Linux Firewall Basics

SELinux Configuration

[Email protected] ~]# Getenforce

Enforcing

[Email protected] ~]# Setenforce 0

[Email protected] ~]# Getenforce

Permissive

[Email protected] ~]# Setenforce 1

[Email protected] ~]# Getenforce

Enforcing

######################################################################################

Configuring Aggregation Links

[[email protected] ~]# man teamd.conf/example Find related commands

1. Add an aggregation connection Team0 #加队取名定模式

[[email protected] ~]# NMCLI connection Add type team con-name TEAM0 ifname team0 config ' {"runner": {"name": "Activeback Up "}} '

Connection ' Team0 ' (3d3cdab0-e8aa-4db0-90de-7863c6d9f798) successfully added.

[Email protected] ~]# CAT/ETC/SYSCONFIG/NETWORK-SCRIPTS/IFCFG-TEAM0

Device=team0

team_config= "{\" Runner\ ": {\" name\ ": \" Activebackup\ "}}"

Devicetype=team

Bootproto=dhcp

Defroute=yes

Peerdns=yes

Peerroutes=yes

Ipv4_failure_fatal=no

Ipv6init=yes

Ipv6_autoconf=yes

Ipv6_defroute=yes

Ipv6_peerdns=yes

Ipv6_peerroutes=yes

Ipv6_failure_fatal=no

Name=team0

uuid=3d3cdab0-e8aa-4db0-90de-7863c6d9f798

Onboot=yes

[Email protected] ~]# ifconfig

Team0:flags=4099<up,broadcast,multicast> MTU 1500

Ether 6a:1f:d4:35:9f:2b Txqueuelen 0 (Ethernet)

RX Packets 0 Bytes 0 (0.0 B)

RX errors 0 dropped 0 overruns 0 frame 0

TX Packets 0 Bytes 0 (0.0 B)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Add a NIC in 2.team0 #slave slave add slave pick card

[Email protected] ~]# nmcli connection Add type Team-slave ifname eth1 master Team0

Connection ' team-slave-eth1 ' (E0DEB3CE-ED1B-4001-9616-BF483E3240F7) successfully added.

[Email protected] ~]# nmcli connection Add type Team-slave ifname eth2 master Team0

Connection ' Team-slave-eth2 ' (275238d8-df7a-4761-8635-0815a6510b6f) successfully added.

3. Configure the IP address of the TEAM0

[Email protected] ~]# NMCLI connection modify TEAM0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconn ECT Yes

4. Activating TEAM0 and each NIC

[Email protected] ~]# NMCLI connection up team-slave-eth1

Connection successfully activated (D-bus active path:/ORG/FREEDESKTOP/NETWORKMANAGER/ACTIVECONNECTION/4)

[Email protected] ~]# NMCLI connection up Team-slave-eth2

Connection successfully activated (D-bus active path:/ORG/FREEDESKTOP/NETWORKMANAGER/ACTIVECONNECTION/5)

[Email protected] ~]# NMCLI connection up Team0

Connection successfully activated (D-bus active path:/ORG/FREEDESKTOP/NETWORKMANAGER/ACTIVECONNECTION/6)

5. Verification

[Email protected] ~]# Teamdctl TEAM0 State

Setup

Runner:activebackup

Ports

Eth2

Link watches:

Link Summary:up

INSTANCE[LINK_WATCH_0]:

Name:ethtool

Link:up

Eth1

Link watches:

Link Summary:up

INSTANCE[LINK_WATCH_0]:

Name:ethtool

Link:up

Runner

Active Port:eth2

Delete Related Settings

NMCLI Connection Delete Team-slave-eth1

NMCLI Connection Delete Team-slave-eth2

NMCLI Connection Delete Team0

####################################################################################

Custom commands

[Email protected] ~]# VIM/ROOT/.BASHRC #影响root文件

Alias hello= ' echo Hello '

[Email protected] ~]# VIM/HOME/STUDENT/.BASHRC #影响student文件

Alias hi= ' echo Hi '

[Email protected] ~]# VIM/ETC/BASHRC #影响全局配置

Alias xixi= ' Echo Xixi '

Log out of remote connection and re-login

[[Email protected] ~]# exit

Log out

[[Email protected] Desktop]# s

Last login:wed Nov 1 08:33:41 from 172.25.0.250

Verify

[email protected] ~]# Hello

Hello

[Email protected] ~]# Xixi

Xixi

[email protected] ~]# hi

Bash:hi: Command not found ...

