How to configure IP camouflage and Port forwarding in firewalld Firewall

2025-02-26 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

This article explains how to configure IP masquerading and port forwarding in the firewalld firewall. The method described here is simple, fast and practical, so let the editor take you through it.

IP address masquerading and port forwarding are both forms of NAT (Network Address Translation).

The differences between address masquerading and port forwarding are as follows:

IP address masquerading:

1. Through address masquerading, the NAT device forwards packets that pass through it to the designated receiver and, at the same time, rewrites the source address of each packet to the address of its own interface.

2. When the return packet arrives, the NAT device rewrites the destination address back to the address of the original host and routes the packet to that host.

3. Address masquerading lets multiple hosts in a local area network share a single public address to reach the Internet.

4. It is similar to port address translation (PAT) in NAT technology. IP address masquerading supports only IPv4, not IPv6.

Port forwarding:

Also called destination address translation or port mapping. With port forwarding, traffic arriving for a specified IP address and port is forwarded to a different port on the same machine or to a port on a different machine. Typically the servers on a company intranet use private addresses, and port forwarding is what publishes those private-address servers to the public network.

firewalld has the concept of a rich language. The rich language provides a mechanism for configuring complex firewall rules through a high-level language, without having to understand iptables syntax. Custom rules that cannot be expressed in firewalld's basic syntax can be expressed in this language.

Rich rules can express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting.

The firewalld configuration has a timeout facility: when a rule that carries a timeout is added to the firewall, a countdown starts for that rule, and once the countdown reaches 0 seconds the rule is removed from the runtime configuration.

This is useful when testing a more complex rule set. If the rule works as intended, we can add it again; if it does not achieve the desired effect, or even locks the administrator out of the system, the rule is deleted automatically when the timeout expires, and the operator can continue testing.

When configuring rules with firewall-cmd, append the --timeout= option at the end of the command. The help text for this option reads as follows (the unit is seconds, minutes or hours):

--timeout=<timeval>  Enable an option for timeval time, where timeval is a number followed by one of letters 's' or 'm' or 'h'. Usable for options marked with [T]
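The following POSIX shell script is an added example and not code from the article: it applies the masquerading and port-forwarding setup described above using firewall-cmd's --add-masquerade and --add-forward-port options, first as runtime rules with --timeout (so a wrong rule expires on its own, as the timeout section explains) and then permanently once verified. The zone name external, the internal server 192.168.1.10, the ports 8080 and 80, and the function names are constructed placeholders. Setting FW_DRY_RUN=1 prints the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the article: publish an intranet web server
# through firewalld masquerading and port forwarding, first as a runtime rule
# with --timeout so a mistake expires on its own, then permanently once it
# has been verified.  Zone name, addresses, ports and function names are
# constructed placeholders.  Set FW_DRY_RUN=1 to print the firewall-cmd
# invocations instead of executing them.

fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# timeval as firewall-cmd --timeout accepts it: a number, optionally followed by s, m or h
valid_timeval() { printf '%s' "$1" | grep -Eq '^[0-9]+[smh]?$'; }

# masquerading is IPv4-only, so the forwarding target must be an IPv4 address
is_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# enable_masquerade ZONE [TIMEVAL]
# With a timeout the change is runtime-only; without one it is applied to the
# runtime and the permanent configuration.
enable_masquerade() {
    zone=$1; timeval=${2:-}
    if [ -n "$timeval" ]; then
        valid_timeval "$timeval" || { echo "bad timeout: $timeval" >&2; return 1; }
        fw --zone="$zone" --add-masquerade --timeout="$timeval"
    else
        fw --zone="$zone" --add-masquerade
        fw --permanent --zone="$zone" --add-masquerade
    fi
}

# forward_port ZONE PROTO PORT TOADDR TOPORT [TIMEVAL]
# Forwarding to another host only works when masquerading is on for the zone.
forward_port() {
    zone=$1; proto=$2; port=$3; toaddr=$4; toport=$5; timeval=${6:-}
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    is_ipv4 "$toaddr" || { echo "toaddr must be an IPv4 address: $toaddr" >&2; return 1; }
    spec="port=$port:proto=$proto:toport=$toport:toaddr=$toaddr"
    if [ -n "$timeval" ]; then
        valid_timeval "$timeval" || { echo "bad timeout: $timeval" >&2; return 1; }
        fw --zone="$zone" --add-forward-port="$spec" --timeout="$timeval"
    else
        fw --zone="$zone" --add-forward-port="$spec"
        fw --permanent --zone="$zone" --add-forward-port="$spec"
    fi
}

# Typical test-then-commit sequence (runs only when FW_APPLY=1):
if [ "${FW_APPLY:-0}" = 1 ]; then
    enable_masquerade external 5m                      # expires by itself
    forward_port external tcp 8080 192.168.1.10 80 5m  # expires by itself
    # ... verify from outside, then make both permanent:
    enable_masquerade external
    forward_port external tcp 8080 192.168.1.10 80
fi
```

Run it with FW_DRY_RUN=1 FW_APPLY=1 first to review the exact commands; the IPv4 check on the forwarding target and the timeval check mirror the two restrictions the article states (masquerading is IPv4-only, and --timeout takes a number with an optional s, m or h suffix).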

firewall-cmd has four options for handling rich rules, all of which can be combined with the usual --permanent or --zone= options, as follows:

Any configured rich rules are shown in the output of firewall-cmd --list-all and firewall-cmd --list-all-zones. The syntax is explained as follows:
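As an added example that is not part of the article, the POSIX shell helper below assembles a rich rule from key=value parts and validates each part against the grammar that the examples in the next section use. It refuses a source address given without a family, a masquerade rule whose family is not IPv4, a malformed limit, and a limit with nothing to attach it to. The function and argument names are my own, not firewalld's.

```shell
#!/bin/sh
# Added example, not code from the article: build a firewalld rich rule from
# key=value parts, validating them first so that a typo in the family, limit
# or action is caught before firewall-cmd ever sees the rule.
# Grammar covered (function and argument names are mine):
#   rule [family=ipv4|ipv6] [source address=A]
#        [service name=S | port port=P protocol=tcp|udp]
#        [log [prefix=X] [level=L] [limit value=N/s|m|h|d]]
#        [audit [limit value=N/s|m|h|d]]
#        accept | reject | drop | masquerade

valid_limit()  { printf '%s' "$1" | grep -Eq '^[0-9]+/[smhd]$'; }
valid_port()   { printf '%s' "$1" | grep -Eq '^[0-9]+(-[0-9]+)?$'; }
valid_family() { case "$1" in ipv4|ipv6|'') return 0 ;; *) return 1 ;; esac; }
valid_action() { case "$1" in accept|reject|drop|masquerade) return 0 ;; *) return 1 ;; esac; }

fail() { echo "rich rule error: $*" >&2; }

# build_rich_rule [family=F] [source=A] [service=S] [port=P proto=tcp|udp]
#                 [log] [prefix=X] [level=L] [limit=N/u] [audit] action=ACT
build_rich_rule() {
    family=''; src=''; service=''; port=''; proto=''
    dolog=0; prefix=''; level=''; limit=''; audit=0; action=''
    for kv in "$@"; do
        case "$kv" in
            family=*)  family=${kv#family=} ;;
            source=*)  src=${kv#source=} ;;
            service=*) service=${kv#service=} ;;
            port=*)    port=${kv#port=} ;;
            proto=*)   proto=${kv#proto=} ;;
            log)       dolog=1 ;;
            prefix=*)  prefix=${kv#prefix=}; dolog=1 ;;
            level=*)   level=${kv#level=}; dolog=1 ;;
            limit=*)   limit=${kv#limit=} ;;
            audit)     audit=1 ;;
            action=*)  action=${kv#action=} ;;
            *) fail "unknown part '$kv'"; return 1 ;;
        esac
    done
    valid_family "$family" || { fail "family must be ipv4 or ipv6"; return 1; }
    valid_action "$action" || { fail "action must be accept, reject, drop or masquerade"; return 1; }
    # firewalld requires a family whenever a source address is given
    [ -z "$src" ] || [ -n "$family" ] || { fail "source address needs family="; return 1; }
    # masquerading is IPv4-only
    [ "$action" != masquerade ] || [ "$family" = ipv4 ] || { fail "masquerade needs family=ipv4"; return 1; }
    [ -z "$service" ] || [ -z "$port" ] || { fail "use service or port, not both"; return 1; }
    if [ -n "$port" ]; then
        valid_port "$port" || { fail "bad port '$port'"; return 1; }
        case "$proto" in tcp|udp) ;; *) fail "port needs proto=tcp or proto=udp"; return 1 ;; esac
    fi
    [ -z "$limit" ] || valid_limit "$limit" || { fail "limit must look like 3/m"; return 1; }
    [ -z "$limit" ] || [ "$dolog$audit" != 00 ] || { fail "limit needs log or audit"; return 1; }

    rule='rule'
    [ -z "$family" ]  || rule="$rule family=\"$family\""
    [ -z "$src" ]     || rule="$rule source address=\"$src\""
    [ -z "$service" ] || rule="$rule service name=\"$service\""
    [ -z "$port" ]    || rule="$rule port port=\"$port\" protocol=\"$proto\""
    if [ "$dolog" = 1 ]; then
        rule="$rule log"
        [ -z "$prefix" ] || rule="$rule prefix=\"$prefix\""
        [ -z "$level" ]  || rule="$rule level=\"$level\""
        [ -z "$limit" ]  || rule="$rule limit value=\"$limit\""
    fi
    if [ "$audit" = 1 ]; then
        rule="$rule audit"
        # when both log and audit are present the limit above already went to log
        [ "$dolog" = 1 ] || [ -z "$limit" ] || rule="$rule limit value=\"$limit\""
    fi
    printf '%s\n' "$rule $action"
}
```

The result is passed to firewall-cmd as `firewall-cmd --add-rich-rule="$(build_rich_rule family=ipv4 source=192.168.1.0/24 service=tftp log prefix=tftp level=info limit=1/m action=accept)"`; because the function exits non-zero on a bad part, a `set -e` script stops before a half-formed rule is applied.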

Examples of rich rule configuration:

Allow new IPv4 and IPv6 connections for the Authentication Header protocol (AH):

[root@localhost /]# firewall-cmd --add-rich-rule='rule protocol value=ah accept'

Allow new IPv4 and IPv6 connections to FTP, logging through audit at most once per minute:

[root@localhost /]# firewall-cmd --add-rich-rule='rule service name=ftp log limit value=1/m audit accept'

Allow IPv4 connections from 192.168.1.0/24 to the TFTP service, logging through syslog at most once per minute:

[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'

Reject all new IPv6 connections from 1:2:3:4:6:: to the radius service, logging with prefix "dns" and level "info" at most 3 times per minute; accept new IPv6 connections to radius from other sources:

[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject'

[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv6" service name="radius" accept'

Add the source address 192.168.2.2 to the whitelist, allowing all connections from it:

[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.2" accept'

Reject all traffic from the IP address 192.168.0.11 in the public zone:

[root@localhost /]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'

Drop all incoming IPsec ESP packets from anywhere in the default zone:

[root@localhost /]# firewall-cmd --add-rich-rule='rule protocol value="esp" drop'

In the dmz zone, accept all TCP packets on ports 7900-7905 from the 192.168.1.0/24 subnet:

[root@localhost /]# firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'

Accept new connections to SSH in the work zone, logging them to syslog at the notice level with at most three messages per minute:

[root@localhost /]# firewall-cmd --zone=work --add-rich-rule='rule service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept'

For the next 5 minutes (via --timeout=300), reject new connections to DNS from the subnet 192.168.2.0/24 in the default zone; rejected connections are logged to the audit system, at most one message per hour:

[root@localhost /]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 service name=dns audit limit value="1/h" reject' --timeout=300

At this point I believe you have a better understanding of how to configure IP masquerading and port forwarding in the firewalld firewall. You might as well try it out in practice.
