Java development operation and maintenance (summary of firewall and port opening usage in a Linux environment)

1. Problem background:

After development of a web project is finished, it has to be deployed to the production environment. At that point the IPs and ports used by our application need to be configured: for example, which clients are allowed to reach the application and which are not, and the application's port has to be opened so that it can be accessed. In practice this work is usually handled by operations or network engineers. As a developer you still need to understand the principles, and ideally be able to use the tools yourself; otherwise communicating with network engineers is quite difficult.

 

2. Firewall introduction:

  1. When a packet arrives at the network card it first enters the PREROUTING chain, where the kernel decides from the packet's destination IP whether it needs to be forwarded.
  2. If the packet is addressed to this machine, it moves down the diagram to the INPUT chain; once it passes the INPUT chain, the local process it is destined for receives it. Processes running on this machine can also send packets; those pass through the OUTPUT chain and then leave through the POSTROUTING chain.
  3. If the packet is to be forwarded and the kernel allows forwarding, it moves to the right as shown in the figure, passes through the FORWARD chain, and then leaves through the POSTROUTING chain.

 

So packets that have just entered from the network interface have not yet been routed, and it is not yet known where they will go, which is why filtering cannot be done only at the entry and exit points. Checkpoints are needed in kernel space for forwarding, for packets entering user space, and for packets leaving user space.

Firewall:

 

In RHEL 7, the firewalld firewall replaces the iptables firewall. Readers who learned Linux earlier or studied RHEL 6 will naturally resist when they find that what they mastered no longer applies in RHEL 7 and that they must learn firewalld from scratch. In fact, neither iptables nor firewalld is a real firewall; both are firewall management tools used to define firewall policies, i.e. they are just services. The iptables service hands the configured policy to the netfilter packet filter in the kernel, while the firewalld service hands the configured policy to the nftables packet filtering framework in the kernel. In other words, Linux currently has several firewall management tools whose purpose is to make it convenient for operations staff to manage firewall policies; you only need to configure one of them properly. Although each tool has its advantages and disadvantages, they are consistent in how firewall policies are expressed. You do not even need to master everything in this chapter: pick one of these tools and learn it thoroughly, and that is enough for daily work.

Iptables:

iptables is a tool for managing the firewall; it is a static firewall. We write filtering rules into the kernel through iptables, and then netfilter filters packets according to those rules. So iptables manages the firewall by calling netfilter and does not itself filter packets. The iptables program is located at /sbin/iptables and its configuration file at /etc/sysconfig/iptables. Before RHEL 7, the firewall used iptables.

iptables has the same 5 rule chains as netfilter, plus 4 rule tables. A rule table's job is to hold the various rule chains; the tables are divided according to the role of the firewall rules. The most commonly used of the four tables is the filter table, and the most commonly used chains are INPUT and OUTPUT.

 

3. Firewall and port usage:

View firewall status

firewall-cmd --state

 Turn on the firewall:

systemctl start firewalld.service

Open the specified port:

firewall-cmd --zone=public --add-port=8080/tcp --permanent

Output of success means the command succeeded.
--zone=public: the zone (scope) is public
--add-port=8080/tcp: add TCP port 8080
--permanent: the rule persists; without this parameter it only lasts for the current run of the service and is lost after a restart.

restart firewall

systemctl restart firewalld.service

reload firewall

firewall-cmd --reload

Check open ports

firewall-cmd --list-ports

Close the specified port

# Close the specified port
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
systemctl restart firewalld.service
firewall-cmd --reload
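After opening and closing ports it is worth checking that the zone exposes exactly what the application needs and nothing else. The following added example (not from the original post) compares an expected port list with the space-separated output format of firewall-cmd --list-ports and prints the remove/add command for each difference; the sample list is constructed here so the script runs without firewalld.

```shell
#!/bin/sh
# Added example: detect drift between the ports an application should expose
# and the ports firewalld actually has open in the public zone.
# ACTUAL is the space-separated text that `firewall-cmd --zone=public --list-ports`
# prints, e.g. "8080/tcp 5672/tcp".

# check_ports EXPECTED ACTUAL
# Prints one line per port that is open but not expected (should be removed)
# and one per port that is expected but not open (should be added).
# Returns 0 when both lists match, 1 when there is drift.
check_ports() {
    expected=$1
    actual=$2
    rc=0
    for p in $actual; do
        case " $expected " in
            *" $p "*) ;;
            *) echo "UNEXPECTED open port: $p -> firewall-cmd --zone=public --remove-port=$p --permanent"; rc=1 ;;
        esac
    done
    for p in $expected; do
        case " $actual " in
            *" $p "*) ;;
            *) echo "MISSING port: $p -> firewall-cmd --zone=public --add-port=$p --permanent"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use (assumes firewalld is installed):
#   check_ports "8080/tcp" "$(firewall-cmd --zone=public --list-ports)"
# Constructed sample standing in for the live command output:
SAMPLE_LIST_PORTS="8080/tcp 5672/tcp 22/tcp"
if check_ports "8080/tcp 443/tcp" "$SAMPLE_LIST_PORTS"; then
    echo "firewall matches the expected ports"
else
    echo "drift detected; run firewall-cmd --reload after fixing"
fi
```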

Check port usage

# Find out which process is using a port
netstat -lnpt |grep 5672
# CentOS 7 does not ship the netstat command by default; install the net-tools package:
# install net-tools
yum install -y net-tools

Temporarily turn off the firewall

# Temporarily turn off the firewall
systemctl stop firewalld.service
# or
systemctl stop firewalld

Permanently turn off the firewall

# Permanently turn off the firewall (stop the firewall first, then run this command to disable it permanently)
systemctl disable firewalld.service
# or
systemctl disable firewalld

Test whether the port can connect

telnet  ip  port

4. Some uses of iptables:

CentOS6

1. Check the firewall status: service iptables status or /etc/init.d/iptables status

2. Start/stop/restart the firewall: service iptables start/stop/restart

3. Check whether the firewall is started at boot: chkconfig iptables --list

4. Set the firewall to start automatically or not: chkconfig iptables on/off

CentOS7

1. View the firewall status: systemctl status firewalld

2. Start/stop/restart the firewall: systemctl start/stop/restart firewalld.service

3. Set the firewall to start automatically or not: systemctl enable/disable firewalld.service

4. Open the port: firewall-cmd --zone=public --add-port=80/tcp --permanent

1. Basic operation

# View firewall status

service iptables status  

# stop firewall

service iptables stop  

# start the firewall

service iptables start  

# restart firewall

service iptables restart  

# Permanently disable the firewall

chkconfig iptables off  

# restart after permanent shutdown

chkconfig iptables on  

2. Open port 80

vim /etc/sysconfig/iptables
# Add the following code
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Save, exit, and restart the firewall:

service iptables restart
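The rule must be placed above the catch-all "-A INPUT -j REJECT" line that the default CentOS 6 /etc/sysconfig/iptables ends with, because iptables stops at the first matching rule and an ACCEPT appended after the REJECT never fires. The following added example (not from the original post) inserts the rule at the right place in a rule set given as text; the sample rule set is constructed to resemble the default file.

```shell
#!/bin/sh
# Added example: insert an iptables ACCEPT rule into an
# /etc/sysconfig/iptables-style rule set above the final INPUT REJECT rule.

# add_accept_rule PORT RULESET -> prints the updated rule set
# PORT is a TCP port number; RULESET is the file content as text.
add_accept_rule() {
    port=$1
    rules=$2
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    # Already present: return the input unchanged so repeated runs are idempotent.
    if printf '%s\n' "$rules" | grep -qF -- "--dport $port -j ACCEPT"; then
        printf '%s\n' "$rules"
        return 0
    fi
    # Put the rule before the first catch-all REJECT in the INPUT chain;
    # if there is none, append it at the end.
    printf '%s\n' "$rules" | awk -v rule="$rule" '
        !done && /^-A INPUT -j REJECT/ { print rule; done=1 }
        { print }
        END { if (!done) print rule }'
}

# Constructed sample resembling the CentOS 6 default /etc/sysconfig/iptables
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Live use: add_accept_rule 80 "$(cat /etc/sysconfig/iptables)" > /tmp/iptables.new
# then review the diff, copy it into place and run `service iptables restart`.
add_accept_rule 80 "$SAMPLE_RULES"
```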
2. firewalld firewall
1. Check the firewall service status

systemctl status firewalld

When Active: active (running) is shown highlighted, the service is running.

Active: inactive (dead), shown in grey, means the service is stopped.
2. View the status of the firewall

firewall-cmd --state
3. Start, restart, and stop the firewalld.service service

# Start
service firewalld start
# Restart
service firewalld restart
# Stop
service firewalld stop
4. View firewall rules

firewall-cmd --list-all
5. Query, open, close ports

# Query whether the port is open
firewall-cmd --query-port=8080/tcp
# Open port 80
firewall-cmd --permanent --add-port=80/tcp
# Remove port
firewall-cmd --permanent --remove-port=8080/tcp
# Reload the firewall (reload after modifying the configuration so --permanent changes take effect)
firewall-cmd --reload

# Parameter explanation
1. firewall-cmd: the tool Linux provides for operating the firewall;
2. --permanent: make the setting persistent;
3. --add-port: the port to add

Origin blog.csdn.net/dongjing991/article/details/131470732