Change to user student authentication

[email protected] root]$ hi

Hi

[Email protected] root]$ Xixi

Xixi

[email protected] root]$ Hello

Bash:hello: Command not found ...

[Email protected] root]$

#######################################################################################

Firewall Policy Management

Build a basic Web service

Service-side Apache httpd

1 Installing HTTPD Software

Yum-y Install httpd

2 Restart HTTPD Service Setup Boot

[Email protected] ~]# systemctl restart httpd

[Email protected] ~]# Systemctl enable httpd

3 Designing a simple Web page

[Email protected] ~]# vim/var/www/html/index.html

<marquee><font Color=green>

[email protected] ~]# Firefox 172.25.0.11

4 Construction of FTP service #FTP做文件传输服务

[Email protected] ~]# yum-y install VSFTPD

[Email protected] ~]# systemctl restart VSFTPD

[Email protected] ~]# Systemctl enable VSFTPD

5 Testing

[email protected] ~]# Firefox ftp://172.25.0.11

Firewall

View firewall status

[Email protected] ~]# systemctl status Firewalld.service

firewalld.service-firewalld-dynamic Firewall daemon

Loaded:loaded (/usr/lib/systemd/system/firewalld.service; enabled)

Active:active (running) since three 2017-11-01 08:28:25 CST; 7h ago

Main pid:481 (FIREWALLD)

CGroup:/system.slice/firewalld.service

└─481/usr/bin/python-es/usr/sbin/firewalld--nofork--...

November 08:28:25 localhost systemd[1]: Started firewalld-dynamic ....

Hint:some lines were ellipsized, use-l to show on full.

Preset security Zones

Public

Trusted

Block

Drop

##################################################################################

Rules for firewall judgments: matching and stopping

1. First look at the source IP address in the request (client), whether there is a policy to change the IP address in all regions, if there is a request to enter the zone

2. Go to the default zone

Virtual Machine desktop0:

# Firefox http://172.25.0.11 #访问失败

# Firefox ftp://172.25.0.11 #访问失败

Virtual Machine Server0:

# Firewall-cmd--get-default-zone #查看默认区域

# Firewall-cmd--zone=public--list-all

# firewall-cmd--zone=public--add-service=http #添加服务

# firewall-cmd--zone=public--list-all #查看区域规则信息

Virtual Machine desktop0:

# Firefox http://172.25.0.11 #访问成功

# Firefox ftp://172.25.0.11 #访问失败

Virtual Machine Server0:

# Firewall-cmd--zone=public--add-service=ftp

# Firewall-cmd--zone=public--list-all

Virtual Machine desktop0:

# Firefox ftp://172.25.0.11 #访问成功

#####################################################

--permanent Options: Implementing Permanent settings

Virtual Machine Server0:

# Firewall-cmd--reload #重新加载防火墙

# Firewall-cmd--zone=public--list-all

# firewall-cmd--permanent--zone=public--add-service=ftp

# firewall-cmd--permanent--zone=public--add-service=http

# Firewall-cmd--reload #重新加载防火墙

# Firewall-cmd--zone=public--list-all

####################################################

Modify the default zone and do not need to add--permanent

Virtual Machine desktop0:

# ping 172.25.0.11 #可以通信

Virtual Machine Server0:

# Firewall-cmd--set-default-zone=block #修改默认区域

# Firewall-cmd--get-default-zone #查看默认区域

Virtual Machine desktop0:

# ping 172.25.0.11 #不可以通信

Virtual Machine Server0:

# Firewall-cmd--set-default-zone=drop

# Firewall-cmd--get-default-zone

Virtual Machine desktop0:

# ping 172.25.0.11 #通信无反馈

######################################################

Virtual Machine Server0:

# firewall-cmd--permanent--zone=public--add-source=172.25.0.10

# Firewall-cmd--zone=public--list-all

# Firewall-cmd--reload

# Firewall-cmd--zone=public--list-all

Virtual Machine desktop0:

# Firefox http://172.25.0.11

##################################################

Implementing a native port mapping

Port redirection for on-premises applications (port 1 and Port 2)

– Automatically map to native port 2 from client Access port 1 requests

– For example, visit the following two addresses to see the same page:

Virtual Machine desktop0:

# Firefox http://172.25.0.11:5423-------"172.25.0.11:80

Virtual Machine Server0:

# Firewall-cmd--permanent--zone=public

--add-forward-port=port=5423:proto=tcp:toport=80

# Firewall-cmd--reload

# Firewall-cmd--zone=public--list-all

Virtual Machine desktop0:

# Firefox http://172.25.0.11:5423

Linux Firewall Basics