1. Direct firewall rules
Firewalld provides a "direct interface" that lets an administrator hand-write iptables, ip6tables and ebtables rules and insert them directly into the firewalld-managed rule set, bypassing the zone abstraction; direct rules are managed through the firewall-cmd --direct options.
1) Example: create a blacklist chain and add rules that send a range of IP addresses to it
```shell
firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
# Pass iptables arguments through firewall-cmd: create the chain "blacklist" in the raw table ("ipv4" here means iptables)
firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.1.0/24 -j blacklist
# Before routing, send packets whose source address is in 192.168.1.0/24 to the "blacklist" chain
firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix blacklisted
# Log packets in the chain, rate-limited to one log entry per minute
firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP
# Drop every packet that reaches the "blacklist" chain
```
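Once the LOG rule above (or a rich rule with `log prefix=`, as in the examples later on this page) is active, the entries land in the kernel log. The following script is an added example, not part of the original post: it summarises hits per source address for one log prefix, run over a few constructed `journalctl -k` style lines. It assumes the standard netfilter LOG field layout (`SRC=`, `PROTO=`, `DPT=`) and shows that a prefix given without a trailing space, as in `--log-prefix blacklisted`, is fused to the `IN=` field.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise netfilter LOG hits per
# source address for one log prefix, reading kernel log lines on stdin.
# Usage after sourcing this file:  journalctl -k | summarize_hits blacklisted

# Constructed sample lines in journalctl -k style (not real captures). The LOG
# target prepends the prefix verbatim, so "--log-prefix blacklisted" (no
# trailing space) yields "blacklistedIN=eth0 ..." rather than "blacklisted IN=".
SAMPLE_LOG='Mar 10 10:01:02 host kernel: blacklistedIN=eth0 OUT= MAC=aa:bb SRC=192.168.1.25 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar 10 10:02:07 host kernel: blacklistedIN=eth0 OUT= MAC=aa:bb SRC=192.168.1.40 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Mar 10 10:03:11 host kernel: blacklistedIN=eth0 OUT= MAC=aa:bb SRC=192.168.1.25 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51002 DPT=22 SYN URGP=0
Mar 10 10:03:30 host kernel: tftpIN=eth0 OUT= MAC=aa:bb SRC=1.2.3.4 DST=10.0.0.5 LEN=48 PROTO=UDP SPT=2048 DPT=69
Mar 10 10:04:00 host kernel: usb 1-1: new high-speed USB device number 3'

# summarize_hits PREFIX: prints "count src proto dport", most frequent first.
# Counts are lower bounds: the rules above rate-limit logging to 1/min.
summarize_hits() {
  awk -v prefix="$1" '
    {
      i = index($0, "kernel: ")
      if (i == 0) next
      msg = substr($0, i + 8)
      sub(/^\[[ 0-9.]*] */, "", msg)     # strip a "[ 123.456] " kernel timestamp if present
      if (substr(msg, 1, length(prefix)) != prefix) next
      src = ""; proto = "-"; dpt = "-"
      n = split(msg, f, " ")
      for (k = 1; k <= n; k++) {
        if (f[k] ~ /^SRC=/) src = substr(f[k], 5)
        else if (f[k] ~ /^PROTO=/) proto = substr(f[k], 7)
        else if (f[k] ~ /^DPT=/) dpt = substr(f[k], 5)
      }
      if (src != "") hits[src " " proto " " dpt]++
    }
    END { for (key in hits) print hits[key], key }
  ' | sort -rn
}

# Stand-alone run: summarise the constructed sample for the prefix given as $1,
# or "blacklisted" by default.
printf '%s\n' "$SAMPLE_LOG" | summarize_hits "${1:-blacklisted}"
```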
2) Rule evaluation order in firewalld
Direct rules > rich rules > zone rules
2. firewall-cmd options for rich rules
firewall-cmd has four options for handling rich rules; each takes an optional zone:
`--add-rich-rule` adds a RULE to the specified zone; if no zone is given, the default zone is used
`--remove-rich-rule` removes a RULE from the specified zone; if no zone is given, the default zone is used
`--query-rich-rule` checks whether a RULE has been added to the specified zone; returns 0 if it exists, otherwise 1
`--list-rich-rules` lists all rich rules of the specified zone; if no zone is given, the default zone is used
3. Rich language
The rich language provides a mechanism for configuring complex IPv4 and IPv6 firewall rules through a dedicated language, without needing to know iptables syntax.
Rich rules can express basic allow/deny rules, and can also be used to configure logging (syslog, auditd), port forwarding, masquerading and rate limiting.
1) Rich language format
rule [ family=ipv4|ipv6 ] [ source address=ip/mask ] [ destination address=ip/mask ] [ element ] [ audit ] [ accept|reject|drop ]
- Options:
  - family=: when the rule targets a particular network or IP address, specify whether it is ipv4 or ipv6
  - source address: the source IP address to restrict; an IPv4 or IPv6 address, or an address range such as 192.168.1.0/24
  - destination address: the destination address to restrict
  - element: the object the rule applies to; the element types are:
    - service: a service by name; format: service name=<service name>
    - port: a port number, either a single port or a range, for TCP or UDP; format: port port=5000-5050 protocol=tcp|udp, or port port=8888/tcp
    - protocol: a protocol, given as a protocol number or name; with a port number: port port=<port> protocol=tcp|udp; without a port number: protocol value=<protocol name>
    - icmp-block: block one or more ICMP types; format: icmp-block name=<icmp type name>
    - masquerade: enable IP masquerading for traffic matched by the rule
    - forward-port: forward packets for the given TCP or UDP port to another port on this host (or to another address); format: forward-port port=<port> protocol=tcp|udp to-port=<port> to-addr=<address>
    - log: log matching connection requests to the kernel log; log levels: emerg, alert, crit, error, warning, notice, info, debug; format: log [prefix=<prefix text>] [level=<log level>] limit value=<count>/<unit>; units: s (seconds), m (minutes), h (hours), d (days)
    - audit: record matches through the audit subsystem (auditd)
    - accept|reject|drop: the action taken on matching traffic
4. Rich language examples
1) Example: allow new IPv4 and IPv6 connections using the Authentication Header (AH) protocol
[root@localhost ~]# firewall-cmd --add-rich-rule='rule protocol value=ah accept'
success
2) Example: allow new IPv4 and IPv6 FTP connections, with an audit record at most once per minute
[root@localhost ~]# firewall-cmd --add-rich-rule='rule service name=ftp log limit value=1/m audit accept'
3) Allow new IPv4 TFTP connections from the network 1.0.0.0/8, logging to syslog at most once per minute
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="1.0.0.0/8" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
4) Whitelist the source address 192.168.1.2 by accepting all connections from it
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.2" accept'
5) In the public zone, reject all traffic from the IP address 192.168.1.1
[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.1/24 reject'
6) In the default zone, drop all incoming IPsec ESP packets from anywhere
[root@localhost ~]# firewall-cmd --add-rich-rule='rule protocol value="esp" drop'
success
7) In the dmz zone, accept TCP ports 7900-7905 from the 192.168.1.0/24 subnet
[root@localhost ~]# firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
success
8) Accept new SSH connections from the work zone and log each new connection to syslog at notice level, at most three per minute
9) For the next five minutes, reject new DNS connections from the subnet 192.168.2.0/24 in the default zone, and record the rejected connections through audit at most once per hour
[root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 service name=dns audit limit value=1/h reject' --timeout=300
success