Configuration process of dual Network Card Firewalld under Linux (recommended)

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

The laboratory's mimic storage project needs to separate internal-network and external-network services through an LVS server running in LVS-NAT mode, so the focus of security protection is the LVS server itself. The author eventually chose to open the required port through firewalld. Since firewalld differs considerably from the traditional iptables tooling used on Linux, the configuration process is recorded here in this post.

1. Brief introduction to the firewalld service:

Firewalld provides a dynamically managed firewall to support the rules of different network areas and assign a certain degree of trust to a network and its associated links and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has separate run time and permanent configuration options. It also has an interface to a service or application to directly add firewall rules.

The above is the description from the official Red Hat documentation, and it reads rather abstractly. So the author briefly explains here how firewalld is positioned differently from traditional iptables:

Dynamic firewall

Firewalld provides a dynamic firewall service. Configuration changes can be made immediately at any time, without saving or reloading the whole rule set. With iptables, each individual change means flushing all old rules and reading all new rules back in, so firewalld's approach is relatively more flexible.

Zone isolation

Firewalld provides zone isolation, which is similar to the distinction between public and private networks in Windows: different network rule services can be realized by configuring the corresponding rules in different zones. Through zone-based rules, the firewall's work becomes more flexible.

As shown in the figure, firewalld is essentially an abstraction layer built on top of the native iptables firewall: it uses the functions of iptables by generating rules, so the two firewalls work in parallel, and in the end both rely on the kernel's netfilter to filter network packets. Firewalld simplifies the firewall's workflow (the traditional iptables "four tables and five chains" really is complicated enough).

2. System environment:

As shown in the figure below, the firewalld firewall needs to be deployed on the LVS server. Here the author only briefly goes over the role of the LVS server:

System platform: CentOS 7

LVS server: dual network card

Public network address: 219.223.199.154

Internal network address: 192.168.1.17

Back-end servers:

Server A: 192.168.1.11

Server B: 192.168.1.14

Here the only port that needs to be opened on the public address is port 10086, through which traffic is forwarded. The internal address, on the other hand, is not restricted at all, because we regard the internal network as a secure environment.

3. Configuration process:

Firewalld can be configured in three ways:

firewall-config

A graphical user interface configuration tool

firewall-cmd

A command-line configuration tool

Static XML file configuration

The configuration of firewalld is stored in XML files under the /etc/firewalld/ directory. You can configure the firewall by viewing and editing these XML files.

Next, the author's configuration process is mainly based on the firewall-cmd command. First, start the firewalld service:

systemctl start firewalld.service    # start the firewalld service

Next, open the corresponding TCP port on the external network card. Here the author chooses the public zone, which means the port is opened on both network cards at the same time.

firewall-cmd --zone=public --add-port=10086/tcp --permanent

This command adds port 10086 to the public zone, and the trailing parameter, --permanent, makes the addition permanent: the rule is written so that it still takes effect after a later restart. Firewalld supports the following zones and filtering rules; for the different configurations, see below:

Zones

drop: discard all incoming packets without giving any response

block: reject all externally initiated connections, allow internally initiated connections

public: allow specified inbound connections

external: ditto, with masquerading of incoming connections; generally used for routing and forwarding

dmz: allow restricted inbound connections

work: allow restricted inbound connections from trusted computers, similar to a workgroup

home: ditto, similar to a homegroup

internal: ditto; scope for all Internet users

trusted: trust all connections

Filtering rules

source: filter by source address

interface: filter by network card

service: filter by service name

port: filter by port

icmp-block: ICMP message filter

masquerade: IP address masquerading

forward-port: port forwarding

rule: custom rule

Then configure the forwarding mechanism through LVS. The following figure shows the forwarding configured through ipvsadm:

An attempt was made to connect to the public IP address 219.223.199.154 on port 10086, and it was found that the back-end servers' service, that is, the service running on 192.168.1.11 and 192.168.1.14, could not be reached.

After running the ipvsadm -lcn command, it turns out that there is a problem with forwarding on the private network:

By capturing packets, it was found that the LVS server's traffic on the private network card 192.168.1.17 was being blocked, so continue by opening the internal network card through firewall-cmd, adding the internal network card to the trusted zone:

firewall-cmd --zone=trusted --add-interface=enp3s0

You can then see that the corresponding private-network NIC has been added to the trusted zone; the trusted zone lets all traffic through. Because the private network is a relatively secure environment, this has no great impact. Run:

firewall-cmd --list-all-zones

This command shows the resulting configuration of firewalld. Both the public and trusted zones are active, and the public network service can now reach the port service on the private network normally.
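As an added example (these are not the post's own commands), the whole procedure above gathered into one script, together with the check the post leaves out: a rule added with --permanent is written under /etc/firewalld but is not loaded into the running firewall until a --reload, so the script reloads and then queries the runtime configuration rather than the permanent one. The public NIC name enp2s0, the FWCMD variable and the sample --list-all-zones output are assumptions (the post only names the internal NIC enp3s0); setting FWCMD=echo lets the script be dry-run on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the original post: apply and verify the dual-NIC
# firewalld layout (public zone for the external NIC with port 10086/tcp open,
# trusted zone for the internal NIC). FWCMD=echo gives a dry run.
FWCMD="${FWCMD:-firewall-cmd}"
PUBLIC_IF="${PUBLIC_IF:-enp2s0}"      # assumption: name of the external NIC
INTERNAL_IF="${INTERNAL_IF:-enp3s0}"  # internal NIC named in the post
SERVICE_PORT="${SERVICE_PORT:-10086/tcp}"

# Write the permanent configuration, then reload so it becomes the runtime rule set.
# Without --reload a --permanent change is stored on disk but not enforced yet.
apply_firewall() {
    "$FWCMD" --permanent --zone=public --change-interface="$PUBLIC_IF"
    "$FWCMD" --permanent --zone=public --add-port="$SERVICE_PORT"
    "$FWCMD" --permanent --zone=trusted --change-interface="$INTERNAL_IF"
    "$FWCMD" --reload
}

# Check the *runtime* configuration (no --permanent), i.e. what is enforced now:
# the port must be open in public and the internal NIC must sit in trusted.
verify_firewall() {
    "$FWCMD" --zone=public --query-port="$SERVICE_PORT" >/dev/null || return 1
    [ "$("$FWCMD" --get-zone-of-interface="$INTERNAL_IF")" = "trusted" ] || return 1
}

# Read `firewall-cmd --list-all-zones` output on stdin and print only the active
# zones, one per line. Zone headers start in column 0 and end with "(active)"
# (or "(default, active)" on newer releases); their settings are indented.
active_zones() {
    sed -n '/^[a-z0-9_-]* (.*active)$/s/ (.*//p'
}

# Constructed, abridged sample of --list-all-zones output for an offline check.
SAMPLE_ZONES='block
  target: %%REJECT%%
public (active)
  target: default
  interfaces: enp2s0
  services: dhcpv6-client ssh
  ports: 10086/tcp
trusted (active)
  target: ACCEPT
  interfaces: enp3s0
'

# Run on the LVS server as: ./fw.sh apply   (verify-only: ./fw.sh verify)
case "${1:-}" in
    apply)  apply_firewall && verify_firewall && echo "firewall configured" ;;
    verify) verify_firewall && echo "firewall ok" ;;
    *)      printf '%s' "$SAMPLE_ZONES" | active_zones ;;
esac
```

Checking the runtime state after the reload is the step that catches the classic mistake of adding a rule with --permanent, forgetting --reload, and concluding that firewalld "does not work"; the trusted-zone query also confirms the interface assignment actually survived the reload.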

You can see that in the public zone settings above, the ssh and dhcpv6-client services are listed. In firewalld, you can release the corresponding content directly through a service, that is, the service parameter mentioned above. The detailed service definitions live in the directory /usr/lib/firewalld/services. Let us open the definition of the ssh service mentioned above:

As can be seen from the configuration above, the so-called service configuration of the firewall is itself carried out by listing protocols and ports, only packaged in the logic of a service. As to which form to use, everyone has their own opinion.
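To show the service form in practice, here is an added example (not from the post) that packages the post's port 10086/tcp as a named firewalld service instead of opening the bare port. The service name lvs-storage and the FWCMD variable are assumptions; the XML layout mirrors the stock definitions under /usr/lib/firewalld/services such as ssh.xml, and a user-supplied definition of the same name under /etc/firewalld/services takes precedence over the stock one.

```shell
#!/bin/sh
# Added example, not from the original post: define port 10086/tcp as a named
# firewalld service and enable it in the public zone. FWCMD=echo gives a dry run.
FWCMD="${FWCMD:-firewall-cmd}"
SERVICE_NAME="${SERVICE_NAME:-lvs-storage}"   # assumption: hypothetical service name

# Emit the service definition on stdout; same layout as the stock ssh.xml.
service_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>LVS storage front end</short>
  <description>TCP port forwarded by LVS-NAT to the back-end storage servers.</description>
  <port protocol="tcp" port="10086"/>
</service>
EOF
}

# Extract "port/protocol" pairs from a service definition read on stdin, one per
# line. Useful for auditing what a service really opens before enabling it.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p'
}

# Register the definition (firewalld copies it into /etc/firewalld/services),
# enable it in the public zone and reload so the runtime rule set picks it up.
install_service() {
    tmp=$(mktemp)
    service_xml > "$tmp"
    "$FWCMD" --permanent --new-service-from-file="$tmp" --name="$SERVICE_NAME"
    rm -f "$tmp"
    "$FWCMD" --permanent --zone=public --add-service="$SERVICE_NAME"
    "$FWCMD" --reload
}

# Run as: ./svc.sh install   (or ./svc.sh ports to list what the service opens)
case "${1:-}" in
    install) install_service && echo "service $SERVICE_NAME enabled in public" ;;
    *)       service_xml | service_ports ;;
esac
```

The advantage over --add-port is that the zone listing then names the workload ("lvs-storage") rather than an anonymous port number, and the port can be changed in one place without touching zone configuration.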

Summary

This post sorted out the configuration process of firewalld on a dual-NIC server under LVS. Debian-series distributions are more or less the same, except that the firewalld tool needs to be installed with apt-get. If there are any omissions in the above, I hope readers will offer some advice.
