Summary: this Feng Ge tutorial (风哥教程) draws on the official documentation of Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman and describes the configuration and use of these technologies in detail.
This document presents firewalld application cases for real-world scenarios: a web server, a database server, a gateway, a mail server and a VPN server.
Part01-Web Server Firewall
1.1 Web server configuration
$ sudo firewall-cmd --permanent --zone=public --add-service=http
$ sudo firewall-cmd --permanent --zone=public --add-service=https
$ sudo firewall-cmd --permanent --zone=public --add-service=ssh
# Restrict SSH access: remove the unconditional ssh service (it is also part of the public zone's defaults) and allow ssh only from the management network. A source-restricted rich rule changes nothing while the plain service rule still accepts ssh from everywhere
$ sudo firewall-cmd --permanent --zone=public --remove-service=ssh
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Slow down port scanners and cap the rate of new TCP connections (SYN) to the web ports.
# Direct rules are evaluated before the zone chains (INPUT_direct on the iptables backend) and the direct interface is deprecated since firewalld 1.0, so keep them few and scoped. Order matters:
#   rule 0 drops any source already flagged as a scanner for 300 seconds; rule 1 clears stale entries;
#   rules 2 and 3 accept new SYNs to ports 80/443 within a limit and drop the excess. An ACCEPT with a limit match alone does nothing (excess SYNs just continue to the zone rules and are accepted there), and an ACCEPT that is not scoped to a port would admit rate-limited SYNs to every port, ssh from outside 192.168.1.0/24 included;
#   rule 4 flags any source that touches a port this server never serves (tcp/23 is an illustrative trap port, not from the original). Without it nothing ever adds an address to the "portscan" list and the rcheck/remove pair is a no-op.
# 25/s with a burst of 100 is a starting point, not a tuned figure; 1/s with a burst of 3 would throttle legitimate visitors. None of this replaces the kernel's SYN cookies (net.ipv4.tcp_syncookies=1) as the SYN-flood defence; these rules only cap the connection rate
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m recent --name portscan --rcheck --seconds 300 -j DROP
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m recent --name portscan --remove
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2 -p tcp --syn -m multiport --dports 80,443 -m limit --limit 25/s --limit-burst 100 -j ACCEPT
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 3 -p tcp --syn -m multiport --dports 80,443 -j DROP
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 4 -p tcp --dport 23 -m recent --name portscan --set -j DROP
# Limit the rate of new HTTP connections. The rich rule only takes effect if http is not also allowed unconditionally: with --add-service=http still present the plain accept takes every connection and the limit is never applied, so remove the service first. The limit is global (all clients together) and counts new connections, not requests, so size it for peak traffic
$ sudo firewall-cmd --permanent --zone=public --remove-service=http
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule service name="http" limit value="100/s" accept'
# Apply the configuration
$ sudo firewall-cmd --reload
# Check the configuration (runtime); add --permanent to compare with what is on disk
$ sudo firewall-cmd --zone=public --list-all
Part02-Database Server Firewall
2.1 Database server configuration
# Create a dedicated zone for the database network
$ sudo firewall-cmd --permanent --new-zone=database
$ sudo firewall-cmd --reload
# Bind the database-facing interface. Use --permanent here too: a runtime-only --change-interface is lost at the next reload unless NetworkManager records the zone in the connection profile
$ sudo firewall-cmd --permanent --zone=database --change-interface=eth1
# Bind the application subnet as a source. Sources are matched before interfaces, so packets from 192.168.2.0/24 land in this zone whatever interface they arrive on
$ sudo firewall-cmd --permanent --zone=database --add-source=192.168.2.0/24
# Allow MySQL only from the two application servers. Do not also add the mysql service to the zone: that would accept tcp/3306 from every host in 192.168.2.0/24 and make the per-host rules below redundant
$ sudo firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.10" port port="3306" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.2.11" port port="3306" protocol="tcp" accept'
# Allow SSH management from the management network. A new zone has no default services, so nothing else is open; note that this rule only covers management traffic that enters the database zone (via eth1), traffic on another interface is handled by that interface's zone
$ sudo firewall-cmd --permanent --zone=database --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Apply the configuration
$ sudo firewall-cmd --reload
# Check the configuration
$ sudo firewall-cmd --zone=database --list-all
Part03-Gateway Firewall
3.1 Gateway server configuration
# Enable IPv4 forwarding (runtime now, and persisted for the next boot)
$ sudo sysctl -w net.ipv4.ip_forward=1
$ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
# NAT: masquerade outbound traffic on the WAN side. The built-in external zone already masquerades; what it still needs is the WAN interface bound to it (eth0 is assumed here, the original does not name it)
$ sudo firewall-cmd --permanent --zone=external --change-interface=eth0
$ sudo firewall-cmd --permanent --zone=external --add-masquerade
# Port forwarding (DNAT): publish the application listening on 192.168.2.10:8080 as port 80 of the gateway
$ sudo firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.2.10
# "Load balancing": forward-port rules are first-match DNAT, so two forward-port rich rules for the same port do not balance anything; the second is never reached, and both would collide with the forward to 8080 above. If new connections are to alternate between two back ends without a real load balancer, use direct rules in the nat table with the iptables statistic match instead of the forward-port above (do not combine them): the first rule takes every second new connection, the second takes the rest. NAT is decided on the first packet of a connection, so this alternates connections, not packets. Forwarded traffic must also be accepted on the FORWARD path, which firewalld does on its own for forward-port rules but not for direct DNAT rules (use a policy object in firewalld 1.0+ or a direct FORWARD rule)
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.2.10:80
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.11:80
# Internal zone
$ sudo firewall-cmd --permanent --zone=internal --add-source=192.168.2.0/24
$ sudo firewall-cmd --permanent --zone=internal --add-service=dns
$ sudo firewall-cmd --permanent --zone=internal --add-service=dhcp
# DMZ zone. dmz is a built-in zone, so --new-zone=dmz fails with NAME_CONFLICT; bind the interface to the existing zone instead
$ sudo firewall-cmd --permanent --zone=dmz --add-interface=eth2
$ sudo firewall-cmd --permanent --zone=dmz --add-service=http
$ sudo firewall-cmd --permanent --zone=dmz --add-service=https
# Apply the configuration
$ sudo firewall-cmd --reload
Part04-Mail Server Firewall
4.1 Mail server configuration
# Mail services. The plaintext imap and pop3 services carry credentials in the clear unless the mail daemon enforces STARTTLS; drop them from this list if only TLS clients need to be supported. Client submission on port 587 is the separate smtp-submission service, not covered by smtp
$ sudo firewall-cmd --permanent --zone=public --add-service=smtp
$ sudo firewall-cmd --permanent --zone=public --add-service=smtps
$ sudo firewall-cmd --permanent --zone=public --add-service=imap
$ sudo firewall-cmd --permanent --zone=public --add-service=imaps
$ sudo firewall-cmd --permanent --zone=public --add-service=pop3
$ sudo firewall-cmd --permanent --zone=public --add-service=pop3s
# Limit the rate of new SMTP connections. A rich rule with a limit only works once the unconditional smtp service is removed; otherwise the plain accept takes every connection and the limit is never applied
$ sudo firewall-cmd --permanent --zone=public --remove-service=smtp
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule service name="smtp" limit value="10/s" accept'
# Limit concurrent SMTP connections per client address (connlimit counts per source /32 by default); --syn evaluates the limit on new connections only
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --syn --dport 25 -m connlimit --connlimit-above 20 -j DROP
# Management access. The public zone allows ssh by default; remove it, otherwise the source-restricted rule below changes nothing
$ sudo firewall-cmd --permanent --zone=public --remove-service=ssh
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
# Apply the configuration
$ sudo firewall-cmd --reload
# Check the configuration
$ sudo firewall-cmd --zone=public --list-all
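The web and mail server zones above share one failure mode: a rich rule restricted by source or by limit is silently defeated when the same service is still allowed unconditionally, and ssh stays open to the world unless the default service is removed. The script below is an added example, not code from the original tutorial: it parses the text that `firewall-cmd --zone=<zone> --list-all` prints and reports exactly those two problems. The two zone listings embedded in it are constructed samples, not real captures; to audit a live host, capture the output with `sudo firewall-cmd --zone=public --list-all > public.txt` and pass the file contents to `parse_list_all`.

```python
"""Audit `firewall-cmd --zone=<zone> --list-all` output for rules that cannot
take effect. Added example, not part of the original tutorial. It only reads
text the caller captured from firewall-cmd, so it runs offline; the two
listings at the bottom are constructed samples, not real captures.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    services: set = field(default_factory=set)
    rich_rules: list = field(default_factory=list)  # one dict per rich rule


# Clauses of a rich rule the audit cares about (firewalld rich language syntax).
RICH_CLAUSES = {
    "service": re.compile(r'service name="([^"]+)"'),
    "source": re.compile(r'source (?:NOT )?address="([^"]+)"'),
    "limit": re.compile(r'limit value="([^"]+)"'),
    "action": re.compile(r'\b(accept|drop|reject|mark)\b'),
}


def parse_rich_rule(text: str) -> dict:
    """Pick the clauses the audit needs out of one rich rule string."""
    rule = {"text": text}
    for key, pattern in RICH_CLAUSES.items():
        match = pattern.search(text)
        if match:
            rule[key] = match.group(1)
    return rule


def parse_list_all(text: str) -> Zone:
    """Parse the 'key: value' lines of --list-all. Rich rules follow the
    'rich rules:' key, one per indented line that starts with 'rule'."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    zone = Zone(name=lines[0].split()[0])  # first line looks like "public (active)"
    for line in lines[1:]:
        if line.startswith("rule "):
            zone.rich_rules.append(parse_rich_rule(line))
            continue
        key, _, value = line.partition(":")
        if key.strip() == "services":
            zone.services = set(value.split())
    return zone


def audit_zone(zone: Zone) -> list:
    """Return one finding per rule that the zone's other settings defeat."""
    findings = []
    for rule in zone.rich_rules:
        svc = rule.get("service")
        restricted = "source" in rule or "limit" in rule
        # A restricted rich 'accept' is pointless when the same service is also
        # listed under 'services:': the plain service rule accepts every packet.
        # 'drop'/'reject' rich rules are evaluated before the allow rules, so
        # they are not affected and are not reported.
        if svc in zone.services and rule.get("action") == "accept" and restricted:
            findings.append(
                f"{zone.name}: rich rule '{rule['text']}' is defeated by the "
                f"unconditional service '{svc}'; remove the service")
    if "ssh" in zone.services:
        findings.append(f"{zone.name}: ssh is reachable from any address")
    return findings


# Constructed sample: the mail server zone with the smtp and ssh services still
# present next to the restricted rich rules.
MAIL_ZONE_SAMPLE = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client imap imaps pop3 pop3s smtp smtps ssh
  ports:
  masquerade: no
  rich rules:
\trule service name="smtp" limit value="10/s" accept
\trule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
"""

# Constructed sample: the same zone after the smtp and ssh services were removed.
FIXED_ZONE_SAMPLE = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client imap imaps pop3 pop3s smtps
  ports:
  masquerade: no
  rich rules:
\trule service name="smtp" limit value="10/s" accept
\trule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
"""


if __name__ == "__main__":
    for sample in (MAIL_ZONE_SAMPLE, FIXED_ZONE_SAMPLE):
        print(audit_zone(parse_list_all(sample)) or ["no findings"])
```

Run against the first sample it reports three findings (the smtp rate limit and the ssh source restriction are both defeated, and ssh is open to everyone); against the second it reports none, which is the state the configuration above should be left in.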
Part05-VPN Server Firewall
5.1 VPN server configuration
# Allow OpenVPN (udp/1194)
$ sudo firewall-cmd --permanent --zone=public --add-service=openvpn
# Allow IPsec. The ipsec service already covers IKE (udp/500), NAT-T (udp/4500) and the ESP/AH protocols, so the two port rules that follow are redundant and only kept for readability
$ sudo firewall-cmd --permanent --zone=public --add-service=ipsec
# Allow IKE and NAT-T explicitly
$ sudo firewall-cmd --permanent --zone=public --add-port=500/udp
$ sudo firewall-cmd --permanent --zone=public --add-port=4500/udp
# NAT so that VPN clients reach networks behind the server with the server's address
$ sudo firewall-cmd --permanent --zone=public --add-masquerade
# VPN zone for the tunnel interface. Do not also bind the client subnet (10.8.0.0/24) as a source of the trusted zone: source bindings are matched before interface bindings, so every packet from a VPN client would land in trusted (everything accepted) and the restricted vpn zone below would never apply. If clients must reach internal networks, allow that forwarding explicitly (a policy object in firewalld 1.0+) rather than trusting the whole subnet
$ sudo firewall-cmd --permanent --new-zone=vpn
$ sudo firewall-cmd --permanent --zone=vpn --add-interface=tun0
$ sudo firewall-cmd --permanent --zone=vpn --add-service=dns
$ sudo firewall-cmd --permanent --zone=vpn --add-service=http
$ sudo firewall-cmd --permanent --zone=vpn --add-service=https
# Apply the configuration
$ sudo firewall-cmd --reload
# Check the configuration
$ sudo firewall-cmd --zone=public --list-all
$ sudo firewall-cmd --zone=vpn --list-all
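The database, gateway and VPN sections all build zone layouts, and the layouts fail in ways firewall-cmd either rejects outright (a `--new-zone` on a built-in name such as dmz, or one subnet bound as a source to two zones) or applies differently from what the author intended (a subnet bound as a source to one zone overrides the zone of the interface that carries it, because sources are matched first). The script below is an added example, not code from the original tutorial: it turns a small declarative zone specification of its own design into the `firewall-cmd --permanent` commands, but only after checking those three conditions. The subnet an interface carries is not something firewalld knows; the spec states it as an assumption so the precedence check can run. Both layouts at the bottom are constructed for the example.

```python
"""Generate firewall-cmd commands from a zone specification and reject
layouts that firewalld would refuse or silently reorder. Added example, not
part of the original tutorial; the ZoneSpec format is this example's own.
It encodes three firewalld behaviours:
  - --new-zone fails with NAME_CONFLICT for a built-in zone name;
  - a source may be bound to one zone only, and source bindings are matched
    before interface bindings, so a subnet bound as a source elsewhere
    overrides the zone of the interface that carries it;
  - permanent settings can be added to a freshly created zone at once, and a
    single --reload at the end turns everything into runtime configuration.
"""
import ipaddress
from dataclasses import dataclass, field

BUILTIN_ZONES = {"block", "dmz", "drop", "external", "home", "internal",
                 "nm-shared", "public", "trusted", "work"}


@dataclass
class ZoneSpec:
    name: str
    new: bool = False                                  # create with --new-zone
    interfaces: dict = field(default_factory=dict)     # iface -> subnet it carries (assumed) or None
    sources: list = field(default_factory=list)        # CIDR strings bound with --add-source
    services: list = field(default_factory=list)
    rich_rules: list = field(default_factory=list)
    masquerade: bool = False


def validate(zones: list) -> list:
    """Return human-readable problems; an empty list means the layout is sound."""
    problems = []
    owner = {}  # source CIDR -> zone that binds it
    for z in zones:
        if z.new and z.name in BUILTIN_ZONES:
            problems.append(f"{z.name}: --new-zone would fail with NAME_CONFLICT "
                            f"(built-in zone); configure the existing zone instead")
        for src in z.sources:
            if src in owner:
                problems.append(f"{src}: already bound to zone {owner[src]} "
                                f"(firewalld reports ZONE_CONFLICT)")
            owner[src] = z.name
    # Source bindings are evaluated before interface bindings.
    for z in zones:
        for iface, carried in z.interfaces.items():
            if carried is None:
                continue
            carried_net = ipaddress.ip_network(carried, strict=False)
            for src, src_zone in owner.items():
                if src_zone != z.name and ipaddress.ip_network(src, strict=False).overlaps(carried_net):
                    problems.append(
                        f"{z.name}: packets from {src} on {iface} are matched by zone "
                        f"{src_zone} first (sources take precedence over interfaces)")
    return problems


def render(zones: list) -> list:
    """Emit the --permanent commands in dependency order, then one reload."""
    cmds = []
    for z in zones:
        base = f"firewall-cmd --permanent --zone={z.name}"
        if z.new:
            cmds.append(f"firewall-cmd --permanent --new-zone={z.name}")
        for iface in z.interfaces:
            cmds.append(f"{base} --add-interface={iface}")
        for src in z.sources:
            cmds.append(f"{base} --add-source={src}")
        for svc in z.services:
            cmds.append(f"{base} --add-service={svc}")
        for rule in z.rich_rules:
            cmds.append(f"{base} --add-rich-rule='{rule}'")
        if z.masquerade:
            cmds.append(f"{base} --add-masquerade")
    cmds.append("firewall-cmd --reload")
    return cmds


def plan(zones: list) -> list:
    """Validate first; refuse to emit commands for a layout with problems."""
    problems = validate(zones)
    if problems:
        raise ValueError("\n".join(problems))
    return render(zones)


# Constructed layout reproducing two mistakes: --new-zone on the built-in dmz,
# and the VPN client subnet bound to trusted while tun0 sits in the vpn zone.
# That tun0 carries 10.8.0.0/24 is an assumption stated in the spec.
BROKEN_LAYOUT = [
    ZoneSpec("dmz", new=True, interfaces={"eth2": None}, services=["http", "https"]),
    ZoneSpec("trusted", sources=["10.8.0.0/24"]),
    ZoneSpec("vpn", new=True, interfaces={"tun0": "10.8.0.0/24"}, services=["dns", "http", "https"]),
]

# The same intent without the conflicts, plus the database zone.
SOUND_LAYOUT = [
    ZoneSpec("dmz", interfaces={"eth2": None}, services=["http", "https"]),
    ZoneSpec("database", new=True, interfaces={"eth1": "192.168.2.0/24"}, sources=["192.168.2.0/24"],
             rich_rules=['rule family="ipv4" source address="192.168.2.10" port port="3306" protocol="tcp" accept']),
    ZoneSpec("vpn", new=True, interfaces={"tun0": "10.8.0.0/24"}, services=["dns", "http", "https"]),
]

if __name__ == "__main__":
    print("\n".join(validate(BROKEN_LAYOUT)))
    print("\n".join(plan(SOUND_LAYOUT)))
```

`plan` raises on the broken layout with both problems listed; for the sound layout it emits the commands in the order firewalld needs them (create the zone, bind interfaces and sources, then services and rich rules) and ends with a single reload, which is the point at which the permanent configuration becomes the running one.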
1. Open only the services each server type actually provides
2. Restrict the source addresses that may reach management and database ports
3. Apply connection rate limits, and remove the unconditional service rule so that the limit can take effect
4. Use zones to separate networks, keeping in mind that source bindings are matched before interface bindings
5. Review and tune the rules regularly, comparing the runtime configuration with the permanent one
This article was compiled and published by 风哥教程 (Feng Ge Tutorials) for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
