防火墙作业


实验要求

1、web server主机监听8080端口,client通过80端口访问web服务  
2、web server主机监听22端口,client通过2345端口远程管理web主机  
3、web server只提供www和ssh访问

选择VMnet4虚拟网卡

VMnet4配置信息

配置eno16777736

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=ed486609-f625-4ac9-bd81-2768492fdb53
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.116.2
PREFIX=24

:wq

重启网络

[root@localhost Desktop]# systemctl restart network
[root@localhost Desktop]# ip addr show eno16777736 
2: eno16777736:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3c:01:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.116.2/24 brd 192.168.116.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe3c:1c0/64 scope link 
       valid_lft forever preferred_lft forever

测试网络

[root@localhost Desktop]# ping 192.168.116.1
PING 192.168.116.1 (192.168.116.1) 56(84) bytes of data.
64 bytes from 192.168.116.1: icmp_seq=1 ttl=64 time=0.607 ms
64 bytes from 192.168.116.1: icmp_seq=2 ttl=64 time=0.572 ms
64 bytes from 192.168.116.1: icmp_seq=3 ttl=64 time=0.463 ms
^C
--- 192.168.116.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.463/0.547/0.607/0.064 ms

选择镜像

启动光驱

挂载光驱安装httpd及依赖包

[root@localhost ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@localhost ~]# cd /mnt/Packages/
[root@localhost Packages]# rpm -ivh mailcap-2.1.41-2.el7.noarch.rpm httpd-tools-2.4.6-40.el7.centos.x86_64.rpm httpd-2.4.6-40.el7.centos.x86_64.rpm 
warning: mailcap-2.1.41-2.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:httpd-tools-2.4.6-40.el7.centos  ################################# [ 33%]
   2:mailcap-2.1.41-2.el7             ################################# [ 67%]
   3:httpd-2.4.6-40.el7.centos        ################################# [100%]

设置httpd监听8080端口

[root@localhost Packages]# vi /etc/httpd/conf/httpd.conf 

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See  for detailed information.
# In particular, see
# 
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
# with ServerRoot set to '/www' will be interpreted by the
# server as '/www/log/access_log', where as '/log/access_log' will be
# interpreted as '/log/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/etc/httpd"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the 
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 8080  //原来这里是80,现在改成8080

#
# Dynamic Shared Object (DSO) Support
#
:wq

启动httpd,并查看监听的端口号

[root@localhost Packages]# systemctl start httpd.service 
[root@localhost Packages]# netstat -utpln | grep httpd
tcp6       0      0 :::8080                 :::*                    LISTEN      50660/httpd         
[root@localhost Packages]#

将网卡添加到internal zone当中

[root@localhost Packages]# firewall-cmd --zone=internal --change-interface=eno16777736 
success
[root@localhost Packages]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@localhost Packages]#

设置客户端80端口映射为服务器8080端口(方法一)

[root@localhost Packages]# firewall-cmd --zone=internal --add-forward-port=port=80:proto=tcp:toport=8080
success
[root@localhost Packages]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
  icmp-blocks: 
  rich rules: 

[root@localhost Packages]#

测试

测试成功

rich rule添加端口映射,并限制来源地址为192.168.116.1(方法二)

[root@localhost Packages]# firewall-cmd --complete-reload 
success
[root@localhost Packages]# firewall-cmd --zone=internal --add-rich-rule 'rule family="ipv4" source address="192.168.116.1/32" forward-port port="80" protocol="tcp" to-port="8080"'
success
[root@localhost Packages]# firewall-cmd --zone-internal --list-all
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --zone-internal
[root@localhost Packages]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.116.1/32" forward-port port="80" protocol="tcp" to-port="8080"
[root@localhost Packages]#

internal.xml 添加rich rule(方法三)



  Internal
  ...//此处省略了description
  
  
  
    
    
  
  
    
    
  


"internal.xml" 15L, 585C

:wq

查看

[root@localhost zones]# firewall-cmd --zone=internal --list-all
internal (active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.116.1/32" forward-port port="80" protocol="tcp" to-port="8080"
    rule family="ipv4" source address="192.168.116.1/32" forward-port port="2345" protocol="tcp" to-port="22"
[root@localhost zones]#

添加成功(两条转发规则均已生效,同时 services 仅保留 dhcpv6-client 和 ssh,满足要求3)

编辑测试页

[root@localhost html]# vi index.html  //在这里写入测试内容
[root@localhost html]# pwd
/var/www/html
[root@localhost html]# vi index.html
[root@localhost html]# cat index.html 

Hello C101

this is test

[root@localhost html]#

测试

图形化界面修改(方法四)

2345映射为22

80映射为8080

添加完映射后

添加rich rule

添加完rich rule

在internal zone中添加http服务
