Shulou (Shulou.com), 2025-02-28 update, from SLTechnology News&Howtos > Network Security, 06/01 Report
Firewalld (iptables)
One, firewalld (dynamic firewall daemon)
1. (key point) It is more intelligent than iptables: firewalld supports network "zones", which assign a level of trust to a network and to its associated connections and interfaces.
2. (key point, policy configuration) It provides an interface through which services or applications can add firewall rules directly. [This is where firewalld is smarter than iptables: you do not have to work out which of the five chains a policy belongs in; the system decides where and when your policy is applied.]
3. It supports Ethernet bridges and has separate runtime and permanent configuration options.
4. It supports both IPv4 and IPv6 firewall settings.
Two, file locations (the difference between firewalld and the iptables service)
1. firewalld
/usr/lib/firewalld/ and /etc/firewalld [these two directories contain the xml files in which the configuration is defined and stored]
2. iptables
/etc/sysconfig/iptables [the configuration is stored here]
Three, the difference between iptables and firewalld
1. Any change to the iptables service means flushing all old rules and then reading all rules again from /etc/sysconfig/iptables.
2. firewalld does not rebuild the whole rule set; it only applies the differences between the old and new rules. Therefore firewalld can change settings at runtime without dropping current connections.
Four, firewall structure (the upper-layer graphical tools and services are front ends that drive iptables commands; the bottom layer is netfilter in the kernel)
system-config-firewall -> iptables (service) -> iptables (command) -> kernel (netfilter)
firewall-config -> firewalld (daemon & service) -> iptables (command) -> kernel (netfilter)
firewall-cmd -> firewalld (daemon & service) -> iptables (command) -> kernel (netfilter)
Five, zones (9 predefined zones)
trusted: all network connections are accepted.
home: only ssh, mdns, ipp-client, samba-client or dhcpv6-client service connections are accepted.
internal: only ssh, mdns, ipp-client, samba-client or dhcpv6-client service connections are accepted.
work: for work areas; only ssh, ipp-client or dhcpv6-client service connections are accepted.
public: for use in public areas; only ssh or dhcpv6-client service connections are accepted.
external: outgoing IPv4 network connections are masqueraded and forwarded through this zone; only ssh service connections are accepted.
dmz: demilitarized zone; only ssh service connections are accepted.
block: all incoming network connections are rejected.
drop: any incoming packet is discarded without any reply.
Six, commands
# firewall-cmd --state [view the status of firewalld]
# firewall-cmd --get-active-zones [view the currently active zones, with the list of interfaces currently assigned to them]
# firewall-cmd --get-default-zone [view the default zone]
# firewall-cmd --get-zones [view all available zones]
# firewall-cmd --zone=public --list-all [list all settings of the specified zone; without --zone, the default zone is used]
# firewall-cmd --get-services [list all predefined services]
# firewall-cmd --list-all-zones [list the settings of all zones]
# firewall-cmd --set-default-zone=dmz [set the default zone]
# firewall-cmd --permanent --zone=internal --add-source=172.25.254.60/24 [bind a source address range to a zone]
(the --permanent option makes the setting permanent; it is written to the configuration files and reaches the running firewall only after --reload. If --zone is not specified, the setting is applied to the default zone)
# firewall-cmd --permanent --zone=internal --remove-source=172.25.254.60/24 [remove the source address range]
# firewall-cmd --permanent --zone=internal --add-interface=eth0 [add, change or remove the network interface eth0]
# firewall-cmd --permanent --zone=internal --change-interface=eth0
# firewall-cmd --permanent --zone=internal --remove-interface=eth0
# firewall-cmd --permanent --zone=internal --add-service=smtp [add or remove the mail service]
# firewall-cmd --permanent --zone=internal --remove-service=smtp
# firewall-cmd --zone=public --list-ports [list, add or remove ports]
# firewall-cmd --permanent --zone=public --add-port=8080/tcp
# firewall-cmd --permanent --zone=public --remove-port=8080/tcp
# firewall-cmd --reload [reload the configuration without interrupting service]
# firewall-cmd --complete-reload [complete reload; existing connections will be interrupted]
Firewalld rules are saved as files in the /etc/firewalld directory, and you can also edit these files directly to configure the firewall. The contents of the /usr/lib/firewalld directory must not be edited, but they can be used as default templates.
Seven, direct rules
1. With the firewall-cmd tool, the --direct option lets you add or remove chains and rules at runtime.
When modifying iptables policy this way you need to understand the meaning of the five chains. For people who are not familiar with iptables the direct interface is dangerous: a careless rule can break the firewall.
The direct interface is meant for services or programs that need to add specific firewall rules at runtime.
Rules added through the direct interface are applied before the zone rules.
Add a rule:
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j ACCEPT
Delete a rule:
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j ACCEPT
List rules:
# firewall-cmd --direct --get-all-rules
2. Rich rule command format (run as root)
(1) The command for adding a rule has the following format:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=seconds]
(this adds the rich rule 'rule' to the zone; the option can be given multiple times. If the zone is omitted, the default zone is used. If a timeout is given, the rule is active for the specified number of seconds and then removed automatically)
(2) Delete a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
(3) Check whether a rule exists:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
(checks whether the rich rule has been added to the zone; if it has, the command prints yes and exits with status 0, otherwise it prints no and exits with status 1. If the zone is omitted, the default zone is used)
(4) List all rich rules:
firewall-cmd --list-rich-rules
(5) Example rules:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.25.254.60" accept' [allow all connections from host 172.25.254.60]
firewall-cmd --add-rich-rule='rule service name=ftp limit value=2/s accept' [allow 2 new connections per second to the ftp service]
firewall-cmd --add-rich-rule='rule service name=ftp log limit value="1/m" audit accept' [accept new IPv4 and IPv6 connections to ftp and log once per minute using audit]
firewall-cmd --add-rich-rule='rule family="ipv4" source address="172.25.254.60/24" service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept' [allow new IPv4 connections from 172.25.254.60/24 to the ssh service and log at most three times per minute]
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop' [disable ping: discard all ICMP packets]
firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.25.254.6/24 reject' --timeout=10 [when an address is given with source or destination, the family parameter must specify ipv4 or ipv6. With a timeout, the rule is active for the specified number of seconds and then removed automatically]
firewall-cmd --add-rich-rule='rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject' --timeout=300 [deny all hosts in the 2001:db8::/64 subnet access to the dns service and audit at most once per hour]
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.6/24 service name=ftp accept' [allow 172.25.254.6/24 to access the ftp service on this host]
firewall-cmd --add-rich-rule='rule family="ipv6" source address="fe80::f8f8:5aff:fe6e:7bd0" forward-port to-addr="fe80::f8f8:5aff:fe6e:7bd1" protocol="tcp" port="4011" to-port="4012"' [forward TCP port 4011 from IPv6 address fe80::f8f8:5aff:fe6e:7bd0 to TCP port 4012 of fe80::f8f8:5aff:fe6e:7bd1]
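As an added example (not part of the original post), the following Python script parses rich rule strings of the form shown above and checks the constraints the text states: a rule needs family=ipv4 or ipv6 when source or destination carries an address, it must contain exactly one terminal action, and limit values must have the form N/s, N/m, N/h or N/d. The element and action names are the ones used in the examples above; running the check before firewall-cmd --add-rich-rule catches a typo offline.

```python
import re
import shlex

# Terminal elements of a rich rule (as used in the examples above): exactly one per rule.
ACTIONS = {"accept", "reject", "drop", "mark", "forward-port", "masquerade"}
# Elements that carry an address and therefore need the rule-level family.
ADDRESS_ELEMENTS = {"source", "destination"}
# limit value="N/unit" where unit is s, m, h or d (2/s, 1/m, 1/h above).
LIMIT_RE = re.compile(r"^\d+/[smhd]$")


def parse_rich_rule(rule: str):
    """Split a rich rule into (family, [(element, {attr: value}), ...])."""
    tokens = shlex.split(rule)  # shlex drops the double quotes around values
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule must start with the word 'rule'")
    family, elements = None, []
    for tok in tokens[1:]:
        if "=" not in tok:            # a bare word opens a new element
            elements.append((tok, {}))
        elif not elements:            # attributes before any element belong to 'rule'
            key, value = tok.split("=", 1)
            if key != "family":
                raise ValueError(f"unexpected rule attribute {key!r}")
            family = value
        else:                         # attribute of the most recent element
            key, value = tok.split("=", 1)
            elements[-1][1][key] = value
    return family, elements


def validate_rich_rule(rule: str) -> list:
    """Return a list of problems; an empty list means the rule passes the checks."""
    try:
        family, elements = parse_rich_rule(rule)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    names = [name for name, _ in elements]
    if family not in (None, "ipv4", "ipv6"):
        problems.append(f"family must be ipv4 or ipv6, not {family!r}")
    if family is None and ADDRESS_ELEMENTS & set(names):
        problems.append("source/destination address requires family=ipv4 or family=ipv6")
    actions = [n for n in names if n in ACTIONS]
    if len(actions) != 1:
        problems.append(f"expected exactly one action, found {actions}")
    for name, attrs in elements:
        if name == "limit" and not LIMIT_RE.match(attrs.get("value", "")):
            problems.append(f"limit value {attrs.get('value')!r} is not of the form N/s|m|h|d")
    return problems
```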
Eight, masquerading / port forwarding
(1) masquerading
# firewall-cmd --permanent --zone=<ZONE> --add-masquerade
# firewall-cmd --permanent --zone=<ZONE> --add-rich-rule='rule family=ipv4 source address=172.25.0.0/24 masquerade'
(2) forwarding
# firewall-cmd --permanent --zone=<ZONE> --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=172.25.254.6
# firewall-cmd --permanent --zone=<ZONE> --add-rich-rule='rule family=ipv4 source address=172.25.254.6/24 forward-port port=80 protocol=tcp to-port=8080'
(forwarding to another host with toaddr requires masquerading to be enabled in the zone)
Nine, managing SELinux port labels
List the port labels:
# semanage port -l
Add a port label:
# semanage port -a -t http_port_t -p tcp 82
Delete a port label:
# semanage port -d -t http_port_t -p tcp 82
Ten, rule tables
1. filter table - three chains: INPUT, FORWARD, OUTPUT
Function: packet filtering. Kernel module: iptable_filter
2. nat table - three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP address, port). Kernel module: iptable_nat
3. mangle table - five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modify the type of service, TTL and routing marks of packets to implement QoS. Kernel module: iptable_mangle (this table looks troublesome, but we hardly ever use it when writing policy)
4. raw table - two chains: OUTPUT, PREROUTING
Function: decide whether a packet is processed by the connection tracking mechanism. Kernel module: iptable_raw
(1) rule chains:
1. INPUT - inbound packets are matched against the policies in this chain
2. OUTPUT - outgoing packets are matched against the policies in this chain
3. FORWARD - packets being forwarded are matched against the policies in this chain
4. PREROUTING - the rules in this chain are applied before a packet is routed
(remember: all incoming packets are handled by this chain first)
5. POSTROUTING - the rules in this chain are applied after a packet is routed
(all outgoing packets are handled by this chain last)
(2) priority among the rule tables:
raw -> mangle -> nat -> filter
Priority between rule chains (three cases):
The first case: inbound traffic
A packet arriving at the firewall from outside is first processed by the PREROUTING chain (whether to rewrite the packet address, etc.) and then routed (to decide where the packet should go). If the packet's destination is the firewall host itself (for example an Internet user accessing the web server on the firewall host), the kernel passes it to the INPUT chain (to decide whether it is allowed through, etc.) and then hands it to the application on the system (such as the Apache server) to respond.
The second case: forwarded traffic
A packet arriving at the firewall from outside is first processed by the PREROUTING chain and then routed. If the packet's destination is another external address (for example a LAN user accessing the QQ site through the gateway), the kernel passes it to the FORWARD chain (to decide whether to forward or block it) and then to the POSTROUTING chain (whether to rewrite the packet address, etc.).
The third case: outbound traffic
A packet sent by the firewall host itself to an external address (for example when testing a public DNS server from the firewall host) is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to rewrite the packet address, etc.).
(3) diagram
                 +---------------------------------+
 PREROUTING  ->  |   INPUT    FORWARD    OUTPUT    |  ->  POSTROUTING
                 +---------------------------------+
                           Kernel Netfilter
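As an added example that is not from the original post, this Python model encodes the tables and chains from section Ten together with the three traffic cases just described, and expands each case into the ordered list of table:chain steps a packet crosses. cases_for_rule answers the question to ask before placing a --direct rule: which traffic cases ever evaluate a rule in a given table and chain. ROUTE is a constructed marker for the routing decision, not a netfilter chain.

```python
# Chains each table registers, as listed in section Ten.
TABLE_CHAINS = {
    "raw": {"PREROUTING", "OUTPUT"},
    "mangle": {"PREROUTING", "POSTROUTING", "INPUT", "OUTPUT", "FORWARD"},
    "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
}
# Priority between tables: raw is consulted first, filter last.
TABLE_PRIORITY = ["raw", "mangle", "nat", "filter"]
# The three traffic cases from the text; "ROUTE" is a constructed marker for
# the routing decision that sits between the chains.
CASES = {
    "inbound": ["PREROUTING", "ROUTE", "INPUT"],
    "forward": ["PREROUTING", "ROUTE", "FORWARD", "POSTROUTING"],
    "outbound": ["OUTPUT", "ROUTE", "POSTROUTING"],
}


def classify(origin: str, destination: str) -> str:
    """origin/destination are 'local' (the firewall host itself) or 'remote'."""
    if origin == "remote" and destination == "local":
        return "inbound"
    if origin == "remote" and destination == "remote":
        return "forward"
    if origin == "local" and destination == "remote":
        return "outbound"
    raise ValueError("local-to-local traffic is not one of the three cases")


def traversal(origin: str, destination: str) -> list:
    """Ordered 'table:CHAIN' steps the packet crosses, honouring table priority."""
    steps = []
    for chain in CASES[classify(origin, destination)]:
        if chain == "ROUTE":
            steps.append("ROUTE")
            continue
        # Within one hook, tables are consulted in priority order.
        steps += [f"{t}:{chain}" for t in TABLE_PRIORITY if chain in TABLE_CHAINS[t]]
    return steps


def cases_for_rule(table: str, chain: str) -> list:
    """Traffic cases that ever evaluate a rule in table/chain (e.g. 'filter', 'INPUT')."""
    if chain not in TABLE_CHAINS.get(table, ()):
        raise ValueError(f"table {table!r} has no chain {chain!r}")
    return [case for case, chains in CASES.items() if chain in chains]
```

For instance, cases_for_rule("nat", "OUTPUT") shows that a NAT rule in OUTPUT only ever sees traffic the firewall host generates itself.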