RHCE Study Notes (31)-Firewall (top)


This part has more content; it is mainly about using and configuring firewalld.


Before getting to firewalld, take a quick look at another tool, TCP wrappers. This is a host-based access control system that normally complements and reinforces a firewall. Simple access control for a service is easy to implement with TCP wrappers.





Red Hat's official documentation has a detailed explanation and examples.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-tcp_wrappers_and_xinetd-tcp_wrappers_configuration_files.html


Simply put, there are two configuration files: /etc/hosts.allow and /etc/hosts.deny.


As the names suggest, an entry placed in hosts.allow is allowed by default and an entry placed in hosts.deny is denied by default. If neither file matches, or neither is configured, the service is allowed by default.


The basic format is

daemon1, daemon2, daemon3 ... : client1, client2, client3 ... : option1 : option2 ...


If that feels cumbersome, you can also state allow or deny explicitly in either file. For example, I can put the following definition in the hosts.allow file to reject SSH requests from 172.0.10.223




Test it: sure enough, the connection is rejected.



Either remove the entry or change the deny.



Try again and the connection works.



However, not every service can be controlled with TCP wrappers; only daemons linked against the libwrap library can.


httpd, for example, is not.




But sshd is.
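The rule lookup described above (hosts.allow searched first, then hosts.deny, first match wins, no match means allow, and an explicit allow/deny option usable in either file), as an added example that is not part of the original notes: a small POSIX shell model of the decision, run over two constructed rule files instead of the real /etc/hosts.allow and /etc/hosts.deny. The function names, the vsftpd daemon and the 10.0.0.5 address are assumptions of this example.

```shell
#!/bin/sh
# Model of the TCP wrapper decision: hosts.allow is searched first, then hosts.deny,
# the first matching rule wins, no match at all means allow. Patterns: ALL, an exact
# value, or an address prefix ending in "." (e.g. "172.0.10."). An explicit allow/deny
# option overrides the file's default verdict.
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)   # constructed stand-ins for /etc/hosts.*
cat > "$ALLOW_FILE" <<'EOF'
sshd : 172.0.10.223 : deny
sshd, vsftpd : 172.0.10. : allow
EOF
cat > "$DENY_FILE" <<'EOF'
sshd : ALL
EOF
# Does one pattern match a value?  $1 = pattern, $2 = value
tw_match() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}
# Does any item of a comma-separated list match?  $1 = list, $2 = value
tw_list_match() {
  _ifs=$IFS; IFS=','
  for item in $1; do
    item=$(printf '%s' "$item" | tr -d ' \t')
    if tw_match "$item" "$2"; then IFS=$_ifs; return 0; fi
  done
  IFS=$_ifs; return 1
}
# Scan one file; print the verdict of the first matching rule, exit 1 if none.
# $1 = file, $2 = the file's default verdict, $3 = daemon, $4 = client address
tw_scan() {
  while IFS=: read -r daemons clients option; do
    case "$daemons" in ''|'#'*) continue ;; esac
    if tw_list_match "$daemons" "$3" && tw_list_match "$clients" "$4"; then
      option=$(printf '%s' "$option" | tr -d ' \t')
      case "$option" in allow|deny) echo "$option" ;; *) echo "$2" ;; esac
      return 0
    fi
  done < "$1"
  return 1
}
# Final verdict for one connection: prints allow or deny.  $1 = daemon, $2 = client
tw_decide() {
  v=$(tw_scan "$ALLOW_FILE" allow "$1" "$2") && { echo "$v"; return 0; }
  v=$(tw_scan "$DENY_FILE" deny "$1" "$2") && { echo "$v"; return 0; }
  echo allow   # nothing matched in either file: TCP wrappers let it through
}
tw_decide sshd 172.0.10.223   # deny: explicit option inside hosts.allow
tw_decide sshd 10.0.0.5       # deny: hosts.deny "sshd : ALL"
```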







Next, on to the main act, firewalld. Since RHEL 7 the default firewall is no longer iptables but firewalld, although underneath it still uses iptables.


Their differences and relationship are described here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html


One of the biggest advantages of firewalld is that any change takes effect immediately, because it modifies only the parts that changed, whereas iptables rebuilds the whole rule set and so breaks existing connections.



What follows mainly covers the graphical interface and the command-line interface.


The system ships with several firewall packages that can conflict with each other, so mask the ones that are not in use.




The firewalld graphical interface is opened with firewall-config; on the command line, use firewall-cmd.


First, the graphical interface.



There are many options; we will go through each function in turn.


First look at the zones on the left. A zone is literally a region; the different zones can be understood as different "security channels", each with its own predefined set of security policies. A network interface can be bound to only one "security channel", that is, to one zone.


Each zone has a set of functions on the right: services, ports, masquerading, port forwarding, ICMP filter, rich rules, interfaces and sources.


On the Services tab, a ticked box means the service is allowed. The services ticked by default differ from zone to zone.

For example, dmz allows only the ssh service by default, home allows more services such as samba-client, dhcpv6 and so on, while trusted allows access to all services, even those that are not ticked.





Now let's see how the command line handles zones.


We can get all the zone information, but cannot create a new zone ourselves; the graphical tool has no option to create one either.


Use Tab completion to see the available commands: there are many get commands, but only one set command.




Look at the zone options.



Let's see what the default zone is.



We can change it to home manually.



Once the change is made, the home zone is automatically shown in bold.




Next, how to modify services.


A service corresponds to one or more related ports, all of them predefined. When a service is opened, all of its ports are opened.




On the command line, list the services that are available.





Configuring a service in the graphical interface is simple: just tick it.


For example, I can currently reach the HTTP service on 172.0.10.206 remotely. This is the service I configured earlier when doing the kickstart.




Right now the http service on 172.0.10.206 is ticked. If I untick it



then the remote machine can no longer access it.





So how does the command line tell whether a service is open? Use the query commands. There are many of them; for a service, --query-service is all you need.


"no" means the service is off.



Add the service and confirm that it succeeded.



Open the graphical interface and look: it is already ticked.



However, if you switch the configuration view in the upper left corner from Runtime to Permanent, it is not ticked, which shows that the service is only temporarily in effect and will be gone after a reboot.




Confirm the difference.



When configuring, add --permanent to make the change permanent.
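The runtime versus permanent distinction above, as an added shell helper that is not from the original notes: it classifies a service's state with firewall-cmd --query-service (with and without --permanent) and opens a service in both configurations so it is active now and still there after a reboot. The function names and the FIREWALL_CMD variable are assumptions of this example; firewall-cmd's query commands exit 0 for "yes" and 1 for "no".

```shell
#!/bin/sh
# Added helper around firewall-cmd: tells runtime from permanent state for a
# service and opens a service in both, so it is active now and after a reboot.
# FIREWALL_CMD is an assumption of this example so it can be pointed at a stub.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# --query-service exits 0 ("yes") when enabled, 1 ("no") otherwise.
# $1 = service; any further arguments (e.g. --permanent) are passed through
fw_query() {
  svc=$1; shift
  "$FIREWALL_CMD" "$@" --query-service="$svc" >/dev/null 2>&1
}

# Prints one of: both, runtime-only, permanent-only, none
fw_service_state() {
  rt=0; pm=0
  fw_query "$1" && rt=1
  fw_query "$1" --permanent && pm=1
  case "$rt$pm" in
    11) echo both ;;
    10) echo runtime-only ;;    # the "ticked now, gone after reboot" case
    01) echo permanent-only ;;  # saved but not active until firewall-cmd --reload
    *)  echo none ;;
  esac
}

# Open a service now and persist it; --permanent alone only writes the saved config.
fw_open_service() {
  "$FIREWALL_CMD" --add-service="$1" >/dev/null &&
  "$FIREWALL_CMD" --permanent --add-service="$1" >/dev/null
}

# Stand-alone use on a host that actually has firewalld installed:
if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
  fw_service_state http
fi
```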



This article is from the "Mapo Tofu" blog; please keep this source: http://beanxyz.blog.51cto.com/5570417/1606990
