Linux firewall


Outline

  • Firewall basics
  • Management interfaces
    graphical interface: firewall-config
    command-line tool: firewall-cmd
  • iptables command
    four tables and five chains
    packet forwarding and NAT (SNAT, DNAT)

firewalld

  • A dynamic firewall management tool; network connections and interfaces are assigned security levels through network zones
  • Supports IPv4 and IPv6 firewall settings and Ethernet bridges
  • Provides an interface through which services or applications can add firewall rules directly
  • Has two configuration modes
    runtime configuration (temporary; lost when firewalld restarts)
    permanent configuration

DMZ (demilitarized zone)

Back-to-back firewall (dual-firewall mode)
Hardware firewall

The firewall works at layer 4 (the transport layer)
and can also act at layer 2 (the data link layer).

Traffic scrubbing, honeypot
Security Knight (anti-trojan), Green Net (filters sensitive content), Cloud Shield

The relationship between firewalld and iptables


netfilter is the packet-filtering framework located in the Linux kernel;
it is called the kernel-mode part of the Linux firewall.
firewalld/iptables are the default tools for managing firewall rules in CentOS 7;
they are called the user-mode part of the Linux firewall.


The difference between firewalld and iptables

                     firewalld                                iptables
Configuration files  /usr/lib/firewalld/, /etc/firewalld/     /etc/sysconfig/iptables
Rule changes         no need to refresh all policies;         all policies are refreshed;
                     current connections are kept             connections are lost
Firewall type        dynamic firewall                         static firewall

firewalld network zone

Zone introduction
Zones are like security gates into the host; each zone imposes different restrictions.
One or more zones can be active at a time, but every active zone must be associated with at least one source address or interface.
By default, public is the default zone and contains all interfaces (network cards).

firewalld data processing flow

1. The source address of the packet is checked first.
2. If the source address is associated with a specific zone, the rules of that zone are applied.
3. If the source address is not associated with a zone, the zone of the incoming network interface is used and its rules are applied.
4. If the network interface is not associated with a zone either, the default zone is used and its rules are applied.

Runtime configuration

Takes effect immediately and lasts until firewalld is restarted or the configuration is reloaded.
Existing connections are not interrupted.
Service definitions cannot be modified.

Permanent configuration

Does not take effect immediately; it is applied only when firewalld restarts or the configuration is reloaded.
Existing connections are interrupted.
Service definitions can be modified.

firewall-config graphical tool


Configuration files used by firewall-config and firewall-cmd:
/etc/firewalld/: user-defined configuration files; copy them from /usr/lib/firewalld/ when needed. Configuration here takes priority, and if a file is missing here the one in /usr/lib/firewalld/ is used.
/usr/lib/firewalld/: default configuration files; modifying them is not recommended. To restore the default configuration, delete the corresponding files under /etc/firewalld/.

Runtime configuration / permanent configuration

Reload the firewall so that changes to the permanent configuration take effect

Associate the network card to the designated area

Modify the default area

Connection Status

"Zone" tab
"Service" sub-tab

"Port" sub-tab

"Protocol" sub-tab

"Source Port" sub-tab

"Masquerading" sub-tab

"Port Forwarding" sub-tab

"ICMP filter" tab

"Service" tab
"Module" subtab

"Destination Address" sub-tab

Experiment

Lab environment

Requirement description
Forbid host to ping server
Only allow 192.168.20.20 host to access ssh service
Allow all hosts to access Apache service

Analysis

block: block zone
dmz: demilitarized zone, between the high-security and low-security networks
drop: drop zone
external: external zone
home: home zone
internal: internal zone
public: public zone
trusted: trusted zone
work: work zone

Experimental steps

  • Network parameter configuration
    [root@localname ~]# ifconfig ens33

[root@localname ~]# systemctl status firewalld.service

  • Open the firewalld graphical tool
    [root@localname ~]# firewall-config //Run the firewall graphical management tool

  • Configure the work area

  • Configure the public area

  • Verify
    [root@localhost ~]# yum install httpd -y
    [root@localhost ~]# systemctl start httpd
    then test access from the second virtual machine (192.168.20.20)
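The three requirements of the experiment, done with firewall-cmd instead of firewall-config, as an added example that is not part of the original post. It assumes ens33 is the interface in the public zone and that 192.168.20.20 is the only host allowed to use SSH; that host is bound to the work zone by source address, so, following the data processing flow described above, it matches the work rules before the interface's public zone. Rules are written as permanent and then reloaded so they survive a firewalld restart.

```shell
#!/bin/sh
# Added example: firewall-cmd equivalent of the GUI experiment.
# Assumptions: interface ens33 sits in the public zone; the one host that may
# use SSH is 192.168.20.20 and is placed in the work zone by source address.
TRUSTED_HOST="192.168.20.20"
IFACE="ens33"

# Print the rule set as firewall-cmd invocations, one per line.
# Source-bound zone (work) is matched before the interface zone (public),
# so 192.168.20.20 gets the work rules and every other host gets public.
plan_rules() {
    cat <<EOF
firewall-cmd --permanent --zone=public --change-interface=$IFACE
firewall-cmd --permanent --zone=work --add-source=$TRUSTED_HOST
firewall-cmd --permanent --zone=work --add-service=ssh
firewall-cmd --permanent --zone=work --add-service=http
firewall-cmd --permanent --zone=work --add-icmp-block=echo-request
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-icmp-block=echo-request
firewall-cmd --reload
EOF
}

# Count planned commands matching a pattern; used to check that both zones
# block ping (echo-request), both allow http, and only work keeps ssh.
count_rules() {
    plan_rules | grep -c -- "$1"
}

# Apply only when explicitly requested (needs root and a running firewalld);
# otherwise print the plan so it can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then
    plan_rules | while IFS= read -r cmd; do $cmd; done
else
    plan_rules
fi
```

Run it from the 192.168.20.20 host or the local console: once public loses the ssh service, SSH from any other address is refused after the reload.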


firewall-cmd

Start, stop, and view firewalld service
When CentOS 7 is installed, firewalld and the graphical tool firewall-config are installed automatically. Execute the
following commands to start firewalld and set it to start at boot.
[root@localhost ~]# systemctl start firewalld //Start firewalld
[root@localhost ~]# systemctl enable firewalld //Set firewalld to start automatically after booting
View firewalld running status
[root@localhost ~]# systemctl status firewalld
● firewalld.service -firewalld-dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Friday 2020-07-31 08:32:05 CST; 6h ago
Docs: man:firewalld(1)
Main PID: 8762 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─8762 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

7月 31 08:32:05 localname systemd[1]: Starting firewalld - dynamic firewall daemon…
7月 31 08:32:05 localname systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]# firewall-cmd --state
running

Disable firewalld
[root@localhost ~]# systemctl stop firewalld //Stop firewalld
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# systemctl disable firewalld //Set firewalld to not start automatically when booting
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Obtaining predefined information
The predefined information available from firewall-cmd falls into three types: available zones, available services, and available ICMP block types.
Zone
[root@localhost ~]# firewall-cmd --get-zones //Display the predefined zones
block dmz drop external home internal public trusted work
Service
[root@localhost ~]# firewall-cmd --get-services //Display the predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
View ICMP type
[root@localhost ~]# firewall-cmd --get-icmptypes //Display predefined ICMP types
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

The meanings of the various blocking types in the execution result of the firewall-cmd --get-icmptypes command are as follows.
  • destination-unreachable: the destination address is unreachable.
  • echo-reply: echo reply (pong).
  • parameter-problem: parameter problem.
  • redirect: redirect.
  • router-advertisement: router advertisement.
  • router-solicitation: router solicitation.
  • source-quench: source quench.
  • time-exceeded: time exceeded (timeout).
  • timestamp-reply: timestamp reply.
  • timestamp-request: timestamp request.

Zone management
Show the default zone                            firewall-cmd --get-default-zone
Set the default zone                             firewall-cmd --set-default-zone=<zone>
Show all active zones                            firewall-cmd --get-active-zones
Show the zone bound to the specified interface   firewall-cmd --get-zone-of-interface=<interface>
Bind an interface to the specified zone          firewall-cmd --zone=<zone> --add-interface=<interface>
Change the zone of the specified interface       firewall-cmd --zone=<zone> --change-interface=<interface>
Remove an interface from the specified zone      firewall-cmd --zone=<zone> --remove-interface=<interface>
Show all zones and their rules                   firewall-cmd --list-all-zones
Show all rules of the specified zone             firewall-cmd --zone=<zone> --list-all

Display the default area in the current system.
[root@localhost ~]# firewall-cmd --get-default-zone
public
Display all rules of the default zone
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Show the zone corresponding to network interface ens33
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public
Change the zone corresponding to the network interface ens33 to the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to ‘internal’.
success
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
ens33
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal

Show all active zones
[root@localhost ~]# firewall-cmd --get-active-zones
internal
interfaces: ens33

Service Management
Show all services allowed in the specified zone         firewall-cmd [--zone=<zone>] --list-services
Allow a service in the specified zone                   firewall-cmd [--zone=<zone>] --add-service=<service>
Remove an allowed service from the specified zone       firewall-cmd [--zone=<zone>] --remove-service=<service>
Show all ports allowed in the specified zone            firewall-cmd [--zone=<zone>] --list-ports
Add a port to the specified zone                        firewall-cmd [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>
Remove a port from the specified zone                   firewall-cmd [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>
Show all ICMP types blocked in the specified zone       firewall-cmd [--zone=<zone>] --list-icmp-blocks
Block an ICMP type in the specified zone                firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Unblock an ICMP type in the specified zone              firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>

Set the allowed services for the default zone
[root@localhost ~]# firewall-cmd --list-services //Display all the services allowed to be accessed in the default zone
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'internal' (see --get-active-zones)
You most likely need to use --zone=internal option.

ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --add-service=http //Set the default zone to allow access to the http service
You’re performing an operation over default zone (‘public’),
but your connections/interfaces are in zone ‘internal’ (see --get-active-zones)
You most likely need to use --zone=internal option.

success
[root@localhost ~]# firewall-cmd --add-service=https //Set the default zone to allow access to the https service
You’re performing an operation over default zone (‘public’),
but your connections/interfaces are in zone ‘internal’ (see --get-active-zones)
You most likely need to use --zone=internal option.

success
[root@localhost ~]# firewall-cmd --list-services
You’re performing an operation over default zone (‘public’),
but your connections/interfaces are in zone ‘internal’ (see --get-active-zones)
You most likely need to use --zone=internal option.

ssh dhcpv6-client http https

Set the allowed services for the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql //Set the internal zone to allow access to the mysql service
success
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client //Remove the samba-client service from the internal zone
success
[root@localhost ~]# firewall-cmd --zone=internal --list-services //Display all services allowed in the internal zone
ssh mdns dhcpv6-client mysql

Port Management
When configuring services, predefined network services can be referenced by service name, and the ports the service uses are opened automatically. For services that are not predefined, the ports must be added manually to the specified zone.
Open port 443/tcp in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
Disable port 443/tcp access in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success

Two configuration modes: runtime mode and permanent mode
  • firewall-cmd --reload: reloads the firewall rules while keeping state information, that is, the permanent configuration is applied as the runtime configuration.
  • firewall-cmd --permanent: commands with this option set permanent rules. These rules take effect only when firewalld is restarted or the firewall rules are reloaded; without this option, the command sets a runtime rule.
  • firewall-cmd --runtime-to-permanent: writes the current runtime configuration to the rule configuration files, making it permanent.

Origin blog.csdn.net/weixin_46355881/article/details/107716474