一、总结openssh免认证原理及实现过程
基于用户和口令登录认证
基于密钥的登录方式
操作步骤:
ssh-keygen #在客户端生成公钥、私钥对
ssh-copy-id root@192.168.0.1 #复制客户端公钥至服务器
二、总结sudo文件配置格式
sudo配置文件存放位置:
/etc/sudoers
/etc/sudoers.d/
sudo修改配置文件常用命令:
visudo
sudoers授权规则:
用户 登录主机=(代表用户) 命令
user host = (runas) command
root ALL=(ALL) ALL
wheel ALL=(ALL) ALL
范例:
wang ALL=(root) ALL #授权wang用户以root权限使用所有命令
wang 10.0.0.3=(root) /sbin/ifconfig #授权wang用户在10.0.0.3主机上可以以root身份使用ifconfig命令
groupmems -a wang -g wheel #为wang用户添加附加组wheel
三、总结PAM架构及原理
PAM原理:
系统安装的各类服务所调用的认证模块以统一格式存放于/lib64/security/pam_*.so文件中,服务通过/etc/pam.d/下的中间配置文件调用一个或多个.so模块来完成认证
PAM架构:
service(服务) --> /etc/pam.d/<service>(服务的中间配置文件) --> /lib64/security(具体的认证文件)
四、总结PAM配置文件格式
PAM配置文件范例:
[root@Rocky-test pam.d]# cat sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
PAM常用模块pam_limits.so:
pam_limits.so功能:在用户级别实现对其可使用的资源的限制
临时修改限制--ulimit命令:
[root@Rocky-test ~]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 6904
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 6904
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[root@Rocky-test ~]# ulimit -n 2046
[root@Rocky-test ~]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 6904
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 2046
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 6904
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
永久修改限制--修改配置文件:
[wang@Rocky-test ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 6904
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 2046
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 6904
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[root@Rocky-test ~]# vim /etc/security/limits.conf
wang - stack 2048
[wang@Rocky-test ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 6904
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 2046
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 2048
cpu time (seconds, -t) unlimited
max user processes (-u) 6904
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
五、实现私有时间服务器
[root@Rocky-test etc]# yum -y install chrony
[root@Rocky-test etc]# vim chrony.conf
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
allow 10.0.0.0/24
# Serve time even if not synchronized to a time source.
local stratum 10
[root@Rocky-test etc]# systemctl enable --now chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.
六、总结DNS域名三级结构
域名为树状结构,全球13个根节点(.)作为域名的起始点,一级域名为职能或国家划分(cn,hk),二级域名为具体域名名称,三级、四级域名为上一级域名的子域。
七、总结DNS工作原理
DNS工作原理:用户访问域名时,请求先发送至本地DNS服务器;服务器优先查询本地缓存记录,若缓存中无对应IP,则向根DNS服务器发起查询进行溯源,由根服务器指向该域名对应的一级域DNS服务器,再逐级向下查询,直至查到域名对应的IP并将结果返回给用户
递归查询:DNS服务器收到用户请求后,必须反馈一个准确的查询结果
迭代查询:DNS服务器收到查询请求后,若自身没有结果,则返回上级DNS服务器的IP,由请求方再向该上级DNS服务器发送查询;若仍无结果则继续返回更上一级DNS服务器的IP,直到请求方收到最终查询结果
八、实现私有DNS
#DNS主服务器 10.0.0.152
#WEB服务器 10.0.0.151
#客户端 10.0.0.150
[root@Rocky-test ~]# yum -y install bind bind-utils
[root@Rocky-test ~]# systemctl enable --now named #安装并启动DNS服务
[root@Rocky-test ~]# vim /etc/named.conf #配置DNS主配置文件,注释掉以下两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
