Routing firewall configuration


I have a CentOS 7 machine on which I am trying to enable FirewallD to make it more secure than it is now. Currently it is used as a router between 11 different subnets configured on a single interface and a second interface, to allow external traffic in over a VPN. I have followed several guides on the internet for setting up the firewall, and nothing except ping seems to get through. Below is my current configuration

firewall-cmd --zone=internal --list-all

internal
  interfaces: eth0
  sources: 192.168.0.0/16
  services: adws dhcpv6-client dns http https ipp-client kerberos ldap ldaps mdns ms-gc ms-gc-ssl ms-wbt msrpc mssql ntp samba samba-client smtp ssh
  ports: 49152-65535/tcp 49152-65535/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

firewall-cmd --zone=public --list-all

public (active)
  interfaces: eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 81/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT
ip address show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:33:c8:b0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.1/24 brd 192.168.20.255 scope global ens160:1
       valid_lft forever preferred_lft forever
    inet 192.168.33.1/24 brd 192.168.33.255 scope global ens160:2
       valid_lft forever preferred_lft forever
    inet 192.168.10.1/24 brd 192.168.10.255 scope global ens160:3
       valid_lft forever preferred_lft forever
    inet 192.168.25.1/24 brd 192.168.25.255 scope global ens160:4
       valid_lft forever preferred_lft forever
    inet 192.168.55.1/24 brd 192.168.55.255 scope global ens160:5
       valid_lft forever preferred_lft forever
    inet 192.168.18.1/24 brd 192.168.18.255 scope global ens160:6
       valid_lft forever preferred_lft forever
    inet 192.168.88.1/24 brd 192.168.88.255 scope global ens160:7
       valid_lft forever preferred_lft forever
    inet 192.168.137.1/24 brd 192.168.137.255 scope global ens160:8
       valid_lft forever preferred_lft forever
    inet 192.168.181.1/24 brd 192.168.181.255 scope global ens160:9
       valid_lft forever preferred_lft forever
    inet 192.168.182.1/24 brd 192.168.182.255 scope global ens160:10
       valid_lft forever preferred_lft forever
    inet 192.168.26.1/24 brd 192.168.26.255 scope global ens160:11
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:8b:62:3d brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.10/24 brd 172.16.0.255 scope global dynamic ens192
       valid_lft 4718sec preferred_lft 4718sec
The VPN rules work fine and I can reach the admin page at 172.16.0.10:81, but nothing on eth0 gets any packets through other than ICMP. Let me know if you want more details.

Edit: I also tried moving eth0 to the trusted zone, which allowed traffic through, so I know this is not an interface misconfiguration.


Edit 2: With further testing I found that the CentOS machine accepts direct connections to allowed services (e.g. ssh, dns), but it does not route traffic to destinations on the other subnets the way it does with the firewall off.

After uninstalling FirewallD, downloading and installing the iptables-services package, trying iptables alone and successfully configuring the FORWARD chain to route traffic correctly, I re-evaluated the --direct firewall configuration and found a line I had missed:

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT

firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT
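An added audit script (not from the original post) that checks the `firewall-cmd --direct --get-all-rules` output above for the intra-interface FORWARD rule the answer adds, prints the command to add it persistently, and flags two things worth reviewing before relying on this setup: FORWARD accept rules with no protocol or address qualifier (the eth0 to eth0 rule lets every host in all 11 subnets reach every other host), and interface names that do not exist on the box (the rules name eth0 and eth1 while `ip address show` lists ens160 and ens192). The rule list and interface list are constructed from the post's output; `--permanent` is a real firewall-cmd option, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the direct rules of a
# two-interface firewalld router.  DIRECT_RULES is constructed from the
# `firewall-cmd --direct --get-all-rules` output shown in the answer.
DIRECT_RULES='ipv4 filter INPUT 0 -i eth1 -p tcp --dport 1723 -j ACCEPT
ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter POSTROUTING 0 -t nat -o eth1 -j MASQUERADE
ipv4 filter FORWARD 0 -i ppp+ -o eth1 -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o ppp+ -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -o eth0 -j ACCEPT'

# Interfaces present on the box, constructed from the `ip address show` output.
LIVE_IFACES='lo ens160 ens192'

# Exit 0 if a FORWARD rule accepts traffic arriving on $1 and leaving on $2.
has_forward_accept() {
    printf '%s\n' "$DIRECT_RULES" |
        grep -q -- "^ipv4 filter FORWARD [0-9]* -i $1 -o $2 -j ACCEPT$"
}

# Print the firewall-cmd invocation that adds the missing rule.  --permanent
# writes it to the saved config; without it the rule is lost on reload.
forward_accept_cmd() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i %s -o %s -j ACCEPT\n' "$1" "$2"
}

# FORWARD accept rules with no -p/-s/-d/--dport qualifier: every host behind
# the inbound interface can reach every host behind the outbound one.
unrestricted_forward_rules() {
    printf '%s\n' "$DIRECT_RULES" |
        awk '$3 == "FORWARD" && /-j ACCEPT/ && !/-p |-s |-d |--dport /'
}

# Interface names used with -i/-o that are not in LIVE_IFACES.  A rule bound
# to a non-existent interface silently matches nothing.  Wildcards such as
# ppp+ are skipped because they match links created on demand.
unknown_ifaces() {
    printf '%s\n' "$DIRECT_RULES" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1) }' |
        sort -u |
        while read -r name; do
            case "$name" in *+) continue ;; esac
            case " $LIVE_IFACES " in *" $name "*) ;; *) echo "$name" ;; esac
        done
}
```

Replace the two constructed strings with the live command outputs (`firewall-cmd --direct --get-all-rules` and `ip -o link | awk -F': ' '{print $2}'`) to run it against a real host.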