Detail the advanced configuration of Firewalld in Linux

2025-02-21 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

IP masquerading and port forwarding

Firewalld supports two types of network address translation.

IP address masquerading (masquerade)
    Lets several hosts on a local network share one public address. Masquerading only supports IPv4, not IPv6. The external zone enables masquerading by default.

Port forwarding (forward-port)
    Also called destination address translation or port mapping. Traffic arriving at the specified IP address and port is forwarded to a different port on the same machine, or to a port on a different machine.

Address masquerading configuration

Add masquerading to the specified zone:

    firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]

    --timeout=seconds removes the masquerade setting again automatically after the given time.

Remove masquerading from the specified zone:

    firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Query whether masquerading is enabled in the specified zone:

    firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List port forwarding rules:

    firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a port forwarding rule:

    firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

Remove a port forwarding rule:

    firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query a port forwarding rule:

    firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Firewalld direct rules

Direct rules (the direct interface) let an administrator write iptables, ip6tables and ebtables rules by hand and insert them into the zones managed by Firewalld through the --direct option of firewall-cmd. Besides being inserted explicitly, direct rules take priority in matching.

Custom rule chains

Firewalld automatically creates custom rule chains for zones that have direct rules configured:

    IN_<zone>_deny   stores reject rules; this chain takes precedence over IN_<zone>_allow
    IN_<zone>_allow  stores accept rules for inbound traffic

Allow inbound TCP port 9000 in the work zone with an accept rule:

    firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

    IN_work_allow: the rule chain; matches the work zone
    0: the rule priority; 0 is the highest priority and places the rule at the front of the chain
    --permanent may be added to make the rule part of the permanent configuration

Query all direct rules:

    firewall-cmd --direct --get-all-rules
    ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

    --permanent may be added to view the permanent configuration instead.

Firewalld rich language

The rich language is an expressive configuration language: basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting can be expressed without knowing iptables syntax.

Rule syntax:

    rule [family="ipv4|ipv6"]
        [source address="address[/mask]" [invert="True"]]
        [destination address="address[/mask]" [invert="True"]]
        [element]
        [log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]]
        [audit]
        [accept|reject|drop]

Commands for handling rich language rules (common firewall-cmd options):

    --add-rich-rule='RULE'     Add RULE to the specified zone, or to the default zone if none is given.
    --remove-rich-rule='RULE'  Remove RULE from the specified zone, or from the default zone if none is given.
    --query-rich-rule='RULE'   Query whether RULE has been added to the specified zone, or to the default zone if none is given. Returns 0 if the rule exists, otherwise 1.
    --list-rich-rules          List all rich rules in the specified zone, or in the default zone if none is given.

Ways to display the configured rich rules:

    firewall-cmd --list-all
    firewall-cmd --list-all-zones
    firewall-cmd --list-rich-rules

Rich rule elements: source, destination, element (service, port, protocol, icmp-block, masquerade, forward-port), log, audit, accept | reject | drop.

Examples

Reject all traffic from 192.168.8.101:

    firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'

When the address option of source or destination is used, family=ipv4 or family=ipv6 must be given.

Accept TCP traffic on ports 8000-9000 from the 192.168.1.0/24 subnet in the work zone:

    firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

Drop all ICMP packets:

    firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

Accept HTTP traffic from 192.168.8.1 and log it:

    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/m" accept'

Access HTTP from 192.168.8.1 and observe /var/log/messages:

    Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
    Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
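The masquerade and port-forwarding commands from the first part of this article, put together into a small script. This is an added example and not code from the original article: the zone name "external", the port pair 2222 to 22 and the address 192.168.1.10 are assumptions. The forward-port value is validated before it reaches firewall-cmd, and masquerading is enabled in the same step because forwarding to another host (toaddr) only works while masquerading is on for that zone.

```shell
#!/bin/sh
# Added example for the masquerade and port-forwarding commands above; it is
# not code from the original article. The zone name "external", the port
# pair 2222 -> 22 and the address 192.168.1.10 are assumptions.

# build_forward_port PORT PROTO [TOPORT] [TOADDR]
# Validates the arguments and prints the value expected by --add-forward-port=,
# e.g. port=2222:proto=tcp:toport=22:toaddr=192.168.1.10
# PORT and TOPORT may be single ports or ranges such as 8000-9000.
build_forward_port() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    if ! printf '%s' "$port" | grep -Eq '^[0-9]+(-[0-9]+)?$'; then
        echo "bad port spec: $port" >&2; return 1
    fi
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "need at least one of toport or toaddr" >&2; return 1
    fi
    spec="port=${port}:proto=${proto}"
    [ -n "$toport" ] && spec="${spec}:toport=${toport}"
    [ -n "$toaddr" ] && spec="${spec}:toaddr=${toaddr}"
    printf '%s\n' "$spec"
}

# apply_nat ZONE FORWARD_SPEC
# Enables masquerading and adds the forward-port rule to the permanent
# configuration of ZONE, reloads, then queries both so the result is visible.
# Forwarding to another host (toaddr) only works while masquerading is
# enabled on the zone, which is why the two are configured together.
# Needs root on a host running firewalld; elsewhere (e.g. a workstation
# without firewall-cmd) the commands are printed instead of executed.
apply_nat() {
    zone=$1; fwd=$2
    run=""
    if ! command -v firewall-cmd >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        run="echo DRY-RUN:"
    fi
    $run firewall-cmd --permanent --zone="$zone" --add-masquerade
    $run firewall-cmd --permanent --zone="$zone" --add-forward-port="$fwd"
    $run firewall-cmd --reload
    $run firewall-cmd --zone="$zone" --query-masquerade
    $run firewall-cmd --zone="$zone" --query-forward-port="$fwd"
}

# Forward TCP 2222 on the external zone to port 22 on 192.168.1.10 (assumed).
spec=$(build_forward_port 2222 tcp 22 192.168.1.10) || exit 1
apply_nat external "$spec"
```

Run it as root on the firewall host; on any other machine it only prints the firewall-cmd invocations it would run, which is a convenient way to review a NAT change before applying it.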
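The kernel log lines shown above are what a rich rule with a log prefix produces. As an added example that is not part of the original article, the script below summarises such lines per source address and destination port and flags sources that exceed a threshold, which is the first thing a defender wants from this kind of logging. SAMPLE_LOG is constructed for the example in the format shown above; the 10.0.0.5 entries and the "NEW SSH" prefix are made up to show that other prefixes are filtered out.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise the kernel log
# lines that a rich rule with "log prefix=..." writes, such as the NEW HTTP
# rule above, so you can see which sources matched the rule and how often.
# SAMPLE_LOG is constructed for this example in the format shown above; the
# 10.0.0.5 entries and the "NEW SSH" prefix are made up for illustration.
SAMPLE_LOG='Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:10:02 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:10:07 Server kernel: NEW SSH IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0'

# count_by_src PREFIX   (log text on stdin)
# Prints "SRC DPT count" for every line logged under the given prefix,
# sorted by source address; lines logged under other prefixes are ignored.
count_by_src() {
    awk -v pfx="$1" '
        index($0, "kernel: " pfx " ") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") n[src " " dpt]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# over_threshold PREFIX THRESHOLD   (log text on stdin)
# Prints the source addresses that hit PREFIX more than THRESHOLD times.
# The rule's "limit value" caps how many lines are written per period, so
# these counts are a lower bound on the real number of connections.
over_threshold() {
    count_by_src "$1" | awk -v t="$2" '$3 > t { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | count_by_src "NEW HTTP"
printf '%s\n' "$SAMPLE_LOG" | over_threshold "NEW HTTP" 2
```

On a real host replace the sample with `grep 'NEW HTTP' /var/log/messages | count_by_src "NEW HTTP"`; because the rule's rate limit suppresses extra log lines, treat the counts as "at least this many" rather than an exact connection count.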