zone "wlm.org" IN {
type master;
file "wlm.org.zone";
};
[root@Rocky-test ~]# named-checkconf #检查主配置文件
[root@Rocky-test ~]# cd /var/named/
[root@Rocky-test named]# cp -p named.localhost wlm.org.zone
[root@Rocky-test named]# vim wlm.org.zone #编辑地址解析配置
$TTL 86400
@ IN SOA master admin.wlm.org. (
202404 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS master
master IN A 10.0.0.152 #Rocky-test
www IN A 10.0.0.151 #Rocky-240220
[root@Rocky-test named]# named-checkzone wlm.org wlm.org.zone #检查地址解析配置
zone wlm.org/IN: loaded serial 0
OK
[root@Rocky-test named]# rndc reload #DNS配置生效
server reload successful
[root@rocky-240220 ~]# yum -y install httpd
[root@rocky-240220 ~]# systemctl enable --now httpd #安装httpd服务并启动
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@rocky-240220 ~]# echo www.wlm.org > /var/www/html/index.html
#Ubuntu客户端检测
root@ubuntu-2004:~# cat /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
ethernets:
ens33:
addresses: [10.0.0.150/24]
gateway4: 10.0.0.2
nameservers:
addresses: [10.0.0.152]
version: 2
root@ubuntu-2004:~# curl www.wlm.org
www.wlm.org
root@ubuntu-2004:~# ping www.wlm.org
PING www.wlm.org (10.0.0.151) 56(84) bytes of data.
64 bytes from 10.0.0.151 (10.0.0.151): icmp_seq=1 ttl=64 time=0.593 ms
64 bytes from 10.0.0.151 (10.0.0.151): icmp_seq=2 ttl=64 time=0.762 ms
64 bytes from 10.0.0.151 (10.0.0.151): icmp_seq=3 ttl=64 time=0.905 ms
九、总结DNS服务器配置
DNS服务器类型:
主DNS服务器--管理和维护所负责解析的域内解析库的服务器
从DNS服务器--复制主服务器解析库,作为备份
缓存DNS服务器--将DNS请求转发至指定的DNS服务而非根服务器,并将结果进行缓存
DNS解析答案:
肯定答案--存在对应的查询结果
否定答案--请求答案不存在等导致的无法返回结果
权威答案--直接由存有此查询结果的DNS服务器返回的答案
非权威答案--由非权威服务器返回的答案
资源记录定义
SOA:起始授权记录,必须有且为第一条记录
A:域名解析至IP(正向解析)
PTR:IP解析至域名(反向解析)
NS:标明当前区域的DNS服务器
@ IN SOA master admin.wlm.org. (
202404 ; 版本号
1D ; 刷新时间
1H ; 重试时间
1W ; 撤销时间
3H ) ; 否定答案的TTL值
@--引用当前域名,此处可写为wlm.org.
master--代表master.wlm.org. ,此处不加"."默认进行补全
admin.wlm.org.--代表当前管理员邮箱地址,此处admin代替@符号
www IN A 10.0.0.151 #A记录
151.0.0.10.in-addr.arpa. IN PTR www.wlm.org. #PTR记录
十、实现DNS主从同步
#DNS主服务器 10.0.0.152
#DNS从服务器 10.0.0.151
#WEB服务器 10.0.0.152
#客户端 10.0.0.150
#关闭10.0.0.151的WEB服务,10.0.0.152保持主服务器配置
[root@rocky-240220 ~]# yum -y install bind bind-utils #为从服务器安装DNS服务
[root@rocky-240220 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@rocky-240220 ~]# vim /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
[root@rocky-240220 ~]# named-checkconf #检查主配置文件
[root@rocky-240220 ~]# vim /etc/named.rfc1912.zones #配置从服务器
zone "wlm.org" IN {
type slave;
masters {10.0.0.152;};
file "slaves/wlm.org.slave.zone";
};
[root@rocky-240220 ~]# rndc reload #重载服务配置
server reload successful
[root@rocky-240220 ~]# cd /var/named/slaves/
[root@rocky-240220 slaves]# ls #查看数据文件是否生成
wlm.org.slave.zone
#为主服务器重新配置WEB服务器
[root@Rocky-test etc]# vim /var/named/wlm.org.zone
$TTL 86400
@ IN SOA master admin.wlm.org. (
20240402 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS master
