zone=public --list-all

# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http

# firewall-cmd --reload                  # reload the firewall: the permanent rules are now active
# firewall-cmd --zone=public --list-all


####################################################

Changing the default zone does not need --permanent

Virtual Machine desktop0:

# ping 172.25.0.11                        # communication works

Virtual Machine Server0:

# firewall-cmd --set-default-zone=block   # change the default zone
# firewall-cmd --get-default-zone         # show the default zone

Virtual Machine desktop0:

# ping 172.25.0.11                        # communication fails (rejected)

Virtual Machine Server0:

# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone

Virtual Machine desktop0:

# ping 172.25.0.11                        # no response at all (dropped)


######################################################


Bind a source address to a zone: requests from that address enter the zone even while the default zone is block or drop

Virtual Machine Server0:

# firewall-cmd --permanent --zone=public --add-source=172.25.0.10

# firewall-cmd --zone=public --list-all
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all

Virtual Machine desktop0:

# firefox http://172.25.0.11


##################################################


Implementing local port forwarding

Port redirection for local applications (port 1 and port 2)

– requests from clients to port 1 are automatically mapped to local port 2
– for example, the following two addresses show the same page:

Virtual Machine desktop0:

# firefox http://172.25.0.11:5423  --->  172.25.0.11:80

Virtual Machine Server0:

# firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80

# firewall-cmd --reload

# firewall-cmd --zone=public --list-all

Virtual Machine desktop0:

# firefox http://172.25.0.11:5423
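To make the zone-selection rule and the block/drop, source-binding and forward-port behaviour from the sections above concrete, here is a small Python model of how firewalld decides what happens to a client request. This is example code written for this page, not firewalld's own implementation; the zone targets follow firewalld's built-in zone definitions, and 172.25.0.10 is assumed to be desktop0's address as used in the --add-source command above.

```python
import ipaddress

# Zone targets, per firewalld's built-in zone definitions:
#   "default" rejects anything not explicitly allowed (public),
#   "ACCEPT" allows everything (trusted),
#   "REJECT" refuses with an ICMP error, so the client sees a failure (block),
#   "DROP" discards silently, so the client sees no response at all (drop).
ZONE_TARGETS = {"public": "default", "trusted": "ACCEPT",
                "block": "REJECT", "drop": "DROP"}


class Firewall:
    """Model of firewall-cmd's runtime state for the commands used above."""

    def __init__(self, default_zone="public"):
        self.default_zone = default_zone
        self.services = {z: set() for z in ZONE_TARGETS}
        self.sources = {z: [] for z in ZONE_TARGETS}
        self.forward_ports = {z: {} for z in ZONE_TARGETS}

    def set_default_zone(self, zone):          # --set-default-zone=ZONE
        self.default_zone = zone

    def add_service(self, zone, service):      # --zone=Z --add-service=S
        self.services[zone].add(service)

    def add_source(self, zone, cidr):          # --zone=Z --add-source=CIDR
        self.sources[zone].append(ipaddress.ip_network(cidr, strict=False))

    def add_forward_port(self, zone, port, toport):   # --add-forward-port=...
        self.forward_ports[zone][port] = toport

    def zone_for(self, src_ip):
        """Rule 1: a zone with a matching source binding wins.
        Rule 2: otherwise the request lands in the default zone."""
        ip = ipaddress.ip_address(src_ip)
        for zone, nets in self.sources.items():
            if any(ip in net for net in nets):
                return zone
        return self.default_zone

    def verdict(self, src_ip, service, port=None):
        """Return (zone, action, port reached) for one client request.
        service is a firewalld service name ('http', 'ftp') or 'ping'."""
        zone = self.zone_for(src_ip)
        target = ZONE_TARGETS[zone]
        if port in self.forward_ports[zone]:
            # A forward-port rule both redirects and allows the traffic.
            return zone, "ACCEPT", self.forward_ports[zone][port]
        if service == "ping" and target in ("default", "ACCEPT"):
            return zone, "ACCEPT", port   # echo requests pass unless the zone refuses everything
        if service in self.services[zone] or target == "ACCEPT":
            return zone, "ACCEPT", port
        return zone, "DROP" if target == "DROP" else "REJECT", port
```

Replaying the page's steps against this model (default zone public, add http, switch the default to block and then drop, bind desktop0's address to public, add the 5423 to 80 forward) reproduces each "access fails", "access succeeds", "rejected" and "no response" result shown above.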




