重庆思庄 Oracle / Red Hat Certification Study Forum

[Basic Commands] CentOS7/RHEL7 - configuring firewalld access rules on a single instance

OP | Posted on 2020-12-9 13:36:21
OS version
[oracle@strong ~]$ cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
Official site
http://www.firewalld.org/
1. Basic firewalld usage
Start: systemctl start firewalld
Stop: systemctl stop firewalld
Check status: systemctl status firewalld
Disable at boot: systemctl disable firewalld
Enable at boot: systemctl enable firewalld
Check whether it is enabled at boot: systemctl is-enabled firewalld
2. Configuring with firewall-cmd
Show version: firewall-cmd --version
Show help: firewall-cmd --help
Show state: firewall-cmd --state
List all open ports: firewall-cmd --zone=public --list-ports
Reload the firewall rules: firewall-cmd --reload
Show active zones: firewall-cmd --get-active-zones
Show the zone a given interface belongs to: firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode on): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
Blocking port 1521
[root@strong services]# firewall-cmd --permanent --remove-port=1521/tcp  (permanent removal)
success
[root@strong services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@strong services]# firewall-cmd --reload
success
[root@strong services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@strong services]#
Verification
[oracle@sztech ~]$ sqlplus sys/oracle@192.168.0.145:1521/orcl as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Nov 25 14:47:56 2020
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-12543: TNS:destination host unreachable
Enter user-name:
Allowing connections to port 1521
[root@strong services]# firewall-cmd --permanent --add-port=1521/tcp
success
[root@strong services]# firewall-cmd --reload
success
[root@strong services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Verification
[oracle@sztech ~]$ sqlplus sys/oracle@192.168.0.145:1521/orcl as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Nov 25 14:51:17 2020
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select name from v$database;
NAME
---------
ORCL
SQL>
Blocking access from 192.168.0.156
[root@strong services]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.156" reject'
success
[root@strong services]# firewall-cmd --reload  (takes effect immediately)
success
[root@strong services]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.156" reject
[root@strong services]#
Verification
[oracle@sztech ~]$ ping 192.168.0.145
PING 192.168.0.145 (192.168.0.145) 56(84) bytes of data.
From 192.168.0.145 icmp_seq=1 Destination Port Unreachable
From 192.168.0.145 icmp_seq=2 Destination Port Unreachable
From 192.168.0.145 icmp_seq=3 Destination Port Unreachable
From 192.168.0.145 icmp_seq=4 Destination Port Unreachable
[oracle@sztech ~]$ sqlplus sys/oracle@192.168.0.145:1521/orcl as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Nov 25 14:58:04 2020
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-12541: TNS:no listener
Enter user-name:
Connection test from another IP
C:\Users\Administrator>sqlplus sys/oracle@192.168.0.145:1521/orcl as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on 星期三 11 25 15:16:24 2020
Copyright (c) 1982, 2010, Oracle.  All rights reserved.
连接到:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>
Restoring access for 192.168.0.156
[root@strong services]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.156" accept'
success
[root@strong services]# firewall-cmd --reload
success
[root@strong services]# firewall-cmd --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.156" reject
        rule family="ipv4" source address="192.168.0.156" accept
[root@strong services]#
Verification
[oracle@sztech admin]$ sqlplus sys/ORACLE@192.168.0.145:1521 as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Nov 25 15:23:21 2020
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
ERROR:
ORA-12541: TNS:no listener
Enter user-name:
The "no listener" error is caused by the priority ordering of rich rules:
rule family="ipv4" source address="192.168.0.156" reject
rule family="ipv4" source address="192.168.0.156" accept
Fix: remove the rule that blocks the IP
[root@strong services]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.0.156" reject'
success
[root@strong services]# firewall-cmd --reload
success
[root@strong services]# firewall-cmd --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.156" accept
[root@strong services]#
[oracle@sztech admin]$ sqlplus sys/oracle@192.168.0.145:1521/orcl as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Wed Nov 25 15:27:39 2020
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL>
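Added example, not part of the post above: a small Python audit that parses the "rich rules:" section of `firewall-cmd --list-all` output and reports any source that has both a reject/drop rule and an accept rule, which is exactly the shadowing the post ran into (firewalld places reject/drop rich rules in the zone's deny chain, which is evaluated before its allow chain, so the accept added later never matched). The sample input is constructed from the thread's own `--permanent --list-all` output; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

RICH_RULE_RE = re.compile(  # one rich rule line as printed by --list-all; the port clause is optional
    r'^rule family="(?P<family>ipv4|ipv6)" source address="(?P<source>[^"]+)"'
    r'(?: port port="(?P<port>\d+)" protocol="(?P<proto>tcp|udp)")? (?P<action>accept|reject|drop)$')

@dataclass(frozen=True)
class RichRule:
    family: str
    source: str
    action: str
    port: "str | None" = None
    proto: "str | None" = None

def parse_rich_rules(list_all_output: str) -> list:
    """Collect the rich rules from `firewall-cmd --list-all` output, in listed order."""
    rules, in_section = [], False
    for raw in list_all_output.splitlines():
        line = raw.strip()
        if line.startswith("rich rules:"):
            in_section = True
        elif in_section:
            m = RICH_RULE_RE.match(line)
            if not m:
                break  # next key or the shell prompt: the section is over
            rules.append(RichRule(**m.groupdict()))
    return rules

def shadowed_accepts(rules: list) -> list:
    """Reject/drop rules that shadow an accept for the same source: firewalld puts reject/drop
    rich rules in the zone's deny chain, evaluated before the allow chain, whatever the insertion order."""
    accepts = [r for r in rules if r.action == "accept"]
    return [d for d in rules if d.action in ("reject", "drop") and any(
        a.family == d.family and a.source == d.source and d.port in (None, a.port) for a in accepts)]

def remediation_commands(rules: list) -> list:
    """firewall-cmd calls that remove each shadowing deny rule from the permanent configuration."""
    cmds = []
    for r in shadowed_accepts(rules):
        port = f' port port="{r.port}" protocol="{r.proto}"' if r.port else ""
        cmds.append(f"firewall-cmd --permanent --remove-rich-rule='rule family=\"{r.family}\" "
                    f"source address=\"{r.source}\"{port} {r.action}'")
    return cmds

# Constructed sample: the `--permanent --list-all` output shown in the thread, spacing repaired.
SAMPLE = """  rich rules:
        rule family="ipv4" source address="192.168.0.156" reject
        rule family="ipv4" source address="192.168.0.156" accept
[root@strong services]#"""
```

Running `remediation_commands(parse_rich_rules(SAMPLE))` yields the same `--remove-rich-rule` command the post used to fix the problem.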

Reply 1 | Posted on 2020-12-9 15:52:06
If I want to set up a few whitelisted IPs, how do I configure that?
Reply 2 | OP | Posted on 2020-12-13 09:16:40
This post was last edited by jiawang on 2020-12-13 09:24
郑全 posted on 2020-12-9 15:52:
If I want to set up a few whitelisted IPs, how do I configure that?

Edit the iptables configuration file and change its contents to the following; this gives the host an IP address whitelist.
# vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-N whitelist
-A whitelist -s 192.168.0.0/24 -j ACCEPT
-A whitelist -s 192.168.0.141 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j whitelist
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j whitelist
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Lines 6 to 8 add the whitelist entries; each can be an IP range or a single IP address.
Lines 10 to 12: note that it is "-j whitelist" rather than "-j ACCEPT". The former restricts access to that port to the whitelist; the latter imposes no restriction.
Line 13: any IP address can ping the host, because "-j ACCEPT" applies no restriction.
Once the configuration is done, run the following command to restart the firewall so the rules take effect:
# systemctl restart iptables.service

Reply 3 | Posted on 2020-12-18 14:48:51
What about RHEL 8.0 and later, which no longer have the iptables module?