Linux System Management – RHEL 7 Firewall Chapter

Source: Internet
Author: User


The firewall functionality of a Linux system is implemented by the kernel:

Kernel 2.0: the packet filtering mechanism is ipfw, and the management tool is ipfwadm.

Kernel 2.2: the packet filtering mechanism is ipchains, and the management tool is ipchains.

Kernel 2.4 and later: the packet filtering mechanism is netfilter, and the management tool is iptables.

Kernel 3.10: the packet filtering mechanism is firewalld, and the management tool is firewall-cmd.

As we should all know, RHEL 7 ships kernel 3.10, and in this kernel version the firewall packet filtering front end is firewalld. Although the tool has changed, the firewall-cmd command still calls iptables underneath. To avoid the legacy services conflicting with firewalld, they are masked:

# Mask the legacy iptables, ip6tables and ebtables services so they cannot be started alongside firewalld
for SERVICE in iptables ip6tables ebtables; do
    systemctl mask ${SERVICE}.service
done

Packet-filtering firewalls work at the network layer of TCP/IP.

Attachment TCP/IP


Rules table

Firewall rules with a similar purpose are grouped into different "tables"; within each table, the rules are organised into rule chains according to the point at which they are processed.

The four default tables are:

raw table: decides whether the packet is subject to connection (state) tracking

mangle table: sets marks on packets

nat table: modifies the source or destination IP address or port of a packet

filter table: decides whether the packet is allowed through (filtered)

The filter table and the nat table are the most commonly used. Each table has a different function, and the rules that packets are matched against differ between tables, so confirm which table you need before using it.

The mangle table can apply special marks to packets, and the filter table can then use combinations of these marks to process packets selectively. One example is "policy routing": a gateway host with two ADSL lines, one on a Netcom interface and one on a Telecom interface, can send traffic destined for Netcom servers out of the Netcom ADSL interface and traffic destined for Telecom servers out of the Telecom ADSL interface.

The raw table is a newer table, added in iptables 1.2.9 and later. It is mainly used to decide whether a packet is handled by the connection tracking mechanism. At present the raw table is still rarely used.

Attachment Rules Table

Rule chain

The main feature of a "packet filtering" firewall is the filtering of IP packets at the network layer. In practice, when applying iptables rules you will find that some rules act on the transport layer or the link layer. These rules are implemented by what is called a "rule chain". The role of a chain is to filter or otherwise process packets; according to the point at which they are processed, the various rules are organised into different "chains", so a rule chain is a collection of firewall rules/policies. The five default chains are:

INPUT: processes inbound packets

OUTPUT: processes outbound packets

FORWARD: processes forwarded packets

POSTROUTING: processes a packet after the routing decision has been made

PREROUTING: processes a packet before the routing decision is made

A "host firewall" mainly uses the INPUT and OUTPUT chains; a "network firewall" mainly uses the FORWARD, PREROUTING and POSTROUTING chains.

Inbound data flow: when a packet from the outside world reaches the firewall, it is first processed by the PREROUTING chain (which decides, for example, whether to modify the packet's address), then routed (to determine where the packet should be sent). If the destination address is the firewall host itself (for example, a packet from an Internet user accessing the web service on the firewall host), the kernel passes it to the INPUT chain (which decides whether to allow it through, and so on) and then hands it to the application in the upper layer of the system (such as httpd).

Forwarding data flow: when a packet from the outside world reaches the firewall, it is first processed by the PREROUTING chain, then routed. If the destination address is another external address (for example, a LAN user accessing QQ), the kernel passes the packet to the FORWARD chain (which decides whether to forward or block it) and then to the POSTROUTING chain.

Outbound data flow: a packet sent from the firewall host itself to an external address (for example, testing a public DNS service from the firewall host) is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (which decides, for example, whether to modify the packet's address).

Attachment rule Chain

Firewall Zone

Firewalld ships with many predefined zones, each with its own purpose. Interfaces and sources are associated with a zone; when no zone is specified, the default zone is used, which is public out of the box. The default zone is not a separate zone in itself: it simply points to one of the zones defined on the system. The common zones in RHEL 7 are:

Trusted: allow all incoming traffic.

Home: deny incoming traffic, allow outgoing traffic and the services ssh, mdns, ipp-client, samba-client and dhcpv6-client.

Internal: deny incoming traffic, allow outgoing traffic and the services ssh, ipp-client and dhcpv6-client.

Work: deny incoming traffic, allow outgoing traffic and the services ssh, ipp-client and dhcpv6-client.

Public: deny incoming traffic, allow outgoing traffic and the services ssh and dhcpv6-client.

External: deny incoming traffic, allow outgoing traffic and the services ssh, mdns, ipp-client, samba-client and dhcpv6-client; IPv4 masquerading is enabled.

DMZ: deny incoming traffic, allow outgoing traffic and the service ssh.

Block: deny all incoming traffic.

Drop: discard all incoming traffic, without replying (not even with ICMP errors), unless it is related to outgoing traffic.

If the source address of an incoming packet matches the source setting of a zone, the packet is handled by that zone; otherwise, if the incoming interface matches the interface setting of a zone, that zone is used.

Configuration of the firewall

RHEL 7 provides three ways to manage the firewall: ① the command line, using the firewall-cmd command; ② the graphical interface, firewall-config; ③ editing the configuration files under /etc/firewalld/. Here we focus on the first, the command-line method.

It has to be said that the firewall command in RHEL 7 is just two or three lines long, yet it has many options and parameters I had never seen before. As for which options and parameters exist, I list them here to show you.

Example: setting access permissions for the web service

Step 1: verify that firewalld is enabled

systemctl status firewalld.service


Step 2: install the httpd and mod_ssl packages, start the httpd service and enable it at boot


Step 3: create the home page file for the web service


Step 4: set the default zone of the firewall on host Server1 so that all traffic passes through the dmz zone

firewall-cmd --set-default-zone=dmz


Step 5: configure the firewall on host Server1 so that traffic from the 172.25.1.0/24 network segment is handled by the work zone

firewall-cmd --permanent --zone=work --add-source=172.25.1.0/24


Step 6: configure the work zone to allow access to the web service (HTTPS)

firewall-cmd --permanent --zone=work --add-service=https


Step 7: make the firewall configuration effective

firewall-cmd --reload


Step 8: check the firewall configuration for the Server1 network segment

firewall-cmd --get-default-zone

firewall-cmd --get-active-zones

firewall-cmd --zone=work --list-all


Step 9: switch to Server1 and verify that the web page is accessible

curl http://server0.example.com

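Added example, not from the original post: a small audit script for step 8 that parses the text printed by firewall-cmd --zone=work --list-all and reports whether the work zone carries the 172.25.1.0/24 source and the https service that steps 5 to 7 configured, and nothing broader. The listing embedded below is a constructed sample; on a real host, substitute the live command output.

```shell
#!/bin/sh
# Audit a firewalld zone from the listing text that
# `firewall-cmd --zone=<zone> --list-all` prints (RHEL 7 format).

# Constructed sample listing (what step 8 should show after steps 5 to 7).
SAMPLE_WORK='work
  interfaces:
  sources: 172.25.1.0/24
  services: dhcpv6-client https ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'

# Print the space-separated values of one "key:" line from a listing.
zone_field() {  # $1 = listing text, $2 = key (e.g. services)
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { $1 = ""; sub(/^ +/, ""); print }'
}

# Succeed (exit 0) when $3 is one of the words in the $2 field of listing $1.
zone_has() {  # $1 = listing text, $2 = key, $3 = wanted value
    for v in $(zone_field "$1" "$2"); do
        [ "$v" = "$3" ] && return 0
    done
    return 1
}

# Apply the walkthrough's expectations to a work-zone listing:
# the 172.25.1.0/24 source and the https service must be present,
# plain http must not have crept in, and masquerading must be off.
# Prints "ok" on success, otherwise the first failure found.
audit_work_zone() {  # $1 = listing text
    zone_has "$1" sources 172.25.1.0/24 || { echo "missing source 172.25.1.0/24"; return 1; }
    zone_has "$1" services https        || { echo "missing service https"; return 1; }
    zone_has "$1" services http         && { echo "unexpected service http"; return 1; }
    [ "$(zone_field "$1" masquerade)" = "no" ] || { echo "masquerade enabled"; return 1; }
    echo ok
}

# On a real host replace SAMPLE_WORK with "$(firewall-cmd --zone=work --list-all)".
audit_work_zone "$SAMPLE_WORK"
```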


This article is from the "technical Support my Dream" blog, please be sure to keep this source http://hblbk.blog.51cto.com/7645149/1548025
