firewalld防火墙配置案例
案例一:查看默认zone
#firewall-cmd --get-default-zone
案例二:修改默认zone
#firewall-cmd --set-default-zone=public
案例三:在public区域添加协议
#firewall-cmd --zone=public --add-service=ftp
案例四:把http协议永久加入到public区域
#firewall-cmd --permanent --zone=public --add-service=http
案例五:拒绝某一个IP访问
#firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.104/32" reject'
案例六:批量开放/删除端口服务演示
#firewall-cmd --permanent --zone=public --add-port=10086/tcp
#firewall-cmd --permanent --zone=public --add-port=10088/tcp
#firewall-cmd --permanent --zone=public --remove-port=10086/tcp
#firewall-cmd --permanent --zone=public --remove-port=10088/tcp
案例七:屏蔽ip、删除异常ip以及查看已屏蔽的ip
#禁用的ip地址:
#firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=112.84.0.136 reject"
案例八:允许某个网段的ip访问指定端口
#firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.1/24" port protocol="tcp" port="8080" accept'
案例九:使用shell脚本实现防护工具,自动屏蔽异常ip
#!/bin/bash
#
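# Usage: script [threshold] [interval]
#   $1 - connections-to-port-80 threshold per remote IP (default 50)
#   $2 - seconds to sleep between two checks (default 1)
# An unset or empty argument falls back to its default, as before.
num=${1:-50}
time=${2:-1}
# Both values are handed to awk and sleep unquoted-by-meaning; reject anything
# that is not a non-negative number so a stray argument cannot become an awk
# expression or a sleep error later on.
for v in "$num" "$time"; do
  if [[ ! "$v" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
    printf 'invalid numeric argument: %s\n' "$v" >&2
    exit 1
  fi
done
unset v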
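#######################################
# Return 0 when the literal address $1 appears as a whole word in list file $2.
# -F keeps the dots in the address literal (with a plain regex '.' would match
# any character); a missing list file counts as "not listed" instead of a
# grep error.
# Arguments: $1 - address to look up, $2 - list file
#######################################
_in_list() {
  [[ -f "$2" ]] && grep -qwF -- "$1" "$2"
}

#######################################
# Count established TCP connections to port 80 per remote address and block
# every address whose count exceeds the global threshold "$num", unless it is
# whitelisted or was already blocked.
# Globals:   num (read) - connection-count threshold
# Files:     white_ip.txt (read)   - addresses that are never blocked
#            black_ip.txt (read/append) - addresses already blocked
# Outputs:   progress messages to stdout, failures to stderr
# Returns:   0; a failed firewall-cmd is reported and retried on the next round
#######################################
check() {
  local iplist ip
  # After splitting on runs of spaces or ':' the remote address is field 6;
  # uniq -c puts the count in $1 and the address in $2.
  iplist=$(netstat -an | grep '^tcp.*:80' | grep -Ev 'LISTEN|127.0.0.1' \
    | awk -F'[ ]+|[:]' '{print $6}' | sort | uniq -c | sort -rn \
    | awk -v str="$num" '{if ($1>str){print $2}}')
  [[ -n "$iplist" ]] || return 0
  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    echo "--------------"
    printf '%s\n' "$ip"
    if _in_list "$ip" white_ip.txt; then
      echo "$ip 在白名单中 不做处理..."
      echo "$ip in whiteip. please not doit ..."
      continue
    fi
    echo "$ip 不在白名单中,请处理..."
    echo "$ip not in whiteip. please doit ..."
    # black_ip.txt doubles as the "already handled" marker.
    if _in_list "$ip" black_ip.txt; then
      echo "$ip 在黑名单中...不做处理"
      echo "$ip in blackip. please not doit ..."
      continue
    fi
    echo "$ip 不在黑名单中。请处理..."
    echo "$ip not in blackip. please doit ..."
    # Alternative with plain iptables: iptables -I INPUT -p tcp -s "$ip" --dport 80 -j DROP
    # The address must be expanded into the rule (the original single-quoted
    # form passed the literal text "$i" to firewalld). This is a runtime-only
    # rule: it is lost on firewall-cmd --reload or reboot while black_ip.txt
    # persists, so record the address only when the rule was really added.
    if firewall-cmd --zone=public \
        --add-rich-rule="rule family=\"ipv4\" source address=\"$ip\" reject"; then
      printf '%s\n' "$ip" >> black_ip.txt
    else
      printf 'failed to add reject rule for %s\n' "$ip" >&2
    fi
  done <<<"$iplist"
}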
# Entry point: announce start, then poll check() forever, pausing "$time"
# seconds between rounds (never returns; stop with a signal).
echo "begin ..."
while :; do
  echo "begin check ..."
  check
  sleep "$time"
done
建议防火墙配置全部基于端口
firewall-cmd --add-source={192.168.31.230/32,192.168.31.100/32} --permanent --zone=internal
firewall-cmd --remove-port=9000/tcp --permanent --zone=public
firewall-cmd --reload
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.100/32" port port="9000" protocol="tcp" log prefix="graylog9000" level="info" accept' --permanent
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.127/32" port port="9000" protocol="tcp" log prefix="graylog9000" level="info" accept' --permanent
firewall-cmd --reload
我们为以下几种攻击类型分别添加对应目标动作的chain
- 端口扫描 chain名称是PORT_SCANNING
- IP欺骗,chain名称是SPOOFING
- SYN攻击,chain名称是SYN_ATTACK
- tcp泛洪,chain名称是TCP_FLOOD
firewall-cmd --permanent --direct --add-chain ipv4 filter PORT_SCANNING
firewall-cmd --permanent --direct --add-chain ipv4 filter SPOOFING
firewall-cmd --permanent --direct --add-chain ipv4 filter SYN_ATTACK
firewall-cmd --permanent --direct --add-chain ipv4 filter TCP_FLOOD
我们为上面的每条chain定义两个target。注意:下面的规则把 PORT_SCANNING、SPOOFING、SYN_ATTACK 写在 mangle 表中,而上面的 --add-chain 是在 filter 表中创建这些chain,两处的表名必须一致,否则 mangle 表中找不到chain,规则无法加载。
- 首先 -j LOG的target,表示对匹配规则的数据包的信息写入日志文件中
- 然后 -j DROP的target,表示对匹配规则的数据包最终做丢弃处理
ipv4 mangle PORT_SCANNING 0 -m recent --name portscan --rcheck --seconds 25200 -j DROP
ipv4 mangle PORT_SCANNING 1 -m recent --name portscan --remove
ipv4 mangle PORT_SCANNING 2 -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix port_scan:
ipv4 mangle PORT_SCANNING 3 -p tcp --dport 139 -m recent --name portscan --set -j DROP
ipv4 mangle SPOOFING 0 -j LOG --log-prefix ip_spoofing:
ipv4 mangle SPOOFING 1 -j DROP
ipv4 mangle SYN_ATTACK 0 -j LOG --log-prefix syn_attack:
ipv4 mangle SYN_ATTACK 1 -j DROP
ipv4 filter TCP_FLOOD 0 -j LOG --log-prefix tcp_flood:
ipv4 filter TCP_FLOOD 1 -j DROP
之后我们将之前定义的规则修改如下
ipv4 mangle ANTI_TCP_INVALID 0 -m conntrack --ctstate INVALID -j DROP
ipv4 mangle ANTI_TCP_INVALID 1 -p tcp '!' --syn -m conntrack --ctstate NEW -j DROP
ipv4 mangle ANTI_TCP_UNORMAL_MSS 0 -p tcp -m conntrack --ctstate NEW -m tcpmss '!' --mss 536:65535 -j DROP
ipv4 mangle ANTI_FORGE_TCP_FLAG 0 -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 1 -p tcp --tcp-flags FIN,SYN FIN,SYN -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 2 -p tcp --tcp-flags SYN,RST SYN,RST -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 3 -p tcp --tcp-flags FIN,RST FIN,RST -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 4 -p tcp --tcp-flags FIN,ACK FIN -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 5 -p tcp --tcp-flags ACK,URG URG -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 6 -p tcp --tcp-flags ACK,FIN FIN -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 7 -p tcp --tcp-flags ACK,PSH PSH -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 8 -p tcp --tcp-flags ALL ALL -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 9 -p tcp --tcp-flags ALL NONE -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 10 -p tcp --tcp-flags ALL FIN,PSH,URG -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 11 -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j SYN_ATTACK
ipv4 mangle ANTI_FORGE_TCP_FLAG 12 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j SYN_ATTACK
ipv4 mangle ANTI_IP_SPOOF 0 -s 224.0.0/3 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 1 -s 192.0.2.0/24 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 2 -s 169.254.0.0/16 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 3 -s 172.16.0.0/12 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 4 -i enp3s0 -s 192.168.0.0/16 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 5 -s 10.0.0.0/8 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 6 -s 0.0.0.0/8 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 7 -s 240.0.0.0/5 -j SPOOFING
ipv4 mangle ANTI_IP_SPOOF 8 -s 127.0.0.0/8 '!' -i lo -j SPOOFING
ipv4 filter ANTI_TCP_FLOOD 0 -p tcp -m connlimit --connlimit-above 80 -j REJECT --reject-with tcp-reset
ipv4 filter ANTI_TCP_FLOOD 1 -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
ipv4 filter ANTI_TCP_FLOOD 2 -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
ipv4 filter ANTI_TCP_FLOOD 3 -p tcp --tcp-flags RST RST -j TCP_FLOOD
ipv4 mangle PREROUTING 1 -j ANTI_TCP_INVALID
ipv4 mangle PREROUTING 2 -j ANTI_TCP_UNORMAL_MSS
ipv4 mangle PREROUTING 3 -j ANTI_FORGE_TCP_FLAG
ipv4 mangle PREROUTING 4 -j ANTI_IP_SPOOF
ipv4 mangle PREROUTING 0 -i enp3s0 -j PORT_SCANNING
ipv4 filter INPUT 0 -j ANTI_TCP_FLOOD
ipv4 filter INPUT 1 -j ANTI_SSH_INTRUSION
ipv4 filter ANTI_SSH_INTRUSION 0 -p tcp --dport 9732 -m conntrack --ctstate NEW -m recent --set
ipv4 filter ANTI_SSH_INTRUSION 1 -p tcp --dport 9732 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
ipv4 mangle PORT_SCANNING 0 -m recent --name portscan --rcheck --seconds 25200 -j DROP
ipv4 mangle PORT_SCANNING 1 -m recent --name portscan --remove
ipv4 mangle PORT_SCANNING 2 -p tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix port_scan:
ipv4 mangle PORT_SCANNING 3 -p tcp --dport 139 -m recent --name portscan --set -j DROP
ipv4 mangle SPOOFING 0 -j LOG --log-prefix ip_spoofing:
ipv4 mangle SPOOFING 1 -j DROP
ipv4 mangle SYN_ATTACK 0 -j LOG --log-prefix syn_attack:
ipv4 mangle SYN_ATTACK 1 -j DROP
ipv4 filter TCP_FLOOD 0 -j LOG --log-prefix tcp_flood:
ipv4 filter TCP_FLOOD 1 -j DROP
systemctl start firewalld
开启防火墙
systemctl is-enabled firewalld
检查是否已设置为开机自启(是否正在运行用 is-active 查看)
firewall-cmd --list-all
展示所有预配置
cat /proc/sys/net/ipv4/ip_forward
查看内核当前是否允许地址转发(输出1表示已开启)
firewall-cmd --add-masquerade --permanent
永久开启地址伪装(方便NAT)
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="10.0.0.0/24" forward-port port="54312" protocol="tcp" to-port="22" to-addr="172.16.1.15"' --permanent
永久配置ipv4端口转发:把来自10.0.0.0/24网段、通过tcp协议访问本机54312端口的连接转发到172.16.1.15的22号端口(需要先开启内核转发和masquerade)