Author: marksugar (676 articles written, 140 comments received)
16 posts found for the tag 基础命令 (basic commands)
2020-11-25
linuxea: firewalld usage notes

FirewallD works with services and zones instead of raw iptables rules and chains. With it you decide which traffic to and from the system is allowed or denied; the configuration is managed with the firewall-cmd utility.

LinuxEA # firewall-cmd --list-all
FirewallD is not running

Start and enable it:

LinuxEA # systemctl start firewalld
LinuxEA # systemctl enable firewalld
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

Check the state; it is now running:

LinuxEA # firewall-cmd --state
running

These are the predefined zones (list them with firewall-cmd --get-zones):

drop: all incoming connections are dropped without any reply; only outgoing connections are allowed.
block: like drop, but incoming connections are rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message.
public: untrusted public networks.
external: external networks on which the firewall acts as a gateway; masquerading (NAT) is enabled, so the internal network stays private but can still reach out.
internal: internal networks; only selected incoming connections are accepted.
dmz: demilitarized zone, hosts that are publicly reachable but have limited access to the internal network; only selected incoming connections are accepted.
work: work machines.
home: home machines.
trusted: every network connection is accepted.

Configuring the firewall with FirewallD

Once the service is enabled, public is the default zone:

LinuxEA # firewall-cmd --get-default-zone
public

--get-zones lists every zone:

LinuxEA # firewall-cmd --get-zones
block dmz drop external home internal public trusted work

--get-active-zones shows which zones have network interfaces bound to them:

LinuxEA # firewall-cmd --get-active-zones
public
  interfaces: eth0

The default zone is set and read with --set-default-zone="" and --get-default-zone, for example to switch to the home or drop zone:

# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone

Two things to keep in mind throughout: a change made without --permanent is active immediately but is lost at the next reload or restart; a change made with --permanent is written under /etc/firewalld but does nothing until firewall-cmd --reload. (firewall-cmd --runtime-to-permanent saves a runtime configuration you built up interactively.)

Opening services: http and https

Temporarily (runtime only):

LinuxEA # firewall-cmd --zone=drop --add-service=http
success
LinuxEA # firewall-cmd --zone=drop --add-service=https
success

Permanently, with --permanent:

LinuxEA # firewall-cmd --zone=drop --permanent --add-service=http
success
LinuxEA # firewall-cmd --zone=drop --permanent --add-service=https
success

Or by port:

LinuxEA # firewall-cmd --zone=drop --permanent --add-port 80/tcp
success
LinuxEA # firewall-cmd --zone=drop --permanent --add-port 443/tcp
success

A port range, e.g. 80 through 100:

LinuxEA # firewall-cmd --zone=drop --permanent --add-port 80-100/tcp

or several ports at once:

LinuxEA # firewall-cmd --zone=drop --permanent --add-port={80/tcp,443/tcp,8080/tcp,9000-9086/tcp}
success

Several services at once:

LinuxEA # firewall-cmd --zone=drop --permanent --add-service={http,https,dns,jenkins}
success

To see which ports a service name covers, use --info-service=NAME; the service definitions ship in /usr/lib/firewalld/services:

LinuxEA # firewall-cmd --info-service=jenkins
jenkins
  ports: 8080/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:

Then reload:

LinuxEA # firewall-cmd --reload
success

And check with --list-all:

LinuxEA # firewall-cmd --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dns http https jenkins
  ports: 80/tcp 443/tcp 8080/tcp 9000-9086/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Removing rules

LinuxEA # firewall-cmd --zone=drop --permanent --remove-service=http
success
LinuxEA # firewall-cmd --zone=drop --permanent --remove-service=https
success

or

LinuxEA # firewall-cmd --zone=drop --permanent --remove-port 80/tcp
success
LinuxEA # firewall-cmd --zone=drop --permanent --remove-port 443/tcp
success
LinuxEA # firewall-cmd --reload
success
LinuxEA # firewall-cmd --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dns jenkins
  ports: 8080/tcp 9000-9086/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Source addresses

A zone can be bound to network interfaces and to source addresses. Assigning 172.16.100.0/24 to the drop zone means traffic from that network is evaluated by the drop zone's rules, so it is allowed whatever services and ports are open there:

LinuxEA # firewall-cmd --permanent --zone=drop --add-source=172.16.100.0/24
success
LinuxEA # firewall-cmd --reload
success

Remove it with --remove-source:

LinuxEA # firewall-cmd --permanent --zone=drop --remove-source=172.16.100.0/24
success
LinuxEA # firewall-cmd --reload
success
LinuxEA # firewall-cmd --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

There is also --change-source to move a source from one zone to another, and a MAC address (colon-separated) can be used as a source as well:

firewall-cmd --permanent --zone=drop --add-source=80:FA:5B:25:3B:1A

Rich rules

The rich rule syntax is hard to remember, so keep man firewalld.richlanguage at hand, in particular the Examples section at the end. The general form is:

firewall-cmd --add-rich-rule 'rule ...'

Allow every connection from 172.16.100.107 with --add-rich-rule (put the whole rule in single quotes so the inner double quotes reach firewalld intact):

firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="172.16.100.107" accept'

The log keyword logs matching packets through the kernel log (/var/log/messages on this host):

firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="172.16.100.107" log accept'

--list-all now shows both rules:

LinuxEA # firewall-cmd --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dns jenkins
  ports: 8080/tcp 9000-9086/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.100.107" accept
        rule family="ipv4" source address="172.16.100.107" log accept

A whole network, here 172.16.100.0/24, restricted to tcp ports 22-23:

LinuxEA # firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="172.16.100.0/24" port port="22-23" protocol="tcp" accept'
success
LinuxEA # firewall-cmd --reload
success

Remove the rule that allowed everything from 172.16.100.107 with --remove-rich-rule:

firewall-cmd --permanent --zone=drop --remove-rich-rule='rule family="ipv4" source address="172.16.100.107" accept'

Allowing and denying by address:

# accept all ports from one address
firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="172.16.100.107" accept'
# drop all ports from one address
firewall-cmd --permanent --zone=drop --add-rich-rule='rule family="ipv4" source address="172.16.100.107" drop'

Disabling ping:

firewall-cmd --permanent --zone=drop --add-rich-rule='rule protocol value=icmp drop'

Note that this drops every ICMP type, not only echo-request, including the messages path MTU discovery depends on; firewall-cmd --zone=drop --add-icmp-block=echo-request blocks ping alone.

Deleting a zone: remove the zone's XML file under /etc/firewalld/zones and reload (firewall-cmd --permanent --delete-zone=NAME does the same).

Direct rules

The --direct option of firewall-cmd adds and removes chains and rules at runtime; the direct interface exists so that a service or program can install specific rules of its own. Permanent direct rules are kept in /etc/firewalld/direct.xml. Direct rules bypass the zone logic (they sit in the *_direct chains, which are evaluated before the zone chains) and are not zone-scoped, so --zone has no effect on them. Add a rule to the INPUT chain allowing port 8090:

LinuxEA # firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8090 -j ACCEPT
success

Check with iptables:

LinuxEA # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8090

And with firewall-cmd:

LinuxEA # firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 8090 -j ACCEPT

Note that --get-all-rules (and --get-rules) only lists rules that were added with --add-rule; iptables rules added by any other means do not show up here.

Remove it:

LinuxEA # firewall-cmd --direct --permanent --remove-rule ipv4 filter INPUT 0 -p tcp --dport 8090 -j ACCEPT

While a system is being provisioned and firewalld is not running yet, the offline tool can open ssh in the same way:

firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

ipset management

firewalld has ipset support. An ipset is a set of IP addresses (type hash:ip) or of networks (type hash:net). ipsets are global objects, not per zone.

Blacklisting addresses: create the set blacklist1:

LinuxEA # firewall-cmd --permanent --new-ipset=blacklist1 --type=hash:ip
success
LinuxEA # firewall-cmd --reload
success

Add members (add --option=family=inet6 at creation time for an IPv6 set):

LinuxEA # firewall-cmd --permanent --ipset=blacklist1 --add-entry=172.16.100.101
success
LinuxEA # firewall-cmd --permanent --ipset=blacklist1 --add-entry=172.16.100.3
success

Add a drop rule (no --zone is given, so it lands in the default zone):

LinuxEA # firewall-cmd --permanent --add-rich-rule='rule source ipset=blacklist1 drop'
success

List the members of blacklist1:

LinuxEA # firewall-cmd --info-ipset=blacklist1
blacklist1
  type: hash:ip
  options:
  entries: 172.16.100.101 172.16.100.3

Remove a member (without --permanent this only changes the runtime set):

LinuxEA # firewall-cmd --ipset=blacklist1 --remove-entry=172.16.100.101
success
LinuxEA # firewall-cmd --ipset=blacklist1 --get-entries
172.16.100.3

Blacklisting networks: create netblacklist with type hash:net:

LinuxEA # firewall-cmd --permanent --new-ipset=netblacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
success
LinuxEA # firewall-cmd --reload
success
LinuxEA # firewall-cmd --info-ipset=netblacklist
netblacklist
  type: hash:net
  options: family=inet hashsize=4096 maxelem=200000
  entries:

Add two networks:

LinuxEA # firewall-cmd --permanent --ipset=netblacklist --add-entry=172.16.100.0/24
success
LinuxEA # firewall-cmd --permanent --ipset=netblacklist --add-entry=192.168.2.0/24
success
LinuxEA # firewall-cmd --info-ipset=netblacklist
netblacklist
  type: hash:net
  options: family=inet hashsize=4096 maxelem=200000
  entries: 172.16.100.0/24 192.168.2.0/24

Or load a file of addresses:

LinuxEA # cat > iplist.txt <<EOL
> 10.10.1.0/23
> 192.168.0.3
> 172.16.100.0/24
> 172.16.90.0/24
> EOL

--add-entries-from-file adds them; --remove-entries-from-file removes them again:

LinuxEA # firewall-cmd --permanent --ipset=netblacklist --add-entries-from-file=iplist.txt
success
firewall-cmd --permanent --ipset=netblacklist --remove-entries-from-file=iplist.txt

Single add and remove:

LinuxEA # firewall-cmd --permanent --ipset=netblacklist --add-entry=172.16.100.118
success
firewall-cmd --permanent --ipset=netblacklist --remove-entry=172.16.100.118
LinuxEA # firewall-cmd --reload
success
LinuxEA # firewall-cmd --info-ipset=netblacklist
netblacklist
  type: hash:net
  options: family=inet hashsize=4096 maxelem=200000
  entries: 172.16.100.0/24 192.168.2.0/24 10.10.1.0/23 192.168.0.3 172.16.90.0/24

Notice that the next step has no drop keyword, no iptables command and nothing about packets. That is because firewalld's source feature is used: when a packet matches a source (a source interface, a source IP, even a source MAC), it is handed to the zone that source belongs to, here the drop zone.

Bind the set to the zone:

firewall-cmd --permanent --zone=drop --add-source=ipset:netblacklist

Remove it from the zone:

firewall-cmd --permanent --zone=drop --remove-source=ipset:netblacklist

Management commands: list the ipsets:

LinuxEA # firewall-cmd --permanent --get-ipsets
blacklist1 netblacklist

Show a set:

LinuxEA # firewall-cmd --permanent --info-ipset=netblacklist
netblacklist
  type: hash:net
  options: family=inet hashsize=4096 maxelem=200000
  entries: 172.16.100.0/24 192.168.2.0/24 10.10.1.0/23 192.168.0.3 172.16.90.0/24
LinuxEA # firewall-cmd --permanent --info-ipset=blacklist1
blacklist1
  type: hash:ip
  options:
  entries:

Port forwarding

sysctl -w net.ipv4.ip_forward=1

If the firewall is your network gateway and you do not want internal addresses exposed, create two zones, an internal and an external one, and enable masquerading on the external zone; every outgoing packet then carries the firewall's IP address as its source. Port forwarding redirects inbound traffic on a given port to another internal address or to a different port. It requires masquerading, so enable that first:

LinuxEA # firewall-cmd --zone=external --add-masquerade
success

To temporarily forward everything arriving on port 22 to tcp port 3753:

LinuxEA # firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
success

Forward port 80 to port 8080 on the backend 172.25.100.2:

firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toaddr=172.25.100.2:toport=8080

Remove a forward with --remove-forward-port:

firewall-cmd --zone=external --remove-forward-port=port=22:proto=tcp:toport=3753

With a target address:

LinuxEA # firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=172.16.100.101
success
LinuxEA # firewall-cmd --reload
success

--permanent makes the forward persistent.

Example: suppose SSH access is wanted from the public network (10.10.1.0/24) to a server on the dmz network (10.8.8.0/24). The rules below forward connections to 10.10.1.79:2271 on to 10.8.8.71:22, while direct SSH to the public zone itself is rejected and logged with the prefix SSH_ (at most once a minute):

# firewall-cmd --permanent --zone=public --add-forward-port='port=2271:proto=tcp:toport=22:toaddr=10.8.8.71'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule service name=ssh log prefix="SSH_" level="debug" limit value=1/m reject'
# firewall-cmd --reload

A typical configuration

# create the linuxea zone
firewall-cmd --permanent --new-zone=linuxea
firewall-cmd --reload
# make it the default zone
firewall-cmd --set-default-zone=linuxea
# open https and http
firewall-cmd --permanent --zone=linuxea --add-service={http,https}
# allow 172.16.100.101 to log in over ssh
firewall-cmd --permanent --zone=linuxea --add-rich-rule='rule family="ipv4" source address="172.16.100.101" port port="22" protocol="tcp" accept'
# allow 10.100.10.0/24 to reach port 8080
firewall-cmd --permanent --zone=linuxea --add-rich-rule='rule family="ipv4" source address="10.100.10.0/24" port port="8080" protocol="tcp" accept'
# deny 10.100.100.4 access to port 80
firewall-cmd --permanent --zone=linuxea --add-rich-rule='rule family="ipv4" source address="10.100.100.4" port port="80" protocol="tcp" drop'
# reload
LinuxEA # firewall-cmd --reload
success
# check the rules
LinuxEA # firewall-cmd --list-all
linuxea (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.16.100.101" port port="22" protocol="tcp" accept
        rule family="ipv4" source address="10.100.100.4" port port="80" protocol="tcp" drop
        rule family="ipv4" source address="10.100.10.0/24" port port="8080" protocol="tcp" accept

(To get rid of the zone again, delete its XML file under /etc/firewalld/zones and reload.)

Panic mode

firewall-cmd --panic-on      drop every incoming and outgoing connection
firewall-cmd --panic-off     leave panic mode
firewall-cmd --query-panic   check whether panic mode is active

Panic mode also cuts the SSH session you issue it from, so only use it with console access.
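The zone and ipset procedures above, as an added example that is not code from the original post: a POSIX sh wrapper that validates port specs and IPv4 CIDRs before they reach firewall-cmd, builds the --permanent command sequence for one zone, and cleans a blocklist file so it is safe for --add-entries-from-file. The zone name, the policy values, the temp files and the sample blocklist are assumptions for illustration; with DRY_RUN set the script only prints the firewall-cmd lines it would run.

```shell
#!/bin/sh
# Added example (not code from the linuxea post): validate firewall-cmd inputs
# before they are applied. With DRY_RUN set, the firewall-cmd lines are only
# printed for review; unset it on a host running firewalld to apply them.
# The zone name, services, ports and addresses used below are assumptions.

# Accept N/proto or N-M/proto with proto in tcp|udp|sctp|dccp, 1<=N<=M<=65535.
valid_port_spec() {
    case $1 in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    range=${1%/*}
    lo=${range%%-*}
    hi=${range#*-}
    for n in "$lo" "$hi"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Accept a dotted-quad IPv4 address, optionally with a /0-/32 prefix length.
valid_ipv4_cidr() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then mask=32; else mask=${1#*/}; fi
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case $addr in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Run firewall-cmd, or print the command line when DRY_RUN is set.
fw() {
    if [ -n "$DRY_RUN" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent configuration for one zone: services, ports and the sources that
# are routed to it. Every value is checked first, so a typo cannot leave the
# zone half-configured, and the reload only happens after all rules went in.
apply_zone_policy() {
    zone=$1 services=$2 ports=$3 sources=$4
    for p in $ports; do
        valid_port_spec "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    for s in $sources; do
        valid_ipv4_cidr "$s" || { echo "bad source: $s" >&2; return 1; }
    done
    for svc in $services; do fw --permanent --zone="$zone" --add-service="$svc"; done
    for p in $ports;       do fw --permanent --zone="$zone" --add-port="$p"; done
    for s in $sources;     do fw --permanent --zone="$zone" --add-source="$s"; done
    fw --reload
}

# Copy the syntactically valid IPv4 entries of a blocklist (one per line,
# '#' comments allowed) into a second file for --add-entries-from-file, so
# bad lines are found here rather than at apply time. Prints the number of
# rejected entries.
filter_ip_list() {
    in=$1 out=$2 bad=0
    : > "$out"
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in ''|\#*) continue ;; esac
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry" >> "$out"
        else
            bad=$((bad + 1))
        fi
    done < "$in"
    echo "$bad"
}

# --- demo with a constructed blocklist; set DRY_RUN= (empty) on a real host ---
DRY_RUN=1
list=$(mktemp) clean=$(mktemp)
cat > "$list" <<'EOF'
10.10.1.0/23
192.168.0.3
# hypothetical operator note
172.16.100.0/24   # inline note
300.1.1.1
172.16.90.0/33
EOF
echo "rejected $(filter_ip_list "$list" "$clean") bad entries; clean list:"
cat "$clean"
apply_zone_policy drop "http https" "80/tcp 443/tcp 9000-9086/tcp" "172.16.100.0/24"
fw --permanent --ipset=netblacklist --add-entries-from-file="$clean"
rm -f "$list" "$clean"
```

Review the printed command lines, then run the same script with DRY_RUN empty to apply them; the reload stays last so a rejected value never leaves a partially applied permanent configuration behind.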
2,416 reads · 0 comments · 0 likes
2017-08-30
Handling "PV unknown device" in a VG

The symptom looks like this:

WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter
PV unknown device VG MKVG lvm2 [100.00 GiB / 100.00 GiB free]

[root@linuxea-Node49 ~]# vgscan -P
  PARTIAL MODE. Incomplete logical volumes will be processed.
  Reading all physical volumes.  This may take a while...
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  Found volume group "MKVG" using metadata type lvm2

Look at the physical volumes:

[root@linuxea-Node49 ~]# pvscan -P
  PARTIAL MODE. Incomplete logical volumes will be processed.
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  PV /dev/xvda2         VG MKVG   lvm2 [14.50 GiB / 0    free]
  PV unknown device     VG MKVG   lvm2 [100.00 GiB / 100.00 GiB free]
  PV unknown device     VG MKVG   lvm2 [20.01 GiB / 20.01 GiB free]
  PV unknown device     VG MKVG   lvm2 [20.01 GiB / 20.01 GiB free]
  Total: 4 [154.51 GiB] / in use: 4 [154.51 GiB] / in no VG: 0 [0   ]

The three missing PVs are completely free (free space equals their size), so no logical volume has extents on them and they can simply be dropped with --removemissing. If an LV did use a missing PV, vgreduce would refuse without --force, and --force removes that LV together with its data; check lvs -o +devices MKVG first in that case. The metadata archive written below (/etc/lvm/backup/MKVG) can be put back with vgcfgrestore if the reduction turns out to be wrong.

[root@linuxea-Node49 ~]# vgreduce --removemissing -v MKVG
    Finding volume group "MKVG"
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  There are 3 physical volumes missing.
  There are 3 physical volumes missing.
    Trying to open VG MKVG for recovery...
    Found same device /dev/xvda2 with same pvid jIyyxh6U9R3ev3PcOApJognXuKPlWkWQ
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  There are 3 physical volumes missing.
  There are 3 physical volumes missing.
    Archiving volume group "MKVG" metadata (seqno 8).
  Removing PV with UUID ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi from VG MKVG
  Removing PV with UUID L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld from VG MKVG
  Removing PV with UUID W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE from VG MKVG
    Creating volume group backup "/etc/lvm/backup/MKVG" (seqno 9).
  Wrote out consistent volume group MKVG

Check again:

[root@linuxea-Node49 ~]# vgscan -P
  PARTIAL MODE. Incomplete logical volumes will be processed.
  Reading all physical volumes.  This may take a while...
  Found volume group "MKVG" using metadata type lvm2
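A check to run before the repair above, as an added example that is not part of the original post: a POSIX sh script that pulls the missing PV UUIDs out of pvscan -P output and only recommends vgreduce --removemissing when every missing PV is entirely free. SAMPLE_PVSCAN is constructed from the output shown in the post, and the script name in the comment is hypothetical; the script never runs vgreduce itself, it prints the dry-run and repair commands for the operator.

```shell
#!/bin/sh
# Added example (not code from the linuxea post): inspect `pvscan -P` output
# before running `vgreduce --removemissing`. It lists the UUIDs lvm reports
# as missing and checks that every missing PV is entirely free, because
# vgreduce refuses (or, with --force, deletes LVs) when extents live on them.
# SAMPLE_PVSCAN is constructed from the output in the post; on a real host run:
#   PVSCAN_OUTPUT="$(pvscan -P 2>&1)" VG=MKVG sh check-missing-pv.sh

SAMPLE_PVSCAN='  PARTIAL MODE. Incomplete logical volumes will be processed.
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  WARNING: Device for PV L1x9c0-sItt-Wk79-NfGN-dkE8-fl4T-46oJld not found or rejected by a filter.
  WARNING: Device for PV W8c11Z-bZiH-NzYf-edTw-fghk-uhiK-oKmRXE not found or rejected by a filter.
  WARNING: Device for PV ZKBljh-qpd7-IhOp-9pSg-1270-kOe0-HZOuYi not found or rejected by a filter.
  PV /dev/xvda2         VG MKVG   lvm2 [14.50 GiB / 0    free]
  PV unknown device     VG MKVG   lvm2 [100.00 GiB / 100.00 GiB free]
  PV unknown device     VG MKVG   lvm2 [20.01 GiB / 20.01 GiB free]
  PV unknown device     VG MKVG   lvm2 [20.01 GiB / 20.01 GiB free]
  Total: 4 [154.51 GiB] / in use: 4 [154.51 GiB] / in no VG: 0 [0   ]'

# UUIDs of the PVs lvm could not find, one per line, duplicates removed
# (lvm prints the warning once per scan pass, so it repeats).
missing_pv_uuids() {
    printf '%s\n' "$1" |
        sed -n 's/.*Device for PV \([A-Za-z0-9-]*\) not found.*/\1/p' |
        sort -u
}

# Number of "PV unknown device" lines whose free space equals their size,
# i.e. missing PVs that hold no extents at all.
unused_missing_pvs() {
    printf '%s\n' "$1" | awk '
        /PV unknown device/ {
            sub(/.*\[/, ""); sub(/\].*/, "")   # keep "100.00 GiB / 100.00 GiB free"
            split($0, half, "/")
            split(half[1], size, " "); split(half[2], free, " ")
            if (size[1] == free[1] && size[2] == free[2]) n++
        }
        END { print n + 0 }'
}

# Succeeds only when at least one PV is missing and all of them are unused;
# that is the one case where --removemissing is a safe, data-free repair.
safe_to_remove_missing() {
    nmissing=$(missing_pv_uuids "$1" | wc -l | tr -d ' ')
    [ "$nmissing" -gt 0 ] && [ "$nmissing" -eq "$(unused_missing_pvs "$1")" ]
}

# --- demo: uses the constructed sample unless PVSCAN_OUTPUT is provided ---
scan=${PVSCAN_OUTPUT:-$SAMPLE_PVSCAN}
vg=${VG:-MKVG}
echo "missing PVs in $vg:"
missing_pv_uuids "$scan"
if safe_to_remove_missing "$scan"; then
    echo "all missing PVs are unused; dry run first (lvm -t/--test writes no metadata), then repair:"
    echo "  vgreduce --removemissing --test $vg"
    echo "  vgreduce --removemissing -v $vg"
else
    echo "refusing: a missing PV may carry LV extents; inspect 'lvs -o +devices $vg' first" >&2
fi
```

The size/free comparison is the whole point: pvscan reports a missing PV's free extents from the VG metadata, so "100.00 GiB / 100.00 GiB free" proves nothing was ever allocated on it, while any difference means an LV would lose data under --force.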
11,401 reads · 0 comments · 0 likes