2025-04-17 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/03 Report
Introduction to Firewalld
Firewalld is a dynamic firewall management tool with the following characteristics:
(1) The security level of network connections and interfaces is defined by the network zone they belong to.
(2) It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges.
(3) Services or applications can add firewall rules directly through its interfaces.
(4) It has two configuration modes: runtime configuration and permanent configuration.
The netfilter packet-filtering system located in the Linux kernel is called the "kernel space" part of the Linux firewall.
Firewalld and iptables are the user-space management tools; Firewalld, the default tool for managing firewall rules on CentOS 7, is called the "user space" part of the Linux firewall.
The difference between Firewalld and iptables
Iptables
Four tables and five chains! (important)
A chain is a position in the packet path. There are five: PREROUTING (before routing), INPUT (packets entering the local system), FORWARD (packets forwarded through the system), OUTPUT (packets leaving the local system) and POSTROUTING (after routing). A table stores rules; when a packet reaches a chain, the rules in the tables attached to that chain are looked up to decide whether the packet is accepted, dropped, forwarded, modified and so on.
The table contains multiple chains, and the chain contains multiple rules!
The four tables:
filter table: filters packets
nat table: network address translation (IP address, port)
mangle table: modifies packet fields such as the type of service (TOS) and TTL; together with routing it can be used to implement QoS
raw table: decides whether a packet is handled by the connection-tracking (state) mechanism
The five chains:
INPUT chain: rules in this chain apply to packets destined for the local system
OUTPUT chain: rules in this chain apply to packets leaving the local system
FORWARD chain: rules in this chain apply to packets being forwarded through the system
PREROUTING chain: rules in this chain apply before a packet is routed (every incoming packet is processed by this chain first)
POSTROUTING chain: rules in this chain apply after a packet is routed (every outgoing packet is processed by this chain last)
Syntax: iptables [-t table] option [chain] [condition] [-j target]
Options:
-P: set the default policy of a chain, e.g. iptables -P INPUT DROP (or ACCEPT)
-F: flush (clear) the rule chain
-L: list the rule chain
-A: append a new rule at the end of the rule chain
-I [num]: insert a new rule at the head of the rule chain (or at position num)
-D: delete a rule
Match conditions:
-s IP/MASK: match the source address; prefixing the address with "!" matches everything except that address
-d: match the destination address
-i <interface>: match traffic entering through the named network interface
-o <interface>: match traffic leaving through the named network interface
-p: match the protocol, e.g. tcp, udp, icmp
--dport num: match the destination port number
--sport num: match the source port number
By default, all network interfaces are placed in the public zone.
Zones are ranked by trust level from high to low.
Runtime configuration
Takes effect immediately and lasts until firewalld is restarted or its configuration is reloaded; does not interrupt existing connections; cannot modify service definitions.
Permanent configuration
Does not take effect until firewalld is restarted or its configuration is reloaded; interrupts existing connections when applied; can modify service definitions.
Graphical interface operation is not covered in detail here. Character-interface operation:
[root@localhost ~]# systemctl <option> firewalld
option: start | stop | restart | status
Firewall management operation
The firewall-cmd command supports all firewalld features. For state and query commands, the command only returns an exit status and produces no other output.
--permanent parameter: with this parameter the command changes the permanent configuration; without it, the runtime configuration.
[--zone=<zone>] option: without this option the command operates on the default zone; with it, on the specified zone.
Query the firewalld status
systemctl status firewalld
Reload the firewalld configuration
firewall-cmd --reload
Display the default zone for network connections or interfaces
firewall-cmd --get-default-zone
Set the default zone for network connections or interfaces to internal
firewall-cmd --set-default-zone=internal
Show all active zones
firewall-cmd --get-active-zones
Display the zone bound to the ens33 interface
firewall-cmd --get-zone-of-interface=ens33
Bind the ens33 interface to the work zone
firewall-cmd --zone=work --add-interface=ens33
Change the binding of the ens33 interface to the work zone
firewall-cmd --zone=work --change-interface=ens33
Remove the ens33 interface binding from the work zone
firewall-cmd --zone=work --remove-interface=ens33
Show all zones and their rules
firewall-cmd --list-all-zones
Show all rules of the internal zone
firewall-cmd --zone=internal --list-all
Show all rules of the default zone
firewall-cmd --list-all
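The runtime/permanent distinction and the zone commands above, as an added shell example (not from the original article): a wrapper that applies a port rule in both modes and a checker that reads a zone's --list-all output. FIREWALL_CMD is an assumed override for dry runs, not a firewalld feature; the sample --list-all output in the comments is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: open a port with firewall-cmd in
# BOTH the runtime and permanent configuration, then audit the zone's --list-all
# output. FIREWALL_CMD is an assumed override (set FIREWALL_CMD=echo for a dry run
# on a host without firewalld); it is not a firewalld feature.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
set -f   # no pathname expansion when word-splitting --list-all lines below
# Accept only "<1-65535>/tcp" or "<1-65535>/udp" before anything reaches firewall-cmd.
valid_port_spec() {
  proto="${1##*/}"; num="${1%/*}"
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  [ "$num" -ge 1 ] && [ "$num" -le 65535 ]
}

# A runtime-only change is lost at the next reload and a --permanent-only change
# is not live until --reload, so apply the rule in both modes.
fw_open_port() {
  zone="$1"; spec="$2"
  valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
  "$FIREWALL_CMD" --zone="$zone" --add-port="$spec" || return 1
  "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$spec" || return 1
}

# Read `firewall-cmd --zone=Z --list-all` output on stdin (e.g. a constructed
# line "  ports: 80/tcp 8080/tcp"); succeed only if the spec is on the "ports:"
# line, not on the source-ports: or forward-ports: lines.
zone_has_port() {
  want="$1"
  while IFS= read -r line; do
    set -- $line                      # split the line into words
    [ "${1:-}" = "ports:" ] || continue
    shift
    for p in "$@"; do
      [ "$p" = "$want" ] && return 0
    done
    return 1
  done
  return 1
}

# Check the live (runtime) zone state after a change.
fw_verify_port() {
  "$FIREWALL_CMD" --zone="$1" --list-all | zone_has_port "$2"
}

# Usage: sh open_port.sh ZONE PORT/PROTO  (dry run: FIREWALL_CMD=echo sh open_port.sh public 8080/tcp)
if [ "$#" -eq 2 ]; then
  fw_open_port "$1" "$2" && fw_verify_port "$1" "$2"
fi
```

In a dry run the verification step fails, because echo produces no "ports:" line; on a real host it confirms the runtime state matches what was requested.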
© 2024 shulou.com SLNews company. All rights reserved.