Firewall technology

tech, 2024-07-24


Configure the hostname

Node hostname configuration:

[root@localhost ~]# hostnamectl set-hostname user1    // log out and reconnect to the virtual machine
[root@user1 ~]# hostnamectl
   Static hostname: user1
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
           Boot ID: 6ea800f863564e11afc5d91d65fafb3f
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-327.el7.x86_64
      Architecture: x86-64

redis2 node hostname configuration:

[root@localhost ~]# hostnamectl set-hostname user2    // log out and reconnect to the virtual machine
[root@user2 ~]# hostnamectl
   Static hostname: user2
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
           Boot ID: d6c808d94d6b4501b5ad740429e23aa4
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-327.el7.x86_64
      Architecture: x86-64

Upload and mount the CentOS image, then configure a local yum repository on every node.

[root@user1 ~]# mkdir /opt/centos
[root@user1 ~]# mount CentOS-7-x86_64-DVD-1511.iso /opt/centos
mount: /dev/loop0 is write-protected, mounting read-only
[root@user1 ~]# rm -rf /etc/yum.repos.d/*
[root@user1 ~]# cat /etc/yum.repos.d/local.repo
[centos]
name=centos
baseurl=file:///opt/centos
gpgcheck=0
enabled=1

Install and start the httpd and mariadb services on both nodes, and create a web page on user2.

[root@user1 ~]# yum install mariadb-server httpd -y
[root@user1 ~]# systemctl start httpd
[root@user1 ~]# systemctl start mariadb
[root@user2 ~]# yum install mariadb-server httpd -y
[root@user2 ~]# systemctl start httpd
[root@user2 ~]# systemctl start mariadb
[root@user2 ~]# echo welcome to beijing > /var/www/html/index.html

Now the user2 host controls which other machines are allowed to access it.

[root@user2 ~]# iptables -A INPUT -s 192.168.20.1,127.0.0.1 -j ACCEPT    // allow the local Windows system to access this host
[root@user2 ~]# iptables -A INPUT -j REJECT                               // reject all other hosts
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   560 ACCEPT     all  --  *      *       192.168.20.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 308 bytes)
num   pkts bytes target     prot opt in     out     source               destination

[root@user2 html]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       15  1012 ACCEPT     all  --  *      *       192.168.20.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 1568 bytes)
num   pkts bytes target     prot opt in     out     source               destination

At this point the user1 host cannot reach the user2 host.

[root@user1 ~]# curl 192.168.20.20
curl: (7) Failed connect to 192.168.20.20:80; Connection refused

Now allow only user1 to access the httpd service on this host. The rule is inserted at position 3, ahead of the REJECT rule, because iptables evaluates rules in order and stops at the first match.

[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 80 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      126  9352 ACCEPT     all  --  *      *       192.168.20.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       192.168.20.10        0.0.0.0/0            tcp dpt:80
4        1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 772 bytes)
num   pkts bytes target     prot opt in     out     source               destination

The user1 host can now reach the httpd content on user2 over TCP.

[root@user1 ~]# curl 192.168.20.20
welcome to beijing

On the user2 host, allow the user1 host to access the MySQL database.

[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 3306 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      220 16328 ACCEPT     all  --  *      *       192.168.20.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
3        0     0 ACCEPT     tcp  --  *      *       192.168.20.10        0.0.0.0/0            tcp dpt:3306
4        6   397 ACCEPT     tcp  --  *      *       192.168.20.10        0.0.0.0/0            tcp dpt:80
5        1    60 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13 packets, 1580 bytes)
num   pkts bytes target     prot opt in     out     source               destination
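Both the port 80 and the port 3306 rules above are inserted with -I INPUT 3 rather than appended with -A, because the first matching rule wins and a rule placed after the catch-all REJECT is dead. The following script is an added example (not part of the original post) that replays first-match evaluation over a constructed copy of the listing, and over the ordering -A would have produced, so the difference can be checked offline before touching a live host.

```shell
#!/bin/sh
# Constructed sample: the INPUT chain as finally listed on user2 (rule rows only).
GOOD_CHAIN='1 220 16328 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:3306
4 6 397 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:80
5 1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable'

# Constructed sample: what the chain would look like if the port 80 rule had
# been appended with -A instead of inserted with -I INPUT 3.
BAD_CHAIN='1 8 560 ACCEPT all -- * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
4 0 0 ACCEPT tcp -- * * 192.168.20.10 0.0.0.0/0 tcp dpt:80'

# first_match CHAIN SRC PROTO DPORT
# Walks the chain top to bottom like the kernel does and prints the target of
# the first rule whose source, protocol and dpt: match; prints POLICY when no
# rule matches (the chain's default policy then applies).
first_match() {
  printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="$4" '
    {
      rsrc = $9; rproto = $5; rport = ""
      for (i = 11; i <= NF; i++) if ($i ~ /^dpt:/) rport = substr($i, 5)
      if (rsrc != "0.0.0.0/0" && rsrc != src) next
      if (rproto != "all" && rproto != proto) next
      if (rport != "" && rport != dport) next
      print $4; found = 1; exit
    }
    END { if (!found) print "POLICY" }'
}

# Demo: same packet, two orderings of the same rules.
echo "user1 -> user2:80   (inserted): $(first_match "$GOOD_CHAIN" 192.168.20.10 tcp 80)"
echo "user1 -> user2:3306 (inserted): $(first_match "$GOOD_CHAIN" 192.168.20.10 tcp 3306)"
echo "user1 -> user2:22   (inserted): $(first_match "$GOOD_CHAIN" 192.168.20.10 tcp 22)"
echo "user1 -> user2:80   (appended): $(first_match "$BAD_CHAIN" 192.168.20.10 tcp 80)"
```

The appended ordering returns REJECT for the very traffic the rule was meant to allow, which is exactly what the pkts counter on a never-hit rule in iptables -vnL would also reveal.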

On the user2 host, grant the user1 host access to the MySQL database and verify it.

[root@user2 ~]# mysql -e "grant all on *.* to test@'192.168.20.%' identified by 'centos'"
[root@user1 ~]# mysql -utest -pcentos -h192.168.20.20    // verify on the user1 node
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>