

How to analyze the Firewall of Linux system

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Today I will talk about how to analyze the firewall of a Linux system, a topic many people do not understand well. To make it easier to follow, the editor has summarized the following contents. I hope you get something out of this article.

A firewall is an effective protection for the system it runs on. The Linux firewall works mainly at the network layer, with transport-layer matching on TCP and UDP ports: it filters and restricts TCP/IP packets, which makes it a typical packet-filtering firewall.

1. Brief introduction of the Linux firewall
The Linux firewall is implemented by the kernel's netfilter framework. It inspects each packet's IP and TCP/UDP headers and decides whether to accept, drop or reject it; it does not inspect application data.

2. Functions of the Linux software firewall
The firewall can block or allow traffic on one port or on many ports, individually or in batches, and can forward traffic arriving on one port to another port or to another IP address (port forwarding).

3. Linux software firewall tools
On CentOS 6 the main tool is:

iptables (command-line management tool); the operation is relatively complex.

On CentOS 7 the main tools are:

firewall-config (graphical management tool)

firewall-cmd (command-line management tool), widely used in production environments.

Both CentOS 7 tools are front ends for the firewalld daemon, which on CentOS 7 still programs the kernel through iptables underneath. Do not run firewalld and a hand-managed iptables service on the same host at the same time; each will overwrite the other's rules. This article mainly introduces the CentOS 7 firewalld firewall.

4. Introduction to firewalld
(1) A dynamic firewall management tool built around network zones: each zone defines the trust level of the network connections and interfaces assigned to it

(2) Supports both IPv4 and IPv6 firewall settings

(3) Provides a D-Bus interface through which services or applications can add firewall rules directly

(4) Has two configuration modes:

Runtime configuration and permanent configuration.

4.1 firewalld zones
To simplify management, firewalld divides all network traffic into zones, each with its own set of rules of differing strictness. By default, public is the default zone, and every network interface that has not been explicitly assigned to another zone is handled by it.

4.2 How firewalld picks the zone for a packet
firewalld first checks the packet's source address:

(1) If the source address is bound to a specific zone, the rules of that zone are applied

(2) If the source address is not bound to a zone, the zone bound to the network interface the packet arrived on is used, and the rules of that zone are applied

(3) If the network interface is not bound to a zone either, the default zone is used and its rules are applied.

Source bindings therefore take precedence over interface bindings: a single source address or network segment bound to a permissive zone overrides whatever zone the interface is in.

5. firewalld configuration modes
5.1 Runtime configuration
Takes effect immediately and lasts until firewalld is restarted or its configuration is reloaded

Does not break existing connections

Service definitions cannot be created or modified.

5.2 Permanent configuration
Does not take effect until firewalld is restarted or its configuration is reloaded

A restart or a complete reload (firewall-cmd --complete-reload) discards connection-tracking state and breaks existing connections; a plain firewall-cmd --reload keeps that state and established connections survive

Service definitions can be created or modified.

In practice, test a change at runtime first and write it to the permanent configuration only once it behaves as intended: a runtime change that locks you out disappears at the next reload, a permanent one does not.

6. firewall-config graphical tool
firewall-config is the graphical management tool for firewalld. It is started directly with the command firewall-config (a graphical session is required) and makes many complex firewall settings easy to complete.

[root@localhost ~]# firewall-config

7. firewall-cmd command-line tool
firewall-cmd is the command-line management tool that ships with firewalld and can be used to set every kind of firewall rule.

Features:

(1) Supports all firewall features

(2) --permanent option: the change is written to the permanent configuration; without it the change applies to the runtime configuration only.

(3) --zone=<zone> option: without it the command operates on the default zone; with it, on the named zone.

7.1 Firewall service control
[root@localhost ~]# systemctl <option> firewalld
option: start, stop, restart, status

Common instructions are as follows:

7.2 Firewall zone commands
(1) Show all zones and their rules

[root@localhost ~]# firewall-cmd --list-all-zones

(2) Show all rules in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --list-all

(3) Show all rules of the default zone

[root@localhost ~]# firewall-cmd --list-all

(4) Show the default zone

[root@localhost ~]# firewall-cmd --get-default-zone
public

(5) Set the default zone to internal

[root@localhost ~]# firewall-cmd --set-default-zone=internal
success
[root@localhost ~]# firewall-cmd --get-default-zone
internal            # the default zone has been changed to internal

Changing the default zone immediately changes the rules applied to every interface that is not explicitly bound to a zone, so check --get-active-zones first to see which interfaces a new default will affect.

(6) Show all active zones

A zone is active when it is bound to at least one interface or to at least one source address / network segment.

[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33

(7) Show the zone bound to the ens33 interface

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal            # the interface is in the default zone

(8) Move interface ens33 into the work zone

[root@localhost ~]# firewall-cmd --zone=work --change-interface=ens33
The interface is under control of NetworkManager, setting zone to work.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work                # changed successfully

(9) Remove interface ens33 from the work zone

[root@localhost ~]# firewall-cmd --zone=work --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal            # unbound; the interface falls back to the default zone

(10) Query whether the work zone contains the ens33 interface

[root@localhost ~]# firewall-cmd --zone=work --query-interface=ens33
no

7.3 Firewall zone command summary
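To make the lookup order of 4.2 and the "active zone" idea of command (6) concrete, here is an added example that is not from the original article and not part of the firewalld project. It takes a constructed firewall-cmd --list-all-zones dump (an assumed host with three NICs; the field list is abbreviated to the keys the script reads), flattens it, lists only the active zones with what they admit, flags any active zone whose target is ACCEPT, and answers which zone a packet from a given source address arriving on a given interface lands in. The zone names, interface names and addresses are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Parses a constructed
# `firewall-cmd --list-all-zones` dump and applies firewalld's zone lookup
# order: source binding -> interface binding -> default zone.

# Constructed sample, not a real capture: assumed host with ens33 in public,
# ens37 in internal (plus a management subnet bound by source address) and
# ens38 in trusted. Only the keys the script reads are kept.
SAMPLE_ZONES='public (active)
  target: default
  interfaces: ens33
  sources: 
  services: ssh dhcpv6-client
  ports: 8080/tcp
  icmp-blocks: echo-request

internal (active)
  target: default
  interfaces: ens37
  sources: 10.20.0.0/24 192.0.2.7
  services: ssh mdns samba-client dhcpv6-client
  ports: 22/tcp
  icmp-blocks: 

trusted (active)
  target: ACCEPT
  interfaces: ens38
  sources: 
  services: 
  ports: 
  icmp-blocks: 

drop
  target: DROP
  interfaces: 
  sources: 
  services: 
  ports: 
  icmp-blocks: 
'

# Flatten the dump (read on stdin) into one record per zone:
#   zone|active|target|interfaces|sources|services|ports
parse_zones() {
  awk '
    function flush() {
      if (zone != "")
        printf "%s|%s|%s|%s|%s|%s|%s\n", zone, active, f["target"],
               f["interfaces"], f["sources"], f["services"], f["ports"]
    }
    /^[A-Za-z]/ {                         # zone header: "public (active)" or "drop"
      flush(); for (k in f) delete f[k]
      zone = $1; active = ($0 ~ /\(active\)/) ? "yes" : "no"; next
    }
    /^  [a-z-]+:/ {                       # "  key: value value ..."
      key = $1; sub(/:$/, "", key)
      val = ""; for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
      f[key] = val
    }
    END { flush() }'
}

# Only the zones actually in force (bound to an interface or a source), with
# what each one admits; --list-all-zones also dumps every inactive zone.
active_exposure() {
  parse_zones | awk -F'|' '$2 == "yes" {
    printf "%s target=%s ifaces=[%s] sources=[%s] services=[%s] ports=[%s]\n",
           $1, $3, $4, $5, $6, $7 }'
}

# An active zone with target ACCEPT admits everything, whatever its service
# and port lists say (this is what "trusted" does), so it deserves a second look.
accept_all_zones() {
  parse_zones | awk -F'|' '$2 == "yes" && $3 == "ACCEPT" {
    print $1 " ifaces=[" $4 "] sources=[" $5 "]" }'
}

ip2int() {                 # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                # in_cidr ADDR PREFIX ; a bare address means /32
  local addr="$1" net="${2%/*}" bits=32 mask
  case $2 in */*) bits=${2#*/} ;; esac
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_for SRC_ADDR IFACE DEFAULT_ZONE (dump on stdin): the 4.2 lookup order.
zone_for() {
  local src="$1" iface="$2" default="$3" byiface="" zone active target ifaces sources rest s i
  while IFS='|' read -r zone active target ifaces sources rest; do
    for s in $sources; do                 # 1. a source binding wins outright
      if in_cidr "$src" "$s"; then echo "$zone"; return 0; fi
    done
    for i in $ifaces; do                  # 2. remember an interface binding
      if [ "$i" = "$iface" ]; then byiface=$zone; fi
    done
  done <<EOF
$(parse_zones)
EOF
  echo "${byiface:-$default}"             # 3. otherwise the default zone
}

printf '%s' "$SAMPLE_ZONES" | active_exposure
printf '%s' "$SAMPLE_ZONES" | accept_all_zones
printf '%s' "$SAMPLE_ZONES" | zone_for 10.20.0.9    ens33 public   # internal: source beats interface
printf '%s' "$SAMPLE_ZONES" | zone_for 198.51.100.4 ens37 public   # internal: interface binding
printf '%s' "$SAMPLE_ZONES" | zone_for 198.51.100.4 ens40 public   # public: default zone
```

On a real CentOS 7 host the same functions work on live output, for example firewall-cmd --list-all-zones | active_exposure, with the default zone for zone_for taken from firewall-cmd --get-default-zone. The first lookup case is the one worth remembering: a packet from 10.20.0.9 arriving on ens33 is handled by internal, not by public, because the source binding is checked before the interface binding.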

7.4 Firewall port commands
(1) Allow TCP port 22 in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --add-port=22/tcp --timeout=5m
success

--timeout=5m: the rule is removed automatically after 5 minutes. A timeout is a useful guard when changing rules over SSH: if the change turns out to be wrong you are not locked out for good. It applies to runtime changes only and cannot be combined with --permanent; once a runtime change has proven itself, write it to the permanent configuration (for example with firewall-cmd --runtime-to-permanent) and reload.

(2) Show the ports allowed in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --list-ports
22/tcp

(3) Remove TCP port 22 from the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --remove-port=22/tcp
success

(4) Query whether TCP port 22 is allowed in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --query-port=22/tcp
no

Note that --list-ports and --query-port only report explicit port entries. A service entry such as ssh in the same zone opens port 22 as well, so after removing a port check --list-all (ports and services together) before concluding that the port is closed.

7.5 Firewall port command summary

7.6 ICMP blocking commands
(1) Block ICMP echo-request in the work zone

[root@localhost ~]# firewall-cmd --zone=work --add-icmp-block=echo-request
success

(2) Show all ICMP types blocked in the work zone

[root@localhost ~]# firewall-cmd --zone=work --list-icmp-blocks
echo-request

(3) Remove the echo-request block from the work zone

[root@localhost ~]# firewall-cmd --zone=work --remove-icmp-block=echo-request
success

(4) Query whether echo-request is blocked in the work zone

[root@localhost ~]# firewall-cmd --zone=work --query-icmp-block=echo-request
no

Blocking echo-request only stops the host from answering ping; it does not hide the host from a port scan. Block ICMP types selectively rather than wholesale: the valid type names come from firewall-cmd --get-icmptypes, and types such as fragmentation-needed (and packet-too-big for IPv6) must stay open or path MTU discovery breaks and large transfers stall.

7.7 ICMP blocking command summary

After reading the above, do you have a better understanding of how to analyze the Linux system firewall? If you want to learn more, please follow the industry information channel. Thank you for your support.
