
How to analyze firewalld and iptables

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to analyze firewalld and iptables. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Several firewall front-ends coexist in RHEL 7: firewalld, iptables and ebtables. By default firewalld is used to manage the netfilter subsystem, but underneath it still drives the iptables command.

Firewalld has at least two advantages over iptables:

1. Firewalld can dynamically modify a single rule, instead of having to flush and reload all rules before a change takes effect, as iptables does.

2. Firewalld is much more user-friendly than iptables: most tasks can be done even without understanding the "five tables and five chains" or the details of the TCP/IP protocol.

The disadvantage of firewalld compared with iptables is that every service has to be opened explicitly before it is reachable, because the default zone rejects unsolicited incoming traffic. In iptables the default policy accepts every service, and only those that need to be refused are restricted.

Firewalld itself does not do the filtering: like iptables it relies on the kernel's netfilter. In other words, both firewalld and iptables only maintain rules, and the component that actually applies them is netfilter in the kernel; what differs is the structure and usage of the two tools.

An important concept: zone management

Zones divide the network into areas with different access-control policies, which control the traffic flowing between them. For example, the Internet is an untrusted zone, while the internal network is a highly trusted one. The zone can be set during installation, at first boot, or when a network connection is first established; it describes the trust level of the network environment the host is connected to and defines how new connections are handled. The predefined zones are:

Block zone (block): any incoming network packet is blocked.

Work zone (work): trust that other computers on the network will not harm your computer.

Home zone (home): trust that other computers on the network will not harm your computer.

Public zone (public): do not trust any computer on the network; only selected incoming connections are accepted.

Isolated zone (DMZ): a demilitarized zone that serves as a buffer by adding a network layer between the internal and external networks. Only selected incoming connections are accepted.

Trusted zone (trusted): all network connections are accepted.

Drop zone (drop): any incoming network connection is rejected.

Internal zone (internal): trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

External zone (external): do not trust other computers on the network not to harm your computer; only selected incoming connections are accepted.

Note: the default zone of firewalld is public.

Firewalld ships nine zone configuration files by default: block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml and work.xml, all stored in the /usr/lib/firewalld/zones/ directory.

Configuration method

There are three ways to configure firewalld: firewall-config, firewall-cmd, and editing the XML files directly. firewall-config is a graphical tool and firewall-cmd a command-line tool; since Linux administrators are usually more at home on the command line, firewall-config is not covered here.

Installation configuration:

1. Install firewalld

As root: # yum install firewalld firewall-config

2. Run, stop, and disable firewalld

Start: # systemctl start firewalld

Check status: # systemctl status firewalld or firewall-cmd --state

Stop: # systemctl stop firewalld

Disable: # systemctl disable firewalld

Mask (prevent the unit from being started at all): # systemctl mask firewalld

Unmask: # systemctl unmask firewalld

3. Configure firewalld

View version: $ firewall-cmd --version

View help: $ firewall-cmd --help

View the settings:

Display status: $ firewall-cmd --state

View active zones: $ firewall-cmd --get-active-zones

View the zone a given interface belongs to: $ firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode): # firewall-cmd --panic-on

Leave panic mode: # firewall-cmd --panic-off

Check whether panic mode is on: $ firewall-cmd --query-panic

Update firewall rules: # firewall-cmd --reload

# firewall-cmd --complete-reload

The difference between the two is that --reload keeps existing connections (dynamically adding rules is one of firewalld's features), while --complete-reload reloads everything, including the netfilter kernel modules, and so interrupts active connections, much like restarting the service.

Add an interface to a zone. By default, interfaces are in the public zone.

# firewall-cmd --zone=public --add-interface=eth0

To make it permanent, add --permanent and then reload the firewall.

Set the default zone

# firewall-cmd --set-default-zone=public

Takes effect immediately; no restart needed.

Open a port (this seems to be the most commonly used operation)

View all open ports:

# firewall-cmd --zone=dmz --list-ports

Add a port to a zone:

# firewall-cmd --zone=dmz --add-port=8080/tcp

To make it permanent, the method is the same as above.

Open a service, which is similar to opening a port by name. The service must be defined in a service file: there is a services folder under the /etc/firewalld directory. Refer to the documentation for details.

# firewall-cmd --zone=work --add-service=smtp

Remove a service

# firewall-cmd --zone=work --remove-service=smtp

Firewalld also provides port forwarding, custom complex rules (rich rules) and lockdown mode.
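A recurring mistake with the runtime/permanent split above is to add a port with --permanent and forget to reload (nothing is open yet), or to add it without --permanent and lose it at the next reload. The script below is an added example, not part of the original article: it diffs the services and ports of the runtime and permanent configuration of one zone. On a real host the two inputs come from `firewall-cmd --zone=public --list-all` and the same command with `--permanent`; here both listings are constructed sample outputs so the script runs offline, and the names in them (eth0, http, 8443/tcp) are assumptions.

```shell
#!/bin/sh
# Added example: report drift between firewalld's runtime and permanent
# configuration of a zone. Both listings below are CONSTRUCTED samples in
# the format printed by `firewall-cmd --zone=<zone> --list-all`.
export LC_ALL=C   # sort and comm must agree on collation

RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the space-separated values of one field ("services" or "ports")
# from a --list-all listing read on stdin, one entry per line, sorted.
list_field() {
    awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) print $i }' | sort
}

# drift FIELD RUNTIME_TEXT PERMANENT_TEXT
# Prints entries that exist only at runtime (they vanish on --reload) and
# entries that exist only in the permanent config (not active until reload).
drift() {
    field="$1"
    tmp_r=$(mktemp); tmp_p=$(mktemp)
    printf '%s\n' "$2" | list_field "$field" > "$tmp_r"
    printf '%s\n' "$3" | list_field "$field" > "$tmp_p"
    # comm -23: only in runtime; comm -13: only in permanent
    comm -23 "$tmp_r" "$tmp_p" | sed "s/^/runtime-only $field: /"
    comm -13 "$tmp_r" "$tmp_p" | sed "s/^/permanent-only $field: /"
    rm -f "$tmp_r" "$tmp_p"
}

# Stand-alone run over the constructed samples.
drift services "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
drift ports "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```

Replace the two sample strings with command substitutions of the real `firewall-cmd` calls to audit a host; an empty report means runtime and permanent configuration agree, which is what you want before trusting a `--reload`.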

iptables is the IP packet filtering system integrated with the latest 3.5 Linux kernel. Whether a Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy connecting a LAN to the Internet, iptables makes IP packet filtering and firewall configuration on that system easier to control.

Examples of using iptables basic commands

1. Basic operations on chains and NAT

1. Clear all rules.

1) clear all rules in the chains of the default filter table.

# iptables -F

2) delete the user-defined chains in the default filter table, and zero the packet and byte counters.

# iptables -X

# iptables -Z

3) clear the NAT rules

# iptables -F -t nat

4) display the NAT table

# iptables -t nat -nL

2. Set the default policy of a chain. There are usually two approaches.

1) allow all packets first, then block dangerous packets from passing through the firewall.

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

2) block all packets first, then allow specific packets through the firewall according to the services required.

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP

3. List all rules in a table/chain. Only the filter table is listed by default.

# iptables -L

4. Append rules to a chain. The following statements open the network interfaces:

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT

# iptables -A INPUT -i eth0 -j ACCEPT

# iptables -A OUTPUT -o eth2 -j ACCEPT

# iptables -A FORWARD -i eth2 -j ACCEPT

# iptables -A FORWARD -o eth2 -j ACCEPT

Note: since the local process does not pass through the FORWARD chain, the loopback interface lo only works on the INPUT and OUTPUT chains.

5. User-defined chain. Create the chain, add a rule to it, then jump to it from a built-in chain (the jump target on the last line is reconstructed from context; the extracted text had lost it):

# iptables -N custom

# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP

# iptables -A INPUT -s 0/0 -d 0/0 -j custom

Second, set up basic rule matching

1. Specify a protocol match.

1) match the specified protocol.

# iptables -A INPUT -p tcp

2) match all protocols except the specified one.

# iptables -A INPUT ! -p tcp

2. Specify an address match.

1) match a specific host.

# iptables -A INPUT -s 192.168.0.18

2) match a specific network.

# iptables -A INPUT -s 192.168.2.0/24

3) match any address other than the specified host.

# iptables -A FORWARD ! -s 192.168.0.19

4) match any network other than the specified network.

# iptables -A FORWARD ! -s 192.168.3.0/24

3. Specify a network interface match.

1) match a single network interface.

# iptables -A INPUT -i eth0

# iptables -A FORWARD -o eth0

2) match all network interfaces of the same type (wildcard suffix +).

# iptables -A FORWARD -o ppp+

4. Specify a port match.

1) match a single port.

# iptables -A INPUT -p tcp --sport www

# iptables -A INPUT -p udp --dport 53

2) match any port other than the specified port.

# iptables -A INPUT -p tcp ! --dport 22

3) match a port range.

# iptables -A INPUT -p tcp --sport 22:80

4) match ICMP by ICMP type.

# iptables -A INPUT -p icmp --icmp-type 8

5) match IP fragments.

Every network interface has an MTU (maximum transmission unit) that defines the largest packet it can carry. If a packet is larger than this value, the system splits it into smaller packets (called IP fragments) for transmission, and the receiver reassembles these fragments to restore the whole packet. This causes a problem: when a large packet is split into IP fragments, only the first fragment carries the complete header information (IP plus TCP, UDP or ICMP), while the later fragments carry only part of it (such as the source and destination addresses). Checking the transport header (TCP, UDP or ICMP) of the later fragments is therefore impossible. Given a rule such as:

# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT

and a FORWARD policy of DROP, the system lets only the first IP fragment through, while the remaining fragments are dropped because their header information is incomplete. The --fragment/-f option matches the second and subsequent IP fragments and solves this problem:

# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

Note that many attacks exploit IP fragmentation, such as DoS attacks, so letting IP fragments through is a security risk; it can be restricted with the iptables match extensions.

Third, set extended rule matching (the target action is omitted in the examples)

1. Multi-port matching.

1) match multiple source ports.

# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110

2) match multiple destination ports.

# iptables -A INPUT -p tcp -m multiport --dports 22,53,80

3) match multiple ports (whether source or destination port)

# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110

2. Specify the TCP matching extension

Use the --tcp-flags option to filter on the flag bits of a TCP packet. The first argument lists the flags to examine, the second the flags that must be set.

# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN

# iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK

In the first example the SYN, ACK and FIN flags are examined, and the packet matches only when SYN is set and the other two are clear. In the second example all flags (SYN,ACK,FIN,RST,URG,PSH) are examined, and the packet matches only when SYN and ACK are set and the rest are clear.

# iptables -A FORWARD -p tcp --syn

The --syn option is shorthand for "--tcp-flags SYN,RST,ACK SYN".

3. Rate limit matching extension.

1) specify the number of packets allowed per unit of time; the unit can be /second, /minute, /hour or /day, or just its first letter.

# iptables -A INPUT -m limit --limit 300/hour

2) specify the burst threshold.

# iptables -A INPUT -m limit --limit-burst 10

This checks whether more than 10 packets arrive at once; packets beyond this limit no longer match the rule and are handled by the remaining rules, typically discarded.

3) specify both the rate limit and the burst threshold.

# iptables -A INPUT -p icmp -m limit --limit 3 --limit-burst 3

This means the maximum number of packets allowed per unit of time is the limit rate (3 in this example) plus the current burst threshold. In any case three packets are guaranteed to pass, and the burst threshold equals the number of additional packets allowed.

4) State-based matching extension (connection tracking)

Each network connection is described by the following information: source address, destination address, source port and destination port (together called the socket pair); the protocol type; the connection status (for TCP); timeouts; and so on. Firewalls call this information state. A stateful packet filtering firewall keeps a connection tracking table in memory, which makes it more secure than a simple packet filter. The command format is:

iptables -m state --state [!] state[,state,state,state]

The state list is comma-separated and specifies the connection status; there are four kinds:

> NEW: this packet wants to start a new connection (reconnection or connection redirection)

> RELATED: this packet belongs to a new connection spawned by an established connection, for example the relationship between an FTP data connection and its control connection.

> ESTABLISHED: this packet belongs to a connection that is already established.

> INVALID: this packet does not match any connection. Such packets are usually dropped.

For example:

(1) add a rule to the INPUT chain matching established connections or new connections related to established ones, i.e. all TCP response packets.

# iptables -A INPUT -m state --state RELATED,ESTABLISHED

(2) add a rule to the INPUT chain matching all connection request packets arriving on interfaces other than eth0.

# iptables -A INPUT -m state --state NEW ! -i eth0

As another example, connection tracking can be used for FTP connections as follows:

(1) passive FTP connection mode.

# iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

(2) active FTP connection mode

# iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
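The pieces above (default-deny policies, loopback and stateful accept rules, rate-limited ICMP, and the warning about blanket fragment rules) fit together into one ruleset. The script below is an added example, not part of the original article: it writes such a ruleset in the format `iptables-restore` reads, and then lints a ruleset for three weaknesses discussed in the text: an INPUT policy of ACCEPT, a blanket ACCEPT of fragments with -f, and the absence of a stateful ESTABLISHED,RELATED accept. Once connection tracking is in use, the kernel reassembles fragments before the filter table sees them, so a stateful ruleset does not need the -f rule at all. The LAN prefix, interface name and port list are constructed assumptions, and nothing here touches the kernel; a root user would apply the output with `iptables-restore`.

```shell
#!/bin/sh
# Added example: generate a default-deny stateful ruleset for
# iptables-restore and lint rulesets for risky patterns.
# LAN_NET, LAN_IF and the port list are CONSTRUCTED sample values.

LAN_NET="192.168.1.0/24"
LAN_IF="eth0"

# build_ruleset "PORT PORT ..." -> ruleset text on stdout.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local processes never traverse FORWARD, so lo is handled on INPUT only
-A INPUT -i lo -j ACCEPT
# replies and related flows (FTP data, ICMP errors) are accepted first
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# echo requests: a burst of 5, then 3 per minute
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
EOF
    # one NEW-connection rule per service port, restricted to the LAN
    for p in $1; do
        printf '%s INPUT -i %s -s %s -p tcp --dport %s --syn -m state --state NEW -j ACCEPT\n' \
            "-A" "$LAN_IF" "$LAN_NET" "$p"
    done
    printf 'COMMIT\n'
}

# lint_ruleset: reads a ruleset on stdin, prints one finding per line,
# returns 1 if any finding was raised, 0 if the ruleset is clean.
lint_ruleset() {
    rules=$(cat)
    status=0
    if printf '%s\n' "$rules" | grep -q '^:INPUT ACCEPT'; then
        echo "INPUT policy is ACCEPT: default-allow"; status=1
    fi
    # a fragment match (-f) that jumps to ACCEPT: later fragments have no
    # transport header, so nothing else can be checked on them
    if printf '%s\n' "$rules" | grep -E -- '(^| )-f ' | grep -q -- '-j ACCEPT'; then
        echo "blanket accept of IP fragments (-f)"; status=1
    fi
    if ! printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT'; then
        echo "no stateful accept of ESTABLISHED,RELATED traffic"; status=1
    fi
    return $status
}

# CONSTRUCTED legacy ruleset in the style of the fragment rule above.
LEGACY_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
-A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
COMMIT'

# Stand-alone run: print the generated ruleset, then lint both rulesets.
build_ruleset "22 80"
echo "--- lint of generated ruleset:"
build_ruleset "22 80" | lint_ruleset && echo "clean"
echo "--- lint of legacy sample:"
printf '%s\n' "$LEGACY_SAMPLE" | lint_ruleset || echo "legacy ruleset rejected"
```

Save the generated text to a file and review it before applying it; `iptables-restore --test` (where the installed version supports it) parses a file without loading it, and the lint can run over an `iptables-save` dump of a live host just as well as over the generated text.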

That is all on how to analyze firewalld and iptables; I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, share it so more people can see it.
