I. Introduction firewall
In linux firewall strategy is based on netfilter implementation. netfilter kernel firewall architecture, enabling security policies in many functions such as packet filtering, packet processing, masquerading, transparent proxy, Dynamic Network address translation (Network Address Translation, NAT), and a control based on a user and media access filtration filter (Media Access Control, MAC) address and a state-based, packet rate limiting.
IPTABLES is integrated with the Linux kernel IP packet filtering system. If the Linux system is connected to the Internet or LAN, and the Internet server or LAN connection proxy server, the system facilitates better control of the IP packet filter on the Linux system and firewall configuration.
netfilter / iptables IP packet filtering system consists of two components netfilter and iptables composition.
netfilter components are also called kernel space (kernelspace), is part of the kernel, the number of packet filtering tables, these tables contain the core to control the packet filtering rule sets processing.
iptables component is a tool, also referred to as user space (the userspace), which allows to insert, modify, and remove rules in the packet filter table becomes easy.
Second, the firewall and switch management tools
There are two firewall management tool in linux: firewalld and iptables
default in rhel8 is firewalld, if you need to download using iptables
dnf search iptables
dnf install iptables-services.x86_64 -y
There is a firewall management tools only in the system, first put firewalld fully closed before all to use iptables
systemctl stop firewalld.service #关闭火墙
systemctl disable firewalld.service #设置开机不启动
systemctl mask firewalld.service #冻结火墙
Three, iptables use
View: iptables -L
Refresh: iptables -F
log file policy for the / etc / sysconfig / iptables
by default iptables -Lsituation View below
but in view of the default content service iptables restart before they can be seen, because the policy is stored in the policy document
refresh to change the policy file can be saved after the restart to refresh, so the iptables policy saved permanently to use the following command:
service iptables save
iptables-save > /etc/sysconfig/iptables
Four, iptables three in Table V chain
The default policy pentachain
| input | Entry |
|---|---|
| output | Export |
| forward | Forwarded |
| postrouting | After converting the source address generating SNAT route |
| prerouting | Conversion will occur before the destination address routing DNAT |
The default policy three tables
| filter | After the native kernel data (input, output, forward) |
|---|---|
| nat | Without kernel data (postrouting, prerouting, output, input) |
| missing | Additional tables, used when the filter is not enough and nat table, including the five chain |
Use the 5, iptables command
5.1 In the filter table
Strategies to view the table
by default, the test host can communicate between the host and, by default, all hosts can access this host
refused access to all hosts
deletion policy
will be changed to DROP action
only allow 192.168.0.12 this host data access
test
only allows access to host data port 22 of the host 12, that can not communicate (ping nowhere) but you can use ssh connection
test
to change the rules
to change the default policy, the default policy can only be changed to ACCEPT or DROP
tests
add a new the chain
change chain name
deleted chain
a small example: an existing host 192.168.0.11, only allows access to other hosts dns and apache services, other visits are not possible, configure iptables to achieve
iptables -A INPUT -i lo -j ACCEPT #将本地回环接口的访问打开
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # 将apache服务的80端口打开
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #将apache服务的443端口打开
iptables -A INPUT -p tcp --dport 53 -j ACCEPT #将dns服务的53端口打开
iptables -A INPUT -j REJECT #其他的所有情况都拒绝
The above-described arrangement configuration requirements can be achieved, but because the firewall is a top-down strategy read, particularly when the strategy is a data packet to each of the investigation will be carried out from the policy, the result is a long delay, so you need to state data packet plus the time allocation strategy that effectively reduce the time delay, greatly improving the efficiency of access
packet common state
| RELATED | Connection has been established |
|---|---|
