Linux CentOS 7 software firewall

I. Introduction

The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets; it is a typical packet-filtering firewall.

II. Role of the Linux software firewall

It can serve as a stand-alone host firewall, disable or enable single ports or many ports at once, and forward traffic arriving on one port to another port or IP address.

III. Linux software firewall tools

Mainly used on CentOS 6:

iptables (command-line management tool); comparatively cumbersome to operate.

Mainly used on CentOS 7:

firewall-config (graphical management tool);

firewall-cmd (command-line management tool), the one used more often in production environments.

This article covers the firewalld firewall on CentOS 7.

IV. Firewalld overview

(1) A dynamic firewall management tool that uses network zones to define the trust level of network connections and interfaces;

(2) supports both IPv4 and IPv6 firewall settings;

(3) provides an interface (D-Bus) through which services and applications can add firewall rules directly;

(4) has two configuration modes: runtime configuration and permanent configuration.

4.1 firewalld zones

To simplify management, firewalld divides all network traffic into zones, each with its own default set of rules. public is the default zone; every network interface that has not been bound to another zone is handled by it.

4.2 firewalld workflow

firewalld decides which zone's rules apply to a packet by checking its source address first:

(1) if the source address is bound to a zone, that zone's rules are applied;

(2) if the source address is not bound to a zone but the ingress network interface is, the rules of the interface's zone are applied;

(3) if the interface is not bound to a zone either, the rules of the default zone are applied.
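The precedence above, as an added example that is not part of the original post: a shell function that takes the text output of firewall-cmd --list-all-zones and reports the zone a packet from a given source address on a given interface will be matched against. The zone listing embedded below is constructed for the example (the zone names are the CentOS 7 defaults); ip2int, in_cidr and resolve_zone are names chosen here, not firewalld commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decide which firewalld zone a
# packet is evaluated against, using the precedence described above:
#   1. a zone whose "sources:" contain the packet's source address,
#   2. else a zone whose "interfaces:" contain the ingress interface,
#   3. else the default zone.
# Input is the text format of `firewall-cmd --list-all-zones`; this sample is
# constructed for the example (only the attributes the function reads are shown).
SAMPLE_ZONES='public (active)
  target: default
  interfaces: ens33
  sources: 
  services: ssh dhcpv6-client
  ports: 

internal
  target: default
  interfaces: 
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 

drop (active)
  target: DROP
  interfaces: 
  sources: 203.0.113.0/24
  services: 
  ports: 

work (active)
  target: default
  interfaces: ens34
  sources: 
  services: ssh dhcpv6-client
  ports: 
'

# ip2int 192.0.2.1 -> the address as a 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET[/BITS] -> success if IP lies inside NET (no /BITS means /32)
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# resolve_zone SRC_IP IFACE DEFAULT_ZONE  (zone listing on stdin) -> prints the zone
resolve_zone() {
  local ip=$1 iface=$2 default=$3 zone="" src_zone="" if_zone="" line s i
  while IFS= read -r line; do
    case "$line" in
      "")    continue ;;
      "  "*) ;;                               # attribute line of the current zone
      *)     zone=${line%% *}; continue ;;    # zone header, e.g. "public (active)"
    esac
    case "$line" in
      "  sources:"*)
        for s in ${line#*:}; do               # first matching source binding wins
          in_cidr "$ip" "$s" && [ -z "$src_zone" ] && src_zone=$zone
        done ;;
      "  interfaces:"*)
        for i in ${line#*:}; do               # first matching interface binding wins
          [ "$i" = "$iface" ] && [ -z "$if_zone" ] && if_zone=$zone
        done ;;
    esac
  done
  # source binding beats interface binding, which beats the default zone
  echo "${src_zone:-${if_zone:-$default}}"
}

# Stand-alone run on the constructed sample. On a real host:
#   firewall-cmd --list-all-zones | resolve_zone 203.0.113.7 ens33 "$(firewall-cmd --get-default-zone)"
printf '%s\n' "$SAMPLE_ZONES" | resolve_zone 203.0.113.7 ens33 public    # drop   (source binding)
printf '%s\n' "$SAMPLE_ZONES" | resolve_zone 198.51.100.9 ens34 public   # work   (interface binding)
printf '%s\n' "$SAMPLE_ZONES" | resolve_zone 198.51.100.9 ens35 public   # public (default zone)
```

The third call is the case that surprises people: a packet from an address that is bound nowhere, arriving on an interface that is bound nowhere, is judged by the default zone, so changing the default zone (section 7.2) silently changes the policy for every unbound interface.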

V. Firewalld configuration

5.1 Runtime configuration

Takes effect immediately and lasts until firewalld is restarted or its configuration is reloaded;

does not interrupt existing connections;

cannot be used to modify service definitions.

5.2 Permanent configuration

Does not take effect until firewalld is restarted or its configuration is reloaded (firewall-cmd --reload applies the permanent configuration while keeping connection state; --complete-reload also resets state tracking and can drop established connections);

can be used to modify service definitions.

VI. The firewall-config graphical tool

firewall-config is the graphical management tool shipped with firewalld. It is started with the firewall-config command and turns many otherwise complicated firewall settings into a few clicks.

[root@localhost ~]# firewall-config


VII. The firewall-cmd command-line tool

firewall-cmd is the command-line management tool shipped with firewalld; it can set every kind of firewall rule.

Features:

(1) supports all firewalld features;

(2) --permanent option: when present, the command operates on the permanent configuration; when absent, on the runtime configuration;

(3) [--zone=<zone>] option: when absent, the command operates on the default zone; when present, on the specified zone.

7.1 Firewall process operation commands
[root@localhost ~]# systemctl <option> firewalld

Options: start, stop, restart, status (start, stop, restart, show status)

Commonly used commands follow.

7.2 Firewall zone operation commands

(1) show all zones together with their rules

[root@localhost ~]# firewall-cmd --list-all-zones

(2) show all rules of the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --list-all

(3) show all rules of the default zone

[root@localhost ~]# firewall-cmd --list-all

(4) show the default zone for network connections and interfaces

[root@localhost ~]# firewall-cmd --get-default-zone
public

(5) set the default zone for network connections and interfaces to internal

[root@localhost ~]# firewall-cmd --set-default-zone=internal
success
[root@localhost ~]# firewall-cmd --get-default-zone
internal       # the default zone is now internal
[root@localhost ~]# 

(6) show all active zones

A zone is active when at least one interface or one source address/network is bound to it.

[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33
[root@localhost ~]# 

(7) show the zone that the network interface ens33 is bound to

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal     # bound to the default zone
[root@localhost ~]# 

(8) bind interface ens33 to the work zone

[root@localhost ~]# firewall-cmd --zone=work --change-interface=ens33  # change the interface's zone
The interface is under control of NetworkManager, setting zone to work.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33      # show the interface's zone
work                             # changed

The NetworkManager message means the binding was stored in the interface's NetworkManager connection (ZONE= in its ifcfg file), so it survives a reload; on a NetworkManager-managed host, nmcli connection modify <connection-name> connection.zone work sets the same binding.

(9) remove interface ens33 from the work zone

[root@localhost ~]# firewall-cmd --zone=work --remove-interface=ens33 # remove the interface
The interface is under control of NetworkManager, setting zone to default.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33    # show the interface's zone
internal                                               # unbound, back in the default zone
[root@localhost ~]# 

(10) query whether the work zone contains the interface ens33

[root@localhost ~]# firewall-cmd --zone=work --query-interface=ens33
no
[root@localhost ~]# 

7.3 Summary of zone operation commands

[image: summary table of the zone operation commands above]

7.4 Firewall port operation commands

(1) open TCP port 22 in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --add-port=22/tcp --timeout=5m
success

--timeout=5m: the port is removed again after 5 minutes. This is a runtime-only safety net; --timeout cannot be combined with --permanent.

(2) show the ports allowed in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --list-ports
22/tcp

(3) close TCP port 22 in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --remove-port=22/tcp 
success

(4) query whether TCP port 22 is open in the internal zone

[root@localhost ~]# firewall-cmd --zone=internal --query-port=22/tcp 
no
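Putting the runtime/permanent split of section V together with the --timeout option above, the following is an added example (not from the original post) of how an operator working over SSH should open a port: apply the rule at runtime with a rollback timer, confirm it with --query-port, optionally run a reachability check, and only then write it to the permanent configuration and reload. The FWCMD variable, the function names and the exit codes are choices made for this example, not firewalld conventions; by default FWCMD is the real firewall-cmd.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): open a port with an automatic
# rollback. Sequence: runtime rule with --timeout, --query-port confirmation,
# optional check command, then --permanent and --reload. If the check fails the
# runtime rule is removed at once instead of waiting for the timeout.
# FWCMD is assumed here (not a firewalld convention) so the sequence can be
# exercised with a stand-in where firewalld is not installed.
FWCMD=${FWCMD:-firewall-cmd}

# zone_exists ZONE -> success if ZONE is one of the configured zones
zone_exists() {
  "$FWCMD" --get-zones | tr ' ' '\n' | grep -qx -- "$1"
}

# valid_port_spec PORT[-PORT]/PROTO -> success if the spec is well formed
valid_port_spec() {
  local port=${1%/*} proto=${1#*/}
  case "$port" in ''|*[!0-9-]*) return 1 ;; esac
  case "$proto" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# open_port_safely ZONE PORT/PROTO [TIMEOUT] [CHECK_CMD]
# 0 = rule live and persisted; 1 = rolled back or firewall-cmd failed; 2 = bad arguments
open_port_safely() {
  local zone=$1 spec=$2 timeout=${3:-5m} check=${4:-}

  valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
  zone_exists "$zone"     || { echo "unknown zone: $zone" >&2; return 2; }

  # 1. runtime only, auto-removed after TIMEOUT (--timeout cannot be combined with --permanent)
  "$FWCMD" --zone="$zone" --add-port="$spec" --timeout="$timeout" >/dev/null || return 1

  # 2. confirm the runtime rule really is in effect
  "$FWCMD" --zone="$zone" --query-port="$spec" >/dev/null \
    || { echo "runtime rule for $spec not active in $zone" >&2; return 1; }

  # 3. optional reachability check; on failure drop the runtime rule immediately
  if [ -n "$check" ] && ! sh -c "$check"; then
    echo "check failed, removing runtime rule" >&2
    "$FWCMD" --zone="$zone" --remove-port="$spec" >/dev/null
    return 1
  fi

  # 4. persist, then reload: --reload re-reads the permanent configuration while
  #    keeping connection state (--complete-reload would drop it)
  "$FWCMD" --permanent --zone="$zone" --add-port="$spec" >/dev/null || return 1
  "$FWCMD" --reload >/dev/null
}

# Stand-alone usage, e.g.:
#   bash open_port.sh internal 8080/tcp 5m 'curl -sf http://127.0.0.1:8080/ >/dev/null'
if [ $# -ge 2 ]; then
  open_port_safely "$@"
fi
```

The order matters: the permanent write happens last, so a mistake never outlives the timeout, and the reload at the end replaces the timed runtime rule with the permanent one instead of leaving both.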

7.5 Summary of port operation commands

[image: summary table of the port operation commands above]

7.6 Firewall ICMP blocking commands

(1) block the ICMP echo-request type in the work zone (hosts in that zone can no longer ping this machine)

[root@localhost ~]# firewall-cmd --zone=work --add-icmp-block=echo-request
success

(2) show all ICMP types blocked in the work zone

[root@localhost ~]# firewall-cmd --zone=work --list-icmp-blocks 
echo-request
[root@localhost ~]# 

(3) remove the echo-request block from the work zone

[root@localhost ~]# firewall-cmd --zone=work --remove-icmp-block=echo-request
success

(4) query whether the ICMP echo-request type is blocked in the work zone

[root@localhost ~]# firewall-cmd --zone=work --query-icmp-block=echo-request
no

7.7 Summary of ICMP blocking commands

[image: summary table of the ICMP blocking commands above]


Source: blog.csdn.net/weixin_42953006/article/details/103463048