Firewalld Advanced configuration

2025-02-21 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This section covers the two types of network address translation Firewalld supports, and:

(1) the configuration syntax of direct rules

(2) the configuration syntax of rich language rules

IP masquerading and port forwarding

Firewalld supports two types of network address translation: IP address masquerading and port forwarding.

IP address masquerading

Its main features are as follows:

(1) multiple addresses on the local area network can share a single public network address.

(2) IP address masquerading only supports IPv4, not IPv6.

(3) address masquerading is enabled by default in the external zone.

Port forwarding

(1) also known as destination address translation or port mapping

(2) with port forwarding, traffic to the specified IP address and port is forwarded to a different port on the same computer, or to a port on a different computer.
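As an added example that is not part of the original page, the following shell helper builds the port=...:proto=...[:toport=...][:toaddr=...] specification that firewall-cmd's --add-forward-port and --query-forward-port options take, validates it, and adds the permanent rule only when it is not already present (enabling masquerading first when the target is another host). The FWCMD variable is an assumption so the firewall-cmd call can be pointed at a stub when testing.

```shell
#!/bin/sh
# Added example, not from the original page: manage firewalld port forwarding
# idempotently. FWCMD is an assumed variable so the firewall-cmd call can be
# redirected to a stub; on a real host leave it unset.
FWCMD="${FWCMD:-firewall-cmd}"

# valid_port PORT|LOW-HIGH: succeed only for 1-65535 or an increasing range.
valid_port() {
    case "$1" in *[!0-9-]*|''|-*|*-) return 1 ;; esac
    low="${1%%-*}"; high="${1##*-}"
    [ "$low" -ge 1 ] && [ "$low" -le 65535 ] || return 1
    [ "$high" -ge "$low" ] && [ "$high" -le 65535 ]
}

# forward_spec PORT PROTO [TOPORT] [TOADDR]: print the
# port=...:proto=...[:toport=...][:toaddr=...] string that the
# --add-forward-port, --remove-forward-port and --query-forward-port options take.
forward_spec() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    case "$2" in tcp|udp|sctp|dccp) ;; *) echo "bad proto: $2" >&2; return 1 ;; esac
    spec="port=$1:proto=$2"
    if [ -n "$3" ]; then
        valid_port "$3" || { echo "bad toport: $3" >&2; return 1; }
        spec="$spec:toport=$3"
    fi
    [ -n "$4" ] && spec="$spec:toaddr=$4"
    echo "$spec"
}

# ensure_forward_port ZONE PORT PROTO [TOPORT] [TOADDR]: add the permanent rule
# only when --query-forward-port reports it absent, so re-running the script
# does not produce ALREADY_ENABLED warnings. Forwarding to another host
# (toaddr) only works with masquerading enabled in the zone, so ensure that too.
ensure_forward_port() {
    zone="$1"; shift
    spec=$(forward_spec "$@") || return 1
    if [ -n "$4" ] && ! "$FWCMD" --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        "$FWCMD" --permanent --zone="$zone" --add-masquerade || return 1
    fi
    if "$FWCMD" --permanent --zone="$zone" --query-forward-port="$spec" >/dev/null 2>&1; then
        echo "present: $spec"
    else
        "$FWCMD" --permanent --zone="$zone" --add-forward-port="$spec" || return 1
        echo "added: $spec"
    fi
}
# Permanent rules take effect after: firewall-cmd --reload
```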

Address masquerading configuration

Add address masquerading to the specified zone:
  firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]

--timeout=seconds: automatically removes the setting after the given number of seconds

Remove address masquerading from the specified zone:
  firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Query whether address masquerading is enabled in the specified zone:
  firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List the port forwarding rules:
  firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a port forwarding rule:
  firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

Remove a port forwarding rule:
  firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query a port forwarding rule:
  firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Firewalld direct rules

(1) allow administrators to insert manually written iptables, ip6tables and ebtables rules into the zones managed by Firewalld.

(2) configured through the --direct option of the firewall-cmd command.

(3) unless an explicit insertion mode is used, direct rules are matched first.

Custom rule chains

(1) Firewalld automatically creates custom rule chains for the zones in which rules are configured.

(2) IN_<zone name>_deny: stores the reject statements; it takes precedence over the rules in IN_<zone name>_allow.

(3) IN_<zone name>_allow: stores the allow statements.

Allow inbound traffic on TCP port 9000:
  firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

(1) IN_work_allow: the rule chain that matches the work zone

(2) 0: the priority; 0 is the highest and places the rule in front of the others.

(3) add the --permanent option for a permanent configuration

Query all direct rules:
  firewall-cmd --direct --get-all-rules
  ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

Add the --permanent option to view the permanent configuration.

Firewalld rich language rules

Rich language

(1) an expressive configuration language that does not require knowledge of iptables syntax

(2) used to express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting.

General form of a rule:
  rule [family="ipv4|ipv6"]
    [source address="address[/mask]" [invert="True"]]
    [destination address="address[/mask]" [invert="True"]]
    [element]
    [log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]]
    [audit]
    [accept | reject | drop]

Common options of the firewall-cmd command for handling rich language rules:

--add-rich-rule='RULE': adds RULE to the specified zone; if no zone is specified, the default zone is used
--remove-rich-rule='RULE': removes RULE from the specified zone; if no zone is specified, the default zone is used
--query-rich-rule='RULE': queries whether RULE has been added to the specified zone (the default zone if none is specified); returns 0 if the rule exists, otherwise 1
--list-rich-rules: outputs all rich rules of the specified zone; if no zone is specified, the default zone is used

Displaying the configured rich language rules:

(1) firewall-cmd --list-all

(2) firewall-cmd --list-all-zones

(3) firewall-cmd --list-rich-rules

Specific syntax of rich language rules

Source, destination, element, service, port, protocol, icmp-block, masquerade, forward-port, log, audit, accept | reject | drop

Deny all traffic from 192.168.8.101:
  firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'
  ## when the address option is used with source or destination, family=ipv4|ipv6 must be specified

Accept TCP traffic on ports 8000-9000 from the 192.168.1.0/24 subnet in the work zone:
  firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

Drop all ICMP packets:
  firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

Accept HTTP traffic from 192.168.8.1 and log it:
  firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'

Access HTTP from 192.168.8.1 and observe /var/log/messages:

Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
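As an added example, not from the original page, the following shell function turns the kernel log lines that a rich rule's log action writes (the format shown above) into a per-source summary, so the logging rule becomes a quick way to see who is hitting the service and whether the log limit is being reached. The sample log is constructed from the lines above plus a second client and an unrelated message.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the kernel log lines a
# rich rule's "log prefix=..." action writes to /var/log/messages.

# rich_log_summary PREFIX < logfile
# For every line carrying PREFIX, print "SRC DPT total peak_per_second",
# most active source first. A peak equal to the rule's log limit (3/s in the
# rule above) is a sign that logging is being rate-limited and undercounts.
rich_log_summary() {
    awk -v p="$1" '
        index($0, p) == 0 { next }          # not produced by this rich rule
        {
            ts = $1 " " $2 " " $3            # syslog timestamp, second resolution
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            key = src " " dpt
            total[key]++
            persec[key, ts]++
            if (persec[key, ts] > peak[key]) peak[key] = persec[key, ts]
        }
        END { for (k in total) print k, total[k], peak[k] }
    ' | sort -k3,3nr -k1,1
}

# Constructed sample: the three lines shown above, two from a second client
# at different seconds, and one unrelated kernel message.
SAMPLE_LOG='Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:10:02 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.50 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31001 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:10:03 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.50 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31002 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:10:05 Server kernel: ens33: link becomes ready'

# On a real host: rich_log_summary "NEW HTTP" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | rich_log_summary "NEW HTTP"
```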
