This section covers more material, mainly the use and configuration of firewalld.
Before learning firewalld, take a quick look at another tool, TCP Wrappers. It is a host-based access control system that generally complements and reinforces the firewall. Some simple service access control is easy to implement with TCP Wrappers.
[screenshot 0.PNG: http://s3.51cto.com/wyfs02/M00/58/E6/wKioL1TAfYbBVYJyAAF5FoQgunY156.jpg]
Red Hat has official documentation with detailed explanations and examples:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-tcp_wrappers_and_xinetd-tcp_wrappers_configuration_files.html
Simply put, there are two configuration files: /etc/hosts.allow and /etc/hosts.deny.
As the names suggest, a rule placed in hosts.allow allows by default and a rule placed in hosts.deny denies by default; hosts.allow is consulted first, then hosts.deny, and if neither file matches (or neither is configured) the service is allowed by default.
The basic format of a rule is:
daemon1, daemon2, daemon3, ... : client1, client2, client3, ... : option1, option2, ...
If keeping track of which file does what feels cumbersome, you can write an explicit allow or deny in the option field, in either file. For example, I can add the following definition to the hosts.allow file, rejecting SSH requests from 172.0.10.223:
[screenshot 1.PNG: http://s3.51cto.com/wyfs02/M00/58/E6/wKioL1TAdT7x3oebAAIAGlGiGuw945.jpg]
Test it: sure enough, the connection is rejected.
[screenshot 2.PNG: http://s3.51cto.com/wyfs02/M00/58/E8/wKiom1TAdGjiGK0BAACAJpoKONM503.jpg]
Either remove the rule or change the deny.
[screenshot 3.PNG: http://s3.51cto.com/wyfs02/M01/58/E6/wKioL1TAdT_SpXfUAABlbWZYDGA259.jpg]
Try again, and the connection works again.
[screenshot 4.PNG: http://s3.51cto.com/wyfs02/M01/58/E8/wKiom1TAdGnSq9BTAABlGIiMJ3E721.jpg]
However, not every service can be controlled with TCP Wrappers, only daemons that are linked against the libwrap library.
httpd, for example, is not:
[screenshot 9.PNG: http://s3.51cto.com/wyfs02/M01/58/E9/wKiom1TAfQmg-lAVAABSmo6E9d4951.jpg]
But sshd is:
[screenshot 10.PNG: http://s3.51cto.com/wyfs02/M02/58/E6/wKioL1TAfeGj6TboAABxqPsPqCw859.jpg]
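As an added example (not code from the post or from the tcp_wrappers package), here is a small Python model of the decision order described above: a rule in hosts.allow admits by default, a rule in hosts.deny refuses by default, an explicit allow or deny in the option field overrides the file's default, and a pair matched by neither file is admitted. The sample hosts.allow and hosts.deny contents are constructed; only the ALL wildcard, exact names and trailing-dot address prefixes are modelled, and EXCEPT lists, netmask forms and the other libwrap options are left out. Remember that the real library only ever runs for daemons linked against libwrap, so the httpd lookup at the end is admitted simply because nothing would be consulted for it.

```python
"""Simplified model of the hosts_access(5) decision used by TCP Wrappers.

Added example, not the post's own code. Order of evaluation:
  1. /etc/hosts.allow  (first matching rule: allow, unless its option says deny)
  2. /etc/hosts.deny   (first matching rule: deny, unless its option says allow)
  3. no match anywhere: allow
Rule format, as in the post:  daemon_list : client_list [: option_list]
Patterns supported here: exact names, the ALL wildcard and address prefixes
ending in a dot (e.g. "172.0.10."). EXCEPT, netmasks and IPv6 brackets are
deliberately not modelled.
"""


def _match(pattern, value):
    """Match one daemon or client pattern against a concrete value."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # network prefix such as "172.0.10."
        return value.startswith(pattern)
    return pattern == value


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, options) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        options = [o.strip().lower() for o in fields[2].split(",")] if len(fields) > 2 else []
        rules.append((daemons, clients, options))
    return rules


def _first_match(rules, daemon, client):
    """Options of the first rule matching both daemon and client, or None."""
    for daemons, clients, options in rules:
        if any(_match(d, daemon) for d in daemons) and any(_match(c, client) for c in clients):
            return options
    return None


def hosts_access(allow_text, deny_text, daemon, client):
    """Return True if the connection is admitted, False if it is refused."""
    for text, file_default in ((allow_text, True), (deny_text, False)):
        options = _first_match(parse_rules(text), daemon, client)
        if options is None:
            continue  # this file says nothing; fall through to the next
        if "deny" in options:
            return False  # explicit option wins over the file's default
        if "allow" in options:
            return True
        return file_default
    return True  # matched by neither file: allowed


# Constructed sample files. The deny rule lives in hosts.allow, as in the post,
# and is honoured because the option field states the verdict explicitly.
HOSTS_ALLOW = """
sshd : 172.0.10.223 : deny
"""
HOSTS_DENY = """
vsftpd : ALL
sshd : 10.0.0.
"""

if __name__ == "__main__":
    checks = [("sshd", "172.0.10.223"), ("sshd", "172.0.10.206"),
              ("sshd", "10.0.0.5"), ("vsftpd", "172.0.10.206"),
              ("httpd", "172.0.10.223")]  # httpd is not libwrap-aware; rules never apply
    for daemon, client in checks:
        verdict = "allowed" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, client) else "refused"
        print(f"{daemon} from {client}: {verdict}")
```

Running the script walks the five constructed cases; the sshd rule in hosts.allow refuses 172.0.10.223 even though it sits in the "allow" file, the prefix rule in hosts.deny refuses the whole 10.0.0. range, and the unmatched client is admitted.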
Next, the main act: firewalld. Since RHEL 7 the default firewall is no longer iptables but firewalld, although underneath it still drives iptables.
Their differences and relationship are described at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
One of the biggest advantages of firewalld is that any change takes effect immediately, because it modifies only the parts that changed, whereas the iptables service rebuilds the whole rule set and so breaks current connections.
[screenshot 00.PNG: http://s3.51cto.com/wyfs02/M01/58/EA/wKiom1TAk2rhXC9bAALHTVEfNyw418.jpg]
What follows mainly covers the use of the graphical interface and the command-line interface.
The system ships with several firewall services that may conflict with each other, so mask the ones that are not in use.
[screenshot 5.PNG: http://s3.51cto.com/wyfs02/M00/58/E6/wKioL1TAdUXi-4oOAAK8I_eb8rw037.jpg]
[screenshot 6.PNG: http://s3.51cto.com/wyfs02/M02/58/E6/wKioL1TAdUmDB1U7AAHNUOJ1Iik927.jpg]
The firewalld graphical interface is opened with firewall-config; on the command line the same things are done with firewall-cmd.
First, the graphical interface.
[screenshot 7.PNG: http://s3.51cto.com/wyfs02/M02/58/E8/wKiom1TAdHShrSgTAAAudoaza2g572.jpg]
There are a lot of options, and we'll go through each function.
First look at the zones on the left. A zone is a region; the different zones can be understood as different "security channels", each with its own predefined set of security policies. A network interface can be bound to only one "security channel", that is, to one zone.
To the right of each zone is a set of functions: services, ports, masquerading, port forwarding, ICMP filtering, rich rules, and interfaces and sources.
On the Services tab, a ticked box means the service is allowed. Each zone has a different set of services ticked by default.
For example, dmz allows only ssh access by default, home allows more services such as samba-client and dhcpv6-client, and trusted allows access to all services, even those that are not ticked.
[screenshot 8.PNG: http://s3.51cto.com/wyfs02/M00/58/E6/wKioL1TAdVGTZDZ9AALPW_5MucU464.jpg]
Let's see what the command line can do with zones.
We can get all the zone information, but we cannot create a new zone ourselves; the graphical tool has no option to create one either.
You can press tab to list the available commands: there are many get commands, but only one set command.
[screenshot 18.PNG: http://s3.51cto.com/wyfs02/M00/58/EA/wKiom1TAlevCL01LAADhyeE7nA4488.jpg]
Check out the zone options:
[screenshot 11.PNG: http://s3.51cto.com/wyfs02/M01/58/E7/wKioL1TAh4iQmx-jAABYCwBd48s872.jpg]
Let's see what the default zone is:
[screenshot 12.PNG: http://s3.51cto.com/wyfs02/M01/58/E7/wKioL1TAh4jjukMXAAA-fvbpMcQ617.jpg]
We can change it to home manually:
[screenshot 13.PNG: http://s3.51cto.com/wyfs02/M01/58/E9/wKiom1TAhrKDn4g-AABuCdnyxEM949.jpg]
After the change, the home zone is automatically shown in bold.
[screenshot Capture.png: http://s3.51cto.com/wyfs02/M02/58/E7/wKioL1TAh4uDIWajAAFFT8R5jQ4069.jpg]
Now look at how to modify services.
A service corresponds to one or more related ports, which are predefined. If a service is opened, all of its corresponding ports are opened.
[screenshot 17.PNG: http://s3.51cto.com/wyfs02/M00/58/EA/wKiom1TAlQTD_vFAAAG9ypJRQzI330.jpg]
On the command line, list the available services:
[screenshot 19.PNG: http://s3.51cto.com/wyfs02/M01/58/E7/wKioL1TAl3uTw8vTAAFfdP5j8-E772.jpg]
Configuring a service in the graphical interface is simple: just tick it.
For example, I am currently able to remotely access the HTTP service on 172.0.10.206. This is the service I configured when doing the kickstart earlier.
[screenshot 14.PNG: http://s3.51cto.com/wyfs02/M00/58/E7/wKioL1TAlNuj2QxHAAJenG6EmOw248.jpg]
Right now the HTTP service on 172.0.10.206 is ticked; if I untick it,
[screenshot 15.PNG: http://s3.51cto.com/wyfs02/M00/58/EA/wKiom1TAlArSq-WiAAGyFtaV3gY059.jpg]
then the remote host can no longer access it:
[screenshot 16.PNG: http://s3.51cto.com/wyfs02/M01/58/E7/wKioL1TAlOXg4TODAAFemJlOEBE895.jpg]
So how does the command line tell whether a service is open? Use the query commands. There are many of them; for a service, --query-service is enough.
An answer of "no" means the service is off.
[screenshot 20.PNG: http://s3.51cto.com/wyfs02/M02/58/E7/wKioL1TAmUPhYknDAAEvkVaW1ew830.jpg]
Add the service and confirm success:
[screenshot 21.PNG: http://s3.51cto.com/wyfs02/M00/58/EA/wKiom1TAmG7S6JiVAAByPz-gCD4077.jpg]
Open the graphical interface and look: it is already ticked.
[screenshot 22.PNG: http://s3.51cto.com/wyfs02/M00/58/E8/wKioL1TAmVSwl5J2AAJnLA985IE865.jpg]
However, if you switch the configuration view in the upper left from Runtime to Permanent, the service is not ticked, which shows that it is only temporarily in effect and is gone after a reboot.
[screenshot 23.PNG: http://s3.51cto.com/wyfs02/M00/58/EA/wKiom1TAmIbDFPrQAAIfmrQwwkw939.jpg]
Confirm the difference:
[screenshot 24.PNG: http://s3.51cto.com/wyfs02/M01/58/E8/wKioL1TAmV_BOH1dAABtlexvd6o726.jpg]
When configuring, add --permanent for the change to persist. Note that a rule added with --permanent alone is written to the permanent configuration only and does not become active until firewall-cmd --reload, so a change that must apply both now and after a reboot is added twice, once with --permanent and once without.
[screenshot 25.PNG: http://s3.51cto.com/wyfs02/M01/58/EA/wKiom1TAmImhQA06AABN1Ni4-dA405.jpg]
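As an added example (not code from the post or from the firewalld project), here is a Python script that reads the permanent configuration the way firewalld stores it: one XML file per zone under /etc/firewalld/zones/ (the shipped defaults live in /usr/lib/firewalld/zones/) and one XML file per service under /usr/lib/firewalld/services/, where a service is just a named bundle of ports. The zone and service XML strings below are constructed to mirror that layout with only the fields needed here; the real files carry more (descriptions, kernel modules, destinations). The script expands a zone's services to the ports they open, answers the same question as firewall-cmd --permanent --query-service, and treats a zone whose target is ACCEPT (the trusted zone) as admitting everything regardless of its service list. A change made without --permanent never reaches these files, which is why the GUI shows the service unticked once the view is switched to Permanent.

```python
"""Resolve a firewalld zone's permanent configuration to the ports it opens.

Added example, not firewalld's own code. Models the on-disk layout:
  /etc/firewalld/zones/<zone>.xml        <zone [target="ACCEPT"]><service name=.../><port .../></zone>
  /usr/lib/firewalld/services/<name>.xml <service><port protocol=... port=.../></service>
All XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed service definitions in the services/<name>.xml format.
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "samba-client": ('<service><short>Samba Client</short>'
                     '<port protocol="udp" port="137"/><port protocol="udp" port="138"/></service>'),
    "dhcpv6-client": '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
}

# Constructed zone files in the zones/<zone>.xml format.
HOME_ZONE_XML = """<zone>
  <short>Home</short>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
</zone>"""

TRUSTED_ZONE_XML = '<zone target="ACCEPT"><short>Trusted</short></zone>'


def service_ports(name, services=SERVICE_XML):
    """Expand one service definition into a set of (port, protocol) pairs.

    Ports stay strings because a definition may use a range such as "137-138".
    """
    root = ET.fromstring(services[name])
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}


def zone_services(zone_xml):
    """Names of the services enabled in the zone's permanent configuration."""
    return [s.get("name") for s in ET.fromstring(zone_xml).findall("service")]


def query_service(zone_xml, name):
    """Same answer as: firewall-cmd --permanent --zone=<zone> --query-service=<name>."""
    return name in zone_services(zone_xml)


def permanent_open_ports(zone_xml, services=SERVICE_XML):
    """Sorted (port, protocol) pairs the zone opens permanently.

    Returns None for a zone whose target is ACCEPT (e.g. trusted): such a zone
    admits all traffic, so its service list does not limit anything.
    """
    root = ET.fromstring(zone_xml)
    if root.get("target") == "ACCEPT":
        return None
    ports = set()
    for name in zone_services(zone_xml):
        ports |= service_ports(name, services)
    for p in root.findall("port"):  # ports opened directly rather than via a service
        ports.add((p.get("port"), p.get("protocol")))
    return sorted(ports)


if __name__ == "__main__":
    print("home enables:", zone_services(HOME_ZONE_XML))
    print("http permanent in home?", query_service(HOME_ZONE_XML, "http"))
    print("home opens:", permanent_open_ports(HOME_ZONE_XML))
    print("trusted opens:", permanent_open_ports(TRUSTED_ZONE_XML))
```

Run against the constructed files, the home zone reports ssh, samba-client and dhcpv6-client plus the directly opened 8080/tcp, http is absent because it was never added with --permanent, and the trusted zone yields no port list at all because its ACCEPT target makes the list irrelevant. Pointing the same functions at the real files under /etc/firewalld and /usr/lib/firewalld is a quick way to audit what will survive a reboot.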
This article is from the "Mapo Tofu" blog, please be sure to keep this source http://beanxyz.blog.51cto.com/5570417/1606990
RHCE Study Notes (31) - Firewall (Part 1)