1. iptables: enable the firewall so that the ssh, dns, httpd, chrony and nfs services can still be used normally
(1) Install the iptables-services tool, which provides the iptables systemd unit.
[root@yangzilin ~]# yum install -y iptables-services
(2) Stop firewalld and start iptables.
[root@yangzilin ~]# systemctl stop firewalld
[root@yangzilin ~]# systemctl start iptables
(3) Add rules: ssh service port 22, dns service 53, httpd service 80, chrony service 123, nfs service 111. Then add one rule that rejects everything else.
[root@yangzilin ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 123 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p udp --dport 111 -j ACCEPT
[root@yangzilin ~]# iptables -t filter -A INPUT -p ip -j REJECT
(4) View the rule table
[root@yangzilin ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 33 16462 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
10 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
11 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
12 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 39 packets, 2589 bytes)
num pkts bytes target prot opt in out source destination
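The listing above shows a problem worth catching: the rules from step (3) were appended with -A, so they land after rule 5, the REJECT-all rule that iptables-services ships in its default ruleset. Every packet that is not established traffic, ICMP, loopback or a new SSH connection is rejected at rule 5, so rules 6 to 12 (dns, httpd, chrony, nfs) can never match, and their packet counters stay at 0. The following script is an added example, not part of the original notes: a POSIX sh function that reads an `iptables -vnL --line-numbers` listing and reports every rule that sits behind an earlier catch-all REJECT or DROP in the same chain. The sample input is the INPUT and FORWARD chains copied from the listing above.

```shell
#!/bin/sh
# Audit an `iptables -vnL --line-numbers` listing for shadowed rules: rules that
# follow a catch-all REJECT/DROP (proto all, any interface, 0.0.0.0/0 -> 0.0.0.0/0,
# no match extension) in the same chain and therefore can never be reached.
# Added example; the sample listing below is copied from the session above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 33 16462 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
10 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
11 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
12 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# shadowed_rules LISTING
# Prints one line per unreachable rule: "CHAIN num target proto dpt:N" (or "-"
# when the rule has no destination port match).
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { chain = $2; blocked = 0; next }   # new chain: reset the catch-all flag
        /^num /    { next }                            # column header line
        NF < 10    { next }                            # blank or truncated line
        blocked    {                                   # everything after a catch-all is dead
            print chain, $1, $4, $5,
                  (match($0, /dpt:[0-9]+/) ? substr($0, RSTART, RLENGTH) : "-")
            next
        }
        # Fields: 1 num, 4 target, 5 proto, 7 in, 8 out, 9 src, 10 dst, 11 first match option
        ($4 == "REJECT" || $4 == "DROP") && $5 == "all" && $7 == "*" && $8 == "*" &&
        $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && ($11 == "" || $11 == "reject-with") {
            blocked = 1
        }
    '
}

# Run it on the sample; on a live host use: shadowed_rules "$(iptables -vnL --line-numbers)"
shadowed_rules "$SAMPLE_LISTING"
```

On the listing above this reports rules 6 to 12 of INPUT as unreachable. The fix is positional: insert the service rules in front of the catch-all with `iptables -I INPUT 5 ...` instead of `-A`, or delete the stale default with `iptables -D INPUT 5` so that only the final REJECT in step (3) remains. Re-run the audit afterwards; the packet counters of the service rules should start moving once real traffic arrives.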
2. firewalld: enable the firewall so that the ssh, dns, httpd, chrony and nfs services can still be used normally,
and additionally: connections to port 9090 of the web service on the first machine are forwarded to port 80 on the second machine (made permanent)
(1) Stop iptables and start firewalld:
[root@yangzilin ~]# systemctl stop iptables
[root@yangzilin ~]# systemctl start firewalld
(2) Allow the ssh, http, dns, chrony and nfs services through:
[root@yangzilin ~]# firewall-cmd --add-service=ssh
success
[root@yangzilin ~]# firewall-cmd --add-service=http
success
[root@yangzilin ~]# firewall-cmd --add-service=dns
success
[root@yangzilin ~]# firewall-cmd --add-port=123/udp
success
[root@yangzilin ~]# firewall-cmd --add-service=nfs
success
(3) View the firewalld configuration:
[root@yangzilin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client dns http nfs ssh
ports: 123/udp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
(4) Forward port 9090 of the first virtual machine's web service to port 80 on the second machine.
[root@yangzilin ~]# firewall-cmd -add-forward-port=port=9090:proto=tcp:toport=80:toaddr=192.168.145.111 --permanent
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: -add-forward-port=port=9090:proto=tcp:toport=80:toaddr=192.168.145.111
[root@yangzilin ~]# firewall-cmd --reload
success