Questions tagged [firewalld] (server)

huthut28
Asked: 2023-09-25 20:03:31 +0800 CST

Are rich rules in firewalld applied before or after the regular zone rules in a zone with the default "DROP" target?

  • 6

As far as I know, there are two main ways to add rules in firewalld: regular "zone" rules and rich rules. Also, I know that when we set target="DROP", all new incoming connections are dropped unless we add rules that allow selected incoming traffic.

I'd like to ask whether firewalld has any standard pattern for applying rules to incoming packets when we add new rules using regular zone rules versus rich rules?

For example, is this the order in which firewalld always applies the rules:

  1. Normal rules
  2. Rich rules
  3. Default drop policy rules
firewalld
  • 1 answer
  • 115 Views
artfulrobot
Asked: 2023-08-01 15:14:13 +0800 CST

How to create a trap with Firewalld

  • 5

I want to set up the following logic using firewalld:

  1. When a host from the Internet tries to reach the server on port 22:
    1. DROP, and
    2. add their IP to an ipset named "trap" (24 hour timeout)
  2. When a host whose IP is in the "trap" list tries to connect to any port: DROP.

I've read many documentation pages but can't work out how to implement 1.2 above.

firewalld
  • 1 answer
  • 27 Views
omeganebula
Asked: 2022-04-19 23:42:45 +0800 CST

Firewall/IP rules problem between two hosts connected via a vSwitch

  • 0

I have two servers here, one is a Qemu VM host and the other is some kind of storage box.

They are Hetzner machines and I connected them via a vSwitch.

Server1 vSwitch interface:

3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:7b:44:b1:5b:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global local
       valid_lft forever preferred_lft forever

Server1 (VM host) ip route:

default via <redacted-public-ip> dev eth0 proto static metric 100 
<redacted-public-ip> dev eth0 proto static scope link metric 100 
192.168.10.0/24 dev virbr0 proto kernel scope link src 192.168.10.254 metric 425 <-- virbr0 network
192.168.10.253 via 192.168.100.2 dev local <-- srv02 IP to fit in virbr0 net space

Server2 vSwitch interface:

3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default qlen 1000
    link/ether 08:60:6e:44:d6:2a brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 brd 192.168.100.255 scope global local
       valid_lft forever preferred_lft forever
    inet 192.168.10.253/24 brd 192.168.10.255 scope global local
       valid_lft forever preferred_lft forever

Server2 ip route:

default via <redacted-public-ip> dev eth0 proto static metric 100 
<redacted-public-ip> dev eth0 proto static scope link metric 100 
192.168.10.0/24 dev local proto kernel scope link src 192.168.10.253  <-- to access virbr0 via vSwitch

I guess my routing setup is correct, because everything works with the firewalld service turned off.

But if I turn it on, the problems start.

These are the firewall zones on Server1 (when I disable firewalld, everything works):

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule priority="32767" reject


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 local
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I have tried turning on masquerade on each of them at the same time, but to no avail. I'm "testing" it with a simple ping from Server2 to one of the VMs on virbr0.

Am I missing something obvious here?

Thanks all.

linux ip-routing linux-networking firewalld
  • 1 answer
  • 33 Views
Steffen
Asked: 2022-03-06 10:54:50 +0800 CST

firewalld: log blocked outgoing connections

  • 0

I have configured firewalld so that the firewall also blocks outgoing connections. I have to whitelist outgoing traffic by adding specific rules. This works fine.

But now I want to know whether there are outgoing connections that are currently still being blocked by the firewall. To check this, I set LogDenied to all and restarted/reloaded firewalld. Now I can see many firewall messages in /var/log/messages for REJECTed incoming packets, e.g.

Mar  5 19:45:29 kvm011 kernel: FINAL_REJECT: IN=br0-enp3s0 OUT= MAC=80:ee:73:9d:59:09:98:9b:cb:bf:c3:7e:08:00 SRC=192.168.1.254 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55873 DF PROTO=TCP SPT=41047 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 

But blocked outgoing traffic does not seem to be logged. I tested it: SMTP port 25 is not whitelisted for outgoing traffic. So if I try to send an e-mail, the e-mail is marked as "deferred" and I see in the mail log that the e-mail could not be sent:

Mar  5 19:46:21 kvm011 postfix/smtp[3240]: connect to xxx.xxx.org[193.111.xxx.xxx]:25: Connection timed out

But there is no firewall message in /var/log/messages (for the blocked connection on port 25). Do I have to activate these messages in firewalld? If so, how do I do that?

logging centos7 firewalld
  • 1 answer
  • 399 Views
Norman Gray
Asked: 2022-02-22 08:35:36 +0800 CST

How to display the entire firewalld state?