| ESTABLISHED | Establishing Connection |
| NEW | The new data packet access |
Connection has been established, and packet connection being established can perform actions ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT
In addition to 22 ports can not access the 192.168.0.12 host, other hosts can be
tested: 12 hosts
in the 10 host
summary, the following common parameters iptables
| -t | Specify the table name (filter (default), nat, mangle) |
|---|---|
| -n | Is not resolved |
| -L | View |
| -A | Add Policy |
| -p | Designated agreement |
| -Dport | Destination port |
| -s | source |
| -j | Specify actions ACCEPT, DROP, REJECT, SNAT, DNAT |
| -N | New Chain |
| -X | Delete chain |
| -E | Change the name chain |
| -D | Delete Rule |
| -I | Insertion rules |
| -R | Changing the rules |
| -P | Change the default rule (ACCEPT, DROP) |
5.2 nat table
A first host configured for dual card host
test machine 1 and the gateway ip
test host ip of 2
test machine 1 and 2 in two different segments, default communication is not
disposed in a dual NIC host firewall policy: ens160 card data out from the mouth will translate the source address 192.168.0.11
test
to see which hosts the test even his host 2 host, display is dual-NIC host ip
want to connect the test host 1 host 2 in the test also need to configure dual-NIC host strategy: coming from the host ens160 card destination address data have changed (ip test host 1) 172.25.254.12
Six, firewalld enabled and firewalld domain
6.1 firewalld open iptables tool needs to be shut down
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl unmask firewalld
systemctl start firewalld
firewalld domain and service included by default as follows
| Domain Type | Allows connection service |
|---|---|
| trusted | Accept all network connections |
| home | Home network, ssh, mdns, ipp-client, samba-client, dhcp-client |
| work | Work Network, ssh, ipp-client, dhcp-client |
| public | Public network, ssh, dhcp-client |
| dmz | Military-grade network, ssh |
| block | Reject all |
| drop | Discard all data will be discarded without any reply |
| internal | Intranet, and home network allows the same service |
| external | ipv4 network address masquerading forward ssh |
Firewall configuration directory / etc / firewalld
firewall module directory / usr / lib / firewalld, which has allowed the definition and description of the firewall services
6.2 firewalld management command
About the domain management command
firewall-cmd --state #查看火墙状态
firewall-cmd --get-active-zones #查看生效的域
firewall-cmd --get-default-zone #查看默认域
firewall-cmd --liat-all #查看默认域中的详细火墙信息
firewall-cmd --list-all --zone=work #查看指定域(work)中的详细火墙信息
firewall-cmd --set-default-zone=drop #设定默认域
When set to the default domain to drop, it did not respond when connecting a host
on service management command
to view all services that can be set
firewall-cmd --get-service
Allowed to view the default domain firewall information
Removes the specified service
firewall-cmd --remove-service=http
firewall-cmd --reload #刷新
Specifies the data source to access the specified domain
firewall-cmd --permanent --add-source=192.168.0.11 --zone=block #指定从192.168.0.11中来的数据访问block域
Test ping11 host unreasonable in the host
delete data sources to access the specified domain
firewall-cmd --permanent --remove-source=192.168.0.11 --zone=block
Change the network interface to the specified domain
firewall-cmd --permanent --change-interface=ens160 --zone=block
Delete the specified network interface
firewall-cmd --permanent --remove-interface=ens160 --zone=block
Adds the specified network interface
firewall-cmd --permanent --add-interface=ens160 --zone=drop
The advanced rule 6.3 firewalld
The method is similar to using the iptables command to specify the chain specified in the table to add firewall policy
to see all of the direct rule
will host firewall dual-NIC in the ssh service to remove, add new direct rule
host 192 can not connect network segments
6.3 firewalld of NAT
1, the source address forwarding (SNAT)
firewall-cmd --permanent --add-masquerade #打开地址伪装功能
firewall-cmd --reload
In 172.25.254.30 host ping192.25.254.12 successfully host
1, the destination address forwarding (DNAT)
firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=172.25.254.30
Test: Connect dual-NIC host ip192.168.0.11 in the host 192.168.0.12 actually connect to the larger of the host 172.25.254.30
