What are the concepts and common commands of Firewalld

2025-01-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about what Firewalld is and which of its commands are commonly used. To help with this, the following explains both in detail; I hope you gain something from it.

The following gives a detailed introduction to Firewalld in terms of its concept and architecture, core components and common commands, with additional coverage of the four tables and five chains of iptables and of netfilter.

I. Brief introduction

1. Firewalld provides more intelligent firewall rule management, optimizes policy configuration, supports network "zones", and assigns trust levels to a network and its associated connections, interfaces or sources. Different trust levels open different services by default.

2. Supports IPv4, IPv6, Ethernet bridge and IPSet firewall settings.

3. The runtime configuration is separated from the permanent configuration. The runtime configuration can be changed manually and reset to return to the permanent configuration (the configuration files).

4. Optimizes adding iptables rules and supports a graphical interface (not covered in this article). In addition to iptables rules, there are ip6tables and ebtables rules.

II. Concept and architecture

The architecture is divided into two layers.

1. Upper layer: the firewalld D-Bus interface, which is the main interface and the primary way to change the firewall configuration.

firewall-cmd: the main command-line tool.

firewall-offline-cmd: the offline command-line tool. Because it acts directly on the permanent configuration of firewalld, using it while firewalld is running is not recommended.

firewall-config: the graphical configuration tool.

firewall-applet: the firewall applet.

2. Lower layer (core layer): responsible for handling the configuration and the back ends, and contains the iptables, ip6tables, ebtables and ipset back ends and the module loader.

Spatial structure diagram

Using NetworkManager is recommended. firewalld does not depend on it, but NetworkManager solves some problems, such as notification when a network device is renamed.

III. Three core components

Firewalld supports zones, services, IPSets and ICMP types.

1. Zone: a firewall zone defines the trust level of the connections, interfaces or source addresses bound to it. There are 10 in total (and one for default). A zone establishes a trust relationship with the other computers in the network directly, without tedious configuration: you only need to select a zone, and if it does not meet your needs you can also add trusted services manually.

Drop: any incoming network packets are dropped

Block: any incoming network packets are rejected (including ICMP); only network connections initiated from this system are possible

Public: for use in public areas; only selected incoming connections are accepted (default: ssh or dhcpv6-client service connections only)

External: used for masquerading; outgoing IPv4 network connections are masqueraded and forwarded through this zone (default: only ssh service connections are accepted)

Dmz: restricted access to the internal network (default: only ssh service connections are accepted)

Work: for work areas (default: only ssh, ipp-client or dhcpv6-client service connections are accepted)

Home: for home areas (default: only ssh, mdns, ipp-client, samba-client or dhcpv6-client service connections are accepted)

Internal: for internal networks, with high trust in the other computers on the network; most services are open by default

Trusted: the highest level of trust; all network connections are accepted

Public configuration (/etc/firewalld/zones)

2. The role of NetworkManager

1) NetworkManager (the interface manager) cannot handle network connections. Its function is to tell firewalld to assign the network interface used for a connection to the zone defined in that connection's configuration. Systems whose network configuration uses ifcfg files are also supported.

2) Network connections are handled by network scripts

3. Configuration rules (the rules look complicated and tedious, but only a few are commonly used):

version="string": gives the zone a version

target="ACCEPT|%%REJECT%%|DROP": accepts, rejects or drops every packet that does not match any rule (ports, services, etc.)

short: optional start and end tag, used for a name

description: optional start and end tag, used for a description

interface: optional empty-element tag with a single attribute, name="string", which binds an interface to the zone

source: optional empty-element tag that can be used multiple times. It binds a source address, address range, MAC address or ipset to a zone. The attributes are as follows:

address="address[/mask]": the source is an IP address or a network IP address with a mask, for IPv4 or IPv6

mac="MAC": the source is a MAC address. It must be in xx:xx:xx:xx:xx:xx form

ipset="ipset": the source is an ipset

port: optional empty-element tag that can be used multiple times for multiple port entries. The attributes are as follows:

port="portid[-portid]": the port can be a single port number portid or a port range portid-portid

protocol="tcp|udp": the protocol is either TCP or UDP

protocol: optional empty-element tag that can be used multiple times for multiple protocol entries. The attributes are as follows:

value="string"

icmp-block: optional empty-element tag that can be used multiple times for multiple entries, with exactly one mandatory attribute per icmp-block tag:

name="string"

icmp-block-inversion: optional empty-element tag that can be used only once in a zone configuration. This flag inverts icmp-block handling: only the enabled ICMP types are accepted and all other types are rejected in the zone

masquerade: masquerading, an optional empty-element tag. It can be used only once in a zone configuration and cannot be used for IPv6.

forward-port: optional empty-element tag that can be used multiple times for multiple port or packet forwarding entries. forward-port has mandatory and optional attributes:

Mandatory attributes: port="portid[-portid]", protocol="tcp|udp"

Optional attributes: for local forwarding, add only to-port.

to-port="portid[-portid]": the destination port or port range to forward to

to-addr="address": the destination IPv4 address

source-port: optional empty-element tag that can be used multiple times for multiple source port entries. All attributes of a source port are required:

port="portid[-portid]"

protocol="tcp|udp"
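
An added example, not from the original article or the firewalld project: a small Python review script that reads a zone file using the tags described above and flags the settings that widen what the zone accepts or forwards. The sample zone, the `MAX_PORT_SPAN` threshold and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone file (not from the article). Real zone files live
# in /etc/firewalld/zones/.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Lab</short>
  <description>Constructed example zone.</description>
  <interface name="eth1"/>
  <source address="172.25.254.0/24"/>
  <service name="ssh"/>
  <port port="8000-9000" protocol="tcp"/>
  <port port="443" protocol="tcp"/>
  <masquerade/>
  <forward-port port="2222" protocol="tcp" to-port="22" to-addr="172.25.254.60"/>
</zone>
"""

MAX_PORT_SPAN = 100  # assumed review threshold for a "wide" port range


def port_span(spec):
    """Count the ports covered by "portid" or "portid-portid"."""
    low, _, high = spec.partition("-")
    return int(high or low) - int(low) + 1


def audit_zone(xml_text):
    """Return review findings for one zone definition."""
    zone = ET.fromstring(xml_text)
    findings = []
    # target decides what happens to packets that match no rule in the zone.
    if zone.get("target") == "ACCEPT":
        findings.append("target=ACCEPT: unmatched packets are accepted")
    for port in zone.findall("port"):
        if port_span(port.get("port")) > MAX_PORT_SPAN:
            findings.append(f"wide port range {port.get('port')}/{port.get('protocol')}")
    if zone.find("masquerade") is not None:
        findings.append("masquerade enabled")
    for fwd in zone.findall("forward-port"):
        if fwd.get("to-addr"):  # to-addr set: traffic is forwarded to another host
            dest = f"{fwd.get('to-addr')}:{fwd.get('to-port', fwd.get('port'))}"
            findings.append(f"forward-port {fwd.get('port')} -> {dest}")
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print("-", finding)
```

A zone that only opens single ports and leaves target at its default produces no findings.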

Examples of common rules:

Rule example

Home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Service example

FTP FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.

IPSet example

Mac-list 00:11:22:33:44:55

Helper (helper example): used to safely use connection tracking helpers

ICMP type: restricts the exchange of ICMP messages in the Internet Protocol (IP), for example whether to respond or not

Echo Request (ping) This message is used to test if a host is reachable mostly with the ping utility.

In general, there is no need to modify the rules in the configuration files. If you do need to change them, you can use the common commands to specify rules.

More rules: see https://firewalld.org/documentation/man-pages/firewalld.richlanguage for details

IV. Common commands

1. Basic commands

firewall-cmd --state # view the status of firewalld
firewall-cmd --get-active-zones # view the currently active zones, with a list of the interfaces currently assigned to them
firewall-cmd --get-default-zone # view the default zone
firewall-cmd --set-default-zone=dmz # set the default zone
firewall-cmd --get-zones # view all available zones
firewall-cmd --permanent --zone=internal --add-source=172.25.254.60/24 # bind the source address to a zone (--permanent makes the setting permanent; if --zone is not specified, the source is added to the default zone)
firewall-cmd --permanent --zone=internal --remove-source=172.25.254.60/24 # delete the source address
firewall-cmd --reload # reload the configuration without interrupting service
firewall-cmd --complete-reload # complete reload, which interrupts service

2. Add services

firewall-cmd --zone=public --add-service=http # open the http service in the public zone of the runtime environment
firewall-cmd --permanent --zone=public --add-service=http # permanent setting: open the http service in the public zone

3. Use the --direct option to add or remove rules in chains (iptables four tables and five chains)

firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j ACCEPT # add a rule at runtime that allows all connections to port 80
firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j ACCEPT # delete the rule
firewall-cmd --direct --get-all-rules # list the rules

4. Create a new service from an existing file (not recommended if you are not familiar with the configuration commands and their rules)

firewall-cmd --permanent --new-service-from-file=myservice.xml --name=mynewservice

V. Additional knowledge points (iptables four tables and five chains, netfilter)

1. The internal relationship between firewall and iptables

In short, iptables is the cornerstone of a firewall. A firewall follows a set of rules when making packet filtering decisions. These rules are stored in special packet filtering tables, which are integrated in the Linux kernel. Within a packet filtering table, rules are grouped into what we call chains.

Netfilter/iptables is used to add, edit and remove IP filtering rules.

The netfilter component, also known as kernel space, is part of the kernel and consists of packet filtering tables that contain the set of rules the kernel uses to control packet filtering.

The iptables component, also known as user space, is a tool that makes it easy to insert, modify and remove rules in the packet filtering tables.

Linux kernel filter structure

2. Iptables four tables and five chains

Filter table (three chains): INPUT, FORWARD, OUTPUT

Function: filter packets. Kernel module: iptable_filter

Nat table (three chains): PREROUTING, POSTROUTING, OUTPUT

Function: network address translation (IP, port). Kernel module: iptable_nat

Mangle table (five chains): PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

Function: modify a packet's type of service and TTL, and configure routing to implement QoS. Kernel module: iptable_mangle (this table looks troublesome, but we hardly ever use it when setting policies)

Raw table (two chains): OUTPUT, PREROUTING

Function: determine whether a packet is handled by the state tracking mechanism. Kernel module: iptable_raw

Corresponding relation of four tables and five chains

3. Chain processing logic

INPUT: the policies in this chain apply to incoming packets

OUTPUT: the policies in this chain apply to outgoing packets

FORWARD: the policies in this chain apply when packets are forwarded

PREROUTING: the rules in this chain apply before packets are routed

(Remember: all incoming packets are handled by this chain first.)

POSTROUTING: the rules in this chain apply after packets are routed

(All outgoing packets are handled by this chain.)

Chain processing logic
