
Detailed explanation of firewalld firewall configuration: address masquerading and port forwarding to ensure Linux system security

2025-02-21 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

The earlier article on securing a Linux system with the firewalld firewall covered firewalld in detail and showed how to write some relatively simple firewall rules. A Linux firewall can also act as a router (gateway), and the NAT functions of a router can likewise be implemented with the Linux firewall. Address masquerading and port forwarding are the NAT techniques used on routers.

I. A brief introduction to address masquerading and port forwarding

The firewalld firewall supports two types of NAT:

(1) Address masquerading

Address masquerading: translation based on the source address. With masquerading, the NAT device forwards packets passing through it to the intended receiver while rewriting the source address of each packet to the address of its own outbound interface. When the reply packet arrives, the destination address is changed back to the address of the original host and the packet is routed to it. Masquerading lets multiple hosts with private IP addresses on a LAN share a single public address to access the Internet; it corresponds to port multiplexing (PAT) in NAT terminology. IP masquerading supports only IPv4, not IPv6.

(2) Port forwarding

Port forwarding: translation based on the destination address, also called destination NAT or port mapping. With port forwarding, traffic arriving at a specified IP address and port is redirected to a different port on the same machine or to a port on another machine. Servers inside an enterprise generally use private addresses; port forwarding publishes such a server to the public network so that Internet users can reach it. It corresponds to static NAT in NAT terminology.

II. Advanced firewall-cmd configuration

(1) Direct rules in firewalld

Direct rule features:

Direct rules allow administrators to insert hand-written iptables, ip6tables and ebtables rules into the zones managed by firewalld, using the --direct option of firewall-cmd. Unless an insertion mode is specified explicitly, direct rules are matched before the other rules. For example, blacklisting the 192.168.0.0/24 network segment with direct rules looks like this:

[root@localhost ~]# firewall-cmd --direct --add-chain ipv4 raw blacklist
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted"
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 raw blacklist 1 -j DROP
success

That is four commands just to put the 192.168.0.0/24 network segment on a blacklist with direct rules. Far too cumbersome!

(2) Using the rich language

Rich language features:

An expressive configuration language that requires no knowledge of iptables syntax; it is used to express basic allow/deny rules, logging configuration (for syslog and auditd), port forwarding, masquerading, and rate limiting.

Rich language syntax:

rule [family="<rule family>"]
    [source address="<address>" [invert="True"]]
    [destination address="<address>" [invert="True"]]
    [<element>]
    [log [prefix="<prefix text>"] [level="<log level>"] [limit value="<rate/duration>"]]
    [audit]
    [accept | reject | drop]

Each single element of the rule can take additional parameters in the form of option=value.

Common options for rich language rules:

Any configured rich rules appear in the output of firewall-cmd --list-all and firewall-cmd --list-all-zones.

Various grammatical explanations of rich language rules:

Rich language rule configuration examples (each comment describes the command above it):

[root@localhost ~]# firewall-cmd --add-rich-rule='rule protocol value=ah accept'
success
// allow new IPv4 and IPv6 connections for the Authentication Header (AH) protocol

[root@localhost ~]# firewall-cmd --add-rich-rule='rule service name=ftp log limit value=1/m audit accept'
success
// allow new IPv4 and IPv6 connections to FTP and record them with audit, at most once per minute

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
success
// allow IPv4 connections to TFTP from the 192.168.0.0/24 network and record them in the system log, at most once per minute

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject'
success
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv6" service name="radius" accept'
success
// for the RADIUS service, reject all new IPv6 connections from 1:2:3:4:6::, logging with prefix "dns" at level "info" and at most 3 messages per minute; accept new IPv6 connections from all other sources

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.2" accept'
success
// add the source address 192.168.2.2 to the whitelist, allowing all connections from it

[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
success
// reject all traffic from the IP address 192.168.0.11 in the public zone

[root@localhost ~]# firewall-cmd --add-rich-rule='rule protocol value="esp" drop'
success
// drop all incoming IPsec ESP packets from anywhere in the default zone

[root@localhost ~]# firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
success
// in the dmz zone, accept all TCP packets from the 192.168.1.0/24 subnet to ports 7900-7905

[root@localhost ~]# firewall-cmd --zone=work --add-rich-rule='rule service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept'
success
// accept new SSH connections in the work zone and log each new connection to syslog at the notice level, at most three messages per minute

[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 service name=dns audit limit value="1/h" reject' --timeout=300
success
// for the next 5 minutes (via the --timeout=300 option), reject new connections from the subnet 192.168.2.0/24 to DNS in the default zone, and record the rejected connections in the audit system at most once per hour

firewalld checks rules in the following order: 1. direct rules; 2. rich rules; 3. zone rules.
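As an added example (not code from the article or from the firewalld project), the POSIX sh helpers below emit the rich-rule form of the subnet blacklist that section II(1) wrote as four direct rules, and of the port-forwarding NAT case from section I, validating the inputs before they reach firewall-cmd. The firewall-cmd options are real; the function names, addresses and ports are constructed sample values.

```shell
#!/bin/sh
# Added example: build firewalld rich rules for the article's two cases.
# Inputs are validated because one malformed address or port makes
# firewall-cmd reject the whole rule.

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix (IPv4 only).
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $addr in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    case $pfx in *[!0-9]*|'') return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0
    for oct in $(echo "$addr" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Accept a single port or a low-high range, both within 1-65535.
valid_port() {
    case $1 in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo=${1%%-*}; hi=${1##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Rich-rule form of the direct-rule blacklist: log once a minute, then drop.
blacklist_rule() {
    valid_ipv4_cidr "$1" || return 1
    printf 'rule family="ipv4" source address="%s" log prefix="blacklisted" level="info" limit value="1/m" drop\n' "$1"
}

# Destination NAT: traffic for $1 on $2/$3 goes to host $4 port $5 (to-addr needs masquerade on).
forward_rule() {
    valid_ipv4_cidr "$1" && valid_port "$2" && valid_ipv4_cidr "$4" && valid_port "$5" || return 1
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    printf 'rule family="ipv4" destination address="%s" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"\n' \
        "$1" "$2" "$3" "$5" "$4"
}

# Apply a rule to a zone; without firewall-cmd (not the gateway) only show what would run.
apply_rule() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "would run: firewall-cmd --zone=$1 --add-rich-rule='$2'"; return 0; }
    firewall-cmd --zone="$1" --add-rich-rule="$2"
}
# Gateway usage (commented out; run as root after: firewall-cmd --zone=public --add-masquerade):
# apply_rule public "$(blacklist_rule 192.168.0.0/24)"
# apply_rule public "$(forward_rule 203.0.113.10 80 tcp 192.168.1.10 8080)"
```

Add --permanent to the firewall-cmd call in apply_rule (and run firewall-cmd --reload) if the rules must survive a restart; as written they are runtime-only, like the examples above.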

For how to configure this in a real environment, please refer to the examples in "Linux system security configuration: firewalld firewall address masquerading and port forwarding"; you can follow along with that article!


© 2024 shulou.com SLNews company. All rights reserved.