  • 0

I'm trying to work out why the firewall isn't behaving the way I think I asked it to, and so I'm trying to work out how to display firewalld's complete rule set in some format resembling an iptables config file. Or some other format, I don't much care, as long as it's at least as readable as an iptables or pf config (i.e. this is a very low bar to clear!).

  • Commands such as firewall-cmd --list-all, "list everything added for or enabled in a zone". But this only lists the interfaces, services, etc., with no further detail. I can't see a --list-all-no-really-everything option.
  • I thought I'd found it when reading about direct rules, but found that this only applies to rules added as extra "direct" rules, rather than being the trapdoor into the engine room that it first appeared to be.
  • I've seen the config files in /etc/firewalld and /usr/lib/firewalld. But although this looked promising at first glance, and the comments are nice, it doesn't seem to actually tell me much about the current state. Questions like this one are about exporting rules (to move them elsewhere), and suggest that this is all there is (I guess the ports mentioned in the services mentioned in the public zone are blocked for incoming...?).

My understanding (correct me if I'm wrong) is that firewalld has something iptables-like inside it which is doing all the actual work, and that it has some sort of state which can be found by --reload, er, ... reloading. That's the state I'm hoping to find.

Maybe I'm being dim, but I find the overall indirection and helpfulness of firewall-cmd completely incomprehensible. Yes, the famous "every problem in computer science can be solved by adding another layer of indirection", but sometimes this can be taken to extremes.

I may not have a firewall problem at all, but I can't see enough of the firewall state to rule that out. Is there a case for switching to iptables (I wonder, in despair)? It's more fiddly to set up, and easy to get wrong, but at least I'd know what's going on.

I'm very open to being challenged, or to being told I'm barking up the wrong tree.

firewalld
  • 0 answers
  • 210 Views
Chris
Asked: 2022-02-16 08:06:14 +0800 CST

firewall-cmd - adding 0.0.0.0/0 as a source in one zone blocks more specific access in another zone

  • 0

I have two firewall zones configured as follows:

zone: ssh-access
source: 1.2.3.4
ports: 9999/tcp

zone: other-access
source: 5.6.7.8
ports: 8888/tcp

We temporarily want to remove the restriction on access to the ssh-access zone on port 9999/tcp, so we replace the source so that the zone configuration looks like this:

zone: ssh-access
source: 0.0.0.0/0
ports: 9999/tcp

This has the desired effect for the ssh-access zone.

However, as soon as we do this, source 5.6.7.8 for zone other-access can no longer communicate over port 8888/tcp until the 0.0.0.0/0 source for ssh-access is restored to its original value.

I feel like I'm overlooking something simple...

tl;dr: we want to allow any source to communicate over port 9999/tcp, but restrict port 8888/tcp to the defined source.

firewalld
  • 0 answers
  • 129 Views
ElToro1966
Asked: 2022-01-29 09:52:01 +0800 CST

Faust client not connecting to Kafka

  • 1

I'm having trouble connecting from a client running a Faust script to the machine running Kafka. The script looks like this:

import faust
import logging
from asyncio import sleep


class Test(faust.Record):
    msg: str


app = faust.App('myapp', broker='kafka://10.0.0.20:9092')
topic = app.topic('test', value_type=Test)


@app.agent(topic)
async def hello(messages):
    async for message in messages:
        print(f'Received {message.msg}')


@app.timer(interval=5.0)
async def example_sender():
    await hello.send(
        value=Test(msg='Hello World!'),
    )


if __name__ == '__main__':
    app.main()

When I run the script:

