2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
This article mainly introduces the relevant knowledge of "how to use iptables and firewalld to manage the firewall". The editor shows you the operation process through the actual case. The operation method is simple, fast and practical. I hope this article "how to use iptables and firewalld to manage the firewall" can help you solve the problem.
Firewalls
A firewall is a set of rules. When a packet enters or leaves a protected network area, the content in and out, especially information about its source, destination, and protocol used, is detected according to firewall rules to determine whether it is allowed to pass. Here is a simple example:
* Firewalls can filter requests based on protocols or target-based rules. *
On the one hand, iptables is a tool for managing firewall rules on Linux machines.
On the other hand, firewalld is also a tool for managing firewall rules on Linux machines.
Well, I admit the whole thing is a little funny, so let me explain. It all starts with Netfilter, which controls access to the network stack at the Linux kernel module level. For decades, the main command-line tool for managing Netfilter hooks was the iptables rule set.
Because the syntax required to invoke these rules seems a bit obscure, various user-friendly implementations, such as ufw and firewalld, have been introduced as higher-level Netfilter interpreters. However, ufw and firewalld are mainly designed to solve the problems faced by individual computers. Building a full range of network solutions usually requires iptables, or since 2014, its replacement nftables (nft command line tool).
Iptables has not disappeared and is still widely used. In fact, as an administrator, you should expect to use iptables to protect networks for many years to come. But nftables adds some important new features while building on the classic Netfilter toolset.
From now on, I'll show you how firewalld and iptables solve simple connection problems with examples.
Configure HTTP access using firewalld
As you can guess from its name, firewalld is part of the systemd family. Firewalld can be installed on Debian/Ubuntu machines, and it is installed by default on RedHat and CentOS. If you try to reach your site and find it is not accessible, that is firewalld at work.
You can use the firewall-cmd tool to manage firewalld settings from the command line. Adding the --state parameter returns the status of the current firewall:
# firewall-cmd --state
running
By default, firewalld is running and rejects all incoming traffic, with a few exceptions, such as SSH. This means that your site will not have too many visitors, which will undoubtedly save you a lot of data transmission costs. However, this is not what you want from a web server: you want to open the HTTP and HTTPS ports, which are traditionally 80 and 443, respectively. Firewalld provides two ways to do this. One is through the --add-port parameter, which refers directly to the port number and the network protocol it will use (in this case, TCP). The other is through the --permanent parameter, which tells firewalld to load this rule each time the server starts:
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permanent --add-port=443/tcp
The --reload parameter applies these rules to the current session:
# firewall-cmd --reload
To view the settings on the current firewall, run --list-services:
# firewall-cmd --list-services
dhcpv6-client http https ssh
Assuming you have added browser access as described above, the HTTP, HTTPS, and SSH ports should now be open, alongside dhcpv6-client, which allows Linux to request IPv6 addresses from the local DHCP server.
Configure locked customer kiosks using iptables
I'm sure you've seen kiosks: tablets, touchscreens and boxed ATM-style computers at airports, libraries and businesses that invite customers and passers-by to browse content. The problem with most kiosks is that you usually don't want users to treat them as their own devices as if they were at home. They are not meant for browsing, watching YouTube videos or launching denial-of-service attacks on the Pentagon. Therefore, to make sure they are not abused, you need to lock them down.
One way is to apply some kind of kiosk mode, whether through clever use of the Linux display manager or control at the browser level. But to make sure you've plugged all the loopholes, you may also want to add some hard network controls through the firewall. In the next section, I'll show you how to do this using iptables.
There are two important things to keep in mind about using iptables: the order in which you give the rules is critical, and the iptables rules themselves will not survive a restart. I will explain each of these in turn.
Information kiosk project
To illustrate all this, let's imagine that we work for a large chain store called BigMart. They have been around for decades; in fact, our imaginary grandparents may have been shopping there and growing up there. But these days, people at BigMart's headquarters may just be counting the time Amazon will kick them out forever.
Nevertheless, BigMart's IT department is doing its best to provide solutions, and they have issued you some WiFi-enabled kiosk devices that you use in strategic locations throughout the store. The idea is to log in to the BigMart.com product page and allow you to find product features, aisle locations, and inventory levels. The kiosk also allows access to bigmart-data.com, where a lot of image and video media information is stored.
In addition, you need to allow downloading of package updates. Finally, you want to allow access to SSH only from your local workstation and prevent others from logging in. The following figure shows how it will work:
* the business flow of information kiosks is controlled by iptables. *
Script
Here is the content of the Bash script:
#!/bin/bash
# Outbound: allow TCP to the BigMart sites and the Ubuntu update servers
iptables -A OUTPUT -p tcp -d bigmart.com -j ACCEPT
iptables -A OUTPUT -p tcp -d bigmart-data.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ubuntu.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ca.archive.ubuntu.com -j ACCEPT
# ...then drop every other outbound HTTP and HTTPS request
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# Inbound SSH: accepted only from the local workstation, dropped from anywhere else
iptables -A INPUT -p tcp -s 10.0.3.1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP
Let's start with the basic rule: -A tells iptables that we want to append a rule. OUTPUT means that this rule should be part of the OUTPUT chain. -p means that the rule applies only to packets of the TCP protocol, and -d tells us that the destination address is bigmart.com. The -j parameter gives the action to take when a packet matches the rule, here ACCEPT. So the first rule allows (or accepts) a request. Further down, you can see rules that drop (or reject) requests.
The order of the rules is very important, because iptables walks through the rules for a request, one by one, until it finds one that matches. An outgoing browser request to bigmart.com is passed because it matches the first rule, but a request to any other site reaches the --dport 80 or --dport 443 rule, depending on whether it is an HTTP or HTTPS request, and is dropped there. Once a match is found, iptables checks no further.
On the other hand, a system request for a software upgrade from ubuntu.com will be passed because it matches its own rule higher up. Clearly, what we are doing here is allowing HTTP or HTTPS requests only to our BigMart or Ubuntu destinations, and to nowhere else.
The last two rules handle SSH requests. Because SSH uses port 22 rather than 80 or 443, the two DROP rules above do not reject it. In this case, login requests from my workstation will be accepted, but requests from anywhere else will be denied. Of course, this is no big deal, because in the current configuration you need only restart the server and all the iptables rules will be lost. If you use an LXC container as the server and log in from the LXC host, connect to the container using the host IP address instead of its public address.
If the IP of the machine changes, remember to update this rule; otherwise, you will be denied access.
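To see the "first match wins" walk described above in action, here is an added example (not code from the original article) that evaluates constructed packets against a rule list shaped like the kiosk script. It handles only the matchers the script uses (-A, -p, -s, -d, --dport, -j); the destinations are literal TEST-NET addresses rather than hostnames, because iptables resolves a name such as bigmart.com to addresses once, when the rule is loaded, and the default ACCEPT chain policy is assumed, as the script leaves it unchanged.

```shell
#!/bin/bash
# Added example, not from the original article: walk a constructed rule list
# the way iptables does (top to bottom, first match wins) to show why the
# order of the kiosk rules matters. Addresses below are constructed.

# Same shape as the kiosk script, with constructed addresses.
KIOSK_RULES='-A OUTPUT -p tcp -d 203.0.113.10 -j ACCEPT
-A OUTPUT -p tcp -d 203.0.113.20 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j DROP
-A OUTPUT -p tcp --dport 443 -j DROP
-A INPUT -p tcp -s 10.0.3.1 --dport 22 -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP'

# The same OUTPUT rules with the two DROP lines moved above the ACCEPT lines.
WRONG_ORDER_RULES='-A OUTPUT -p tcp --dport 80 -j DROP
-A OUTPUT -p tcp --dport 443 -j DROP
-A OUTPUT -p tcp -d 203.0.113.10 -j ACCEPT
-A OUTPUT -p tcp -d 203.0.113.20 -j ACCEPT'

# verdict RULES CHAIN PROTO SRC DST DPORT
# Prints the target of the first rule that matches, or ACCEPT when none does
# (the default chain policy, which the kiosk script leaves unchanged).
verdict() {
  rules=$1 chain=$2 proto=$3 src=$4 dst=$5 dport=$6
  hit=$(printf '%s\n' "$rules" | while read -r line; do
    r_chain= r_proto= r_src= r_dst= r_dport= r_target=
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in
        -A) r_chain=$2; shift 2 ;;
        -p) r_proto=$2; shift 2 ;;
        -s) r_src=$2; shift 2 ;;
        -d) r_dst=$2; shift 2 ;;
        --dport) r_dport=$2; shift 2 ;;
        -j) r_target=$2; shift 2 ;;
        *) shift ;;
      esac
    done
    [ "$r_chain" = "$chain" ] || continue
    [ -z "$r_proto" ] || [ "$r_proto" = "$proto" ] || continue
    [ -z "$r_src" ] || [ "$r_src" = 0.0.0.0/0 ] || [ "$r_src" = "$src" ] || continue
    [ -z "$r_dst" ] || [ "$r_dst" = "$dst" ] || continue
    [ -z "$r_dport" ] || [ "$r_dport" = "$dport" ] || continue
    echo "$r_target"   # first match wins: stop walking the chain
    break
  done)
  echo "${hit:-ACCEPT}"
}
```

Running verdict on an outbound packet to port 22 shows the script's DROP rules only cover ports 80 and 443; anything else outbound still falls through to the chain policy.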
Playing along at home (on some kind of disposable virtual machine)? Great. Create your own script. Now I can save the script, use chmod to make it executable, and run it with sudo. Don't worry about errors like "igmart-data.com couldn't be found"; of course not, it doesn't exist.
chmod +x scriptname.sh
sudo ./scriptname.sh
You can use the cURL command line to test the firewall. The request for ubuntu.com works, but the request for manning.com fails.
curl ubuntu.com
curl manning.com
Configure iptables to load at system startup
Now, how do I make these rules load automatically every time the kiosk starts? The first step is to save the current rules with the iptables-save tool. This writes a file containing the rule list into root's home directory (/root). The output is piped into the tee command, which is run under sudo a second time so that the file can actually be written into the otherwise restricted /root directory.
Then I can tell the system to run a related tool called iptables-restore every time it starts. The regular cron jobs we saw in the previous chapter are not suitable, because they run at a set time, and we don't know when our computers may decide to crash and restart.
There are many ways to deal with this problem. Here is one:
On my Linux machine, I will install a program called anacron, which provides a file called anacrontab in the /etc/ directory. I'll edit the file and add the iptables-restore command, telling it to load the current contents of that .rules file. When booted, the rules are loaded into iptables at 01:01 every day (if necessary). (LCTT translation note: anacron runs the cron tasks that were missed because the machine was not running, so even if the machine is not up at 01:01, the task will be performed as soon as possible after it starts.) I will give the task an identifier (iptables-restore) and then add the command itself. If you are doing this with me at home, you should test it by rebooting the system.
sudo iptables-save | sudo tee /root/my.active.firewall.rules
sudo apt install anacron
sudo nano /etc/anacrontab
1 1 iptables-restore iptables-restore < /root/my.active.firewall.rules
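One check worth adding to the boot-time procedure above, as an added example that is not part of the original article: if iptables-restore rejects the saved file when anacron runs it, the kiosk simply comes up with no rules, so it pays to verify the file before wiring it in, and to add the anacrontab entry only once. The file and anacrontab paths are parameters (in real use /root/my.active.firewall.rules and /etc/anacrontab, written with sudo); the shape of iptables-save output (a "*filter" header, "-A" rules, a COMMIT line) is a known property of that tool.

```shell
#!/bin/bash
# Added example, not from the original article: check that a file written by
# iptables-save is something iptables-restore will accept before pointing the
# anacron job at it, and add the anacrontab line only once.

# check_saved_rules FILE: return 0 when FILE looks like iptables-save output
# (a "*filter" table header, at least one "-A" rule, and a COMMIT line).
check_saved_rules() {
  f=$1
  [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
  grep -q '^\*filter$' "$f" || { echo "no *filter table in $f" >&2; return 1; }
  grep -q '^-A ' "$f" || { echo "no -A rules in $f" >&2; return 1; }
  grep -q '^COMMIT$' "$f" || { echo "no COMMIT line in $f" >&2; return 1; }
  return 0
}

# install_restore_job FILE ANACRONTAB: append the article's anacrontab entry
# (period 1, delay 1, job identifier iptables-restore) unless it is already
# there. Prints "added" or "present" so the caller can tell which happened.
install_restore_job() {
  f=$1 tab=$2
  job="1 1 iptables-restore iptables-restore < $f"
  check_saved_rules "$f" || return 1
  if grep -qF -- "$job" "$tab" 2>/dev/null; then
    echo present
  else
    printf '%s\n' "$job" >> "$tab"
    echo added
  fi
}
```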