CentOS 7 firewalld firewall configuration: IP masquerading and port forwarding (with configuration examples)

IP address masquerading and port forwarding both belong to NAT (network address translation).

The differences between address masquerading and port forwarding are as follows:

IP masquerading:
With masquerading, the NAT device forwards packets passing through it to the specified destination and rewrites each packet's source address to the address of its own interface. When the reply packet arrives, its destination address is rewritten back to the original host's address and the packet is routed to that host. Masquerading lets many LAN addresses share a single public Internet address; it is similar to port address translation (PAT) in NAT. IP address masquerading in firewalld supports IPv4 only, not IPv6.

Port forwarding:
Also called destination address mapping or port mapping. With port forwarding, traffic arriving at a given IP address and port is directed to a different port on the same machine, or to a port on a different machine. Servers on a corporate network typically use private IP addresses, and port forwarding is then used to publish the server's private address to the public Internet.

firewalld has the concept of a rich language (rich rules). It provides a high-level syntax for configuring complex firewall rules without having to understand the iptables mechanism underneath, and it can express custom firewall rules that the basic firewalld syntax cannot.

In essence, rich rules express allow/deny rules and can also configure logging (to syslog and to auditd), port forwarding, masquerading and rate limiting.

The firewalld configuration tool supports a timeout: when a rule with a timeout is added to the firewall, a countdown starts for that rule, and once the countdown reaches 0 seconds the rule is removed from the running configuration.

This is useful when testing a more complex set of rules: if a rule works, we can add it again (permanently); if it does not give the desired result, even if it locks the administrator out of the system, the rule is deleted automatically once the timeout expires, so operations staff can carry on testing.

When configuring a rule with firewall-cmd, append the option --timeout=<timeval> to the end of the command. The --help description of this option reads as follows (the unit may be seconds, minutes or hours):

 Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]

firewall-cmd has four options for handling rich rules (--add-rich-rule, --remove-rich-rule, --query-rich-rule and --list-rich-rules). All of them are regular options and can be combined with --permanent or --zone=<ZONE>; the original post shows them in a table (an image).

Any configured rich rule appears in the output of firewall-cmd --list-all and firewall-cmd --list-all-zones. The rich rule syntax is explained in a table in the original post (an image).


Rich rule configuration examples:

① Allow new IPv4 and IPv6 connections for the Authentication Header (AH) protocol:
[root@localhost /]# firewall-cmd --add-rich-rule='rule protocol value=ah accept'
② Allow new IPv4 and IPv6 connections to FTP, logging via audit once per minute:
[root@localhost /]# firewall-cmd --add-rich-rule='rule service name=ftp log limit value=1/m audit accept'
③ Allow IPv4 connections to TFTP from 192.168.1.0/24, logging via syslog once per minute:
[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
④ Reject all new IPv6 connections from 1:2:3:4:6:: to the RADIUS protocol, with log prefix "dns", level "info" and at most 3 log entries per minute; accept new IPv6 connections to RADIUS from all other sources:
[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject'
[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv6" service name="radius" accept'
⑤ Whitelist the source address 192.168.2.2, allowing all connections from it:
[root@localhost /]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.2" accept'
⑥ Reject all traffic from IP address 192.168.0.11 in the public zone:
[root@localhost /]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
⑦ Drop all incoming IPsec ESP protocol packets from anywhere in the default zone:
[root@localhost /]# firewall-cmd --add-rich-rule='rule protocol value="esp" drop'
⑧ In the dmz zone, accept all TCP packets to ports 7900 to 7905 from the 192.168.1.0/24 subnet (the port range is 7900-7905; the original command had a typo, 7900-1905, which is not a valid range):
[root@localhost /]# firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
⑨ Accept new connections to SSH from the work zone, logging each new connection to syslog at level notice, at most three messages per minute:
[root@localhost /]# firewall-cmd --zone=work --add-rich-rule='rule service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept'
⑩ For the next 5 minutes (via the --timeout=300 option), reject new connections to DNS from the subnet 192.168.2.0/24 in the default zone; rejected connections are logged to the audit system at most once per hour:

[root@localhost /]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 service name=dns audit limit value="1/h" reject' --timeout=300
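The commands above are typed one at a time, which is how the typo in example ⑧ (a port range whose start is greater than its end) slips through. The following script is an added example, not part of the original post: it builds rich rules from parameters, validates port ranges before they reach firewall-cmd, builds the forward-port form used for port forwarding, and applies new rules with --timeout first, following the safe-testing workflow described above, before writing them permanently. The zone names, addresses and ports are constructed sample values, and the helper names (is_port, validate_port_range, rich_rule_port, rich_rule_forward, firewall_cmd_line, apply_rich_rule) are this example's own; only the firewall-cmd options (--zone, --add-rich-rule, --timeout, --permanent) are real.

```shell
#!/bin/sh
# Added example, not from the original post: build firewalld rich rules from
# parameters, reject malformed port ranges before they reach firewall-cmd, and
# apply new rules with --timeout first so a bad rule removes itself.
# Zone names, addresses and ports below are constructed sample values.

# is_port N: true when N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_range R: accepts "N" or "N-M" with N <= M (catches e.g. 7900-1905)
validate_port_range() {
    case "$1" in
        *-*) lo=${1%%-*}; hi=${1#*-} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ]
}

# rich_rule_port FAMILY SOURCE RANGE PROTO ACTION
#   -> rule family="..." source address="..." port port="..." protocol="..." ACTION
rich_rule_port() {
    validate_port_range "$3" || { echo "bad port range: $3" >&2; return 1; }
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# rich_rule_forward FAMILY PORT PROTO TOPORT TOADDR
#   -> forward-port element (destination NAT). When to-addr is another host,
#      the zone also needs masquerading enabled for the replies to come back.
rich_rule_forward() {
    validate_port_range "$2" && validate_port_range "$4" || { echo "bad port" >&2; return 1; }
    printf 'rule family="%s" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# firewall_cmd_line ZONE RULE [SECONDS]: the firewall-cmd invocation for RULE.
# With SECONDS the rule is runtime-only and expires by itself; without it the
# rule goes into the permanent configuration (a --reload is still needed).
firewall_cmd_line() {
    if [ -n "$3" ]; then
        printf 'firewall-cmd --zone=%s --add-rich-rule=%s --timeout=%s\n' "$1" "'$2'" "$3"
    else
        printf 'firewall-cmd --permanent --zone=%s --add-rich-rule=%s\n' "$1" "'$2'"
    fi
}

# apply_rich_rule ZONE RULE [SECONDS]: print the command, and run it only when
# FIREWALLD_APPLY=1 is set and firewall-cmd is installed (dry run otherwise).
apply_rich_rule() {
    line=$(firewall_cmd_line "$@")
    echo "$line"
    if [ "${FIREWALLD_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        if [ -n "$3" ]; then
            firewall-cmd --zone="$1" --add-rich-rule="$2" --timeout="$3"
        else
            firewall-cmd --permanent --zone="$1" --add-rich-rule="$2"
        fi
    fi
}

# Demonstration: the dmz port-range rule from example 8 (with the range
# corrected), tested for five minutes first, then a forwarding rule that
# publishes port 80 to an internal host's port 8080 (constructed addresses).
rule=$(rich_rule_port ipv4 192.168.1.0/24 7900-7905 tcp accept)
apply_rich_rule dmz "$rule" 300
fwd=$(rich_rule_forward ipv4 80 tcp 8080 192.168.1.10)
apply_rich_rule public "$fwd"
```

Run it as-is to see the commands it would issue; set FIREWALLD_APPLY=1 on a host with firewalld to actually apply them. The timed rule is the one to test connectivity against: if it locks you out, it disappears after 300 seconds without anyone having to touch the machine, and only then is it worth issuing the --permanent form followed by firewall-cmd --reload.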

This post is already getting long, so to keep it readable the configuration examples for masquerading and port forwarding are written up in a separate post. Link: https://blog.51cto.com/14154700/2410203

Origin blog.51cto.com/14154700/2410250