Linux: Setting up the firewall and SELinux

(1) Firewall overview

Concept: A firewall is a very important network security tool. It is a key component of network security, used to protect computer networks from unauthorized access, malicious attacks, data leakage and other threats.

Firewall Features

Firewalls usually have the following characteristics.

Location authority: In network planning, the firewall must sit on the backbone of the network. Only when the firewall is the sole channel for communication between the internal and external networks can the security of the enterprise network be protected comprehensively and effectively.
Detecting legitimacy: The most basic function of a firewall is to ensure the legitimacy of network traffic. Only packets that comply with the firewall policy are forwarded.
Performance stability: The firewall sits at the edge of the network and is the only channel connecting it to the outside, so it is under load from network traffic at all times; its stability is therefore crucial to network security.
There are various ways to classify firewalls, but in the traditional sense they fall roughly into three categories: "packet filtering", "application proxy" and "stateful inspection". No matter how powerful or well-performing a firewall is, its functions are ultimately built on these three technologies.

iptables and firewall

For Linux servers, using the netfilter/iptables packet filtering system saves software costs and provides powerful packet filtering control. iptables is an ideal firewall solution.
In RHEL 8, the firewalld firewall replaces the iptables firewall. In reality, neither iptables nor firewalld is a real firewall: they are firewall management tools used to define firewall policies, or in other words, they are just services. The iptables service hands the configured firewall policy to the kernel-level netfilter packet filter for processing, while the firewalld service hands the configured firewall policy to the kernel-level nftables packet filtering framework for processing. In other words, there are currently several firewall management tools in Linux systems, designed to make it easier for operations personnel to manage firewall policies; it is enough to configure one of them properly. Although these tools have their own advantages and disadvantages, they are consistent in how firewall policies are configured.

NAT basics

NAT (Network Address Translation) sits between the intranet, which uses private addresses, and the Internet, which uses public addresses. It mainly has the following functions:

(1) Packets leaving the intranet have their private source addresses converted to public addresses by NAT.

(2) Packets arriving from the Internet have their public destination addresses converted to private addresses by NAT.

(3) Supports multiple servers and load balancing.

(4) Implements transparent proxying.

Computers in the internal network use unregistered private IP addresses, and registered IP addresses are used only when communicating with external networks, which greatly reduces connection costs. At the same time, NAT hides and protects the internal network: to external users, only the NAT device with its public IP addresses is visible, which acts as a security measure similar to a firewall.


1. Working process of NAT

(1) The client sends the packet to the computer running NAT.
(2) NAT replaces the port number and private IP address in the packet with its own port number and public IP address, then sends the packet to the destination host on the external network. At the same time, it records tracking information in a mapping table so that the reply can be sent back to the client.
(3) The external network sends the reply to NAT.
(4) NAT converts the port number and public IP address in the received packet back into the client's port number and the private IP address used on the internal network, and forwards the packet to the client.

The above steps are transparent to hosts inside and outside the network; to them it looks like direct communication.

Classification of NAT:

(1) SNAT: modifies the source IP address of the first packet of a connection. SNAT is performed in the POSTROUTING stage, at the last moment before the packet is sent. IP masquerading (MASQUERADE) in Linux is a special form of SNAT.

(2) DNAT: modifies the destination IP address of the first packet of a connection. DNAT is always performed in the PREROUTING stage, immediately after the packet enters. Port forwarding, load balancing and transparent proxies all fall under DNAT.

(2) SELinux

SELinux (Security-Enhanced Linux) is an implementation of mandatory access control developed by the National Security Agency (NSA) and is the most notable new security subsystem in the history of Linux. The NSA developed this access control system with the help of the Linux community. Under its restrictions, a process can only access the files needed for its task. Linux kernels of version 2.6 and above integrate the SELinux module. In short, SELinux is a mandatory access control mechanism that provides stronger security and more granular permission management than traditional discretionary access control, helping to prevent potential security holes and attacks.

DAC

The traditional access control standard on Linux is DAC (Discretionary Access Control). In this model, a program or daemon runs with a UID (User ID) or SUID (Set owner User ID) and has that user's permissions on the target objects (files, sockets and other processes). This makes it easy for malicious code to run with specific privileges and gain access to critical subsystems. The most fatal problem is that the root user is not subject to any control and can access any resource on the system without restriction. In the traditional DAC model, access to resources is controlled by the user identifier (UID) of the user or process and the permission bits of the file. This means that processes run with the permissions of their owner, and malicious code may run as a privileged user and access sensitive resources. The root user (UID 0) has unlimited access, which is a potential security risk.


MAC

In SELinux, in addition to the UIDs and file permissions of the DAC model, stricter security policies are introduced to decide which processes can access which resources. This means that even a process running as root must comply with the SELinux policy, which decides whether it may access a resource. The type of the process and the type of the resource are both taken into account, thereby limiting the permissions and the scope of activity of malicious code.

In an operating system that uses SELinux, in addition to the above factors, deciding whether a resource can be accessed also requires determining whether a given type of process has access rights to a given type of resource.
In this way, even if a process is running as root, the type of the process and the types of resources it is allowed to access still determine whether access to a given resource is granted. The activity space of a process can be compressed to a minimum: even a service process running as root can generally access only the resources it needs. Even if the program has a vulnerability, the impact is confined to the resources it is allowed to access, which greatly increases security. The subject of this permission management mechanism is the process, and the mechanism is called MAC (Mandatory Access Control).
SELinux is in fact one of the most important implementations of MAC theory, and its architecture allows the DAC and MAC mechanisms to work together. Therefore, in RHEL 8, DAC and MAC are in fact used together, and the combined filtering effect of the two mechanisms achieves better security.


SELinux working mechanism

SELinux controls access to system resources based on a set of policy rules (Policy). The related concepts are:

  • Subject: The subject is usually a process or program that attempts to access a resource.
  • Object: The object is a resource in the system, such as a file, socket or process.
  • Policy: The policy database contains the SELinux rules that determine which subjects may access which objects.
  • Mode: SELinux supports multiple working modes, such as Enforcing mode and Permissive mode, which control how strictly the policy is enforced.

When a subject (such as a program) attempts to access an object (such as a file), the SELinux security server checks the policy database to see whether such access is allowed. If the SELinux security server grants permission, the subject can access the object. This approach provides more fine-grained permission control and a higher level of system security. If the SELinux security server denies permission, a denial message is logged in /var/log/messages.

(3) Using firewalld service

RHEL 8 integrates a variety of firewall management tools, among which firewalld (the Dynamic Firewall Manager of Linux systems) is a dynamic firewall management tool that supports network/firewall zones for defining the trust level of network connections and interfaces. It offers two management methods: a CLI (command line interface) and a GUI (graphical user interface). Compared with traditional firewall management and configuration tools, firewalld supports dynamic updates and adds the concept of zones. Simply put, a zone means that firewalld has prepared several sets of firewall policies (policy templates) in advance; users choose the appropriate set according to the scenario, enabling rapid switching between firewall policies.

For example, suppose you have a laptop that you use every day in the office, at a coffee shop and at home. By common sense, the security of these three environments, ordered from high to low, is home, company office, coffee shop. You therefore want the following firewall policies for this laptop: allow access to all services at home; allow only the file sharing service in the office; and allow only web browsing in the coffee shop. In the past, firewall policy rules had to be reset manually each time; now you only need to preset the zones and switch between them with a click, which greatly improves the efficiency of applying firewall policies. Common zone names in firewalld (the default is public) and their corresponding policy rules are shown in the following table.

Commonly used zone names and their default policy rules in firewalld

Zone       Default policy rules
trusted    Allow all packets.
home       Deny incoming traffic unless it is related to outgoing traffic; allow traffic related to the ssh, mdns, ipp-client, samba-client and dhcpv6-client services.
internal   Equivalent to the home zone.
work       Deny incoming traffic unless it is related to outgoing traffic; allow traffic related to the ssh, ipp-client and dhcpv6-client services.
public     Deny incoming traffic unless it is related to outgoing traffic; allow traffic related to the ssh and dhcpv6-client services.
external   Deny incoming traffic unless it is related to outgoing traffic; allow traffic related to the ssh service.
dmz        Deny incoming traffic unless it is related to outgoing traffic; allow traffic related to the ssh service.
block      Deny incoming traffic unless it is related to outgoing traffic.
drop       Deny incoming traffic unless it is related to outgoing traffic.

Use terminal management tools


The command line terminal is an efficient way to work. firewall-cmd is the CLI (command line interface) version of the firewalld configuration management tool. Its parameters are generally given in "long format", but fortunately RHEL 8 supports parameter completion for some commands: in addition to using the Tab key to complete commands or file names, you can also use Tab to complete the long-format parameters listed in the table below.

Parameters and functions used in the firewall-cmd command

Parameter                               Function
--get-default-zone                      Query the default zone name
--set-default-zone=<zone name>          Set the default zone and make it permanent
--get-zones                             Show available zones
--get-services                          Show predefined services
--get-active-zones                      Show the zones and network card names currently in use
--add-source=                           Direct traffic originating from this IP or subnet to the specified zone
--remove-source=                        Stop directing traffic originating from this IP or subnet
--add-interface=<network card name>     Direct all traffic originating from this network card to the specified zone
--change-interface=<network card name>  Associate a network card with a zone
--list-all                              Show network card configuration, sources, ports, services and other information for the current zone
--list-all-zones                        Show network card configuration, sources, ports, services and other information for all zones
--add-service=<service name>            Allow traffic for this service in the default zone
--add-port=<port number/protocol>       Allow traffic on this port in the default zone
--remove-service=<service name>         No longer allow traffic for this service in the default zone
--remove-port=<port number/protocol>    No longer allow traffic on this port in the default zone
--reload                                Make the "permanent" configuration rules take effect immediately and overwrite the current runtime rules
--panic-on                              Turn on panic (emergency) mode
--panic-off                             Turn off panic (emergency) mode


Like the other firewall policy configuration tools in Linux, firewall policies configured with firewalld are in runtime mode by default, also called the currently effective mode, and they are lost after the system reboots. If you want a configured policy to persist, you need to use permanent mode, which means adding the --permanent parameter when setting the firewall policy with the firewall-cmd command as usual; a policy configured this way takes effect permanently. Permanent mode has one peculiarity, however: a policy set with it only takes effect automatically after the system is rebooted. If you want the configured policy to take effect immediately, you need to run the firewall-cmd --reload command manually.

Setting firewall policies with commands


 
1) systemctl quick reference

systemctl start nfs-server.service        # start the nfs service
systemctl start firewalld.service         # start the firewall
systemctl stop firewalld.service          # stop the firewall
systemctl reload firewalld.service        # reload the configuration
systemctl restart firewalld.service       # restart the service
systemctl enable nfs-server.service       # enable start at boot
systemctl disable nfs-server.service      # disable start at boot
systemctl status nfs-server.service       # view the current status of a service
systemctl restart nfs-server.service      # restart a service
systemctl list-units --type=service       # view all started services
systemctl list-unit-files | grep enabled  # list all services enabled at boot
systemctl --failed                        # list services that failed to start



2) firewall-cmd quick reference

firewall-cmd --state            # check the firewall status
firewall-cmd --reload           # reload the firewall rules
firewall-cmd --list-ports       # list all open ports
firewall-cmd --list-services    # list all allowed services
firewall-cmd --get-services     # list all supported (predefined) services

3) Zone-related commands quick reference

firewall-cmd --list-all-zones                    # view information for all zones
firewall-cmd --get-active-zones                  # view active zone information
firewall-cmd --get-default-zone                  # view the default zone
firewall-cmd --set-default-zone=public           # set public as the default zone
firewall-cmd --zone=public --add-interface=eth0  # add interface eth0 to zone public


4) Interface-related commands quick reference

firewall-cmd --zone=public --remove-interface=ens160   # remove interface ens160 from zone public
firewall-cmd --zone=default --change-interface=ens160  # change the zone of interface ens160 to default
firewall-cmd --get-zone-of-interface=ens160            # view the zone interface ens160 belongs to

5) Port control commands quick reference

firewall-cmd --add-port=80/tcp --permanent                    # permanently allow port 80 (global)
firewall-cmd --remove-port=80/tcp --permanent                 # permanently remove the port 80 exception (global)
firewall-cmd --add-port=65001-65010/tcp --permanent           # permanently allow ports 65001-65010 (global)
firewall-cmd --zone=public --add-port=80/tcp --permanent      # permanently allow port 80 (zone public)
firewall-cmd --zone=public --remove-port=80/tcp --permanent   # permanently remove the port 80 exception (zone public)
firewall-cmd --zone=public --add-port=65001-65010/tcp --permanent
                                                              # permanently allow ports 65001-65010 (zone public)
firewall-cmd --query-port=8080/tcp                            # query whether a port is open
firewall-cmd --permanent --add-port=80/tcp                    # open port 80
firewall-cmd --permanent --remove-port=8080/tcp               # remove a port
firewall-cmd --reload                                         # reload the firewall rules (required after changing the configuration)


6) Project practice

(1) View the current state of the firewalld service and the zone in use.

# firewall-cmd --state
# systemctl restart firewalld
# firewall-cmd --get-default-zone


(2) Query the zone that the active ens160 network card belongs to in the firewalld service.

# firewall-cmd --get-active-zones          # view the zones currently active in the firewall
# firewall-cmd --set-default-zone=trusted  # set the default zone


(3) Change the default zone of the ens160 network card in the firewalld service to external, effective after the system reboots, and view the zone name in both the current and the permanent mode.

# firewall-cmd --list-all --zone=work      # view the firewall policy of the specified zone
# firewall-cmd --permanent --zone=external --change-interface=ens160
# firewall-cmd --get-zone-of-interface=ens160
# firewall-cmd --permanent --get-zone-of-interface=ens160


(4) Set the current default zone of the firewalld service to public.

# firewall-cmd --set-default-zone=public
# firewall-cmd --get-default-zone


(5) Turn the panic mode of the firewalld service on/off; it blocks all network connections (use with caution when administering the server remotely).

# firewall-cmd --panic-on
# firewall-cmd --panic-off


(6) Query whether the public zone allows SSH and HTTPS traffic.

# firewall-cmd --zone=public --query-service=ssh
# firewall-cmd --zone=public --query-service=https


(7) Permanently allow HTTPS traffic in the firewalld service and make it take effect immediately.

# firewall-cmd --get-services              # view all services that can be configured
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload
# firewall-cmd --list-all                  # view the firewall policy in effect


(8) Permanently deny HTTPS traffic in the firewalld service and make it take effect immediately.

# firewall-cmd --permanent --zone=public --remove-service=https
# firewall-cmd --reload
# firewall-cmd --list-all                  # view the firewall policy in effect


(9) Set the policy for traffic to ports 8088 and 8089 in the firewalld service to allow, but only for the current runtime.
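Steps (6) to (9) query and adjust what the public zone allows, and the runtime/permanent section above explains why every change needs both forms. The script below is an added example, not code from the original post: it audits a zone offline by parsing `firewall-cmd --zone=public --list-all` output against an allowlist of services and ports, and emits the paired runtime and permanent removal commands for anything outside the allowlist. The list-all output, the allowlists and the function names are constructed for this example; nothing is executed against a real firewall.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output (made up for this example).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client https ssh
  ports: 8080/tcp 8088/tcp 8089/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field "<list-all output>" <field>
# Prints the values of one field (e.g. services, ports), one per line.
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { for (i = 2; i <= NF; i++) print $i }'
}

# unexpected_entries "<list-all output>" <field> "<space-separated allowlist>"
# Prints every entry of the field that the allowlist does not cover.
unexpected_entries() {
    zone_field "$1" "$2" | awk -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok)'
}

# remediation_cmds <zone> <service|port> <entry>...
# Prints, for each entry, the runtime removal command and the --permanent one,
# mirroring the two modes firewall-cmd uses; nothing is executed here.
remediation_cmds() {
    zone=$1; kind=$2; shift 2
    for entry in "$@"; do
        printf 'firewall-cmd --zone=%s --remove-%s=%s\n' "$zone" "$kind" "$entry"
        printf 'firewall-cmd --permanent --zone=%s --remove-%s=%s\n' "$zone" "$kind" "$entry"
    done
}

# Baseline assumed for this example: what the public zone should expose.
ALLOWED_SERVICES='ssh https dhcpv6-client'
ALLOWED_PORTS='8088/tcp 8089/tcp'

for svc in $(unexpected_entries "$SAMPLE_LIST_ALL" services "$ALLOWED_SERVICES"); do
    remediation_cmds public service "$svc"
done
for port in $(unexpected_entries "$SAMPLE_LIST_ALL" ports "$ALLOWED_PORTS"); do
    remediation_cmds public port "$port"
done
```

On a real host, replace the constructed sample with `"$(firewall-cmd --zone=public --list-all)"` and review the printed commands before running them, remembering that the runtime command alone is lost at reboot and the permanent one alone waits for `firewall-cmd --reload`.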


Origin blog.csdn.net/qq_63976098/article/details/134167195