IN NS slave
master IN A 10.0.0.152
slave IN A 10.0.0.151
www IN A 10.0.0.152
[root@Rocky-test etc]# named-checkzone wlm.org /var/named/wlm.org.zone
zone wlm.org/IN: loaded serial 20240402
OK
[root@Rocky-test etc]# echo www.wlm.org > /var/www/html/index.html
[root@Rocky-test etc]# rndc reload
server reload successful
#客户端验证DNS服务
root@ubuntu-2004:~# vim /etc/netplan/00-installer-config.yaml
network:
ethernets:
ens33:
addresses: [10.0.0.150/24]
gateway4: 10.0.0.2
nameservers:
addresses: [10.0.0.152,10.0.0.151]
version: 2
root@ubuntu-2004:~# netplan apply
root@ubuntu-2004:~# curl www.wlm.org
www.wlm.org
root@ubuntu-2004:~# ping www.wlm.org
PING www.wlm.org (10.0.0.152) 56(84) bytes of data.
64 bytes from 10.0.0.152 (10.0.0.152): icmp_seq=1 ttl=64 time=0.664 ms
64 bytes from 10.0.0.152 (10.0.0.152): icmp_seq=2 ttl=64 time=0.703 ms
#关闭主DNS服务测试
[root@Rocky-test etc]# systemctl stop named
root@ubuntu-2004:~# curl www.wlm.org
www.wlm.org
root@ubuntu-2004:~# ping www.wlm.org
PING www.wlm.org (10.0.0.152) 56(84) bytes of data.
64 bytes from 10.0.0.152 (10.0.0.152): icmp_seq=1 ttl=64 time=1.63 ms
十一、实现DNS子域授权
#DNS父域服务器 10.0.0.152
#DNS子域服务器 10.0.0.151
#父域WEB服务器 10.0.0.152
#子域WEB服务器 10.0.0.151
#客户端 10.0.0.150
#DNS父域服务器配置
[root@Rocky-test ~]# vim /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
dnssec-enable no;
dnssec-validation no;
zone "wlm.org" IN {
type master;
file "wlm.org.zone";
};
[root@Rocky-test ~]# named-checkconf
[root@Rocky-test ~]# vim /var/named/wlm.org.zone
$TTL 86400
@ IN SOA master admin.wlm.org. (
20240403 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS master
beijing IN NS beijing
master IN A 10.0.0.152
beijing IN A 10.0.0.151
www IN A 10.0.0.152
[root@Rocky-test ~]# named-checkzone wlm.org /var/named/wlm.org.zone
zone wlm.org/IN: beijing.wlm.org/NS 'beijing.wlm.org' (out of zone) has no addresses records (A or AAAA)
zone wlm.org/IN: loaded serial 20240403
OK
[root@Rocky-test ~]# rndc reload
server reload successful
[root@Rocky-test ~]# echo www.wlm.org > /var/www/html/index.html
#DNS子域服务器配置
[root@rocky-240220 slaves]# vim /etc/named.rfc1912.zones
zone "beijing.wlm.org"
{
type master;
file "beijing.wlm.org.zone";
};
[root@rocky-240220 slaves]# cd /var/named/
[root@rocky-240220 named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@rocky-240220 named]# cp -p named.localhost beijing.wlm.org.zone
[root@rocky-240220 named]# vim beijing.wlm.org.zone
$TTL 86400
@ IN SOA master admin.wlm.org. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS master
master IN A 10.0.0.151
www IN A 10.0.0.151
[root@rocky-240220 named]# rndc reload
server reload successful
[root@rocky-240220 named]# echo www.beijing.wlm.org > /var/www/html/index.html
#客户端验证DNS服务
root@ubuntu-2004:~# curl www.wlm.org
www.wlm.org
root@ubuntu-2004:~# curl www.beijing.wlm.org
www.beijing.wlm.org
root@ubuntu-2004:~# ping www.wlm.org
PING www.wlm.org (10.0.0.152) 56(84) bytes of data.
