How to use the iptables and firewalld tools to manage Linux firewall connection rules

2025-02-25 Update. From: SLTechnology News & Howtos (shulou) > Servers

Shulou (Shulou.com) 06/01 Report

The editor shares here how to use the iptables and firewalld tools to manage Linux firewall connection rules. Most people are not very familiar with this, so the article is offered for reference; I hope you learn something useful from it. Let's get started.

Firewalls

A firewall is a set of rules. When a packet enters or leaves the protected network space, its contents (in particular its source address, destination address and protocol) are tested against the firewall rules to decide whether the packet should be allowed through. Here is a simple example:

Figure: a firewall can filter requests using protocol-based or destination-based rules.

On the one hand, iptables is a tool for managing firewall rules on a Linux machine. On the other hand, firewalld is also a tool for managing firewall rules on a Linux machine. Confused yet? What if I told you there is a third tool, called nftables?

Well, I admit the whole thing smells a little odd, so let me explain. It all starts with Netfilter, which controls access to the network stack at the Linux kernel module level. For many years the main command-line tool for managing Netfilter hooks was iptables.

Because the syntax needed to express these rules can be a bit cryptic, friendlier front ends appeared, among them UFW and firewalld, which act as higher-level interpreters for Netfilter. However, UFW and firewalld are mainly designed for the problems of a stand-alone host. Building full-scale network solutions often requires the additional capabilities of iptables, or of its successor nftables (driven by the nft command-line tool), which arrived in the kernel in 2014.

iptables is not going anywhere and is still widely used; in fact, you will keep running into iptables-protected networks in administration work for many years to come. But nftables adds some important new features to the classic Netfilter toolset, and on recent distributions the iptables command is frequently a compatibility front end (iptables-nft) that writes nftables rules underneath, while firewalld itself uses nftables as its default backend.

From now on, I'll demonstrate how Firewalld and iptables solve simple connection problems with examples.

Configure HTTP access using Firewalld

As you might guess from its name, firewalld is a daemon, and it runs as a systemd service. firewalld can be installed on Debian/Ubuntu machines, but it is the default on Red Hat Enterprise Linux and CentOS. If you have a web server such as Apache running on the machine, you can confirm that the firewall is working by browsing to the server's web root. If the site is unreachable, firewalld is doing its job.

You manage firewalld settings on the command line with the firewall-cmd tool. Add the --state parameter to return the current firewall status:

# firewall-cmd --state
running

By default firewalld is active and rejects all incoming traffic, with a few exceptions such as SSH. That means your website will not get many visitors, which certainly saves on data transfer costs. Since that is probably not what you have in mind for a web server, you need to open the HTTP and HTTPS ports, which by convention are 80 and 443. firewalld gives you two ways to do this. One is the --add-port parameter, which names the port number and the protocol it will use (here, TCP); the other is --add-service, which names a service (http, https) whose ports firewalld already knows. The --permanent parameter tells firewalld to write the rule into its saved configuration so it is loaded every time the server starts; a command run without --permanent changes only the running firewall and is lost at the next reload or reboot:

# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permanent --add-port=443/tcp

A --permanent change on its own does not touch the running firewall; the --reload parameter loads the saved configuration into the current session:

# firewall-cmd --reload

Curious about the firewall's current settings? Run --list-services (ports opened with --add-port are shown by --list-ports rather than here, and --list-all prints everything for the zone):

# firewall-cmd --list-services
dhcpv6-client http https ssh

Assuming you added the web access described above as services (--add-service=http and --add-service=https), the HTTP, HTTPS and SSH services are now open, alongside dhcpv6-client, which lets the host request an IPv6 address from the local DHCPv6 server.

Configure locked customer kiosks using iptables

I'm sure you've seen kiosks: tablets, touchscreens and ATM-like PCs in malls, airports, libraries and business centers everywhere, inviting customers and passers-by to browse their content. What sets most kiosks apart is that you don't want users treating them like their own devices at home. They are not meant for general browsing, watching YouTube videos or launching denial-of-service attacks on the Pentagon. So, to make sure they are not abused, you need to lock them down.

One approach is some kind of kiosk mode, whether through clever use of the Linux display manager or at the browser level. But to be sure every hole is plugged, you will probably also want to add hard network controls through the firewall. In the next section I'll show how to do that with iptables.

There are two important things to remember about iptables: the order of your rules is critical, and on their own iptables rules do not survive a reboot. I'll come back to both points.

The kiosk project

To illustrate all this, let's imagine we work for a large chain store called BigMart. They have been around for decades; in fact, our imaginary grandparents probably grew up shopping there. But these days, the people at BigMart headquarters are probably just counting the hours until Amazon (AMZN) puts them out of business for good.

Nevertheless, BigMart's IT department is doing its best, and they have just sent you some WiFi-ready information kiosks to install at strategic locations around the store. The idea is that each one shows a web browser logged into the BigMart.com product pages, letting customers look up product features, aisle locations and stock levels. The kiosks also need access to bigmart-data.com, where much of the image and video media is stored.

In addition, you want to allow software updates and package downloads when necessary. Finally, you want to allow inbound SSH only from your local workstation and block everyone else. The following figure shows how all this fits together:

Figure: the kiosk's traffic flow is controlled by iptables.

Script

Here's how to put all of this into a Bash script:

#!/bin/bash
# Outbound web traffic: allow only the BigMart sites and the Ubuntu update servers
iptables -A OUTPUT -p tcp -d bigmart.com -j ACCEPT
iptables -A OUTPUT -p tcp -d bigmart-data.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ubuntu.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ca.archive.ubuntu.com -j ACCEPT
# Any other HTTP/HTTPS destination is dropped
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
# Inbound SSH: only from the administrator's workstation
iptables -A INPUT -p tcp -s 10.0.3.1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP

The basic anatomy of our rules: -A tells iptables to append the rule that follows to a chain, and OUTPUT names that chain, so the rule applies to packets leaving the machine. -p tcp restricts the rule to packets using the TCP protocol, and -d says the destination is bigmart.com. The -j flag names the target, the action taken when a packet matches the rule: in the first rule that is ACCEPT, so matching requests are allowed through. Further down you can see requests that are dropped instead (DROP silently discards the packet; the REJECT target would send an error back to the sender).

Remember, order matters. iptables walks each packet down the chain rule by rule and stops at the first rule that matches. So an outbound browser request to, say, youtube.com passes the first four rules without matching, but when it reaches the --dport 80 or --dport 443 rule (depending on whether it is an HTTP or an HTTPS request) it is dropped. iptables doesn't bother checking any further, because it has its match. A packet that matches no rule at all falls through to the chain's default policy, which is ACCEPT unless you change it, so this script leaves every other outbound port alone. Two further caveats: a hostname given to -d is resolved once, when the rule is added, so if bigmart.com later moves to a new address the ACCEPT rule no longer matches it; and because -A appends, running the script a second time adds a duplicate set of rules (flush the chains with iptables -F first, or load the rules with iptables-restore instead).

On the other hand, if the system requests a software upgrade from ubuntu.com, it passes as soon as it hits the matching ACCEPT rule. So what we are doing here is allowing HTTP or HTTPS requests only to our BigMart and Ubuntu destinations and to nothing else.

The last two rules handle incoming SSH requests. They sit in the INPUT chain, and since they use port 22 rather than 80 or 443 the two DROP rules above have nothing to do with them. Here, a login request from my workstation is accepted and a request from anywhere else is dropped. This is important: make sure the IP address in the port 22 rule matches the address of the machine you log in from; otherwise you will lock yourself out immediately. Of course, that is no disaster in the current configuration, since a restart of the server removes the iptables rules. If you use an LXC container as your server and log in from the LXC host, use the address the host uses to reach the container, not its public address.

If your workstation's IP address changes, remember to update this rule; otherwise you will be locked out.
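To make the first-match behaviour concrete, here is an added example (not part of the original article) in Python that parses the kiosk script above into per-chain rule lists and walks a few constructed packets through them, reporting which rule, or the chain policy, decided each one. The addresses, the DNS answers frozen into the rules and the test packets are all constructed for the example, and the subset of iptables syntax it understands is just the options the script uses.

```python
"""Added example: first-match evaluation of the kiosk iptables ruleset."""
import ipaddress
import shlex

# Constructed stand-in for what DNS answered when the script ran. iptables
# resolves a hostname given to -s/-d once, at rule-insertion time, and stores
# the resulting addresses; if the site later moves, the rule no longer matches.
DNS_AT_LOAD_TIME = {
    "bigmart.com": ["203.0.113.10"],
    "bigmart-data.com": ["203.0.113.20", "203.0.113.21"],
    "ubuntu.com": ["198.51.100.5"],
    "ca.archive.ubuntu.com": ["198.51.100.6"],
}

# The rules from the kiosk script, in the order the script appends them.
KIOSK_SCRIPT = """
iptables -A OUTPUT -p tcp -d bigmart.com -j ACCEPT
iptables -A OUTPUT -p tcp -d bigmart-data.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ubuntu.com -j ACCEPT
iptables -A OUTPUT -p tcp -d ca.archive.ubuntu.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp -s 10.0.3.1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -j DROP
"""


def _networks(value, dns):
    """Expand one -s/-d value into the network(s) iptables would store for it."""
    if value is None:
        return [None]  # option absent: the rule matches any address
    try:
        return [ipaddress.ip_network(value, strict=False)]
    except ValueError:  # not an address or CIDR, so treat it as a hostname
        return [ipaddress.ip_network(addr) for addr in dns[value]]


def parse_rules(script, dns=DNS_AT_LOAD_TIME):
    """Turn `iptables -A CHAIN ...` lines into per-chain, in-order rule lists."""
    chains = {"INPUT": [], "OUTPUT": []}
    keys = {"-p": "proto", "-s": "src", "-d": "dst", "-j": "target"}
    for line in script.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "iptables":
            continue
        chain = None
        rule = {"proto": None, "src": None, "dst": None, "dport": None, "target": None}
        for opt, val in zip(toks[1::2], toks[2::2]):  # every option used here takes a value
            if opt == "-A":
                chain = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt in keys:
                rule[keys[opt]] = val
            else:
                raise ValueError(f"option {opt!r} is outside this example's subset")
        # A hostname with N addresses becomes N consecutive rules, as in iptables.
        for src in _networks(rule["src"], dns):
            for dst in _networks(rule["dst"], dns):
                chains[chain].append({**rule, "src": src, "dst": dst})
    return chains


def evaluate(chain_rules, pkt, policy="ACCEPT"):
    """Walk one chain top to bottom; return (verdict, 1-based rule number).

    The first rule whose every criterion matches decides and nothing below it
    is consulted. A packet matching no rule gets the chain policy (number None).
    """
    for number, rule in enumerate(chain_rules, 1):
        if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
            continue
        if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
            continue
        if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
            continue
        return rule["target"], number
    return policy, None


def kiosk_verdicts():
    """Run constructed packets through the kiosk ruleset; all addresses are made up."""
    chains = parse_rules(KIOSK_SCRIPT)
    kiosk, workstation, stranger, video = "10.0.3.50", "10.0.3.1", "10.0.3.99", "198.51.100.200"
    cases = {
        "https to bigmart.com": ("OUTPUT", dict(proto="tcp", src=kiosk, dst="203.0.113.10", dport=443)),
        "http to ca.archive.ubuntu.com": ("OUTPUT", dict(proto="tcp", src=kiosk, dst="198.51.100.6", dport=80)),
        "https to a video site": ("OUTPUT", dict(proto="tcp", src=kiosk, dst=video, dport=443)),
        "ssh from the workstation": ("INPUT", dict(proto="tcp", src=workstation, dst=kiosk, dport=22)),
        "ssh from anywhere else": ("INPUT", dict(proto="tcp", src=stranger, dst=kiosk, dport=22)),
        # Nothing in the script mentions UDP or port 8080: these reach the chain policy.
        "dns to 8.8.8.8": ("OUTPUT", dict(proto="udp", src=kiosk, dst="8.8.8.8", dport=53)),
        "tcp 8080 to a video site": ("OUTPUT", dict(proto="tcp", src=kiosk, dst=video, dport=8080)),
        # bigmart.com moved to a new address after the rules were loaded.
        "https to bigmart.com's new IP": ("OUTPUT", dict(proto="tcp", src=kiosk, dst="203.0.113.99", dport=443)),
    }
    return {name: evaluate(chains[chain], pkt) for name, (chain, pkt) in cases.items()}
```

Calling kiosk_verdicts() shows the video-site request dropped by rule 7 of OUTPUT while the apt download is accepted by rule 5 (bigmart-data.com's two addresses became two rules, which is why the numbering is shifted), SSH accepted from 10.0.3.1 and dropped from everyone else, and the UDP DNS query and the port 8080 request reaching the chain policy untouched. That last gap is what a stricter kiosk ruleset would close by ending the OUTPUT chain with a catch-all DROP; the request to bigmart.com's new address shows why a hostname-based ACCEPT needs re-loading whenever the site's addresses change.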

Playing along at home (hopefully on a throwaway VM)? Great. Create your own script. Save it, make it executable with chmod, and run it with sudo. Don't worry about the error saying bigmart-data.com can't be found; of course it can't, it doesn't exist. iptables refuses a rule whose hostname it cannot resolve, so that one rule is simply not added.

chmod +x scriptname.sh
sudo ./scriptname.sh

You can test from the command line with cURL. The request to ubuntu.com goes through, but the one to manning.com fails:

curl ubuntu.com
curl manning.com

Configure iptables to load at system startup

Now, how do I get these rules to load automatically every time the kiosk boots? The first step is the iptables-save tool, which prints the current rules as a list on standard output. Piping that output into tee, run with sudo, is what lets it be written into a directory only root can access: /root/my.active.firewall.rules.

Then I can tell the system to run iptables-restore on that file every time it starts. A regular cron job like the ones we saw in the previous module won't help, because cron runs jobs at set times and we don't know when the machine will decide to crash and reboot.

There are many ways to deal with this. Most distributions ship a packaged one: iptables-persistent (netfilter-persistent) on Debian and Ubuntu, which restores /etc/iptables/rules.v4 at boot, or the iptables-services package on RHEL and CentOS, which restores /etc/sysconfig/iptables. Here is another:

On my Linux machine I'll install a package called anacron, which provides a file named anacrontab in /etc/. I'll edit that file and add an iptables-restore line telling anacron to load the saved rules file into iptables once a day, one minute after startup (if the job has not already run that day). The line gives the job a period (1 day), a delay (1 minute), an identifier (iptables-restore) and then the command itself. Be aware that the kiosk runs with no rules at all during that first minute after boot, which is one reason to prefer the packaged solutions above. If you're following along at home, reboot your system to test it all.

sudo iptables-save | sudo tee /root/my.active.firewall.rules
sudo apt install anacron
sudo nano /etc/anacrontab

Add this line to /etc/anacrontab:

1 1 iptables-restore iptables-restore < /root/my.active.firewall.rules

I hope these practical examples have shown how to use iptables and Firewalld to manage connections on Linux-based firewalls.
