内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
本文档风哥主要介绍生产环境防火墙规则的实战案例,包括Web服务器、数据库服务器、应用服务器等场景的防火墙配置。
Part01-基础概念与理论知识
1.1 生产环境防火墙设计原则
1. 最小权限原则:只开放必要的端口
2. 分层防护:网络层+应用层
3. 默认拒绝:默认拒绝所有,显式允许
4. 定期审查:定期检查和优化规则
Part02-生产环境规划与建议
2.1 常见服务器防火墙策略
Web服务器:80, 443, 22
数据库服务器:3306, 5432, 27017(限制源IP)
应用服务器:8080, 8443, 22
缓存服务器:6379, 11211(限制源IP)
Part03-生产环境项目实施方案
3.学习交流加群风哥微信: itpux-com1 Web服务器防火墙配置
$ sudo firewall-cmd –permanent –add-service=http
$ sudo firewall-cmd –permanent –add-service=https
$ sudo firewall-cmd –permanent –add-service=ssh
# 限制SSH访问源IP
$ sudo firewall-cmd –permanent –remove-service=ssh
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.0/24″ service name=”ssh” accept’
# 重载配置
$ sudo firewall-cmd –reload
# 验证配置
$ sudo firewall-cmd –list-all
public (active)
services: http https
rich rules:
rule family=”ipv4″ source address=”192.168.1.0/24″ service name=”ssh” accept
3.2 数据库服务器防火墙配置
# 只允许应用服务器访问
# 开放MySQL端口(限制源IP)
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.100″ port protocol=”tcp” port=”3306″ accept’
# 开放PostgreSQL端口(限制源IP)
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.100″ port protocol=”tcp” port=”5432″ accept’
# 重载配置
$ sudo firewall-cmd –reload
Part04-生产案例与实战讲解
4.1 案例:多层架构防火墙配置
# Web服务器(192.168.1.10)
$ sudo firewall-cmd –permanent –add-service=http
$ sudo firewall-cmd –permanent –add-service=https
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.0/24″ service name=”ssh” accept’
# App服务器(192.168.1.20)
$ sudo firewall-cmd –permanent –add-port=8080/tcp
$ sudo firewall-cmd –permanent –add-rich-rufrom PG视频:www.itpux.comle=’rule family=”ipv4″ source address=”192.168.1.10″ port protocol=”tcp” port=”8080″ accept’
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″学习交流加群风哥QQ113257174 source address=”192.168.1.0/24″ service name=”ssh” accept’
# DB服务器(192.168.1.30)
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.20″ port protocol=”tcp” port=”3306″ accept’
$ sudo firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.0/24″ service name=”ssh” accept’
# 重载配置
$ sudo firewall-cmd –reload
风哥提示:
Part05-风哥经验总结与分享
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