64 bytes from 10.0.0.152 (10.0.0.152): icmp_seq=1 ttl=64 time=0.945 ms
root@ubuntu-2004:~# ping www.beijing.wlm.org
PING www.beijing.wlm.org (10.0.0.151) 56(84) bytes of data.
64 bytes from 10.0.0.151 (10.0.0.151): icmp_seq=1 ttl=64 time=0.660 ms
十二、基于acl实现智能DNS
原理:
1,用户发起域名访问请求,无本地缓存时发送请求至DNS服务器
2,服务器收到域名查询请求后会转发至对应的zone内
3,根据内部的ACL命令会将响应较快的解析地址返回给用户
十三、总结防火墙分类
按照保护范围划分:
主机防火墙--服务范围为当前主机
网络防火墙--服务范围为防火墙一侧的局域网
按实现方式划分:
硬件防火墙--由专用硬件配合部分软件实现的防火墙
软件防火墙--运行在通用硬件平台的防火墙应用软件
按网络协议划分:
网络层防火墙--对数据包进行分析过滤以实现防火墙功能
应用层防火墙--将防火墙两侧的网络隔开通过代理链接实现访问
十四、总结iptable 5表5链基本使用
五表(优先级由低到高):
filter--根据规则条件过滤数据包
nat--地址转换规则表
mangle--修改数据标记位规则表
raw--关闭连接跟踪机制,加快过墙速度
security--Linux的SELINUX模块
五链:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
十五、总结iptables规则优化
15.1,iptables规则使用方法
基本规则:
iptables -nvL 显示所有规则
iptables -t table 指定表{table=filter(默认)nat,raw,mangle}
iptables -N 新建自定义规则链
iptables -X 删除自定义规则链
iptables -A 追加指定的规则
iptables -R 替换指定链上的指定规则编号
iptables -I 在指定链的指定规则编号处插入规则(默认插入为第1条)
iptables -F 清空指定链的规则
处理动作:-j
ACCEPT 接受
DROP 丢弃
REJECT 拒绝
REDIRECT 端口重定向
DNAT 目标地址转换
SNAT 源地址转换
MASQUERADE 地址伪装
匹配条件:
-s 指定源IP地址
-d 指定目标IP地址
-p 指定协议
--sport 指定源端口号
--dport 指定目的端口号
扩展匹配模块:-m
multiport --dports 调用多个不连续端口
iprange --src-range 源地址范围
iprange --dst-range 目的地址范围
mac --mac-source 指定源MAC地址
string --algo { bm | kmp } 字符串匹配算法
--from 开始偏移的字符串
--to 结束偏移的字符串
time --datestart 日期开始范围
--timestop 时间结束范围
limit --limit-burst 前多少个包不限制
范例
[root@rocky-client ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@rocky-client ~]# iptables -A INPUT -s 10.0.0.152 -j REJECT
[root@rocky-client ~]# iptables -I INPUT -s 10.0.0.151 -j ACCEPT
[root@rocky-client ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 10.0.0.151 0.0.0.0/0
2 0 0 REJECT all -- * * 10.0.0.152 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
#测试规则
[root@rocky-240220 ~]# hostname -I
10.0.0.151
[root@rocky-240220 ~]# ping 10.0.0.154
PING 10.0.0.154 (10.0.0.154) 56(84) bytes of data.
64 bytes from 10.0.0.154: icmp_seq=1 ttl=64 time=1.14 ms
64 bytes from 10.0.0.154: icmp_seq=2 ttl=64 time=0.598 ms
[root@Rocky-test ~]# hostname -I
10.0.0.152
[root@Rocky-test ~]# ping 10.0.0.154
PING 10.0.0.154 (10.0.0.154) 56(84) bytes of data.
