Linux Beginner-firewall article
Firewalld is another program for managing the Linux firewall. Like iptables it drives the kernel packet filter, but it is simpler to use: you do not need to know the tables and chains of iptables (the three tables and five chains from the iptables chapter) to work with it. Its basic unit is the zone, a named level of trust to which interfaces and source addresses are assigned.
1. Basic firewalld commands
"firewall-cmd --list-all". Shows the configuration of the default zone: its interfaces, sources, services, ports, masquerade setting and rich rules. Add "--zone=xxx" to look at another zone.
"firewall-cmd --reload". Reloads the firewall from the permanent configuration files. Changes made without "--permanent" are lost, and changes made with "--permanent" become active. Established connections are kept.
"firewall-cmd --add-service=xxxx". Adds a service to the running firewall, for example "--add-service=http" lets HTTP traffic through. This change is temporary: it disappears when the configuration is reloaded or firewalld is restarted.
"firewall-cmd --permanent --add-service=xxxx". Adds the service permanently, that is, writes it to the zone file. A permanent change does not touch the running firewall until "firewall-cmd --reload" is run, so a permanent add without a reload leaves the service blocked. To make a change both now and permanently, run the command once with and once without "--permanent", or make the runtime change and then run "firewall-cmd --runtime-to-permanent".
"vim /etc/firewalld/zones/public.xml". The configuration file of the default zone "public". Services added with "--permanent" appear in it as lines such as <service name="http"/>. Adding a line in the same format, for example <service name="ftp"/>, and reloading has the same effect as "--permanent --add-service=ftp".
"firewall-cmd --remove-service=xxxx". Removes a service. As with adding, it is a runtime change unless "--permanent" is given, in which case it takes effect after a reload.
"cd /usr/lib/firewalld/services/". Running "ls" in this directory lists the service definitions shipped with firewalld; the file names (without ".xml") are the names accepted by "--add-service". "firewall-cmd --get-services" prints the same list. A service is only a named set of ports, so the names are a convenience, not a guarantee that the named program is what listens there.
"firewall-cmd --permanent --add-port=xxxx/tcp". Opens a port. For example, if the Apache configuration is changed so that it listens on port 8080, adding the "http" service is not enough, because that service only opens port 80. Open the new port with "firewall-cmd --permanent --add-port=8080/tcp", reload, and Apache is reachable again.
"firewall-cmd --permanent --add-source=172.25.254.102 --zone=trusted". Assigns all traffic from 172.25.254.102 to the trusted zone, which accepts everything. Even if "http" was never added to the firewall and Apache has been moved to port 8080, the host 172.25.254.102 can still reach Apache, because a source binding is checked before the interface binding of the zone the packets arrive on. Change "add" to "remove" to cancel. This trusts a source address, which any host on the same segment can spoof, so it is only as strong as the network between the two hosts.
"firewall-cmd --permanent --remove-interface=eth1 --zone=public". Removes the eth1 NIC from the public zone.
"firewall-cmd --permanent --add-interface=eth1 --zone=trusted". Puts the eth1 NIC into the trusted zone, so everything arriving on that interface is accepted. An interface belongs to exactly one zone, which is why it is removed from public first; "firewall-cmd --permanent --change-interface=eth1 --zone=trusted" does both steps at once. Afterwards reload the firewall ("firewall-cmd --reload") or restart it ("systemctl restart firewalld") for the permanent change to take effect.
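The script below is an added example, not part of the original article, showing the apply-then-verify cycle behind the commands above: it writes the permanent change, reloads, and then checks the output of "firewall-cmd --list-all" instead of trusting the exit status of the add commands. Because firewall-cmd changes the running firewall, it only runs firewall-cmd when the (invented, example-only) switch FW_APPLY=1 is set and the script runs as root; otherwise it checks a constructed sample listing of the public zone. The zone name "public" and the service and port names are the article's.

```bash
#!/bin/bash
# Added example: apply permanent firewalld changes and verify them from
# `firewall-cmd --list-all` output. FW_APPLY=1 is a switch invented for this
# example; without it nothing on the host is changed.
set -u

# Constructed sample of `firewall-cmd --zone=public --list-all` after
# `--permanent --add-service=http`, `--permanent --add-port=8080/tcp`, `--reload`.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Print the value of one field ("services", "ports", "masquerade", ...) of a listing.
listing_field() {   # $1 = listing text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Exit 0 if the listing allows the named service, 1 otherwise.
zone_allows_service() {   # $1 = listing, $2 = service name (e.g. http)
    local svc
    for svc in $(listing_field "$1" services); do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# Exit 0 if the listing opens the given port, written as port/proto (e.g. 8080/tcp).
zone_allows_port() {   # $1 = listing, $2 = port/proto
    local p
    for p in $(listing_field "$1" ports); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Write one change to the permanent configuration of a zone.
# Usage: fw_permanent public --add-service=http
fw_permanent() {
    local zone=$1; shift
    firewall-cmd --permanent --zone="$zone" "$@" >/dev/null
}

if [ "${FW_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    # Permanent changes are inert until --reload turns them into runtime rules.
    fw_permanent public --add-service=http
    fw_permanent public --add-port=8080/tcp
    firewall-cmd --reload >/dev/null
    listing=$(firewall-cmd --zone=public --list-all)
else
    echo "not applying (set FW_APPLY=1 and run as root); checking the constructed sample" >&2
    listing=$SAMPLE_LISTING
fi

# Verify from the runtime listing, not from the exit status of the add commands.
zone_allows_service "$listing" http     && echo "http allowed"
zone_allows_port    "$listing" 8080/tcp && echo "8080/tcp open"
zone_allows_service "$listing" ftp      || echo "ftp not allowed (needs --add-service=ftp and a --reload)"
```

The parsing functions only look at the "services:" and "ports:" lines, so "forward-ports:" and "source-ports:" are not mistaken for open ports; the same functions can be pointed at the listing of any zone.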
2. Firewall zones
"firewall-cmd --get-default-zone". Shows the default zone, which is public after installation.
"firewall-cmd --get-zones". Lists the zones available in firewalld.
"firewall-cmd --set-default-zone=xxx". Changes the default zone to xxx. Unlike the add and remove commands, this is both a runtime and a permanent change (it is written to /etc/firewalld/firewalld.conf), so no "--permanent" or reload is needed; interfaces that were using the default zone switch to the new one immediately.
The commonly used zones are as follows:
trusted: all network connections are accepted.
home: for home networks; only dhcpv6-client, ipp-client, mdns, samba-client and ssh connections are accepted.
work: for work networks; only dhcpv6-client, ipp-client and ssh connections are accepted.
public: for public areas; only dhcpv6-client and ssh connections are accepted. This is the default zone of firewalld.
external: for an interface facing an external IPv4 network; masquerading (address translation, so that traffic forwarded through this zone leaves with the firewall's own address) is enabled, and only ssh connections are accepted.
dmz: demilitarized zone; only ssh connections are accepted.
block: all incoming connections are rejected, and the sender gets an ICMP host-prohibited reply. Only connections started from this host are possible.
drop: all incoming packets are dropped without any reply. Only connections started from this host are possible.
3. Applying a direct rule
Suppose the client host can connect to the server host by SSH. First remove the ssh service on the server ("firewall-cmd --permanent --remove-service=ssh", then reload) so that no host can connect. Then add a direct rule on the server:
"firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.102 -p tcp --dport 22 -j ACCEPT"
The direct interface passes iptables syntax through unchanged. This rule accepts TCP port 22 from every host except 172.25.254.102 (the "!" negates the source match); the 0 is the priority within the chain. Reload, then use "firewall-cmd --direct --get-all-rules" to view the active direct rules (add "--permanent" to see the permanent ones).
Test from the client again: the SSH connection now fails, because the client's address 172.25.254.102 is exactly the one the rule excludes.
To remove the rule, change "add" to "remove" in the same command. Newer firewalld releases discourage the direct interface in favour of rich rules and policies; a rich rule such as 'rule family=ipv4 source address=172.25.254.102 service name=ssh accept' expresses the more usual case of allowing a single host.
4. Firewall routing (NAT) policies
As with iptables, firewalld can translate addresses so that hosts on different network segments can reach each other through the server host. The IP addresses and gateways of the three hosts are the same as in the iptables chapter: the server host has the address 172.25.254.202 on the "254" segment and a second interface on the "2" segment, and the client host is on the "2" segment.
"firewall-cmd --list-all". Run this first to see the starting state of the zone before adding the policies.
The routing policy configuration of firewalld is as follows:
"firewall-cmd --permanent --add-masquerade". Turns on masquerading (source NAT, the "-j MASQUERADE" of iptables) for the zone: traffic forwarded out through the zone leaves with the server's own address on the outgoing interface.
"firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.202 masquerade'". A rich rule that applies masquerade to packets whose source address is 172.25.254.202. The rule must reach firewall-cmd as a single argument, hence the single quotes around it. Masquerade is already turned on for the whole zone by the previous command, and it is that setting which produces the effect the article describes: the client's traffic leaves the server with the source address 172.25.254.202.
"firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.0/24 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.2.102'". Forwards TCP port 22 connections arriving from the 172.25.254.0/24 segment to port 22 on the host 172.25.2.102 (destination NAT). Forwarding to another address like this needs IPv4 forwarding and masquerade on the server, which the commands above provide.
Reload the firewall ("firewall-cmd --reload") for the permanent rules to take effect; "firewall-cmd --list-all" then shows "masquerade: yes" and the two rich rules.
Testing: the client host on the "2" segment can now connect to 172.25.254.2 on the "254" segment. As in the iptables chapter, 172.25.254.2 sees the connection as coming from 172.25.254.202 rather than from the client, and an SSH connection to 172.25.254.202 from the "254" segment is forwarded to the client host on the "2" segment.
iptables and firewalld are the two programs commonly used to manage the Linux firewall, and either can be used flexibly. Only one of them should manage the rules on a host at a time; on a system using firewalld, the iptables service should be stopped and masked, and the other way round.
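The script below is an added example, not from the original article, that checks on the server host the three things the port-forwarding setup in section 4 depends on: IPv4 forwarding is on, masquerade is enabled for the zone, and the forward-port rich rule points at the intended host and port. It also shows the two rich-rule commands with the single-argument quoting they need. The addresses are the article's; the FW_APPLY=1 switch and the sample listing are constructed for the example, and firewall-cmd is only run when that switch is set and the script runs as root.

```bash
#!/bin/bash
# Added example: verify the firewalld masquerade + forward-port setup on the
# dual-homed server host. FW_APPLY=1 is a switch invented for this example;
# without it the checks run against the constructed sample listing below.
set -u

# Constructed sample of `firewall-cmd --list-all` on the server after the two
# rich rules from the article were added and the firewall reloaded.
# firewall-cmd prints rich rules one per line with every value quoted.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: eth0 eth1
  services: dhcpv6-client ssh
  ports: 
  masquerade: yes
  forward-ports: 
  rich rules: 
	rule family="ipv4" source address="172.25.254.202" masquerade
	rule family="ipv4" source address="172.25.254.0/24" forward-port port="22" protocol="tcp" to-port="22" to-addr="172.25.2.102"'

# Exit 0 if IPv4 forwarding is enabled. The path can be overridden so the
# check can be exercised against a test file instead of the kernel.
ip_forward_enabled() {   # $1 = path (default /proc/sys/net/ipv4/ip_forward)
    local f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Exit 0 if the listing has masquerade enabled for the zone.
zone_masquerade_on() {   # $1 = listing
    printf '%s\n' "$1" | grep -q '^[[:space:]]*masquerade:[[:space:]]*yes$'
}

# Print "to-addr:to-port" of the forward-port rich rule for port/protocol;
# exit 1 and print nothing if there is none. Usage: forward_target "$listing" 22 tcp
forward_target() {   # $1 = listing, $2 = port, $3 = protocol
    local rule addr port
    rule=$(printf '%s\n' "$1" | grep "forward-port port=\"$2\" protocol=\"$3\"" | head -n 1)
    [ -n "$rule" ] || return 1
    addr=$(printf '%s' "$rule" | sed -n 's/.*to-addr="\([^"]*\)".*/\1/p')
    port=$(printf '%s' "$rule" | sed -n 's/.*to-port="\([^"]*\)".*/\1/p')
    printf '%s:%s\n' "$addr" "$port"
}

if [ "${FW_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    # Each rich rule must reach firewall-cmd as ONE argument, hence the single quotes.
    firewall-cmd --permanent --add-masquerade
    firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.202 masquerade'
    firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.0/24 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.2.102'
    firewall-cmd --reload
    listing=$(firewall-cmd --list-all)
else
    echo "not applying (set FW_APPLY=1 and run as root); checking the constructed sample" >&2
    listing=$SAMPLE_LISTING
fi

# Report each prerequisite; a missing one explains a "connection hangs" symptom.
ip_forward_enabled            && echo "ip_forward: on"  || echo "ip_forward: OFF, forwarded packets are dropped"
zone_masquerade_on "$listing" && echo "masquerade: yes" || echo "masquerade: NO, replies cannot return via the server"
target=$(forward_target "$listing" 22 tcp) || target=""
[ "$target" = "172.25.2.102:22" ] && echo "port 22 forwarded to $target" || echo "port 22 forward rule missing or wrong: '$target'"
```

Run it on the server host after the reload; if the ip_forward check fails even though masquerade is enabled, look for another tool resetting the sysctl, because the other two rules cannot work without it.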