Set the host firewall rules (iptables rule set)

First, what is the firewalld firewall?

firewalld (with the iptables rules underneath it) is really a host isolation tool: the only thing it does is judge whether a request arriving from outside may enter the host. What a request does once it is inside, and anything that happens outside the host, is not within firewalld's jurisdiction. firewalld works at the network edge of the host: it checks each request packet against the rules we specified in advance, lets it in if a rule allows it, and otherwise shuts it out. That is all firewalld is.

Second, what rules does firewalld have, and how are firewall rules set?

Which rules exist? Hmm, that is hard to say, because the rules are set by people: whatever rules you want to set are the rules there are (within what the functions allow, of course). You can specify a protocol, port or packet type and set a deny rule for it, such as DROP or REJECT (the two differ a little; more on that later), or set keywords that let matching packets through. Of course, you have to understand the rules before you can operate them.

Before operating, you have to know where, and by what means, firewalld rules can be added: the four tables and five chains. We start with the five chains, because the chains are contained in the four tables, so we learn from the inside out.

The five chains
1. PREROUTING: packets before the routing decision (destination address translation, DNAT, is done here).
2. INPUT: packets that, according to the routing decision, are destined for this machine.
3. FORWARD: packets that, according to the routing decision, are not for this machine and are passed through.
4. OUTPUT: packets generated locally and sent outwards.
5. POSTROUTING: packets just before they are handed to the network interface card (source address translation, SNAT, is done here).

Looking at the role of each chain above, are you completely lost, with no idea what any of this is? Haha, don't worry, I was just as lost when I first saw it, and after studying it I was even more lost: what on earth is this? It completely overturned my idea of IT, because the place where I thought a setting took effect and the place where it actually takes effect were not the same. So, hmm, I hope you do not bring your own preconceptions when learning firewalld rule sets, or it will be very hard.

There, the five chains are done. Get a rough idea of them first, then take a look at the four tables below:

The four tables
Tables are made of chains and perform different functions. iptables has four default tables, each with its default chains:
1. filter: general filtering
  The filter table is the default table; it stores all of the firewall's filtering operations.
    INPUT
    FORWARD
    OUTPUT
  The filter table has two usual modes:
    If the destination IP is this machine's IP, the host firewall rules apply, passing only through the INPUT and OUTPUT chains.
    If the destination IP is an external network IP, the network firewall rules apply, passing through the INPUT, FORWARD and OUTPUT chains.
2. nat: for NAT functions (port mapping, address mapping, etc.)
    PREROUTING
    INPUT
    OUTPUT
    POSTROUTING
3. mangle: for modifying particular packets
    PREROUTING
    INPUT
    FORWARD
    OUTPUT
    POSTROUTING
4. raw: the highest priority, but limited; it is generally used to stop iptables from doing connection tracking on a packet, to improve performance
    INPUT
    OUTPUT
    FORWARD

As you can see, each table contains its own chains. What we do is operate on the chains, but first we must say which table's chain we are operating on, since each table has a different function. So what we have to do is thoroughly understand: what does each table do? Which chains does it have? Which actions may those chains need? Once that is clear, you can start operating!

Eager to operate iptables on a host already? NO! NO! NO! Not yet, because you do not know what the iptables commands do, so let us look at the iptables command first. (Yes, didn't I say we were learning firewalld, so why iptables now? Actually it is simple: firewalld is a network isolation tool built on the kernel, and its rules are set by calling iptables. The food is in the pot, but you need a bowl to serve it if you want to eat.)

The iptables command
  Command format:
    iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
Option meanings
  Chain management
    -N: new, create a custom rule chain;
    -X: delete, delete a custom rule chain; deletion requires all three of the following conditions:
    1. the reference count is 0
    2. the chain is empty (contains no rules)
    3. the chain is a custom chain
    -P: policy, set the default policy; for the chains of the filter table the default policies are:
    ACCEPT: accept
    DROP: discard
    REJECT: reject
    -E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted;
  Viewing
    -L: list, list all rules on the specified chain; -L has several modifying options:
    -n: numeric, display addresses and port numbers in numeric format;
    -v: verbose, show detailed information;
    -x: exact, show the exact values of the counters;
    --line-numbers: show the rule numbers;
  Rule management
    -A: append, add at the end;
    -I: insert, insert at the given position; if the position is omitted, the rule is inserted first;
    -D: delete, delete a rule:
    (1) specified by rule number;
    (2) specified by the rule itself;
    -R: replace, replace the specified rule on the specified chain;
    -F: flush, empty the specified rule chain;
    -Z: zero, reset the counters to zero;
  Each iptables rule has two counters:
    (1) the number of packets matched;
    (2) the total size of all packets matched;
  Matching conditions
    Basic matching conditions: provided by iptables/netfilter itself without loading any module
    -s, --source address[/mask][,...]: checks whether the packet's source IP address matches the address or range given here;
    -d, --destination address[/mask][,...]: checks whether the packet's destination IP address matches the address or range given here;
    -p, --protocol protocol: specifies the protocol, commonly tcp, udp or icmp;
    -i, --in-interface name: the interface the packet comes in on; it applies only to packets flowing in, so it can only be used in the PREROUTING, INPUT and FORWARD chains;
    -o, --out-interface name: the interface the packet goes out on; it applies only to packets flowing out, so it can only be used in the FORWARD, OUTPUT and POSTROUTING chains;
  Implicit extensions
    No extension module has to be loaded by hand, because these are extensions of a protocol: once the protocol is given with -p, the matching extension module is implied.
    tcp:
    --source-port, --sport port[:port]: matches the packet's source port; can be a port range;
    --destination-port, --dport port[:port]: matches the packet's destination port; can be a port range;
    --tcp-flags mask comp: mask is the list of flags to examine, out of SYN, ACK, FIN, RST; comp is the list of flags within mask that must be set to 1. For example "--tcp-flags SYN,ACK,FIN,RST SYN" means: check the four flags SYN, ACK, FIN, RST; SYN must be 1 and the rest must be 0;
    --syn: matches the first packet of the handshake, equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN";
    udp:
    --source-port, --sport port[:port]: matches the packet's source port; can be a port range;
    --destination-port, --dport port[:port]: matches the packet's destination port; can be a port range;
    icmp:
    --icmp-type {type[/code]|typename}
  Explicit extensions
    The extension module must be invoked explicitly with the -m option;
    multiport: defines multiple port match conditions, discrete or continuous, up to 15 ports; "15" counts ports, so a range such as 20:25 counts as two ports, not six.
    iprange: defines multiple match conditions by a contiguous block of IP addresses;
    --src-range from[-to]
    --dst-range from[-to]
    time: matches on the time range in which the packet arrives; commonly used options:
    --timestart hh:mm[:ss]
    --timestop hh:mm[:ss]
    --weekdays day[,day...]
    --monthdays day[,day...]
    --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
    --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
    --kerneltz: use the kernel's configured time zone instead of the default UTC;
    string: pattern matching on the application-layer data of the packet
    --algo {bm|kmp}: the string matching algorithm;
    --string pattern: the string pattern to detect;
    --hex-string pattern: the string pattern to detect, in hexadecimal;
    connlimit: matches on the number of concurrent connections from each client IP;
    --connlimit-upto n: matches when the number of connections is at most n;
    --connlimit-above n: matches when the number of connections is greater than n;
  limit: matches on the rate of packets sent or received
    --limit rate[/second|/minute|/hour|/day] ## maximum rate
    --limit-burst number ## the maximum number of requests that can be accepted in a burst
    state: checks the connection state using the "connection tracking mechanism";
    --state STATE
    The conntrack mechanism tracks the relationship between requests and responses on the machine; the states are:
     - NEW: a new request; there is no entry for this connection in the connection tracking table, so it is recognised as the first request;
     - ESTABLISHED: after NEW, the state of the connection for the rest of the communication, until the tracking entry expires;
     - RELATED: an associated connection, such as the relationship between the data connection and the command connection in ftp;
     - INVALID: an invalid connection;
     - UNTRACKED: connection tracking is not performed;
  Processing actions (targets)
    ACCEPT: accept
    DROP: discard
    REJECT: refuse
    RETURN: return to the calling chain
    REDIRECT: port redirection
    LOG: logging
    MARK: set a firewall mark
    DNAT: destination address translation
    SNAT: source address translation
    MASQUERADE: masquerading

Wow, seeing so many commands and options above, is your head twice its size? Honestly, when I first saw them I was daunted too: so many??? Is someone messing with me? I am not that clever, how can I remember all of this??? Actually, more than 80% of these commands are not commonly used, so you can memorise selectively. I put the whole list together because if I run into one of these commands later, I can look it up easily and know what it means; who knows whether some future heavyweight will write a killer service that abruptly uses one of them, and not knowing it, or not being able to find it, would be embarrassing, right? Enough gossip, the practical operation starts below!! (Why do I feel a little excited???)

Practical cases

filter table
  iptables -F: clear all rules
  iptables -X: delete the custom chains (be sure to flush before this step)
  iptables -N old_forward: create a custom chain
  iptables -E old_forward new_forward: rename the custom chain
  iptables -P FORWARD DROP: set the default policy of the filter table's FORWARD chain to DROP
  iptables -L -n --line-numbers: show the filter table's rules with their line numbers
  iptables -t filter -D FORWARD 9: delete rule number 9 on the filter table's FORWARD chain
  iptables -t filter -A INPUT -s 0.0.0.0/0 -d 192.168.254.24 -p icmp -j REJECT: reject pings to this host from all hosts (0.0.0.0/0)
  iptables -t filter -A INPUT -d 192.168.254.24 -i ens33 -p icmp -j REJECT: reject pings to this host that arrive on the ens33 card from all hosts
Practical operation:
  Before starting, first run iptables -t filter -F and iptables -t filter -X to clear all rules in the filter table. (If firewalld is running, you can also look at the default rules it loads: iptables -t filter -L -n)
  Forbid pinging this machine: iptables -t filter -A INPUT -s 0.0.0.0/0 -d <VM IP> -p icmp -j REJECT (with REJECT the sender sees "port unreachable")

            iptables -t filter -A INPUT -d <VM IP> -p icmp -j DROP (the sender sees "Request timed out")

   You can see that with REJECT your packet arrives, I receive it, but I refuse it and tell you so; with DROP I receive it and discard it directly without telling you anything.
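As an added example that is not part of the original post, here is how the options from the reference above (state, connlimit, limit, multiport, --syn and the LOG target) and the REJECT choice from the ping test combine into one default-deny host rule set for the filter table. The interface ens33 and the address 192.168.254.24 are taken from the page's own examples; the set of ports kept reachable (22, 80, 443) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny host firewall
# for the filter table, emitted in iptables-restore syntax so it can be read
# and syntax-checked before it is loaded. Assumptions: the NIC is ens33 and
# the host address is 192.168.254.24 (both taken from the page's examples);
# SSH, HTTP and HTTPS are the services that should stay reachable.

build_filter_rules() {
    iface="$1"   # interface the inbound rules are bound to
    host="$2"    # this host's own address
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then replies to connections conntrack already knows.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# connlimit: a single client may hold at most 20 open connections to us.
-A INPUT -i $iface -d $host -p tcp --syn -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# limit + multiport: new handshakes to the three services, throttled globally.
-A INPUT -i $iface -d $host -p tcp --syn -m multiport --dports 22,80,443 -m limit --limit 25/second --limit-burst 50 -j ACCEPT
# Same choice as the page's ping test: REJECT answers with an ICMP error,
# DROP would leave the sender waiting for a timeout.
-A INPUT -i $iface -d $host -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-port-unreachable
# Log what falls through to the DROP policy, rate limited so logs cannot flood.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# iptables-restore --test only parses the rule set; load it only if that passes.
apply_filter_rules() {
    build_filter_rules "$1" "$2" | iptables-restore --test &&
        build_filter_rules "$1" "$2" | iptables-restore
}

# Number of INPUT rules the set contains; handy for a quick sanity check.
count_input_rules() {
    build_filter_rules "$1" "$2" | grep -c '^-A INPUT'
}

case "${1:-show}" in
    apply) apply_filter_rules "${2:-ens33}" "${3:-192.168.254.24}" ;;
    *)     build_filter_rules "${2:-ens33}" "${3:-192.168.254.24}" ;;
esac
```

Run it with no arguments to review the generated rules; `sh script.sh apply ens33 192.168.254.24` loads them only after `iptables-restore --test` has accepted the syntax.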

nat table
  # packets from the 192.168.250.0 network leaving through the firewall get their source address changed to 192.168.31.100 (SNAT: source address translation)
  iptables -t nat -A POSTROUTING -s 192.168.250.0/24 ! -d 192.168.250.0/24 -j SNAT --to-source 192.168.31.100
  # tcp traffic to this machine's address 192.168.31.200 on port 80 is forwarded to 192.168.250.1 (DNAT: destination address translation)
  iptables -t nat -A PREROUTING -p tcp -d 192.168.31.200 --dport 80 -j DNAT --to-destination 192.168.250.1:80
  # tcp traffic to this machine's address 192.168.31.200 on port 80 is forwarded to port 9999 of 192.168.31.100 (DNAT with destination port translation)
  iptables -t nat -A PREROUTING -p tcp -d 192.168.31.200 --dport 80 -j DNAT --to-destination 192.168.31.100:9999
Practical operation:
  Before starting, first run iptables -t nat -F and iptables -t nat -X to clear all rules in the nat table. You need three virtual machines, s1, s2 and s3: s1 is the client, s2 is the firewall, s3 is the server.
  s1 settings: IP 192.168.27.5/24, gateway 192.168.27.1, firewall off.
  s2 settings: ens33 IP 192.168.27.1/24, ens37 IP 112.112.112.1/24, no gateway, firewall on. (Two NICs.)
  s3 settings: IP 112.112.112.10/24, gateway 112.112.112.1, firewall off. Install the httpd service and write some content into index.html.
  Now on s2, enable routing (forwarding): echo 1 > /proc/sys/net/ipv4/ip_forward; at this point s1 can ping s2.
  On s1: curl 112.112.112.10 shows the contents of the index.html written on s3; on s3: tailf /var/log/httpd/access_log shows s1's IP accessing successfully.
  Then add the source address translation rule on s2: iptables -t nat -A POSTROUTING -s 192.168.27.5 -d 112.112.112.10 -j SNAT --to-source 112.112.112.1
  On s1: curl 112.112.112.10 still shows the index.html written on s3; on s3: tailf /var/log/httpd/access_log now shows the IP 112.112.112.1 accessing successfully.
  Install the httpd service on s1 as well and write an index.html into /var/www/html.
  Add the destination address translation rule on s2: iptables -t nat -A PREROUTING -s 112.112.112.10 -d 112.112.112.1 -j DNAT --to-destination 192.168.27.5
  Now on s3: curl 112.112.112.1 shows s1's index.html, and s1's log shows 112.112.112.10 accessing successfully.
  Add the port translation rule on s2: iptables -t nat -I PREROUTING -d 112.112.112.1 -p tcp --dport 80 -j DNAT --to-destination 112.112.112.10:80
  This time the log on s3 shows 192.168.27.5 accessing successfully. (The port in the previous step can be replaced with any other unused port and it still takes effect.)
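As an added example, not code from the original post, here is the s2 firewall of this lab as one script: forwarding enabled, the DNAT rule in PREROUTING and the SNAT rule in POSTROUTING, plus a default-deny FORWARD chain that only lets the translated HTTP flow and its conntrack replies through. The addresses and interfaces are the page's (s1 192.168.27.5 behind ens33, s3 112.112.112.10 behind ens37, s2 holding 192.168.27.1 and 112.112.112.1); that only tcp/80 from s1 to s3 should be relayed is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the s2 router of the lab above
# as one script. Addresses and interfaces come from the page: s1 is
# 192.168.27.5 behind ens33 (s2 side 192.168.27.1), s3 is 112.112.112.10
# behind ens37 (s2 side 112.112.112.1). Assumption: only HTTP (tcp/80) from
# s1 to s3 is meant to be relayed, so FORWARD is default-deny.
INSIDE_IF=ens33;  INSIDE_NET=192.168.27.0/24; CLIENT=192.168.27.5
OUTSIDE_IF=ens37; OUTSIDE_IP=112.112.112.1;   SERVER=112.112.112.10

build_router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT sits in PREROUTING, before the routing decision: connections from the
# inside to s2's outside address on port 80 are re-addressed to s3.
-A PREROUTING -i $INSIDE_IF -d $OUTSIDE_IP -p tcp --dport 80 -j DNAT --to-destination $SERVER:80
# SNAT sits in POSTROUTING, after routing: anything leaving the inside network
# via ens37 carries s2's outside address, so s3's access_log shows 112.112.112.1.
-A POSTROUTING -s $INSIDE_NET ! -d $INSIDE_NET -o $OUTSIDE_IF -j SNAT --to-source $OUTSIDE_IP
COMMIT
*filter
:FORWARD DROP [0:0]
# Forwarded traffic is default-deny: only the translated HTTP flow and the
# replies conntrack associates with it are passed between the two NICs.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $CLIENT -d $SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The page's "echo 1 > /proc/sys/net/ipv4/ip_forward", done through sysctl.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Plain iptables-restore replaces the nat and filter tables, which is the
# page's "iptables -t nat -F / -X first" done in one step; --test parses only.
apply_router_rules() {
    enable_forwarding &&
        build_router_rules | iptables-restore --test &&
        build_router_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_router_rules ;;
    *)     build_router_rules ;;
esac
```

Because the filter section only declares FORWARD, applying it on a machine that also carries INPUT rules would flush them; on the dedicated s2 VM of the lab that is the intended clean state.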

OK! In real work the raw and mangle tables are used so rarely, and I have never run into a situation that needed rules on those two tables, that I have not studied how rules are set on them; I will come back and fill that in some day when I am less busy. Also, I ran these experiments in a virtual machine and did not dare do them on my host: one wrong operation and it is "ritual apology" time. So I recommend that you also experiment on a virtual machine, make sure there is no problem, and only then run it on the host. Safety first!

That is basically it for operations; let us talk about something else!
firewalld priorities
  Order in which the tables are applied to a packet: raw, mangle, nat, filter
  Order in which the tables are commonly used: filter, nat, mangle, raw

iptables packet flow
  1. The packet arrives at a network interface, such as ens33.
  2. It enters the raw table's PREROUTING chain, whose job is to process the packet before connection tracking catches it.
  3. If connection tracking is enabled, the packet is processed by it here.
  4. It enters the mangle table's PREROUTING chain, where the packet can be modified, for example its TOS.
  5. It enters the nat table's PREROUTING chain, where DNAT can be done but no filtering.
  6. The routing decision is made: is the packet for the local host, or is it forwarded to another host?

Hmm, that is about as much of firewalld as I have come into contact with so far. If I have more content to add later I will; I hope readers with experience will take a look, and messages and exchanges are welcome!!!

Source: www.cnblogs.com/7758chongzi/p/11563560.html