Linux System Management: RHEL 7 Firewall Chapter
The firewall functionality of a Linux system is implemented by the kernel:
2.0 kernel: the packet filtering mechanism is ipfw, the management tool is ipfwadm
2.2 kernel: the packet filtering mechanism is ipchains, the management tool is ipchains
2.4 and later kernels: the packet filtering mechanism is netfilter, the management tool is iptables
3.10 kernel: the packet filtering mechanism is firewalld, the management tool is firewall-cmd
As we all know, the RHEL 7 kernel version is 3.10. In this kernel version the firewall packet filtering mechanism is firewalld; although the tool has changed, the firewall-cmd command actually calls iptables underneath.
Masking the legacy iptables, ip6tables and ebtables services prevents them from being started alongside firewalld:
# for SERVICE in iptables ip6tables ebtables; do
>     systemctl mask ${SERVICE}.service
> done
Packet filtering firewalls work at the network layer of TCP/IP.
[Figure: TCP/IP layer model]
Rule tables
Firewall rules with a similar purpose are grouped into different "tables"; within each table, the rules are further organized into different rule chains according to when they are processed.
The four default rule tables:
raw table: decides whether a packet is tracked by connection state tracking
mangle table: sets marks on packets
nat table: modifies the source or destination IP address or port of a packet
filter table: decides whether a packet is allowed through (filtered)
Of these, the filter table and the nat table are the most commonly used. Each table has a different function and matches packets by different rules, so confirm which table you need before using it. The mangle table can set special marks on packets, and the filter table can then process marked packets selectively. Combining these marks makes "policy routing" possible: for example, a gateway host with two ADSL lines, one on a Netcom interface and one on a Telecom interface, can send traffic for Netcom servers out the Netcom ADSL interface and traffic for Telecom servers out the Telecom ADSL interface. The raw table is a newer table, present in iptables since version 1.2.9; it is mainly used to decide whether a packet is handled by the state tracking mechanism, and it is still rarely used.
[Figure: rule tables]
Rule chains
The main feature of a "packet filtering" firewall is filtering IP packets at the network layer. In practice, when applying iptables rules, you find that some rules also apply to the transport layer and the link layer. These rules are implemented through "rule chains": a rule chain is a collection of firewall rules/policies whose role is to filter or process packets, and the rules are organized into different "chains" according to when they are processed. The five default rule chains are:
INPUT: processes inbound packets
OUTPUT: processes outbound packets
FORWARD: processes forwarded packets
POSTROUTING: processes packets after the routing decision
PREROUTING: processes packets before the routing decision
A "host firewall" mainly uses the INPUT and OUTPUT chains; a "network firewall" mainly uses the FORWARD, PREROUTING and POSTROUTING chains.
Inbound data flow: when a packet from the outside reaches the firewall, it is first processed by the PREROUTING chain (whether to modify the packet address, etc.), and then routed (to decide where the packet should go). If the packet's destination address is the firewall host itself (for example, an Internet user accessing the web service on the firewall host), the kernel passes it to the INPUT chain for processing (deciding whether to allow it through, etc.) and then hands it to the upper-layer application (such as httpd).
Forwarding data flow: when a packet from the outside reaches the firewall, it is first processed by the PREROUTING chain and then routed. If the packet's destination is another external address (for example, a LAN user accessing QQ), the kernel passes it to the FORWARD chain for processing (whether to forward or block it) and then hands it to the POSTROUTING chain.
Outbound data flow: a packet sent from the firewall host itself to an external address (for example, testing a public DNS service from the firewall host) is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain for processing (whether to modify the packet address, etc.).
[Figure: rule chains]
Firewall zones
Firewalld ships with many predefined zones, each with its own purpose and its own set of rules. When no zone is specified, the default zone is used, and the default zone is public. The default zone is not a separate zone; it simply points to one of the zones defined by the system. The common zones in RHEL 7 are:
trusted: allows all incoming traffic
home: denies incoming traffic, allows outgoing traffic and the services ssh, mdns, ipp-client, samba-client, dhcpv6-client
internal: denies incoming traffic, allows outgoing traffic and the services ssh, ipp-client, dhcpv6-client
work: denies incoming traffic, allows outgoing traffic and the services ssh, ipp-client, dhcpv6-client
public: denies incoming traffic, allows outgoing traffic and the services ssh, dhcpv6-client
external: denies incoming traffic, allows outgoing traffic and the services ssh, mdns, ipp-client, samba-client, dhcpv6-client, with IPv4 masquerading
dmz: denies incoming traffic, allows outgoing traffic and the service ssh
block: denies all incoming traffic
drop: discards all incoming traffic unless it is related to outgoing traffic (it does not even respond with ICMP errors)
If the source address of an incoming packet matches the source rule of a zone, the packet is handled by that zone; otherwise, if the incoming interface matches a zone's setting, that zone is used.
Firewall configuration
RHEL 7 provides three ways to manage the firewall: ① the command line, using the firewall-cmd command; ② the graphical interface, using firewall-config; ③ editing the configuration files under /etc/firewalld/. Here we focus on the first, command-line method.
① firewall-cmd: it has to be said that the firewall commands in RHEL 7 run to two or three rows, and there are many options and parameters I have not seen; as for which options and parameters there are, I have listed them to show you.
Example: setting access permissions for the web service
Verify that the firewall is enabled.
Step 1: systemctl status firewalld.service
Step 2: install the httpd and mod_ssl packages, start the httpd service and enable it at boot
Step 3: create the web service home page file
Step 4: configure the firewall default zone on host Server1 so that all traffic passes through the dmz zone
firewall-cmd --set-default-zone=dmz
Step 5: configure the firewall so that traffic from host Server1's network segment 172.25.1.0/24 is allowed through the DMZ zone
firewall-cmd --permanent --zone=work --add-source=172.25.1.0/24
Step 6: configure the work zone to allow access to the web service (HTTPS)
firewall-cmd --permanent --zone=work --add-service=https
Step 6 (continued): make the firewall configuration take effect (permanent changes are only applied after a reload)
firewall-cmd --reload
Step 7: check the firewall configuration for the Server1 network segment
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --zone=work --list-all
Step 8: switch to Server1 and verify that the web page is accessible
curl http://server0.example.com
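To make the zone selection rule ("a matching source binding wins, then a matching interface binding, otherwise the default zone") and the effect of steps 4 to 7 concrete, here is an added Python simulation; it is not code from the original post or from firewalld itself. The zone contents are taken from the zone list above and the tutorial's own changes (default zone dmz, work zone bound to 172.25.1.0/24 with https added); the trusted zone's eth1 binding and the sample packets are constructed for the demonstration. Real behaviour is what `firewall-cmd --zone=work --list-all` reports.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One firewalld zone: its target for unmatched traffic, the services it
    allows, and the sources/interfaces bound to it."""
    name: str
    target: str                                   # ACCEPT, REJECT or DROP
    services: set = field(default_factory=set)
    sources: list = field(default_factory=list)   # networks added with --add-source
    interfaces: set = field(default_factory=set)  # NICs added with --add-interface


# Constructed zone state mirroring the tutorial after steps 4 to 7: the default
# zone is dmz and the work zone carries source 172.25.1.0/24 plus https.  The
# trusted zone's eth1 binding is an assumption added to show interface matching.
ZONES = {
    "dmz": Zone("dmz", "REJECT", {"ssh"}),
    "work": Zone("work", "REJECT", {"ssh", "ipp-client", "dhcpv6-client", "https"},
                 sources=[ipaddress.ip_network("172.25.1.0/24")]),
    "public": Zone("public", "REJECT", {"ssh", "dhcpv6-client"}),
    "trusted": Zone("trusted", "ACCEPT", interfaces={"eth1"}),
    "drop": Zone("drop", "DROP"),
}
DEFAULT_ZONE = "dmz"  # firewall-cmd --set-default-zone=dmz


def select_zone(zones, default_zone, src_ip, iface):
    """Pick the zone for a packet: a source binding wins over an interface
    binding, and the default zone is used when neither matches."""
    addr = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        if any(addr in net for net in zone.sources):
            return zone.name
    for zone in zones.values():
        if iface in zone.interfaces:
            return zone.name
    return default_zone


def decide(zones, default_zone, src_ip, iface, service):
    """Return (zone name, verdict) for an incoming packet addressed to `service`."""
    zone = zones[select_zone(zones, default_zone, src_ip, iface)]
    if zone.target == "ACCEPT" or service in zone.services:
        return zone.name, "ACCEPT"
    return zone.name, zone.target        # REJECT (ICMP error) or DROP (silent)


if __name__ == "__main__":
    # Constructed sample packets: the step 8 check first, then edge cases.
    samples = [
        ("172.25.1.10", "eth0", "https"),   # server1 -> https: work zone allows it
        ("172.25.1.10", "eth0", "http"),    # plain http was never added: rejected
        ("10.0.0.5", "eth0", "https"),      # unknown source lands in default zone dmz
        ("10.0.0.5", "eth1", "http"),       # eth1 is bound to trusted: accepted
        ("172.25.1.10", "eth1", "http"),    # source binding beats interface binding
    ]
    for src, nic, svc in samples:
        zone, verdict = decide(ZONES, DEFAULT_ZONE, src, nic, svc)
        print(f"{src:>12} via {nic} -> {svc:<6} zone={zone:<8} {verdict}")
```

The last two sample packets are the ones worth checking on a real host: a source binding added with --add-source takes precedence over the interface a packet arrives on, so a client in 172.25.1.0/24 is handled by the work zone even on an interface bound elsewhere, and a client outside that range falls back to whatever the default zone (dmz here) permits, which is ssh only.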
This article is from the "Technical Support My Dream" blog; please keep this source: http://hblbk.blog.51cto.com/7645149/1548025