firewall
firewall tools
Netfilter
1. Netfilter is a packet-processing module inside the Linux kernel; it is the packet-filtering firewall framework on Linux (iptables is the user-space tool that configures it);
2. Functions:
network address translation (NAT)
packet content modification (mangling)
packet filtering, i.e. the firewall function *** (the part introduced here)
Related definitions:
1. Table (tables): a collection of rules with a similar function
2. Chain (chains): a checkpoint at which packets are inspected (one checkpoint can hold many rules)
3. Rule (rules): match conditions plus a target action; a chain's policy is the default action taken when no rule in the chain matches
Example: chains, tables and rules
table
The 4 common tables:
1. raw table: marks packets to skip the connection-tracking mechanism that the nat table depends on; module iptable_raw
2. mangle table: unpacks a packet, modifies header fields (TTL, TOS, marks) and repackages it; module iptable_mangle
3. nat table: Network Address Translation (SNAT, DNAT, MASQUERADE); module iptable_nat
4. filter table: the filtering function, i.e. the firewall proper; module iptable_filter
Note:
1 - Each checkpoint (chain) can only consult certain tables;
2 - The five built-in chains are fixed; in packet-flow order, with the tables each one can consult:
PREROUTING: raw, mangle, nat
INPUT: mangle, filter (nat is also available here on kernels 2.6.34 and later)
FORWARD: mangle, filter
OUTPUT: raw, mangle, nat, filter (all 4 tables)
POSTROUTING: mangle, nat
rule
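The following script is an added example, not code from the original article. It builds a filter-table ruleset in iptables-restore format that shows the three objects defined above in practice: the table (`*filter`), built-in chains with a default policy, a user-defined chain used as an extra checkpoint, and rules that consist of a match plus a target. The admin network `MGMT_NET` (192.0.2.0/24, a documentation range) and the `MGMT` chain name are assumptions chosen for the example.

```shell
#!/bin/bash
# Added example (not code from the original article): build a filter-table
# ruleset that shows tables, chains and rules in practice.
# Assumption: MGMT_NET is a hypothetical admin network (TEST-NET-1).
set -eu

MGMT_NET="192.0.2.0/24"

# Emit the ruleset in iptables-restore format.  '*filter' opens the table,
# ':CHAIN POLICY' sets a built-in chain's default policy (what happens when no
# rule matches), ':MGMT -' declares a user-defined chain, and every '-A' line
# is one rule: match conditions followed by '-j TARGET'.
gen_filter_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -j MGMT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOG --log-prefix "filter-drop: " --log-level 4
-A MGMT -s ${MGMT_NET} -j ACCEPT
-A MGMT -j DROP
COMMIT
EOF
}

# Number of rules ('-A' lines) in the generated ruleset; a cheap sanity
# check before loading it.
count_rules() {
  gen_filter_ruleset | grep -c '^-A '
}

# Load the ruleset atomically.  'iptables-restore --test' parses it without
# committing, so a syntax error fails here instead of leaving a half-applied
# policy on the box.  Requires root and the iptables user-space tools.
apply_ruleset() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_ruleset: must run as root" >&2
    return 1
  fi
  gen_filter_ruleset | iptables-restore --test
  gen_filter_ruleset | iptables-restore
}

case "${1:-}" in
  --apply) apply_ruleset ;;
  *) gen_filter_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the ruleset, then `./rules.sh --apply` as root to load it. Port 22 is not accepted directly: the rule jumps to the `MGMT` chain, whose own rules accept only the admin network and drop everything else, which is what "a checkpoint with several rules" looks like in practice. The `LOG` rule sits last so that only packets about to hit the `DROP` policy are logged, and `iptables-restore` replaces the whole table in one transaction rather than appending to whatever is already loaded.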
System Firewall - Firewalld
static firewall
Any rule change requires the whole ruleset to be flushed and reloaded, which also discards connection-tracking state; example: the iptables service
dynamic firewall
A rule change does not reload the whole ruleset; only the changed part is saved and pushed into the running iptables/nftables backend, so established connections survive; example: firewalld
zones
Firewalld assigns network interfaces (and, optionally, source addresses) to zones
There are 9 predefined zones
1. block
2. dmz
3. drop
4. external
5. home
6. internal
7. public
8. trusted
9. work
They can be thought of as 9 ready-made trust-level templates
Different zones have different default behaviors for incoming packets,
In Kylin OS (as in RHEL/CentOS) the default zone is public
In the default zone firewalld rejects incoming traffic for every service that has not been explicitly allowed; a service or port has to be added to the zone before it becomes reachable;
zone | default policy rule |
---|---|
trusted | Accepts all network connections; all packets are allowed in and out |
home | For a home network: other hosts on the network are mostly trusted. Only incoming traffic for the ssh, mdns, ipp-client, samba-client and dhcpv6-client services is accepted |
internal | For an internal network; equivalent to home |
work | For a workplace network: other hosts on the network are mostly trusted. Only incoming traffic for the ssh, ipp-client and dhcpv6-client services is accepted |
public | For public areas: other hosts on the network are not trusted, only selected connections are accepted. Only incoming traffic for the ssh and dhcpv6-client services is accepted |
external | For the external (WAN) interface of a router, with masquerading enabled; other hosts on the network are not trusted. Only incoming traffic for the ssh service is accepted |
dmz | Demilitarized zone: publicly reachable hosts with limited access to the internal network. Only incoming traffic for the ssh service is accepted |
block | Reject: any incoming connection is rejected with an ICMP host-prohibited (IPv4) or adm-prohibited (IPv6) reply; only outgoing connections are possible |
drop | Drop: any incoming packet is silently discarded with no reply; only outgoing connections are possible |
The exact service lists vary between firewalld versions; check the installed defaults with `firewall-cmd --zone=<name> --list-all`.
Command line operation of the firewall
basic commands
Command | Function |
---|---|
systemctl start firewalld | Start the firewall |
systemctl enable firewalld | Start the firewall at boot |
systemctl stop firewalld | Stop the firewall |
systemctl disable firewalld | Do not start the firewall at boot |
firewall-cmd --state | Show whether firewalld is running |
firewall-cmd --get-active-zones | Show the zones that have interfaces or sources bound to them, and which ones |
firewall-cmd --get-default-zone | Show the default zone |
firewall-cmd --get-zones | List the names of all zones |
firewall-cmd --zone=public --list-all | List the full configuration (interfaces, sources, services, ports, rich rules) of the public zone |
firewall-cmd --get-services | List the available predefined services |
firewall-cmd --set-default-zone=trusted | Change the default zone to trusted (runtime and permanent) |
firewall-cmd --list-all-zones | List the configuration of every zone |
View firewall status
firewall-cmd --state #firewalld state (running / not running)
systemctl status firewalld #service status
turn off firewall
systemctl stop firewalld.service #stop the firewall
start firewall
systemctl start firewalld.service
boot-up firewall
systemctl enable firewalld.service
modify security policy
Command | Function |
---|---|
firewall-cmd --add-service=https | Add a service to the default zone at runtime only (lost on reload or reboot) |
firewall-cmd --remove-service=https --permanent | Remove a service from the permanent configuration (takes effect after --reload) |
firewall-cmd --add-port=80/tcp | Open a port at runtime only |
firewall-cmd --remove-interface=eth0 | Remove the interface from its zone |
firewall-cmd --permanent --change-interface=eth1 --zone=trusted | Permanently move the interface to the trusted zone |
firewall-cmd --add-source=172.25.254.100 --zone=block | Temporarily reject all connections from host 172.25.254.100 |
firewall-cmd --remove-source=172.25.254.100 --zone=block --permanent | Permanently remove that restriction |
firewall-cmd --complete-reload | Full reload: also resets connection-tracking state, so established connections are interrupted |
firewall-cmd --reload | Reload the permanent configuration into runtime without interrupting established connections |
firewall-cmd --direct --get-all-rules | List the direct rules (raw iptables/nftables pass-through rules) that have been added |
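The script below is an added example, not code from the original article, that ties the zone descriptions and the command tables above into one procedure: it binds an interface to the work zone, narrows ssh to an admin network with a rich rule, confines a hostile source to the block zone, and activates everything with a single `--reload`. Every change is written with `--permanent` so the runtime and permanent configurations cannot drift apart. The interface name `eth0`, the admin network `192.0.2.0/24`, the blocked host `198.51.100.7` and the `fwcmd` dry-run wrapper are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not code from the original article): put a host's firewalld
# configuration into a known state.  Every change goes to the permanent
# configuration and one --reload activates it.
# IFACE, ADMIN_NET and BAD_HOST are hypothetical values.
set -eu

IFACE="eth0"              # assumed: interface to bind to the work zone
ADMIN_NET="192.0.2.0/24"  # assumed: network allowed to reach ssh (TEST-NET-1)
BAD_HOST="198.51.100.7"   # assumed: host to confine to the block zone (TEST-NET-2)
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the firewall-cmd calls; 0 = execute them

# Run firewall-cmd, or only print the call when DRY_RUN=1, so the plan can be
# reviewed (or tested) without root or a running firewalld.
fwcmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

configure_firewall() {
  # --set-default-zone changes both the runtime and the permanent configuration.
  fwcmd --set-default-zone=public
  # --permanent writes to /etc/firewalld and changes nothing in the running
  # firewall until --reload; without it a change is runtime-only and is lost
  # at the next reload or reboot.
  fwcmd --permanent --zone=work --change-interface="$IFACE"
  fwcmd --permanent --zone=work --add-service=https
  # Replace the zone-wide ssh service with a rich rule that accepts ssh only
  # from the admin network.  Get ADMIN_NET wrong and you lock yourself out,
  # which is why the plan is reviewed in dry-run mode first.
  fwcmd --permanent --zone=work --remove-service=ssh
  fwcmd --permanent --zone=work --add-rich-rule="rule family=\"ipv4\" source address=\"$ADMIN_NET\" service name=\"ssh\" accept"
  # A source bound to the block zone is matched before the interface's zone,
  # so this host is rejected no matter which port it targets.
  fwcmd --permanent --zone=block --add-source="$BAD_HOST"
  # --reload keeps connection-tracking state; --complete-reload would not.
  fwcmd --reload
}

# What the work zone enforces after the reload.
show_zone() {
  fwcmd --zone=work --list-all
}

# The plan as a list of firewall-cmd calls, always in dry-run mode.
plan() {
  ( DRY_RUN=1; configure_firewall )
}

# Number of firewall-cmd calls in the plan.
plan_length() {
  plan | wc -l
}

configure_firewall
show_zone
```

Run it once as-is to read the plan, then `DRY_RUN=0 ./fw.sh` as root to apply it; the final `--list-all` shows the zone as actually enforced, which is the check to make before closing the session. If a change was made at runtime first (for instance with `--add-service` while debugging), `firewall-cmd --runtime-to-permanent` copies the running configuration into the permanent one instead of retyping it with `--permanent`.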