
Details the use of Firewalld advanced configuration in Linux

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

IP masquerading and port forwarding

Firewalld supports two types of network address translation:

IP address masquerading (masquerade)

Lets multiple hosts in a local network share a single public IP address (source NAT). Masquerading only works for IPv4; it cannot be enabled for IPv6 traffic, not even in the external zone, where masquerading is turned on by default.

Port forwarding (forward-port)

Also known as destination address translation or port mapping. Traffic arriving on a specified port (and protocol) is forwarded to a different port on the same host, or to a port on another host.

Masquerade configuration

Enable masquerading in the specified zone (the default zone if --zone is omitted):

firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]

--timeout=seconds removes the setting again after the given number of seconds. It applies to the runtime configuration only and cannot be combined with --permanent.

Disable masquerading in the specified zone:

firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Query whether masquerading is enabled in the specified zone (prints yes or no; exit status 0 if enabled, 1 otherwise):

firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List the port forwarding rules of a zone:

firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a port forwarding rule:

firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

port is the port or port range to match, proto is tcp, udp, sctp or dccp, toport is the destination port or range and toaddr is the destination host; at least one of toport and toaddr must be given. Forwarding to another host (toaddr) also needs masquerading enabled in the same zone, otherwise the target's reply packets are not translated back to the original client and the connection never completes.

Remove a port forwarding rule:

firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query whether a port forwarding rule exists:

firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
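As an added example (not part of the original article), the following shell script wraps the masquerade and forward-port commands above: fwd_spec assembles the port=...:proto=... argument from its parts, add_forward prints (or, with DRY_RUN=0, runs) the matching firewall-cmd call, and audit_forwards reads the output of --list-forward-ports and flags rules that forward to another host while masquerading is off in the zone. The function names, the DRY_RUN switch and the rule list in the usage comment are assumptions for illustration; firewall-cmd itself is only executed when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the article. Helpers around firewalld port forwarding:
# fwd_spec builds the --add-forward-port argument, add_forward applies it
# (dry-run by default), fwd_field parses one key out of a spec line, and
# audit_forwards flags forwards to another host when masquerading is off.
set -u

# Build port=PORT:proto=PROTO[:toport=TOPORT][:toaddr=TOADDR].
# Arguments: PORT PROTO [TOPORT] [TOADDR]; at least one of TOPORT/TOADDR is needed.
fwd_spec() {
  local port="$1" proto="$2" toport="${3:-}" toaddr="${4:-}" spec
  case "$proto" in
    tcp|udp|sctp|dccp) ;;
    *) echo "fwd_spec: unsupported protocol '$proto'" >&2; return 1 ;;
  esac
  if [ -z "$toport" ] && [ -z "$toaddr" ]; then
    echo "fwd_spec: need toport and/or toaddr" >&2; return 1
  fi
  spec="port=$port:proto=$proto"
  [ -n "$toport" ] && spec="$spec:toport=$toport"
  [ -n "$toaddr" ] && spec="$spec:toaddr=$toaddr"
  printf '%s\n' "$spec"
}

# Print (DRY_RUN=1, the default) or run (DRY_RUN=0) the firewall-cmd call
# that adds a permanent forward-port rule to ZONE and reloads the firewall.
add_forward() {
  local zone="$1" spec
  shift
  spec=$(fwd_spec "$@") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'firewall-cmd --permanent --zone=%s --add-forward-port=%s\n' "$zone" "$spec"
  else
    firewall-cmd --permanent --zone="$zone" --add-forward-port="$spec" && firewall-cmd --reload
  fi
}

# Extract KEY (port|proto|toport|toaddr) from one spec line; exit 1 if absent.
fwd_field() {
  local spec="$1" key="$2" kv
  local IFS=':'
  for kv in $spec; do
    case "$kv" in
      "$key="*) printf '%s\n' "${kv#*=}"; return 0 ;;
    esac
  done
  return 1
}

# Read `firewall-cmd --zone=ZONE --list-forward-ports` output on stdin.
# MASQ is the yes/no printed by --query-masquerade for the same zone. Every
# rule that uses toaddr while MASQ is "no" is reported: firewalld needs
# masquerading in the zone for forwarding to another host, otherwise the
# target's replies are not translated back and the connection never completes.
audit_forwards() {
  local masq="$1" line toaddr
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    toaddr=$(fwd_field "$line" toaddr) || continue   # same-host forward, fine
    if [ "$masq" != yes ]; then
      printf 'NEEDS MASQUERADE: port %s -> %s\n' "$(fwd_field "$line" port)" "$toaddr"
    fi
  done
}

# Usage (constructed rule list, not read from a real host):
#   printf 'port=8080:proto=tcp:toport=80\nport=2222:proto=tcp:toport=22:toaddr=10.0.0.5\n' \
#     | audit_forwards "$(firewall-cmd --zone=external --query-masquerade)"
#   add_forward external 2222 tcp 22 10.0.0.5      # dry run: prints the command
```

On a live system the two audit inputs come from `firewall-cmd --zone=ZONE --list-forward-ports` and `firewall-cmd --zone=ZONE --query-masquerade`; run the audit against the permanent configuration as well (add --permanent to both), since the runtime and permanent rule sets can differ until the next reload.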

Firewalld direct rules

Direct rules (direct interface)

Let an administrator insert hand-written iptables, ip6tables and ebtables rules into the zones managed by firewalld through the --direct option of firewall-cmd. Direct rules are placed in chains that are consulted before the zone chains, so they take priority over the zone configuration.

Custom rule chains

Firewalld automatically creates custom chains for every zone that has rules configured:

IN_<zone>_deny: holds the reject and drop rules; it is evaluated before IN_<zone>_allow, so a deny entry wins over a matching allow entry.
IN_<zone>_allow: holds the accept rules.

Allow inbound traffic to TCP port 9000:

firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

IN_work_allow is the allow chain of the work zone. The 0 is the priority: rules are ordered by priority, 0 is the highest, so the rule is placed in front of the others. Add the --permanent option to make the rule part of the permanent configuration.

Query all direct rules:

firewall-cmd --direct --get-all-rules
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

Add the --permanent option to view the permanent configuration instead of the runtime one.

Firewalld rich language rules

Rich language (rich language)

An expressive configuration language that does not require knowledge of iptables syntax.

It is used to express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting.

rule [family="ipv4|ipv6"]
    [ source address="address[/mask]" [invert="True"] ]
    [ destination address="address[/mask]" [invert="True"] ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ accept | reject | drop ]

Understanding rich language rule commands

Common firewall-cmd options for handling rich language rules (the default zone is used whenever no zone is specified):

--add-rich-rule='RULE'     adds RULE to the specified zone
--remove-rich-rule='RULE'  removes RULE from the specified zone
--query-rich-rule='RULE'   queries whether RULE has been added to the specified zone; exit status 0 if it exists, 1 otherwise
--list-rich-rules          lists all rich rules of the specified zone

Displaying the configured rich language rules:

firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --list-rich-rules

Elements of the rich language syntax:

source, destination, element (service, port, protocol, icmp-block, masquerade, forward-port), log, audit, accept | reject | drop

Reject all traffic from 192.168.8.101:

firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'

Whenever source or destination is used with an address, family=ipv4 or family=ipv6 must be given.

Accept TCP traffic from the 192.168.1.0/24 subnet to ports 8000-9000:

firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

Drop all ICMP packets:

firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

Accept HTTP traffic from 192.168.8.1 and log it:

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'

The limit of 3/s caps only the number of log entries, not the accepted traffic. Without --permanent this rule lives in the runtime configuration only and disappears on the next firewall-cmd --reload or service restart.

Access HTTP from 192.168.8.1 and observe /var/log/messages:

Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
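As an added example (not part of the original article), the script below turns kernel log lines of the kind shown above into something actionable: count_sources tallies "NEW HTTP" entries per source address, block_rule builds the family=ipv4 reject rich rule the article uses (refusing anything that is not an IPv4 address, since family=ipv4 is mandatory with a source address), and propose_blocks prints the firewall-cmd call for every source above a threshold. Nothing is applied; the output is meant to be reviewed first. SAMPLE_LOG is a constructed log modelled on the article's output (with one unrelated sshd line mixed in), and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Tallies the "NEW HTTP" kernel log lines
# produced by the logging rich rule and, for sources above a threshold, prints
# the firewall-cmd call that would reject them with a rich rule (print only).
set -u

# Constructed sample of /var/log/messages, modelled on the article's output.
SAMPLE_LOG='Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:56 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.7 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31001 DF PROTO=TCP SPT=40022 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:56 Server sshd[1234]: Accepted publickey for admin from 192.168.8.9 port 51022 ssh2'

# Tally kernel log entries carrying PREFIX by source address. Reads syslog
# lines on stdin, prints "COUNT SRC" per source, highest count first.
count_sources() {
  local prefix="$1"
  awk -v pfx="$prefix" '
    index($0, "kernel: " pfx " ") {
      src = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
      if (src != "") n[src]++
    }
    END { for (s in n) print n[s], s }
  ' | sort -rn
}

# Rich rule rejecting one IPv4 host. family=ipv4 is mandatory whenever a
# source address is given, so anything that is not a dotted quad is refused.
block_rule() {
  local src="$1"
  case "$src" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s' "$src" | tr -cd . | wc -c | tr -d ' ')" -eq 3 ] || return 1
  printf 'rule family=ipv4 source address=%s/32 reject\n' "$src"
}

# Read syslog lines on stdin; for every source with more than THRESHOLD
# entries under PREFIX print the command that would block it in ZONE.
propose_blocks() {
  local prefix="$1" threshold="$2" zone="$3" src rule
  count_sources "$prefix" | awk -v t="$threshold" '$1 > t { print $2 }' |
  while IFS= read -r src; do
    rule=$(block_rule "$src") || { echo "skipping non-IPv4 source $src" >&2; continue; }
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
  done
}

# Usage with the constructed sample. On a real host feed it
# `grep 'NEW HTTP' /var/log/messages`, review the output, then run it.
printf '%s\n' "$SAMPLE_LOG" | propose_blocks 'NEW HTTP' 2 work
```

Because the logging rule above is rate limited to 3/s, the counts are a lower bound on the real request rate; raise the limit while investigating if exact numbers matter, and remember that a reject rich rule added with --permanent only becomes active after firewall-cmd --reload.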

That is the whole content of this article; I hope it is helpful to your study.
