05-CentOS firewall

Outline

CentOS has several firewall-type mechanisms: SELinux, firewalld, TCP Wrappers, and iptables/netfilter.
Each has its own strengths.
This article mainly covers two of them: SELinux and firewalld.

SELinux

Why SELinux?

Programs on Linux must not be given too much authority; otherwise a compromised program can take over our system, read our data (such as database files), or install whatever it likes (such as a backdoor).
It is like downloading unofficial software on Windows and finding, after installation, "Fun Blue Moon", "Legend" or advertising icons on the desktop.

What SELinux does:

SELinux is mainly for internal defense: it controls what a process may do inside the system, such as which files and which ports it may access. With it, an application cannot have more authority than it needs.

SELinux's three modes
enforcing       # enforcing mode: blocks unauthorised requests (the default)
permissive      # only warns, does not block
disabled        # neither warns about nor blocks violations (SELinux is off)
Viewing the current SELinux mode
getenforce      # show the mode SELinux is currently in
getsebool -a    # list the current boolean value of each rule

# Example:
semanage fcontext -a -t httpd_sys_content_t /home/wwwroot/      # allow the httpd program to access /home/wwwroot/ (this records the rule; run restorecon -Rv /home/wwwroot/ afterwards to apply the label to existing files)
Switching SELinux on and off
  • Temporary switch (no reboot needed)
setenforce 0    # temporarily turn SELinux off (switches to permissive mode)
setenforce 1    # temporarily turn SELinux on (switches to enforcing mode)
  • Permanent switch (reboot needed)
vim /etc/selinux/config
    SELINUX=disabled        # set the SELinux state to disabled (off)
  • How SELinux is normally turned off and on

A temporary switch only lasts until the next reboot, and a permanent switch only takes effect after a reboot.
So the two are usually combined.
For example, to turn SELinux off:

setenforce 0    # temporarily turn SELinux off
vim /etc/selinux/config
    SELINUX=disabled
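The combined procedure above exists because the runtime mode and the configured mode can disagree. As an added example (my own script, not part of the original post), the following POSIX sh functions compare the two and report the mismatch, so a `setenforce 0` that was never made permanent, or a config set to disabled that has not taken effect yet, is noticed. Assumptions: the runtime mode is passed in as the string `getenforce` prints and the config file path is passed in explicitly, so the check can be tried offline on a constructed config file; `make_sample_config` only writes such a constructed file and is not a CentOS tool.

```shell
#!/bin/sh
# Added example: detect drift between the running SELinux mode and
# /etc/selinux/config. Inputs are passed as arguments so it runs offline;
# on a real host: selinux_drift "$(getenforce)" /etc/selinux/config

# Print the SELINUX= value of a config file in lower case
# (enforcing|permissive|disabled). Comments and SELINUXTYPE= are ignored;
# prints "unknown" when no such line exists.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        echo unknown
    fi
}

# $1 = runtime mode as printed by getenforce (Enforcing/Permissive/Disabled)
# $2 = path to the config file
# Returns 0 when both agree and SELinux is enforcing, 1 when both agree on a
# weaker mode, 2 when runtime and config differ (the situation a reboot
# would silently change).
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    configured=$(selinux_config_mode "$2")
    if [ "$runtime" = "$configured" ]; then
        if [ "$runtime" = "enforcing" ]; then
            echo "ok: enforcing at runtime and in config"
            return 0
        fi
        echo "warn: SELinux is $runtime both at runtime and in config"
        return 1
    fi
    echo "drift: runtime=$runtime config=$configured (runtime setting is lost at reboot; config applies after reboot)"
    return 2
}

# Write a constructed sample config file ($1 = path, $2 = mode) in the same
# layout as the file edited with vim above.
make_sample_config() {
    cat > "$1" <<EOF
# This file controls the state of SELinux on the system.
SELINUX=$2
SELINUXTYPE=targeted
EOF
}
```

On a live host the only line you need is `selinux_drift "$(getenforce)" /etc/selinux/config`; a non-zero exit status from it is a good thing to alert on from a cron job or configuration-management run.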

Firewalld

Unlike SELinux, this firewall is mainly used to block access from outside, for example to stop other hosts on the network from reaching a port.
Firewalld also has other powerful features, such as NAT forwarding.

Temporarily open a port
firewall-cmd --add-port=8080/tcp            # allow TCP on port 8080
firewall-cmd --add-port=8080-8090/tcp       # allow TCP on ports 8080 to 8090

# Note: UDP on the ports above is still blocked.
Temporarily allow a service
firewall-cmd --add-service=https        # temporarily allow the https service (same effect as opening port 443)
Temporarily block a service
firewall-cmd --remove-service=https     # temporarily block the https service (same effect as closing port 443)

# Likewise, the command to close a port is --remove-port
Viewing the firewalld rules
firewall-cmd --list-all     # show the current rules (including temporary ones)
firewall-cmd --list-all --permanent     # show the permanent rules
Permanently allowing or blocking

Everything mentioned so far is only temporary: once firewalld restarts, those rules are gone, because it re-reads its configuration file.

  • Permanently open a port - method 1
firewall-cmd --add-port=8080/tcp --permanent        # only writes the rule to the configuration file; it does not take effect immediately
firewall-cmd --add-port=8080/tcp                    # applies the same rule to the running firewall
  • Permanently open a port - method 2
firewall-cmd --add-port=8080/tcp --permanent        # only writes the rule to the configuration file; it does not take effect immediately
firewall-cmd --reload       # reload firewalld (it re-reads the configuration file)
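Both methods exist because firewalld keeps two rule sets: the runtime one and the permanent one, and a port present in only one of them is either about to disappear on reload or not actually open yet. As an added example (my own script, not part of the original post or of firewalld), the POSIX sh function below takes the two port lists as text and reports each entry that is in only one set. It assumes the lists look like the output of `firewall-cmd --list-ports` (space-separated entries such as `8080/tcp 8080-8090/tcp`), so it can be checked offline on constructed input.

```shell
#!/bin/sh
# Added example: report firewalld port rules that exist only at runtime
# (lost on "firewall-cmd --reload" or a restart) or only in the permanent
# configuration (not active until the next reload). On a live host:
#   port_drift "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-ports --permanent)"

# Turn a space-separated port list into one sorted, de-duplicated entry per line.
ports_sorted() {
    # word splitting of $1 is intentional: each port spec becomes one line
    printf '%s\n' $1 | sed '/^$/d' | sort -u
}

# $1 = runtime port list, $2 = permanent port list (constructed text or
# firewall-cmd output). Prints one line per mismatch; returns 0 when the two
# sets are identical, 1 otherwise.
port_drift() {
    runtime=$(ports_sorted "$1")
    permanent=$(ports_sorted "$2")
    status=0
    for p in $runtime; do
        if ! printf '%s\n' "$permanent" | grep -qxF "$p"; then
            echo "runtime-only (will be lost on reload): $p"
            status=1
        fi
    done
    for p in $permanent; do
        if ! printf '%s\n' "$runtime" | grep -qxF "$p"; then
            echo "permanent-only (not active until reload): $p"
            status=1
        fi
    done
    return $status
}
```

Running this after a change is a quick way to confirm that method 1 or method 2 was completed, and a "runtime-only" line on a production host usually means someone opened a port by hand and never made it permanent.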

Origin blog.csdn.net/NetRookieX/article/details/104710408