From 10.0.0.154 icmp_seq=1 Destination Port Unreachable
From 10.0.0.154 icmp_seq=2 Destination Port Unreachable
#规则已生效
[root@rocky-client ~]# iptables -R INPUT 2 -s 10.0.0.152 -p tcp --dport 22 -j DROP
#替换第2条规则为禁止10.0.0.152访问本机TCP 22端口
[root@rocky-240220 ~]# ssh 10.0.0.154
The authenticity of host '10.0.0.154 (10.0.0.154)' can't be established.
ECDSA key fingerprint is SHA256:QnmDHlWyP+C6d1rY5gZZmxwhWREaSPpPHi44wx0i8Kc.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
[root@Rocky-test ~]# ssh 10.0.0.154
^C
[root@Rocky-test ~]# ping 10.0.0.154
PING 10.0.0.154 (10.0.0.154) 56(84) bytes of data.
64 bytes from 10.0.0.154: icmp_seq=1 ttl=64 time=0.876 ms
#规则已生效
[root@rocky-client ~]# iptables -A OUTPUT -d 10.0.0.151 -p tcp -m multiport --dports 22,80 -j REJECT
#添加禁止本机访问10.0.0.151的TCP 22,80端口规则
[root@rocky-client ~]# ping 10.0.0.151
PING 10.0.0.151 (10.0.0.151) 56(84) bytes of data.
64 bytes from 10.0.0.151: icmp_seq=1 ttl=64 time=0.906 ms
[root@rocky-client ~]# ssh 10.0.0.151
ssh: connect to host 10.0.0.151 port 22: Connection refused
#规则已生效
iptables规则优化:
包含关系的规则,应将范围小放在前面,
无包含关系的规则,应将范围大放在前面,提高效率
15.2,iptables规则保存方法
[root@rocky-client ~]# iptables-save > /home/iptables/iptables202404 #保存规则
[root@rocky-client ~]# ll /home/iptables/iptables202404
-rw-r--r--. 1 root root 385 Apr 19 11:19 /home/iptables/iptables202404
[root@rocky-client ~]# iptables -F
[root@rocky-client ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@rocky-client ~]# iptables-restore < /home/iptables/iptables202404 #恢复规则
#Centos7,8可以安装启用iptables-services实现开机自动加载规则
[root@rocky-client ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 384 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.0.0.151 0.0.0.0/0
0 0 DROP tcp -- * * 10.0.0.152 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 472 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 10.0.0.151 multiport dports 22,80 reject-with icmp-port-unreachable
十六、总结NAT转换原理,设计实现DNAT/SNAT
NAT原理:通过配置命令实现内/外网IP地址转发
SNAT原理:将内网主机发出请求的源IP转换为防火墙的外网IP
DNAT原理:将外网访问防火墙外网IP的请求,其目的IP转换为内网目的主机的IP
#10.0.0.152服务器A(Rocky-client)
#10.0.0.151服务器B(Rocky-client)
#10.0.0.154防火墙(Rocky-client)
#192.168.100.100外网服务器(ubuntu)
#前期配置
#外网服务器ubuntu配置(配置网卡为仅主机)
root@ubuntu-2004:~# apt update
root@ubuntu-2004:~# apt install nginx
root@ubuntu-2004:~# systemctl enable --now nginx
root@ubuntu-2004:~# vim /etc/netplan/00-installer-config.yaml
network:
ethernets:
ens33:
addresses: [192.168.10.100/24]
#gateway4: 10.0.0.2
#nameservers:
# addresses: [10.0.0.2]
version: 2
root@ubuntu-2004:~# netplan apply
root@ubuntu-2004:~# cd /var/www/html/
root@ubuntu-2004:/var/www/html# hostname -I
192.168.10.100
root@ubuntu-2004:/var/www/html# echo 192.168.10.100 > index.nginx-debian.html
#防火墙配置(添加网卡为仅主机)
[root@rocky-client ~]# cd /etc/sysconfig/network-scripts/