# faust -A myapp worker -l info
┌ƒaµS† v0.8.1─┬─────────────────────────────────────────────────┐
│ id          │ myapp                                           │
│ transport   │ [URL('kafka://10.0.0.20:9092')]                 │
│ store       │ memory:                                         │
│ web         │ http://hubbabubba:6066                   │
│ log         │ -stderr- (info)                                 │
│ pid         │ 260765                                          │
│ hostname    │ hubbabubba                               │
│ platform    │ CPython 3.8.10 (Linux x86_64)                   │
│ drivers     │                                                 │
│   transport │ aiokafka=0.7.2                                  │
│   web       │ aiohttp=3.8.1                                   │
│ datadir     │ /Git/faust-kafka/myapp-data    │
│ appdir      │ /Git/faust-kafka/myapp-data/v1 │
└─────────────┴─────────────────────────────────────────────────┘
[2022-01-28 13:09:57,018] [260765] [INFO] [^Worker]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^-App]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^--Monitor]: Starting... 
[2022-01-28 13:09:57,021] [260765] [INFO] [^--Producer]: Starting... 
[2022-01-28 13:09:57,022] [260765] [INFO] [^---ProducerBuffer]: Starting... 
[2022-01-28 13:09:57,024] [260765] [ERROR] Unable connect to "10.0.0.20:9092": [Errno 113] Connect call failed ('10.0.0.20', 9092) 
[2022-01-28 13:09:57,025] [260765] [ERROR] [^Worker]: Error: KafkaConnectionError("Unable to bootstrap from [('10.0.0.20', 9092, <AddressFamily.AF_INET: 2>)]") 
Traceback (most recent call last):
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/worker.py", line 276, in execute_from_commandline
    self.loop.run_until_complete(self._starting_fut)
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/services.py", line 759, in start
    await self._default_start()
  File "/media/eric/DISK3/Git/faust-kafka/venv/lib/python3.8/site-packages/mode/services.py", line 766, in _default_start
    await self._actually_start()...
  File "/Git/faust-kafka/venv/lib/python3.8/site-packages/aiokafka/client.py", line 249, in bootstrap
    raise KafkaConnectionError(
kafka.errors.KafkaConnectionError: KafkaConnectionError: Unable to bootstrap from [('10.0.0.20', 9092, <AddressFamily.AF_INET: 2>)]
[2022-01-28 13:09:57,027] [260765] [INFO] [^Worker]: Stopping... 
[2022-01-28 13:09:57,027] [260765] [INFO] [^-App]: Stopping... 
[2022-01-28 13:09:57,027] [260765] [INFO] [^-App]: Flush producer buffer... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^--TableManager]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^---Fetcher]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^---Conductor]: Stopping... 
[2022-01-28 13:09:57,028] [260765] [INFO] [^--AgentManager]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^Agent: myapp.hello]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--ReplyConsumer]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--LeaderAssignor]: Stopping... 
[2022-01-28 13:09:57,029] [260765] [INFO] [^--Consumer]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--Web]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--CacheBackend]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^--Producer]: Stopping... 
[2022-01-28 13:09:57,030] [260765] [INFO] [^---ProducerBuffer]: Stopping... 
[2022-01-28 13:09:57,031] [260765] [INFO] [^--Monitor]: Stopping... 
[2022-01-28 13:09:57,032] [260765] [INFO] [^Worker]: Gathering service tasks... 
[2022-01-28 13:09:57,032] [260765] [INFO] [^Worker]: Gathering all futures... 
[2022-01-28 13:09:58,033] [260765] [INFO] [^Worker]: Closing event loop

Kafka (v.2.8.1) is running on 10.0.0.20, port 9092. The Kafka config looks like this:

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# see kafka.server.KafkaConfig for additional details and defaults

############################# Server Basics #############################

# The id of the broker. This must be set to a unique integer for each broker.
broker.id=0

############################# Socket Server Settings #############################

# The address the socket server listens on. It will get the value returned from 
# java.net.InetAddress.getCanonicalHostName() if not configured.
#   FORMAT:
#     listeners = listener_name://host_name:port
#   EXAMPLE:
#     listeners = PLAINTEXT://your.host.name:9092
listeners=PLAINTEXT://:9092

# Hostname and port the broker will advertise to producers and consumers. If not set, 
# it uses the value for "listeners" if configured.  Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
advertised.listeners=PLAINTEXT://localhost:9092

# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL

# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3

# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8

# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400

# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400

# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600


############################# Log Basics #############################

# A comma separated list of directories under which to store log files
log.dirs=/tmp/kafka-logs

# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=1

# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=1

############################# Internal Topic Settings  #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=1
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1

############################# Log Flush Policy #############################

# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
#    1. Durability: Unflushed data may be lost if you are not using replication.
#    2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
#    3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.

# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000

# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000

############################# Log Retention Policy #############################

# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.

# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168

# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824

# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824

# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000

############################# Zookeeper #############################

# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=localhost:2181

# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000


############################# Group Coordinator Settings #############################

# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=0

The Kafka broker starts without any problems:

$ sudo bin/kafka-server-start.sh -daemon config/server.properties 

I create the topic:

$ bin/kafka-topics.sh --bootstrap-server localhost:9092 --create --replication-factor 1 --partitions 1 --topic test

Then I check:

$ bin/kafka-topics.sh --bootstrap-server localhost:9092 --list
test

So I'm wondering where I messed up. BTW: the server is reachable from the client machine:

$ ping -c 5 10.0.0.20 -p 9092
PATTERN: 0x9092
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=64 time=0.468 ms
64 bytes from 10.0.0.20: icmp_seq=2 ttl=64 time=0.790 ms
64 bytes from 10.0.0.20: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 10.0.0.20: icmp_seq=4 ttl=64 time=0.453 ms
64 bytes from 10.0.0.20: icmp_seq=5 ttl=64 time=0.827 ms

--- 10.0.0.20 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.453/0.691/0.918/0.192 ms
networking python opensuse firewalld kafka
  • 1 answer
  • 550 Views
user371793
Asked: 2021-12-14 11:46:52 +0800 CST

Firewalld blocks SSH between clients on a WireGuard LAN

  • 0

What needs to be allowed in firewalld so that WireGuard clients can SSH to each other?


Setup

I have two clients and a server on a WireGuard VPN network. They are all running Debian 11.

CLIENT A -------- SERVER -------- CLIENT B
10.0.1.2         10.0.1.1         10.0.1.3

What works

  • I can SSH from either client to the server.
  • I can SSH from the server to either client.

Problem: but when I try to SSH client to client, I get "ssh: connect to host 10.0.1.2 port 22: No route to host"


Troubleshooting

  1. The path between the machines is up, because I can ping...
    • client to server,
    • server to client,
    • and client to client.
  2. The ports are reachable, because I can telnet...
    • from the server to either client on port 22.
    • from either client to the server on port 22.

Problem: but when I try to telnet client to client, I get "telnet: Unable to connect to remote host: No route to host"


What has been confirmed

  • SSH is a listed service in firewalld: firewall-cmd --list-services returns ssh
  • ip-forward is set in the kernel: sysctl -a returns net.ipv4.ip_forward = 1
  • Forwarding is set in iptables: iptables-save returns -A FORWARD -i wg0 -o wg0 -j ACCEPT
  • Disabling firewalld on the server does allow SSH connections between the two WireGuard clients.

Thanks for any help and pointers.

debian wireguard firewalld
  • 1 answer
  • 640 Views
Edgar
Asked: 2021-12-01 04:32:08 +0800 CST

Which protections can I use on a server

  • 0

I have read about server protection and know how to use only a few protections, since it is not very demanding.

My question is: which of the following protections are best suited to a server, and which of the protections offered can be used together on a server:

  1. Firewall
  2. Fail2ban
  3. Mod_security
  4. Mod_Evasive
  5. Selinux

Thanks!

linux fail2ban selinux firewalld mod-security
  • 1 answer
  • 47 Views
Franc
Asked: 2021-11-25 14:53:46 +0800 CST

Attach a port to a domain name [duplicate]

  • 0
This question already has answers here:
How to resolve to a specific IP:port using DNS/hostname or otherwise (10 answers)
Closed 10 months ago.

I run a small (CentOS 7) mail server at home, and I'd like to attach ports to domain names rather than opening them for every incoming connection to the server IP. Currently, when I open ports 25/993/587 in FirewallD, they are open to everyone. So when I point a domain name at my server IP, all ports are open. I currently use mail.example.com, but what I'd like to achieve is:

smtp.mail.example.com -> 25
imaps.mail.example.com -> 993

... and so on. I don't know whether or how this is possible; I know it isn't necessary for my mail server to function, but from a sanity point of view it's interesting, and it would be useful in other situations where you combine web hosting and mail hosting on one server, since a mail server doesn't need ports 80/443 and a web server doesn't need 25/993, and so on.

I know about SRV records, but when you use the same IP, all ports are still open.

centos firewalld
  • 1 answer
  • 70 Views