Examples of firewalld IP masquerading and port forwarding
(1)
Firewalld IP masquerading and port forwarding
Masquerading:
This enables masquerading for the zone: private network addresses are hidden behind, and mapped to, a public IP address. It is a form of network address translation and is commonly used on routers. Due to a kernel restriction, masquerading is only available for IPv4.
# firewall-cmd --permanent --zone=<zone> --add-masquerade
# firewall-cmd --permanent --zone=<zone> --add-rich-rule='rule family="ipv4" source address="192.168.122.0/24" masquerade'
(<zone> stands for the name of the zone the rule is added to.)
Port forwarding:
# firewall-cmd --permanent --zone=<zone> --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.122.7
# firewall-cmd --permanent --zone=<zone> --add-rich-rule='rule family="ipv4" source address="192.168.122.0/24" forward-port port=80 protocol=tcp to-port=8080'
Experiment results:
[root@localhost ~]# ssh root@192.168.122.7
root@192.168.122.7's password:
Last login: Mon Nov  7 20:42:26 2016 from 192.168.122.1
[root@localhost ~]# ssh root@192.168.122.7 -p 443
root@192.168.122.7's password:
Last login: Thu Nov 10 07:14:03 2016 from 192.168.122.1
The experiment successfully forwarded port 443 to 22.
(2)
1. The firewalld daemon
The firewall-cmd command requires the firewalld daemon to be running. Use systemctl status/start/stop/restart firewalld to control it; firewalld is the process that provides the firewall service.
Some changes (especially those made in the configuration files) do not take effect immediately. There are two ways to activate the latest configuration: systemctl restart firewalld and firewall-cmd --reload. The former restarts the firewalld service; we recommend the latter, which reloads the configuration files. After a reload, TCP sessions that are currently connected are not dropped, whereas restarting the service disconnects them.
2. Controlling ports and services
A port can be opened in two ways: by specifying its port number or by specifying a service name. Although the http service opens port 80, it cannot be closed by port number. In other words, if a port was opened by service name it must be closed by service name, and if it was opened by port number it must be closed by port number. Note that when specifying a port you must also specify the protocol, tcp or udp. Once you know this, you no longer need to stop the whole firewall every time a service must be reachable; the firewall stays in effect.
firewall-cmd --add-service=mysql     # open the mysql port
firewall-cmd --remove-service=http   # block the http port
firewall-cmd --list-services         # list open services
firewall-cmd --add-port=3306/tcp     # open access to 3306 over tcp
firewall-cmd --remove-port=80/tcp    # block tcp access to 80
firewall-cmd --add-port=233/udp      # open access to 233 over udp
firewall-cmd --list-ports            # list open ports
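The rule that a port opened by service name can only be closed by service name is easy to get wrong during an incident. The script below is an added example (not code from the original post): it parses the text of firewall-cmd --list-all for a zone and reports whether a given port is open via the ports list or via a named service, and which remove command actually closes it. The list-all text and the service-to-port table are constructed samples for offline use; firewalld itself takes the real service definitions from /usr/lib/firewalld/services/*.xml, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: find out which rule opens a port in a zone, from the text
# output of `firewall-cmd --list-all`. Not from the original post.

# Constructed sample of `firewall-cmd --list-all` output (offline input).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 3306/tcp 233/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Hypothetical lookup: ports covered by a named service. This is a small
# constructed subset, not the real firewalld service database.
service_ports() {
    case "$1" in
        http)  echo "80/tcp" ;;
        https) echo "443/tcp" ;;
        ssh)   echo "22/tcp" ;;
        mysql) echo "3306/tcp" ;;
        *)     echo "" ;;
    esac
}

# Print the value of one "key:" line of list-all output ("" if absent).
list_field() {   # $1 = list-all text, $2 = field name (e.g. ports)
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# Report how PORT/PROTO is opened in the zone:
#   "port"          opened with --add-port    -> close with --remove-port
#   "service:NAME"  opened via a service name -> close with --remove-service
#   "closed"        not opened by either list
port_open_via() {   # $1 = list-all text, $2 = port/proto (e.g. 80/tcp)
    for p in $(list_field "$1" ports); do
        [ "$p" = "$2" ] && { echo "port"; return 0; }
    done
    for s in $(list_field "$1" services); do
        for p in $(service_ports "$s"); do
            [ "$p" = "$2" ] && { echo "service:$s"; return 0; }
        done
    done
    echo "closed"
}

# Suggest the firewall-cmd invocation that really closes PORT/PROTO: a port
# opened by service name cannot be closed by number, and vice versa.
close_command() {   # $1 = list-all text, $2 = port/proto
    how=$(port_open_via "$1" "$2")
    case "$how" in
        port)      echo "firewall-cmd --remove-port=$2" ;;
        service:*) echo "firewall-cmd --remove-service=${how#service:}" ;;
        *)         echo "already closed" ;;
    esac
}

# Usage against the live system (needs firewalld running):
#   close_command "$(firewall-cmd --zone=public --list-all)" 80/tcp
```

Running close_command on the sample for 80/tcp yields the --remove-service=http form, while 233/udp yields --remove-port=233/udp; feeding it the live output of firewall-cmd --list-all gives the same answer for a real zone.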
3. IP masquerading
The firewall can masquerade IP addresses. The port forwarding below relies on this feature.
firewall-cmd --query-masquerade     # check whether masquerading is enabled
firewall-cmd --add-masquerade       # enable masquerading
firewall-cmd --remove-masquerade    # disable masquerading
4. Port forwarding
Port forwarding sends traffic that arrives at a specified port on to a specified port of a specified address. If no destination IP address is given, the local host is used by default. If an address is given but no destination port, the original port is used by default.
If port forwarding does not take effect after it has been configured, check the following two things:
For example, if I forward port 80 to port 8080, first check whether local port 80 and target port 8080 are being listened on, and then check whether masquerading is enabled; if it is not, enable it.
# forward traffic arriving at port 80 to port 8080 on the local host
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# forward traffic arriving at port 80 to port 80 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# forward traffic arriving at port 80 to port 8080 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
When we want to hide a port, we can block it at the firewall, open a non-standard port instead, and configure port forwarding from that port to the service. Port forwarding can also be used to distribute traffic: one firewall host fronts many machines running different services, and forwards traffic arriving at different ports to different machines.
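To tie the forwarding defaults and the two troubleshooting checks together, here is an added example script (not code from the original post). It builds the port=...:proto=...:toport=...:toaddr=... specification with the defaults described above (no toaddr means the local host, no toport means the same port), builds the IPv4 masquerade rich rule, checks for a listener and for masquerading before applying, and then uses --permanent followed by --reload so established sessions survive. firewall-cmd and ss are real tools; the function names and the APPLY switch are this example's own, and nothing touches the system unless APPLY=1.

```shell
#!/bin/sh
# Added example: build and apply a firewalld forward-port rule with the
# defaults from the post, checking prerequisites first. Not the post's code.

# Validate inputs and print "port=P:proto=X[:toport=T][:toaddr=A]".
build_forward_spec() {   # $1 = port, $2 = proto, $3 = toport or "", $4 = toaddr or ""
    port=$1; proto=$2; toport=${3:-}; toaddr=${4:-}
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    spec="port=$port:proto=$proto"
    [ -n "$toport" ] && spec="$spec:toport=$toport"   # omitted -> same port
    [ -n "$toaddr" ] && spec="$spec:toaddr=$toaddr"   # omitted -> local host
    echo "$spec"
}

# Masquerade rich rule for one source network (IPv4 only, as the post notes).
build_masq_rule() {   # $1 = source CIDR
    printf 'rule family="ipv4" source address="%s" masquerade\n' "$1"
}

# Masquerading is only needed when the forwarded traffic leaves for another host.
needs_masquerade() {   # $1 = toaddr or ""
    [ -n "$1" ]
}

# The two checks from the post, run against the live system: is something
# listening on the target port (local forwards), and is masquerading on
# (remote forwards)? Requires root, firewall-cmd and ss.
check_prereqs() {   # $1 = zone, $2 = toaddr or "", $3 = target port
    if [ -z "$2" ] && ! ss -lntu 2>/dev/null | grep -q ":$3 "; then
        echo "warning: nothing is listening on local port $3" >&2
    fi
    if needs_masquerade "$2" && [ "$(firewall-cmd --zone="$1" --query-masquerade)" != "yes" ]; then
        echo "masquerade is off in zone $1; enabling it" >&2
        firewall-cmd --permanent --zone="$1" --add-masquerade
    fi
}

# Add the forward permanently, then reload (reload keeps established TCP
# sessions; restarting firewalld would drop them).
apply_forward() {   # $1 = zone, $2 = port, $3 = proto, $4 = toport, $5 = toaddr
    spec=$(build_forward_spec "$2" "$3" "$4" "$5") || return 1
    check_prereqs "$1" "$5" "${4:-$2}"
    firewall-cmd --permanent --zone="$1" --add-forward-port="$spec"
    firewall-cmd --reload
}

# Usage (only when APPLY=1, so the file can be sourced without side effects):
#   APPLY=1 sh fw-forward.sh public 80 tcp 8080 192.168.0.1
if [ "${APPLY:-0}" = 1 ]; then
    apply_forward "$1" "$2" "$3" "${4:-}" "${5:-}"
fi
```

The listener check only applies when the destination is the local host, since for a remote toaddr the port is owned by the other machine; the masquerade check only applies when a toaddr is given, which is exactly the case in which the reply traffic needs source NAT.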