2025-01-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Firewalld and iptables
By default only one of firewalld and iptables can be enabled at a time.
Firewalld:
Configure firewalld with the graphical interface: firewall-config
Configure firewalld with the command-line interface: firewall-cmd
Check the status of firewalld: # firewall-cmd --state
View the currently active zones with the interfaces currently assigned to them:
# firewall-cmd --get-active-zones
Check the default zone: # firewall-cmd --get-default-zone
View all available zones: # firewall-cmd --get-zones
List all settings of the specified zone: # firewall-cmd --zone=public --list-all
List the settings of all zones: # firewall-cmd --list-all-zones
Set the default zone: # firewall-cmd --set-default-zone=trusted
Add a network address (source) to the specified zone:
# firewall-cmd --permanent --zone=trusted --add-source=172.25.15.0/24
(the --permanent parameter makes the setting permanent; if --zone is not specified, the source is added to the default zone)
Remove a network address from the specified zone:
# firewall-cmd --permanent --zone=trusted --remove-source=172.25.0.0/24
Add, change, or remove network interfaces:
# firewall-cmd --permanent --zone=trusted --add-interface=eth0
# firewall-cmd --permanent --zone=trusted --change-interface=eth0
# firewall-cmd --permanent --zone=trusted --remove-interface=eth0
Add or remove services:
# firewall-cmd --permanent --zone=public --add-service=smtp
# firewall-cmd --permanent --zone=public --remove-service=smtp
List, add, or remove ports:
# firewall-cmd --zone=public --list-ports
# firewall-cmd --permanent --zone=public --add-port=8080/tcp
# firewall-cmd --permanent --zone=public --remove-port=8080/tcp
Reload the firewall:
# firewall-cmd --reload
(note: --reload does not break established connections; if you intend to break them as well, use the --complete-reload option)
For example, if you are logged in to the host over ssh, you can still operate the host through that session after --reload, because the ssh connection is not cut.
With --complete-reload, the ssh session is disconnected.
List all predefined services: # firewall-cmd --get-services
The service names can be seen in /usr/lib/firewalld/services/. Note: each configuration file is named after the service itself, as service-name.xml.
Take http as an example: its default port is 80. If you want to change the port, change it in that file.
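To show what is inside such a service definition, here is an added example (not code from the original post) that extracts the ports from a service XML file and writes a custom service file instead of editing the packaged one; it assumes the standard `<port protocol="..." port="..."/>` element layout and uses a constructed copy of http.xml.

```shell
#!/bin/sh
# Added example, not from the original post: parse the ports a firewalld
# service XML opens, and create a custom service file instead of editing the
# packaged one. A copy in /etc/firewalld/services/ takes precedence over
# /usr/lib/firewalld/services/ and is not overwritten by package updates.
# Assumption: port definitions are <port protocol="..." port="..."/> elements.

# Print every port of a service XML as PORT/PROTO, one per line.
service_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r elem; do
        proto=$(printf '%s\n' "$elem" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$elem" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# Write DIR/NAME.xml opening PORT/PROTO; DIR is normally /etc/firewalld/services,
# and `firewall-cmd --reload` afterwards makes the new service name usable.
make_custom_service() {
    name=$1; port=$2; proto=$3; dir=$4
    [ -d "$dir" ] || return 1
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>Custom service $name on port $port/$proto</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Demo on a constructed copy shaped like the packaged http.xml, in a temp dir.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/http.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
EOF
    service_ports "$dir/http.xml"                   # -> 80/tcp
    make_custom_service http-alt 8080 tcp "$dir"
    service_ports "$dir/http-alt.xml"               # -> 8080/tcp
    rm -rf "$dir"
}

demo
```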
Direct Rules
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -s 172.25.15.10 -j REJECT
Adds a rule that denies the host 172.25.15.10 access to port 22 (ssh).
# firewall-cmd --direct --get-all-rules  (view all direct rules)
# firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 22 -s 172.25.15.10 -j REJECT  (removes the rule shown in the listing above)
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 ! -s 172.25.15.10 -j REJECT
Adds a rule that denies port 22 to every host except 172.25.15.10.
Rich Rules
Using rich rules:
# firewall-cmd --remove-service=ssh  (access to the ssh service is denied)
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.25.15.10" accept'
Allows all connections from the host 172.25.15.10.
# firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'  (ping prohibited)
Drops all ICMP packets.
Port forwarding (an external host reaches a private-network host through the gateway by port forwarding):
325: enable the address-translation (masquerade) function
326: forward access to port 80 of this machine to port 22 of the 172.25.15.10 host
Masquerading (the intranet accesses the public network through IP masquerading):
Setup: one single-NIC host, 172.25.15.10; one dual-NIC host acting as the gateway, 172.25.15.11 and 172.25.254.115.
On the dual-NIC host: # firewall-cmd --add-masquerade
# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.25.254.115 masquerade'
(the address is masqueraded as 254.115; the masquerade element is the action that makes the rule valid)
Afterwards the single-NIC host can ping the 172.25.254.0 network segment.
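The gateway setup of the two sections above, written as a re-runnable script. This is an added example, not code from the original post: it queries each setting before adding it, in both the runtime and the permanent configuration (settings added with --permanent only take effect after a reload, and runtime-only settings are lost on reload). FWCMD and ZONE are hypothetical knobs: FWCMD lets a stub stand in for firewall-cmd when testing without root, and the zone defaults to public as an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: apply the gateway setup above
# (masquerade, plus forwarding local port 80 to port 22 on 172.25.15.10) so
# that re-running it is safe: each setting is queried before it is added, in
# both the runtime and the permanent configuration. FWCMD and ZONE are
# hypothetical knobs: FWCMD lets a stub stand in for firewall-cmd when
# testing without root, and ZONE defaults to public as an assumption.
FWCMD=${FWCMD:-firewall-cmd}
ZONE=${ZONE:-public}

# Build the value for --add-forward-port: PORT/PROTO on this host -> TOADDR:TOPORT.
forward_spec() {
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$1" "$2" "$3" "$4"
}

# ensure OPTION [VALUE]: add --OPTION[=VALUE] in the zone if it is missing.
# firewall-cmd --query-* exits 0 when the setting already exists; runtime and
# permanent configuration are tracked separately, so both are checked.
ensure() {
    opt=$1
    if [ -n "${2:-}" ]; then opt="$opt=$2"; fi
    for perm in "" "--permanent"; do
        # $perm is empty on the runtime pass; unquoted, it expands to nothing.
        if ! "$FWCMD" $perm --zone="$ZONE" "--query-$opt" >/dev/null 2>&1; then
            "$FWCMD" $perm --zone="$ZONE" "--add-$opt"
        fi
    done
}

# The dual-NIC gateway from the post: masquerade outbound traffic and forward
# port 80 to ssh (22) on the single-NIC host 172.25.15.10.
apply_gateway() {
    ensure masquerade
    ensure forward-port "$(forward_spec 80 tcp 22 172.25.15.10)"
}

# Run as root on the gateway: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then apply_gateway; fi
```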
IPTABLES
# iptables -nL  (view the policy)
# iptables -t filter -nL  (view the policy of the filter table)
# iptables -t nat -nL  (view the policy of the nat table)
# iptables -F  (flush the policy, i.e. empty it)
# iptables-save > /etc/sysconfig/iptables  (save the modified policy)
How to write a policy:
Line 131: allow the host to connect to any port
Line 133: allow the lo loopback interface to connect to any port
Line 135: deny everything
Line 137: allow access to port 22
Line 139: delete rule 4 from INPUT
Line 141: insert a rule allowing access to port 22 as the third rule
Line 143: replace the third rule with one that denies access to port 22
Line 145: delete the third rule
The policy is evaluated from top to bottom, so order matters: if the third rule denies all access and the fourth allows access to port 22, port 22 still cannot be reached, because the deny rule matches first.
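A check for exactly this ordering mistake, added here as an example (not from the original post): it scans `iptables -S` output and reports rules that sit after a catch-all terminating rule in the same chain, so they can never match. The chain listing in demo() is constructed to reproduce the scenario above.

```shell
#!/bin/sh
# Added example, not from the original post: find rules that can never match
# because an earlier catch-all rule in the same chain already matches every
# packet, the ordering mistake described above. It reads `iptables -S`
# output (lines like "-A INPUT -p tcp --dport 22 -j ACCEPT"); the listing in
# demo() is constructed to reproduce the post's scenario. Real usage:
#   iptables -S INPUT | shadowed_rules

shadowed_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            n[chain]++
            # A catch-all has no match fields before a terminating target.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT") && !blocked[chain]) {
                blocked[chain] = n[chain]
                next
            }
            if (blocked[chain])
                printf "%s rule %d is shadowed by catch-all rule %d: %s\n", chain, n[chain], blocked[chain], $0
        }'
}

# Constructed chain in the order the post describes: rule 3 rejects everything,
# so the ACCEPT for port 22 at rule 4 is never reached.
demo() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -s 172.25.15.10/32 -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' | shadowed_rules
}

# Remedy: insert the ACCEPT before the catch-all (iptables -I INPUT 3 ...) or
# move the catch-all to the end, then re-run the check until it prints nothing.
demo
```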
© 2024 shulou.com SLNews company. All rights reserved.