Updated 2025-02-21. From: SLTechnology News & Howtos > Servers
Shulou (Shulou.com) 06/03 Report
Blog catalogue:
I. firewalld advanced configuration
1. NAT supported by firewalld
2. IP address masquerading
3. Port forwarding
II. firewall-cmd advanced configuration
1. Understanding direct rules in firewalld
2. Using the rich language
3. Rich rule commands
4. Rich rule configuration examples
I. firewalld advanced configuration
1. NAT supported by firewalld
firewalld supports two types of NAT:
IP address masquerading
Port forwarding
2. IP address masquerading
Address masquerading: a NAT device forwards packets that pass through it to the intended receiver while rewriting the source address of each packet to the address of its own outbound interface. When the reply arrives, the destination address is rewritten back to the address of the original host and the packet is routed to it. Masquerading lets many hosts on a LAN share a single public address to reach the Internet, much like port address translation (PAT) in NAT technology. IP address masquerading supports IPv4 only, not IPv6.
3. Port forwarding
Port forwarding, also called destination address translation or port mapping, forwards traffic arriving at a specified IP address and port to a different port on the same machine or to a port on another machine. Typically the servers on a company intranet use private addresses, and port forwarding publishes them to the public network so that Internet users can reach them. (For example, when an HTTP request arrives from an Internet user, the gateway server checks the packet's destination address and destination port; once a rule matches, the destination address is rewritten to the real intranet server address and a valid connection is established.)
II. firewall-cmd advanced configuration
1. Understanding direct rules in firewalld
firewalld provides a "direct interface" (direct port) that lets administrators write iptables, ip6tables and ebtables rules by hand into the zones managed by firewalld. It is intended for applications rather than users. If you are not familiar with iptables, using the direct interface is not recommended, because a mistake can inadvertently break the firewall. firewalld keeps track of the items that are added, so it can also be queried to discover changes made by programs using the direct interface. The direct interface is used through the --direct option of firewall-cmd. Unless a direct rule is explicitly inserted into a zone managed by firewalld, direct rules are evaluated first and the other firewalld rules afterwards.
Execute the following commands to add direct rules that blacklist an IP range (create the chain, jump to it from PREROUTING in the raw table, log at most once a minute, then drop):
[root@centos01 ~]# firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
success
[root@centos01 ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.10.0 -j blacklist
success
[root@centos01 ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted"
success
[root@centos01 ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP
success
Note that a source given without a prefix length, as above, matches only that single address; to match a whole range, append the prefix length (for example /24). Because the rules are added with --permanent, run firewall-cmd --reload to activate them in the runtime configuration.
2. Using the rich language
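As an added example (not part of the original post), the following script checks the ordering invariant behind the blacklist chain above: every LOG rule must carry a lower priority number than every DROP rule, otherwise hits are dropped without being logged. It assumes the line format of firewall-cmd --direct --get-all-rules (family, table, chain, priority, then the iptables arguments) and runs on a constructed sample, so no live firewalld is needed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a direct-rule
# blacklist chain logs before it drops. Direct rules within a chain are
# ordered by the integer priority after the chain name, so a DROP with a
# lower priority number than the LOG would silently hide every hit.
# Assumed input format: lines from `firewall-cmd --direct --get-all-rules`,
# i.e. "family table chain priority <iptables args>".

# Constructed sample mirroring the blacklist rules shown in the post,
# with a /24 prefix so the whole range is matched.
SAMPLE_RULES='ipv4 raw PREROUTING 0 -s 192.168.10.0/24 -j blacklist
ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix blacklisted
ipv4 raw blacklist 1 -j DROP'

# log_before_drop CHAIN: reads rule lines on stdin. Returns 0 when CHAIN has
# at least one LOG and one DROP rule and every LOG priority is lower than
# every DROP priority; returns 1 otherwise (including a chain without LOG).
log_before_drop() {
    chain=$1; max_log=; min_drop=
    while read -r family table ch prio rest; do
        [ "$ch" = "$chain" ] || continue
        case " $rest " in
            *" -j LOG "*)  [ -z "$max_log" ] || [ "$prio" -gt "$max_log" ] && max_log=$prio ;;
            *" -j DROP "*) [ -z "$min_drop" ] || [ "$prio" -lt "$min_drop" ] && min_drop=$prio ;;
        esac
    done
    [ -n "$max_log" ] && [ -n "$min_drop" ] && [ "$max_log" -lt "$min_drop" ]
}

# Stand-alone run: audit the live firewall if firewall-cmd exists, else the sample.
if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --direct --get-all-rules | log_before_drop blacklist
else
    printf '%s\n' "$SAMPLE_RULES" | log_before_drop blacklist
fi
[ $? -eq 0 ] && echo "blacklist chain logs before dropping" \
             || echo "WARNING: blacklist chain drops before logging (or lacks LOG/DROP)"
```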
firewalld's rich language is a mechanism for configuring complex IPv4 and IPv6 firewall rules through a high-level language without knowing iptables syntax. It gives administrators an expressive language in which custom rules not covered by firewalld's basic syntax can be written (for example, allowing connections to a service only from a single IP address rather than from every address routed through a zone).
Rich rules can express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting. The basic syntax of a rich rule is explained component by component in the rich rule command section below.
Each element of the rule can take additional parameters in the form option=value.
1) Rule ordering
Once multiple rules are added to a zone (or to the firewall as a whole), the order of the rules strongly affects the firewall's behaviour. The basic ordering of rules within a zone is the same for all zones. If no rule in the zone matches a packet, the packet is normally rejected, but a zone may have a different default (for example, the trusted zone accepts any packet that matches no rule). In addition, after a logging rule matches, the packet continues to be processed normally.
Direct rules are the exception. Most direct rules are evaluated first and only then are the firewalld rules processed, but the direct rule syntax lets administrators insert any rule anywhere in any zone.
2) Testing and debugging
To ease testing and debugging, almost all rules can be added to the runtime configuration with a timeout. When a rule with a timeout is added to the firewall, a timer starts counting down for that rule, and once it reaches 0 seconds the rule is removed from the runtime configuration.
Timeouts are extremely useful when working on a remote firewall, especially when testing more complex rule sets. If the rule works, the administrator can add it again; if it does not behave as expected and might even lock the administrator out of the system, it is removed automatically and the administrator can keep working. A timeout is added to a runtime rule by appending the --timeout option to the end of the firewall-cmd command that enables the rule.
3. Rich rule commands
firewall-cmd has four options for handling rich rules, all of which can be combined with the usual --permanent or --zone= options:
--add-rich-rule='RULE'    # adds RULE to the specified zone; the default zone if none is specified
--remove-rich-rule='RULE' # removes RULE from the specified zone; the default zone if none is specified
--query-rich-rule='RULE'  # queries whether RULE has been added to the specified zone (the default zone if none is specified); returns 0 if the rule exists, otherwise 1
--list-rich-rules         # lists all rich rules of the specified zone; the default zone if none is specified
Any configured rich rules are also shown in the output of firewall-cmd --list-all and firewall-cmd --list-all-zones. The syntax is explained as follows:
Source: restricts the source address; it can be an IPv4 or IPv6 address or a network range
Destination: restricts the destination address, using the same syntax as the source address
Element: the feature matched by the rule; only one of the following types may be used: service, port, protocol, icmp-block, masquerade and forward-port
① service: the service name is one of the services provided by firewalld. To list the supported services, run firewall-cmd --get-services. If a service defines a destination address that conflicts with the destination address in the rule, an error results. Format: service name=service_name
② port: a single port number or a port range such as 5060-5062; the protocol is tcp or udp. Format: port port=number_or_range protocol=protocol
③ protocol: a protocol ID number or protocol name; the available protocols are listed in /etc/protocols. Format: protocol value=protocol_name_or_ID
④ icmp-block: blocks one or more ICMP types. To list the supported ICMP types, run firewall-cmd --get-icmptypes. Format: icmp-block name=icmptype_name
⑤ masquerade: enables IP masquerading in the rule. A source address and a destination address can be given to limit masquerading to a range
⑥ forward-port: forwards packets of the given TCP or UDP protocol to another port on this machine, to another machine, or to another port on another machine. port and to-port can be a single port number or a port range; the destination address is a plain IP address. Format: forward-port port=number_or_range protocol=protocol to-port=number_or_range to-addr=address
Log: logs new connection requests matching the rule with the kernel log, for example via syslog. A prefix text can be defined that is prepended to the log message. The log level can be one of emerg, alert, crit, error, warning, notice, info or debug. Logging is optional and can be rate-limited as follows: log [prefix=text] [level=log_level] limit value=rate/duration. The units of duration are s, m, h and d: s stands for seconds, m for minutes, h for hours and d for days. The maximum limit is 1/d (at most one log entry per day)
Audit: the audit type can be accept, reject or drop, but it is not given after the audit keyword because it is taken automatically from the rule's action. Audit has no parameters of its own, but a limit can optionally be added. Audit is optional
accept | reject | drop: the action, one of accept, reject or drop. Format: accept | reject | drop. When reject is specified the connection is rejected and the initiator receives a rejection message; when drop is specified all packets are discarded and nothing is sent back to the initiator.
4. Rich rule configuration examples:
1) Allow new IPv4 and IPv6 connections for the Authentication Header protocol (AH):
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule protocol value=ah accept'
success
2) Allow new IPv4 and IPv6 connections to FTP, log them once per minute and record them with audit:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule service name=ftp log limit value=1/m audit accept'
success
3) Allow IPv4 connections to TFTP from the 192.168.0.0/24 range and log them to syslog once per minute:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
success
4) Reject all new IPv6 connections from 1:2:3:4:6:: to the RADIUS protocol, logging with prefix "dns" and level "info" at most 3 times per minute. Accept new IPv6 connections to RADIUS from all other initiators:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject'
success
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule family="ipv6" service name="radius" accept'
success
5) Add the source address 192.168.2.2 to the whitelist, allowing all connections from it:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.2" accept'
success
6) Deny all traffic from IP address 192.168.0.11 in the public zone:
[root@centos01 ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
success
7) Drop all incoming IPsec ESP protocol packets from anywhere in the default zone:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule protocol value="esp" drop'
success
8) In the dmz zone, accept all TCP packets on ports 7900-7905 from the 192.168.1.0/24 subnet:
[root@centos01 ~]# firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
success
9) Accept new connections to SSH in the work zone and log them to syslog at the notice level, at most three messages per minute:
[root@centos01 ~]# firewall-cmd --zone=work --add-rich-rule='rule service name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept'
success
10) For the next 5 minutes, reject new connections to DNS from the 192.168.2.0/24 subnet in the default zone; rejected connections are logged to the audit system at most once per hour:
[root@centos01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 service name=dns audit limit value="1/h" reject' --timeout=300
success
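As an added example (not from the original post), this script ties the rich rule commands together with the timeout approach from the testing and debugging section: it validates the limit value, composes a rich rule, adds it to the runtime configuration with --timeout, confirms it with --query-rich-rule, and only then offers a function to make it permanent. FIREWALL_CMD is an assumed override hook so the logic can be exercised without firewalld; the firewall-cmd options themselves are the ones described above. The stand-alone run is adapted from example 10, logging to syslog instead of audit.

```shell
#!/bin/sh
# Added example, not from the original post: compose a rich rule, validate
# its rate limit, roll it out with a timeout and verify it before committing.
# FIREWALL_CMD is an assumed override hook so the logic can be exercised
# without a live firewalld; it defaults to the real firewall-cmd binary.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# A rich-rule limit is rate/duration with duration in s, m, h or d.
# Returns 0 when VALUE matches that grammar with a positive rate, else 1.
validate_limit() {
    case "$1" in
        */s|*/m|*/h|*/d) [ "${1%/*}" -gt 0 ] 2>/dev/null ;;
        *) return 1 ;;
    esac
}

# build_rich_rule FAMILY SOURCE SERVICE LIMIT ACTION: prints the rule in the
# syntax described in the post (the log prefix is set to the service name).
build_rich_rule() {
    validate_limit "$4" || { echo "invalid limit: $4" >&2; return 1; }
    printf 'rule family="%s" source address="%s" service name="%s" log prefix="%s" level="info" limit value="%s" %s' \
        "$1" "$2" "$3" "$3" "$4" "$5"
}

# try_rule ZONE RULE SECONDS: add RULE to the runtime configuration only, with
# a timeout so a mistake removes itself, then confirm it is present with
# --query-rich-rule (exit status 0 = present, 1 = absent).
try_rule() {
    "$FIREWALL_CMD" --zone="$1" --add-rich-rule="$2" --timeout="$3" >/dev/null || return 1
    "$FIREWALL_CMD" --zone="$1" --query-rich-rule="$2" >/dev/null
}

# commit_rule ZONE RULE: once the timed rule proved harmless, store it in the
# permanent configuration and reload so the runtime picks it up.
commit_rule() {
    "$FIREWALL_CMD" --permanent --zone="$1" --add-rich-rule="$2" >/dev/null &&
        "$FIREWALL_CMD" --reload >/dev/null
}

# Stand-alone run (only where firewall-cmd exists): reject DNS from the
# 192.168.2.0/24 subnet in the public zone for five minutes, logging at most
# once an hour, and leave the commit decision to the administrator.
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    rule=$(build_rich_rule ipv4 192.168.2.0/24 dns 1/h reject) || exit 1
    try_rule public "$rule" 300 && echo "runtime rule active for 300 s: $rule"
fi
```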
The next blog will configure firewalld firewall address masquerading and port forwarding cases.