[root@rocky-client network-scripts]# vim ifcfg-ens160
TYPE=Ethernet
BOOTPROTO=static
IPADDR=10.0.0.154
PREFIX=24
NAME=ens160
UUID=4d1547f3-8dc9-4a5a-9b93-8724d9f32e3a
DEVICE=ens160
ONBOOT=yes
[root@rocky-client network-scripts]# vim ifcfg-ens192
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.10.8
PREFIX=24
NAME=ens192
UUID=ac1ee18e-3d15-4168-b7b5-ea80c2259ae5
DEVICE=ens192
ONBOOT=yes
[root@rocky-client network-scripts]# nmcli connection reload
[root@rocky-client network-scripts]# nmcli connection up ens160 ens192
[root@rocky-client network-scripts]# nmcli connection show
NAME UUID TYPE DEVICE
ens160 4d1547f3-8dc9-4a5a-9b93-8724d9f32e3a ethernet ens160
ens192 ac1ee18e-3d15-4168-b7b5-ea80c2259ae5 ethernet ens192
[root@rocky-client network-scripts]# hostname -I
10.0.0.154 192.168.10.8
[root@rocky-client network-scripts]# vim /etc/sysctl.conf #开启内核IP转发
net.ipv4.ip_forward = 1
[root@rocky-client network-scripts]# sysctl -p
net.ipv4.ip_forward = 1
#服务器A,B保持原配置,仅将网关变更至10.0.0.154
#SNAT配置
#配置防火墙
[root@rocky-client network-scripts]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.10.8
[root@rocky-client network-scripts]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 10.0.0.0/24 !10.0.0.0/24 to:192.168.10.8
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
#检查SNAT功能实现
[root@Rocky-test ~]# curl 192.168.10.100
192.168.10.100
[root@rocky-240220 ~]# curl 192.168.10.100
192.168.10.100
#DNAT配置
#配置防火墙
[root@rocky-client network-scripts]# iptables -t nat -A PREROUTING -d 192.168.10.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.152:80
[root@rocky-client network-scripts]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.8 tcp dpt:80 to:10.0.0.152:80
#检查DNAT功能实现
root@ubuntu-2004:/var/www/html# curl 192.168.10.8
www.wlm.org
十七、通过REDIRECT重定向案例
#配置防火墙
[root@rocky-client network-scripts]# iptables -t nat -A PREROUTING -d 192.168.10.8 -p tcp --dport 90 -j DNAT --to-destination 10.0.0.151:90
[root@rocky-client network-scripts]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.10.8 tcp dpt:80 to:10.0.0.152:80
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.10.8 tcp dpt:90 to:10.0.0.151:90
#配置REDIRECT
[root@rocky-240220 ~]# iptables -t nat -A PREROUTING -d 10.0.0.151 -p tcp --dport 90 -j REDIRECT --to-port 80
#检查REDIRECT功能实现
root@ubuntu-2004:/var/www/html# curl 192.168.10.8:90
www.beijing.wlm.org
十八、总结firewalld常见区域
区域名称 | 默认配置 |
trusted | 允许所有流量 |
home | 仅允许传出流量和预定义服务ssh,mdns,ipp-client,samba-client,dhcpv6-client的传入流量 |
internal | 同home |
work | 仅允许传出流量和预定义服务ssh,ipp-client,dhcpv6-client的传入流量 |
public | 仅允许传出流量和预定义服务ssh,dhcpv6-client的传入流量,新网卡默认为public |
external | 仅允许传出流量和预定义服务ssh的传入流量,该区域流量传出地址会伪装成传出的网卡 |
dmz | 仅允许传出流量和预定义服务ssh的传入流量 |
block | 仅允许传出流量 |
drop | 仅允许传出流量(不对ICMP错误进行回应) |