[Operating System] Security Management/Firewall

firewall

firewall tools


Netfilter

1. Netfilter is a packet-processing module inside the Linux kernel; it is the packet-filtering firewall of the Linux platform.

2. Functions:
	network address translation
	packet content modification
	packet filtering, i.e. the firewall function *** (the part covered here)
Related definitions:
1. Tables: collections of rules (rules with similar functions grouped together)
2. Chains: checkpoints (one checkpoint may hold several rules)
3. Rules (policy): a match condition plus the action to take

example


chains, tables, rules

chain


table


The 4 common tables:
1. raw table: turns off the connection-tracking mechanism that the nat table enables (iptable_raw)
2. mangle table: unpacks a packet, modifies it and re-encapsulates it (iptable_mangle)
3. nat table: Network Address Translation (iptable_nat)
4. filter table: responsible for filtering, the firewall function proper (iptable_filter)


Note:
1 - The tables each checkpoint can call are different;
2 - The five checkpoints are essentially fixed:
	PREROUTING
	INPUT
	FORWARD
	POSTROUTING
	OUTPUT: can use all 4 tables

rule

System Firewall - Firewalld

static firewall

Whenever a rule is modified, the whole rule set must be reloaded, e.g. the iptables service

dynamic firewall

A rule change does not require reloading the entire rule list; only the changed part is saved and pushed to the running iptables, e.g. firewalld

zone

Firewalld maps network interfaces to different zones

There are 9 zones by default

1. block
2. dmz
3. drop
4. external
5. home
6. internal
7. public
8. trusted
9. work

It can be understood as: 9 model rooms

Different zones have different default behaviors for packets.

In kylinos, the default zone is public

By default, firewalld rejects every service; a service must be explicitly allowed before it is let through.

zone      default policy
trusted   Accepts all network connections; all packets are allowed in and out.
home      For home networks, where other hosts on the network are basically trusted not to harm this host. Only traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is accepted.
internal  For internal networks; equivalent to home.
work      For workplaces, where other hosts on the network are basically trusted not to harm this host. Only traffic for the ssh, ipp-client and dhcpv6-client services is accepted.
public    For public areas; other computers on the network are not trusted and only selected connections are accepted. Only traffic for the ssh and dhcpv6-client services is accepted.
external  For external networks, with masquerading enabled on the router; other computers on the network are not trusted. Only ssh traffic is accepted.
dmz       Demilitarized zone: publicly accessible, with limited access to the internal network. Only ssh traffic is accepted.
block     Restrict: any incoming network connection is rejected.
drop      Discard: any incoming network packet is dropped; only outgoing network connections are possible.

Command line operation firewall

basic command

Command                                      Function
systemctl start firewalld                    Start the firewall
systemctl enable firewalld                   Start the firewall at boot
systemctl stop firewalld                     Stop the firewall
systemctl disable firewalld                  Do not start the firewall at boot
firewall-cmd --state                         View firewall status
firewall-cmd --get-active-zones              View the active zones and the devices they manage
firewall-cmd --get-default-zone              View the firewall's default zone
firewall-cmd --get-zones                     View all zones of the firewall
firewall-cmd --zone=public --list-all        List the settings of the public zone
firewall-cmd --get-services                  List available services
firewall-cmd --set-default-zone=trusted      Change the default zone to trusted
firewall-cmd --list-all-zones                List the settings of all zones

View firewall status

firewall-cmd --state	#firewall status
systemctl status firewalld	#firewall service status

turn off firewall

systemctl stop firewalld.service	#stop the firewall

start firewall

systemctl start firewalld.service

boot-up firewall

systemctl enable firewalld.service

modify security policy

Command                                                                   Function
firewall-cmd --add-service=https                                          Temporarily add a service (default zone)
firewall-cmd --remove-service=https --permanent                           Permanently remove a service
firewall-cmd --add-port=80/tcp                                            Temporarily add a port
firewall-cmd --remove-interface=eth0                                      Remove interface eth0 from its zone
firewall-cmd --permanent --change-interface=eth1 --zone=trusted           Permanently change the zone of an interface
firewall-cmd --add-source=172.25.254.100 --zone=block                     Temporarily reject all network connections from host 172.25.254.100
firewall-cmd --remove-source=172.25.254.100 --zone=block --permanent      Permanently remove that restriction
firewall-cmd --complete-reload                                            Fully reload the firewall policy; existing connections are dropped
firewall-cmd --reload                                                     Reload the firewall policy without interrupting connections
firewall-cmd --direct --get-all-rules                                     View the rules set via --direct
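As an added example (not from the original post), a small POSIX shell check built on the temporary/permanent distinction above: it compares a constructed sample of `firewall-cmd --zone=public --list-all` output with the corresponding `--permanent` view and reports every service or port that exists in only one of them, which is exactly what `--reload` would silently discard (runtime-only entries) or activate (permanent-only entries). Both sample outputs are constructed, and the helper names `zone_field`, `tokens_only_in` and `zone_drift` are my own.

```shell
#!/bin/sh
# Constructed sample: runtime view of the public zone, in the format printed by
# `firewall-cmd --zone=public --list-all` (http and 8080/tcp were added without --permanent).
RUNTIME='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  masquerade: no'

# Constructed sample: the saved configuration, as printed by
# `firewall-cmd --permanent --zone=public --list-all`.
PERMANENT='public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no'

# zone_field TEXT FIELD: print the value of the "  FIELD: ..." line (may be empty)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# tokens_only_in A B: print each space-separated token of list A that is absent from list B
tokens_only_in() {
    for tok in $1; do
        case " $2 " in
            *" $tok "*) ;;
            *) printf '%s\n' "$tok" ;;
        esac
    done
}

# zone_drift RUNTIME_TEXT PERMANENT_TEXT: one line per service or port that is
# present in only one of the two views ("runtime-only" entries vanish on --reload)
zone_drift() {
    for field in services ports; do
        run=$(zone_field "$1" "$field")
        perm=$(zone_field "$2" "$field")
        tokens_only_in "$run" "$perm" | sed "s/^/runtime-only $field /"
        tokens_only_in "$perm" "$run" | sed "s/^/permanent-only $field /"
    done
}

zone_drift "$RUNTIME" "$PERMANENT"
```

On a live host the two inputs would come from `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all`; an empty report means a reload will not change the zone.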


Origin blog.csdn.net/Sanayeah/article/details/126923244