Setting firewalld filter rules on a dual-NIC host to get out-of-band management

Step 1: find the names of the two NICs;

Step 2: put each NIC into a different zone and give each zone its own set of allowed ports (management NIC: only the management ports; business NIC: only the service ports)

Step 3: reload the firewall so the permanent configuration becomes active

/etc/resolv.conf # DNS resolver configuration
/etc/hosts # hostname-to-IP mappings; unless the hostname changes this file is normally left alone
/etc/sysconfig/network # global network settings (hostname, default gateway); if several GATEWAY lines are present only the last one takes effect
/etc/sysconfig/network-scripts/ifcfg-<interface-name> # per-interface configuration, one file per NIC (a ZONE= line here binds the NIC to a firewalld zone)

enp125s0f4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.130.223 netmask 255.255.255.0 broadcast 192.168.130.255
inet6 fe80::25b7:b944:2135:6be1 prefixlen 64 scopeid 0x20<link>
ether a0:1c:8d:1a:ed:ad txqueuelen 1000 (Ethernet)
RX packets 30960280 bytes 633765172129 (590.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 31566791 bytes 47194152858 (43.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp125s0f5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.223 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::abdf:a084:7a1d:f393 prefixlen 64 scopeid 0x20<link>
ether a0:1c:8d:1a:ed:ae txqueuelen 1000 (Ethernet)
RX packets 417 bytes 45536 (44.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 133 bytes 23519 (22.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
=====================Firewall commands============================
systemctl start firewalld.service   # start the firewalld service
# Business NIC enp125s0f5 -> work zone: only 80 and 8080 are opened there
firewall-cmd --zone=work --add-port=8080/tcp --permanent
firewall-cmd --zone=work --add-port=80/tcp --permanent
# Management NIC enp125s0f4 -> block zone: block rejects everything by default,
# but ports added explicitly to the zone are still accepted
firewall-cmd --zone=block --add-port=18181/tcp --permanent
firewall-cmd --zone=block --add-port=111/tcp --permanent
firewall-cmd --zone=block --add-port=6000/tcp --permanent
firewall-cmd --zone=block --add-interface=enp125s0f4 --permanent   # bind the NIC to the zone; without --permanent the binding is lost on the next --reload
firewall-cmd --list-all-zones
firewall-cmd --zone=work --list-services
firewall-cmd --zone=work --remove-service=ssh --permanent   # work allows ssh by default; remove it so port 22 is not reachable through the business NIC
firewall-cmd --get-active-zones
systemctl restart firewalld.service   # a restart discards every runtime-only (non --permanent) change
systemctl status firewalld.service
firewall-cmd --reload   # the permanent configuration becomes the runtime configuration
firewall-cmd --get-zone-of-interface=enp125s0f5   # shows the zone the NIC currently belongs to (public, the default, until it is moved below)
# Rich rules have no interface="..." element; firewalld rejects such a rule as INVALID_RULE.
# A NIC is selected through the zone it belongs to, so the rule is written against that zone
# (public here; it stops applying to enp125s0f5 once the NIC is moved into work below):
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
firewall-cmd --get-zone-of-interface=enp125s0f5
firewall-cmd --zone=work --change-interface=enp125s0f5 --permanent   # move the business NIC into the work zone
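The three steps from the top of the page as one script. This is an added example, not the original post's own commands: it assumes the same NIC names, zones and ports as the command log above (enp125s0f4 in block with 18181/111/6000, enp125s0f5 in work with 80/8080 and ssh removed), writes everything with --permanent and applies it with a single --reload. The DRY_RUN switch and the plan/apply arguments are additions so the resulting firewall-cmd calls can be reviewed on a machine without firewalld before they are run on the real host.

```shell
#!/usr/bin/env bash
# Added example: bind each NIC to its own firewalld zone and open only that zone's ports.
# Interface names, zones and ports follow the page's setup; adjust via MGMT_IF / BIZ_IF.
set -euo pipefail

MGMT_IF="${MGMT_IF:-enp125s0f4}"        # management NIC (assumed, as on the page)
MGMT_ZONE="block"
MGMT_PORTS="18181/tcp 111/tcp 6000/tcp"

BIZ_IF="${BIZ_IF:-enp125s0f5}"          # business NIC (assumed, as on the page)
BIZ_ZONE="work"
BIZ_PORTS="80/tcp 8080/tcp"

# DRY_RUN=1 prints each firewall-cmd call instead of executing it, so the plan can be
# reviewed (and tested) on a host that has no firewalld at all.
DRY_RUN="${DRY_RUN:-0}"
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Step 1: NIC names with their IPv4 addresses (the ifconfig listing above, by script).
list_nics() {
    ip -o -4 addr show | awk '$2 != "lo" {print $2, $4}'
}

# Step 2: bind one interface to one zone and open exactly the listed ports there.
# The stock work and public zones ship with ssh enabled, so it is removed to keep
# port 22 off the business NIC; block has no default services. Check
# 'firewall-cmd --zone=<zone> --list-services' for anything else the zone enables.
configure_zone() {
    local zone="$1" ifname="$2" ports="$3" p
    fw --permanent --zone="$zone" --change-interface="$ifname"
    if [ "$zone" = "work" ] || [ "$zone" = "public" ]; then
        fw --permanent --zone="$zone" --remove-service=ssh
    fi
    for p in $ports; do
        fw --permanent --zone="$zone" --add-port="$p"
    done
}

# Step 3: make the permanent configuration live and show what each NIC now exposes.
apply_and_verify() {
    fw --reload
    fw --get-active-zones
    fw --zone="$MGMT_ZONE" --list-all
    fw --zone="$BIZ_ZONE" --list-all
}

main() {
    configure_zone "$MGMT_ZONE" "$MGMT_IF" "$MGMT_PORTS"
    configure_zone "$BIZ_ZONE"  "$BIZ_IF"  "$BIZ_PORTS"
    apply_and_verify
}

# Lock-out guard: the port you administer the box over must be in the zone of the NIC
# you are connected through, otherwise the --reload cuts your own session.
case "${1:-}" in
    plan)  DRY_RUN=1; main ;;   # print the firewall-cmd calls only
    apply) main ;;              # run them (needs root and a running firewalld)
    *)     : ;;                 # sourced or called without an argument: do nothing
esac
```

Run `./fw-oob.sh plan` first and read the printed calls, then `sudo ./fw-oob.sh apply` from a session on the management network. Binding a NIC to a zone can equally be done with a `ZONE=block` line in its ifcfg file, which is what `--permanent --change-interface` records on a NetworkManager-managed interface. For a one-off trial that cannot lock you out, add a runtime rule with `--timeout=<seconds>` instead of `--permanent`; it is removed automatically when the timer expires.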
======================Zones===========================
drop: drop every incoming packet without any reply; only outgoing connections are possible
block: reject every externally initiated connection (with an ICMP host-prohibited reply); only connections initiated from the host itself are possible
public: accept only the explicitly selected incoming connections; the other hosts on the network are not trusted
external: as public, with masquerading (NAT) enabled for outgoing traffic; typically used on a router doing forwarding
dmz: for hosts in a demilitarized zone; only a restricted set of incoming connections is accepted
work: for work networks where the other computers are mostly trusted; only selected incoming connections are accepted (like a workgroup)
home: as work, for home networks (like a homegroup)
internal: as work, for internal networks where the other hosts are mostly trusted
trusted: accept all connections
Note: the zone's default action (drop, reject or accept) only applies to packets that match none of its rules, which is why ports added explicitly to the block zone are still reachable. Most stock zones (public, work, home, ...) already allow ssh; check with --list-services before relying on a zone to hide port 22.
=====================Filter rule types============================
source: filter by source address
interface: filter by network interface (done by binding the NIC to a zone)
service: filter by service name
port: filter by port
icmp-block: filter ICMP messages, configured per ICMP type
masquerade: IP address masquerading (NAT)
forward-port: port forwarding
rule: custom rich rule (source, destination, service/port, log, action); rich rules have no interface element

posted @ 2020-08-31 15:40  学习家园-海风  reads(743)  comments(0)