Article Directory
- 1. The relationship between firewalld and iptables
- 2. Firewall management tool switch
- 3. firewalld main directory information
- 5. firewalld domains (zones)
- 5. firewalld management commands
- 6. Advanced firewalld rules
- 7. SNAT in firewalld (intranet access to extranet)
- 8. DNAT in firewalld (external network access internal network)
1. The relationship between firewalld and iptables
Benefits of firewalld:
1) firewalld can modify a single rule dynamically; unlike iptables, the whole rule set does not have to be flushed and reloaded for a change to take effect.
2) firewalld is much friendlier to use than iptables: even without knowing the "five tables and five chains" or the details of the TCP/IP protocol suite, you can accomplish most tasks.
Note: firewalld does not filter packets itself; like iptables, it relies on the kernel's netfilter to do that. In other words, firewalld and iptables play the same role: both only maintain the rules, while the kernel's netfilter is what actually applies them. The two differ in structure and in how they are used.
2. Firewall management tool switch
2.1 firewalld switch to iptables
- Stop and mask firewalld
systemctl disable --now firewalld.service
systemctl mask firewalld.service
- Install and enable iptables
dnf install iptables-services.x86_64 -y
systemctl unmask iptables.service
systemctl enable --now iptables.service
2.2 Switch iptables to firewalld
- Stop and mask iptables
systemctl disable --now iptables.service
systemctl mask iptables.service
- Install and enable firewalld
dnf install firewalld -y #install firewalld (already installed by default on RHEL 8)
systemctl unmask firewalld.service
systemctl enable --now firewalld.service
3. firewalld main directory information
- Firewall configuration directory: /etc/firewalld
- Firewall module (default definitions) directory: /lib/firewalld
4. firewalld domains (zones)
trusted: accept all network connections
home: for home networks; accepts ssh, mdns, ipp-client, samba-client and dhcp-client
work: for work networks; accepts ssh, ipp-client and dhcp-client
public: for public networks; accepts ssh and dhcp-client
dmz: demilitarized zone (DMZ); accepts ssh only
block: reject all incoming connections
drop: drop all incoming packets without any reply
internal: for internal networks; accepts ssh, mdns, ipp-client, samba-client and dhcp-client
external: IPv4 address masquerading and forwarding enabled; accepts sshd
5. firewalld management commands
--permanent: writes the rule to the permanent configuration, where it takes effect only after firewall-cmd --reload. Without it, the change applies to the runtime configuration immediately but is lost on reload.
- View the firewall status, the zones, and the policy of a given zone
View the firewall status
firewall-cmd --state
View the zones currently active in the firewall
firewall-cmd --get-active-zones
View the default zone
firewall-cmd --get-default-zone
View the firewall policy of the default zone
firewall-cmd --list-all
View the firewall policy of a given zone
firewall-cmd --list-all --zone=<zone>
- Set the default zone, list services, remove a service
Set the default zone (permanent, takes effect immediately)
firewall-cmd --set-default-zone=<zone>
List all services that can be configured
firewall-cmd --get-services
Remove a service (runtime only; lost after reload)
firewall-cmd --remove-service=dns
- Set the data source (source address) of a given zone
Make traffic from a given source use a given zone
firewall-cmd --permanent --add-source=<IP address>/24 --zone=<zone>
firewall-cmd --reload
Remove a source from a given zone
firewall-cmd --permanent --remove-source=<IP address>/24 --zone=<zone>
firewall-cmd --reload
- Set the network interface of a given zone
Add a network interface to a given zone
firewall-cmd --permanent --add-interface=<interface> --zone=<zone>
firewall-cmd --reload
Remove a network interface from a given zone
firewall-cmd --permanent --remove-interface=<interface> --zone=<zone>
firewall-cmd --reload
Move a network interface to a given zone
firewall-cmd --permanent --change-interface=<interface> --zone=<zone>
firewall-cmd --reload
6. Advanced firewalld rules
- View advanced rules
firewall-cmd --direct --get-all-rules
- Permanently add and delete advanced rules
# The rule syntax is the same as in iptables
Permanently add an advanced rule
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.27 -p tcp --dport 22 -j REJECT
Permanently delete an advanced rule
firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -s 172.25.254.27 -p tcp --dport 22 -j REJECT
- Refresh rules
firewall-cmd --reload
6.1 Examples of advanced rules
firewalld host: node1: 192.168.43.101
Test host: node2: 192.168.43.111
Before the experiment: node2 can log in to node1 over ssh normally.
Add the advanced rule above with node2's address as the source (-s): node2 can no longer log in to node1.
Delete the advanced rule: node2 can log in to node1 again.
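The section 6.1 procedure as a script, added here as an example (it is not code from the original post). The fw, valid_ipv4, block_ssh_from and unblock_ssh_from functions and the DRY_RUN switch are my own names; the direct rule itself has the same shape as the one in section 6.

```shell
#!/bin/sh
# Added example, not from the original post: the section 6.1 procedure as a
# script. Blocks SSH (TCP/22) from one source address with a permanent direct
# rule, reloads, and verifies the rule is active; a second function removes it.
# With DRY_RUN=1 the firewall-cmd invocations are printed instead of executed.

fw() {
    # Run firewall-cmd, or echo the command line when DRY_RUN is set.
    if [ -n "$DRY_RUN" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

valid_ipv4() {
    # Accept dotted-quad addresses only, so a typo cannot become a broken rule.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

ssh_reject_rule() {
    # Direct-rule arguments: filter table, INPUT chain, priority 1, reject TCP/22
    # from the given source (same shape as the rule in section 6).
    echo "ipv4 filter INPUT 1 -s $1 -p tcp --dport 22 -j REJECT"
}

block_ssh_from() {
    valid_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    # Word splitting of the rule string into separate arguments is intended.
    fw --permanent --direct --add-rule $(ssh_reject_rule "$1")
    fw --reload
    # --query-rule exits 0 only when the rule is present in the runtime set.
    fw --direct --query-rule $(ssh_reject_rule "$1")
}

unblock_ssh_from() {
    valid_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    fw --permanent --direct --remove-rule $(ssh_reject_rule "$1")
    fw --reload
}

# Lab values from section 6.1 (node2 must not reach node1 over SSH):
#   block_ssh_from 192.168.43.111
#   unblock_ssh_from 192.168.43.111
```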
7. SNAT in firewalld (intranet access to extranet)
Lab environment
- Dual-NIC host (router), node1: 192.168.43.101 and 1.1.1.101
- Single-NIC host (intranet), node2: 1.1.1.111 (its gateway is the router's address on the 1.1.1.0 segment, 1.1.1.101)
- Single-NIC host (external network), node3: 192.168.43.121
7.1 Router side
Enable IP address masquerading (usually enabled by default)
firewall-cmd --permanent --add-masquerade #turn on IP address masquerading
firewall-cmd --reload #refresh the rules
7.2 Client side
The intranet host node2 can now access the external host node3.
On node3, the login appears to come from node1's address (192.168.43.101) even though the host that actually logged in is node2: the router rewrote node2's source address.
8. DNAT in firewalld (external network access internal network)
Lab environment
- Dual-NIC host (router), node1: 192.168.43.101 and 1.1.1.101
- Single-NIC host (intranet), node2: 1.1.1.111 (its gateway is the router's address on the 1.1.1.0 segment, 1.1.1.101)
- Single-NIC host (external network), node3: 192.168.43.121
8.1 Router side
firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=1.1.1.111:toport=22 #connections to port 22 of this host are forwarded to port 22 of the intranet host 1.1.1.111
firewall-cmd --reload #refresh the rules
8.2 Client side
From node3, log in to node1 (the router) over ssh: the session actually lands on node2.
On node2, the logged-in user appears to come from node1, but the real client is node3.
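The router-side steps of sections 7 (SNAT) and 8 (DNAT) as one script, added here as an example (it is not code from the original post). The fw, valid_ipv4, enable_snat and forward_port functions and the DRY_RUN switch are my own names; it assumes the rules belong to the default zone, as the page's commands do, and checks that masquerading is on before adding the forward rather than assuming section 7 was done.

```shell
#!/bin/sh
# Added example, not from the original post: the router-side steps of sections
# 7 (SNAT) and 8 (DNAT) as one script. enable_snat turns on masquerading on the
# default zone; forward_port adds the TCP port forward to the intranet host and
# first confirms masquerading is already active (section 7 enabled it on the
# same router). With DRY_RUN=1 the firewall-cmd calls are printed, not run.

fw() {
    # Run firewall-cmd, or echo the command line when DRY_RUN is set.
    if [ -n "$DRY_RUN" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

valid_ipv4() {
    # Accept dotted-quad addresses only.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

enable_snat() {
    # Permanent rule plus reload: survives a restart and is active right away.
    fw --permanent --add-masquerade
    fw --reload
    # Exit status 0 means masquerading is active in the runtime configuration.
    fw --query-masquerade
}

# forward_port <public port> <intranet IP> [intranet port, defaults to public port]
forward_port() {
    port=$1; target=$2; toport=${3:-$1}
    valid_ipv4 "$target" || { echo "bad IPv4 address: $target" >&2; return 1; }
    fw --query-masquerade >/dev/null \
        || { echo "masquerade is off; run enable_snat first" >&2; return 1; }
    spec="port=$port:proto=tcp:toaddr=$target:toport=$toport"
    fw --permanent --add-forward-port="$spec"
    fw --reload
    # Verify the forward is present in the runtime set after the reload.
    fw --query-forward-port="$spec"
}

# Lab values from section 8: ssh to the router (192.168.43.101) lands on 1.1.1.111.
#   enable_snat
#   forward_port 22 1.1.1.111
```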