Linux firewall restrictions, port forwarding and address translation

1. Linux firewall restrictions:

Firewall

  • A firewall, also known as a protective wall, is a barrier placed between the internal network and the external network; the system administrator uses predefined rules to control which packets are allowed through. The firewall is a system's first line of defence, and its role is to keep unauthorized users out.
  • In networking, a "firewall" is a method of keeping the internal network separate from the public network; it is essentially an isolation technique. A firewall enforces access control at the point where two networks communicate: it lets in the people and data you "agree" to, and shuts out the people and data you "disagree" with.
  • netfilter is the kernel's firewall framework; it can implement many security functions such as packet filtering, packet processing (mangling), masquerading, transparent proxying and dynamic network address translation.
  • The system provides two management tools for administering firewall policy (that is, for modifying netfilter's rules): firewalld and iptables.

firewalld

  • firewalld is a dynamic firewall daemon that provides a dynamically managed firewall with support for network "zones", which assign a level of trust to a network and to its connections and interfaces.
  • firewalld's configuration is stored in various XML files under /usr/lib/firewalld/ and /etc/firewalld/.
  • firewalld provides a graphical management tool (firewall-config) and a command-line management tool (firewall-cmd).

firewalld zones

Depending on the level of trust given to the network a user is on, the firewall divides networks into nine different zones.


  • Only allow 172.25.254.16 to connect (on port 22):
    [root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.254.16 -j ACCEPT
    success

  • Do not allow 172.25.254.16 to connect; all other hosts may connect:
    [root@server ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 ! -s 172.25.254.16 -j ACCEPT
    success

  • Remove the rule that only allows 172.25.254.16 to connect:
    [root@server ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -p tcp --dport 22 -s 172.25.254.16 -j ACCEPT
    success

  • Remove the rule that allows every host except 172.25.254.16 to connect:
    [root@server ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -p tcp --dport 22 ! -s 172.25.254.16 -j ACCEPT
    success

firewall-config

firewall-config # opens the graphical interface for setting firewall policy
1 Runtime: sets a temporary policy that takes effect immediately but is lost after a system restart or a reload of the firewall configuration

2 Permanent: sets the policy permanently; the firewall configuration must be reloaded after setting it before it takes effect, and once set it persists

firewall-cmd basic commands:

1. Start the firewalld service

To avoid conflicts between firewalld and iptables, stop iptables and start firewalld before doing the experiments.
systemctl stop iptables # stop the iptables service
systemctl mask iptables.service # lock (mask) the iptables service
systemctl disable iptables # do not start iptables at boot
systemctl start firewalld # start the firewalld service
systemctl enable firewalld # start firewalld automatically at boot

2. Viewing and setting zones

firewall-cmd --get-zones # list all zones
firewall-cmd --get-default-zone # show the default zone
firewall-cmd --set-default-zone=trusted # set the default zone
firewall-cmd --state # show the firewall status: "running" when started, "not running" when stopped

3. Viewing a zone's firewall policy

firewall-cmd --list-all # show the whole firewall policy of the default zone (no zone given means the default zone)
firewall-cmd --list-all --zone=trusted # show the whole policy of the specified zone
firewall-cmd --list-services --zone=public # show one part of the specified zone's policy (services)
firewall-cmd --list-ports --zone=public # show one part of the specified zone's policy (ports)
firewall-cmd --list-all-zones # show the whole policy of every zone

firewall-cmd --add-service=ftp # temporarily add the ftp service to the default zone; takes effect immediately
firewall-cmd --add-service=http --permanent # permanently add the http service to the default zone; takes effect after a reload
firewall-cmd --reload # reload the configuration: temporarily added services are dropped, permanently added services take effect.

2. Opening routing ports and address translation

Purpose of the experiment: when another IP connects to this IP, the connection is by default forwarded to the IP 172.25.254.16.

Server side
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: no # change "no" to "yes", i.e. turn on the routing function.
icmp-blocks:
rich rules:

[root@server ~]# firewall-cmd --permanent --add-masquerade
success
[root@server ~]# systemctl restart firewalld # after enabling the routing function the firewall must be restarted
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:

[root@server ~]# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.35 # IP address translation: when another IP connects to this IP, the connection is by default forwarded to IP 172.25.254.35
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.35
icmp-blocks:
rich rules:

Client:
Test:
[root@kehu ~]# ssh [email protected]

## Delete the default translation address IP that was added:
[root@server ~]# firewall-cmd --remove-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.35 ## delete the translation address IP
success
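As an added example (not code from the original post), the following Python script parses a saved `firewall-cmd --list-all` dump in the shape shown above and checks that masquerade is on and that the expected forward-port rule is present; the sample dump is constructed and the function names are my own.

```python
# Constructed sample in the shape of the `firewall-cmd --list-all` output on this page.
SAMPLE_LIST_ALL = """public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.35
  icmp-blocks:
  rich rules:
"""


def parse_list_all(text):
    """Parse `--list-all` output into {"zone": name, key: [tokens, ...]}.
    Newer firewalld prints forward-ports and rich rules on continuation
    lines; those are folded into the preceding key."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    fields = {"zone": lines[0].split()[0]}   # "public (default, active)"
    last = None
    for line in lines[1:]:
        s = line.strip()
        if last and "=" in s.split(":", 1)[0]:  # e.g. "port=22:proto=tcp:..."
            fields[last].append(s)
            continue
        key, _, value = s.partition(":")
        last = key.strip()
        fields[last] = value.split()
    return fields


def parse_forward_port(spec):
    """'port=22:proto=tcp:toport=22:toaddr=172.25.254.35' -> dict of fields."""
    return dict(part.split("=", 1) for part in spec.split(":"))


def audit_forwarding(text, port, proto, toaddr, toport=None):
    """Return the problems that would stop proto/port being forwarded to toaddr."""
    zone = parse_list_all(text)
    problems = []
    # Forwarding to another host needs masquerade, otherwise replies never come back.
    if zone.get("masquerade") != ["yes"]:
        problems.append("masquerade is off: forwarded packets will not be NATed")
    wanted = {"port": str(port), "proto": proto,
              "toport": str(toport or port), "toaddr": toaddr}
    rules = [parse_forward_port(r) for r in zone.get("forward-ports", [])]
    if wanted not in rules:
        problems.append(f"no forward-port rule for {proto}/{port} -> {toaddr}")
    return problems
```

Note that the forward-port above was added without `--permanent`, so it is runtime-only and disappears on the next reload or restart; add it with `--permanent` followed by `firewall-cmd --reload` if it must survive.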

Origin blog.csdn.net/Y950904/article/details/89970370