1.网络规划
主机 | 公网IP | 私网(心跳)IP | 虚拟ip | scan-ip |
---|---|---|---|---|
rac1 | 172.18.238.65 | 3.33.3.1 | 172.18.238.67 | 172.18.238.69 |
rac2 | 172.18.238.66 | 3.33.3.2 | 172.18.238.68 | 172.18.238.69 |
[root@rac1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.18.238.65 rac1
172.18.238.66 rac2
172.18.238.67 rac1-vip
172.18.238.68 rac2-vip
3.33.3.1 rac1-prv
3.33.3.2 rac2-prv
172.18.238.69 rac-scan
2.防火墙配置
1)开启防火墙服务
# firewall-cmd --state //查看防火墙运行状态
# systemctl start firewalld.service //启动防火墙
# systemctl enable firewalld //设置防火墙随系统启动
# firewall-cmd --list-ports //查看所有打开的端口
# firewall-cmd --list-all //查看防火墙开放端口及服务列表
2)将心跳网卡添加到 trusted 区域(zone)中
心跳(内网)网卡所在的 zone=trusted 是受信任区域，会接受该接口上的所有入站连接，因此心跳网卡只应接入隔离的私有网络。
# firewall-cmd --zone=trusted --permanent --add-interface=ens192
# firewall-cmd --reload
# firewall-cmd --zone=trusted --list-interfaces
备注:
# firewall-cmd --zone=trusted --remove-interface=virbr0 --permanent //永久删除接口
# firewall-cmd --get-zone-of-interface=virbr0 //查看接口所属区域
3)将公网IP、vip和scan-ip 都加入白名单(按来源地址放行全部流量)
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.238.65" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.238.66" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.238.67" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.238.68" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.18.238.69" accept'
# firewall-cmd --reload
4)开放1521端口
# firewall-cmd --zone=public --permanent --add-port=1521/tcp
# firewall-cmd --reload
5)查看并备份iptables规则(下面的 iptables -vnL 只是查看当前规则；如需备份，请用 iptables-save 导出到文件)
[root@rac1 network-scripts]# iptables -t filter -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
72613 49M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6789 4022K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
20841 58M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
20841 58M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
20841 58M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1464 217K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 75389 packets, 68M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
15646 18M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
75404 68M OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens256 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_trusted all -- ens192 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens256 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_trusted all -- * ens192 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_trusted (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_trusted_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_trusted_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_trusted_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_trusted_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_trusted_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_trusted_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_trusted (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_trusted_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_trusted_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_trusted_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_trusted_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_trusted_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_trusted_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
1555 223K IN_public all -- ens256 * 0.0.0.0/0 0.0.0.0/0 [goto]
19283 58M IN_trusted all -- ens192 * 0.0.0.0/0 0.0.0.0/0 [goto]
3 541 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
1558 223K IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1558 223K IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1558 223K IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
2 233 ACCEPT all -- * * 172.18.238.65 0.0.0.0/0
90 5615 ACCEPT all -- * * 172.18.238.66 0.0.0.0/0
0 0 ACCEPT all -- * * 172.18.238.67 0.0.0.0/0
0 0 ACCEPT all -- * * 172.18.238.68 0.0.0.0/0
0 0 ACCEPT all -- * * 172.18.238.69 0.0.0.0/0
1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1521 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain IN_trusted (1 references)
pkts bytes target prot opt in out source destination
19283 58M IN_trusted_log all -- * * 0.0.0.0/0 0.0.0.0/0
19283 58M IN_trusted_deny all -- * * 0.0.0.0/0 0.0.0.0/0
19283 58M IN_trusted_allow all -- * * 0.0.0.0/0 0.0.0.0/0
19283 58M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_trusted_allow (1 references)
pkts bytes target prot opt in out source destination
Chain IN_trusted_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_trusted_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
6)补充命令
#查看防火墙规则(只显示默认区域的策略，默认区域通常是 public，对应 /etc/firewalld/zones/public.xml)
firewall-cmd --list-all
#查看所有的防火墙策略(即显示/etc/firewalld/zones/下的所有策略)
firewall-cmd --list-all-zones