Relationship between firewalld and iptables, firewalld configuration mode
Relationship between firewalld and iptables
Firewalld itself does not implement packet filtering; like iptables, it relies on the kernel's netfilter. In other words, firewalld and iptables are both tools for maintaining rules, while the rules are actually enforced by netfilter in the kernel. The two differ in structure and in how they are used.
FirewallD is the default firewall management tool on CentOS 7 servers. It is essentially a wrapper around iptables and ships with a graphical configuration tool, firewall-config, and a command line tool, firewall-cmd. With the iptables service, every change requires flushing the old rules and re-reading the whole rule set from /etc/sysconfig/iptables, whereas firewalld applies only the parts that changed.
Firewalld Configuration Mode
Firewalld configuration files are mainly in XML format (except for the main configuration file, firewalld.conf). They are stored in two locations:
1. /etc/firewalld/: user configuration files
2. /usr/lib/firewalld/: system configuration files and presets
Each zone is a set of rules, but there are many zones, so which zone handles a given request? This question is crucial. Without understanding it, everything else is a castle in the air: even well-written rules are useless if we do not know where or how they apply.
Firewalld determines which zone handles an incoming request in three ways:
1. source: the source address, which has the highest priority
2. interface: the NIC that received the request, which has the second priority
3. the default zone configured in firewalld.conf, which has the lowest priority
The three are consulted in decreasing priority. That is, if a matching zone is found by source, the interface is not consulted; if neither of the first two yields a match, the third applies, namely the default zone configured in firewalld.conf mentioned earlier.
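To make the three-level lookup concrete, here is an added Python simulation (not part of the original post, and not firewalld's own code) that resolves a request's zone from constructed source and interface bindings and a default zone, in the priority order just described:

```python
import ipaddress

# Constructed sample bindings; assumption: they stand in for what
# firewall-cmd --zone=Z --add-source / --add-interface would record.
SOURCE_BINDINGS = {
    "10.0.5.0/24": "trusted",
    "203.0.113.7": "drop",
}
INTERFACE_BINDINGS = {
    "eth0": "public",
    "eth1": "internal",
}
DEFAULT_ZONE = "public"  # DefaultZone= in firewalld.conf


def resolve_zone(src_ip, iface, source_bindings=SOURCE_BINDINGS,
                 interface_bindings=INTERFACE_BINDINGS,
                 default_zone=DEFAULT_ZONE):
    """Return (zone, reason) for an incoming packet, applying the priority
    order: source binding, then interface binding, then default zone."""
    addr = ipaddress.ip_address(src_ip)

    # 1. Source bindings have the highest priority. Where several bound
    #    networks contain the address, this simulation lets the longest
    #    prefix win (an assumption of the example, not a firewalld guarantee).
    best = None
    for cidr, zone in source_bindings.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, zone)
    if best is not None:
        return best[1], "source %s" % best[0]

    # 2. Otherwise the zone the receiving NIC is bound to.
    if iface in interface_bindings:
        return interface_bindings[iface], "interface %s" % iface

    # 3. Neither matched: fall back to the default zone from firewalld.conf.
    return default_zone, "default zone"


if __name__ == "__main__":
    for ip, dev in [("10.0.5.20", "eth0"), ("192.0.2.9", "eth1"),
                    ("192.0.2.9", "eth9"), ("203.0.113.7", "eth1")]:
        print(ip, dev, "->", resolve_zone(ip, dev))
```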
FirewallD uses services and zones in place of the rules and chains of iptables.
(1) Firewall zones:
By default, the following zones are available:
drop: discards all incoming packets without responding; only outgoing connections are possible.
block: rejects all incoming packets and replies with an ICMP host-prohibited message; only outgoing connections are possible.
public: for use in public areas; only selected incoming connections are accepted.
external: for external networks with masquerading enabled; only selected incoming connections are accepted.
dmz: for the DMZ isolation zone, whose hosts can be reached from the outside; only selected incoming connections are accepted.
work: for computers in your workplace; only selected incoming connections are accepted.
home: for computers in your home network; only selected incoming connections are accepted.
internal: for computers on your internal network; only selected incoming connections are accepted.
trusted: all connections are accepted.
To list all available zones, run:
# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
List the default zone:
# firewall-cmd --get-default-zone
public
Change the default zone:
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
(2) Firewall services:
FirewallD records each service's definition in an XML configuration file.
List all available services:
# firewall-cmd --get-services
amanda-client amanda-k5-client bacula-client ceph-mon dhcp dhcpv6 dhcpv6-client dns
docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability
http https imap imaps ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt
libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s
postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba-client
sane smtp smtps snmp snmptrap squid ssh synergy syslog-tls telnet tftp-client tinc tor-socks
transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
The XML configuration files are stored in the /usr/lib/firewalld/services/ and /etc/firewalld/services/ directories.
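As an added example (not part of the original post and not firewalld's own code), the following Python parses a service definition laid out like the XML files in those directories and validates its port entries before they are turned into the port/protocol form that firewall-cmd expects; the sample XML is constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, laid out like a firewalld service file (assumption:
# <service> root with <short>, <description> and <port protocol= port=/>).
SAMPLE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>example-app</short>
  <description>Constructed example: a TCP web port plus a UDP range.</description>
  <port protocol="tcp" port="8080"/>
  <port protocol="udp" port="9000-9010"/>
</service>
"""
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_service(xml_text):
    """Parse a service definition; returns {"short": ..., "ports": [(spec, proto)]}.
    Only tcp/udp are accepted here (an assumption of this example)."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("root element must be <service>, got <%s>" % root.tag)
    ports = []
    for node in root.findall("port"):
        proto, spec = node.get("protocol"), node.get("port") or ""
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol %r" % proto)
        m = PORT_RE.match(spec)
        if not m:
            raise ValueError("bad port spec %r" % spec)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % spec)
        ports.append((spec, proto))
    return {"short": (root.findtext("short") or "").strip(), "ports": ports}


def port_specs(service):
    """Render ports in the number/protocol form used by firewall-cmd --add-port."""
    return ["%s/%s" % (spec, proto) for spec, proto in service["ports"]]


def is_valid_service(xml_text):
    """True when the definition parses and every port entry is valid."""
    try:
        parse_service(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False
```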
(3) Install, start, stop, and disable firewalld:
Install (as root): # yum install firewalld
Start: # systemctl start firewalld
View the status: # systemctl status firewalld or # firewall-cmd --state
Stop: # systemctl stop firewalld
Disable: # systemctl disable firewalld
Configure firewalld
View the version: $ firewall-cmd --version
View help: $ firewall-cmd --help
View settings:
Display status: $ firewall-cmd --state
View active zones: $ firewall-cmd --get-active-zones
View the zone of a specific interface: $ firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode): # firewall-cmd --panic-on
Leave panic mode: # firewall-cmd --panic-off
Check whether panic mode is on: $ firewall-cmd --query-panic
Update firewall rules: # firewall-cmd --reload
# firewall-cmd --complete-reload
The difference between the two: the first does not interrupt existing connections (adding rules dynamically is one of firewalld's features), while the second drops connection state, similar to restarting the service.
Add an interface to a zone. By default all interfaces are in the public zone:
# firewall-cmd --zone=public --add-interface=eth0
Add --permanent to make the change persistent, then reload the firewall.
Set the default zone:
# firewall-cmd --set-default-zone=public
Takes effect immediately, no restart needed.
Open a port (probably the most common operation).
View all opened ports:
# firewall-cmd --zone=dmz --list-ports
Add a port to a zone:
# firewall-cmd --zone=dmz --add-port=8080/tcp
Use the same method with --permanent for a permanent change.
Opening a service is similar to opening a port, except that the service must be defined in a configuration file; the /etc/firewalld directory contains a services folder. This is not covered in detail here; see the documentation.
# firewall-cmd --zone=work --add-service=smtp
Remove a service:
# firewall-cmd --zone=work --remove-service=smtp
Test: [root@iotApp&iagri-44 ~]# echo "hello felix" | nc -l 6666
From the remote host, run telnet iotApp&iagri-44 6666, which returns:
Connected to iotApp&iagri-44.
Escape character is '^]'.
hello felix
Connection closed by foreign host.
The format or structure of a rich rule is as follows:
rule [family="rule family"]
    [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
    [ destination [NOT] address="address" ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]
Elements:
A rule may contain only one element, of one of the following types: service, port, protocol, masquerade, icmp-block, forward-port, or source-port.
service name="service_name"
port port="number_or_range" protocol="protocol"
protocol value="protocol_name_or_ID"
icmp-block name="icmptype_name"
forward-port port="number_or_range" protocol="protocol" to-port="number_or_range" to-addr="address"
source-port port="number_or_range" protocol="protocol"
Log:
log [prefix="prefix text"] [level="log level"] limit value="rate/duration"
Action:
accept | reject [type="reject type"] | drop | mark set="mark[/mask]"
Rich rule log command example 3:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
Rich rule log command example 4:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
[root@iotApp&iagri-44 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/16 accept' --permanent
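The grammar above is easy to get wrong by hand (wrong element order, two elements in one rule, a bare log limit). As an added example, not from the original post or from firewalld itself, this Python helper assembles a rich rule in the required order and reproduces the page's examples 3 and 4; element_count is a quick check that a hand-written rule carries at most one element.

```python
# Element kinds the rich rule grammar allows; a rule may carry at most one.
ELEMENTS = ("service", "port", "protocol", "masquerade", "icmp-block",
            "forward-port", "source-port")
ACTIONS = ("accept", "reject", "drop")


def _attrs(d):
    return "".join(' %s="%s"' % (k, v) for k, v in d.items())


def build_rich_rule(family=None, source=None, source_not=False,
                    destination=None, element=None, log=None,
                    audit=False, action="accept"):
    """Assemble a rich rule in grammar order: rule, source, destination,
    element, log, audit, action. element is (kind, {attr: value}); log is
    {"prefix", "level", "limit"}; action is "accept"/"reject"/"drop",
    ("reject", reject_type) or ("mark", "mark[/mask]")."""
    parts = ["rule"]
    if family:
        parts.append('family="%s"' % family)
    if source:
        parts.append('source %saddress="%s"' % ("NOT " if source_not else "", source))
    if destination:
        parts.append('destination address="%s"' % destination)
    if element:
        kind, attrs = element
        if kind not in ELEMENTS:
            raise ValueError("unknown element %r" % kind)
        parts.append(kind + _attrs(attrs))
    if log:
        text = "log" + _attrs({k: log[k] for k in ("prefix", "level") if k in log})
        if "limit" in log:
            text += ' limit value="%s"' % log["limit"]  # limit is "rate/duration"
        parts.append(text)
    if audit:
        parts.append("audit")
    if isinstance(action, tuple) and action[0] == "reject":
        parts.append('reject type="%s"' % action[1])
    elif isinstance(action, tuple) and action[0] == "mark":
        parts.append('mark set="%s"' % action[1])
    elif action in ACTIONS:
        parts.append(action)
    else:
        raise ValueError("unknown action %r" % (action,))
    return " ".join(parts)


def element_count(rule):
    """Count element keywords in a rule string; more than one is invalid."""
    return sum(1 for word in rule.split() if word in ELEMENTS)
```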
[root@iotApp&iagri-44 ~]# firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and loose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Permanent Options
  --permanent          Set an option permanently
                       Usable for options maked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=[/]
                       Print name of the zone the source [/mask] is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=          Add a new zone [P only]
  --delete-zone=       Delete an existing zone [P only]
  --zone=              Use this zone to set or query options, else default zone
                       Usable for options maked with [Z]
  --get-target         Get the zone target [P] [Z]
  --set-target=
                       Set the zone target [P] [Z]

IcmpType Options
  --new-icmptype=
                       Add a new icmptype [P only]
  --delete-icmptype=
                       Delete and existing icmptype [P only]

Service Options
  --new-service=
                       Add a new service [P only]
  --delete-service=
                       Delete and existing service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=           Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options maked with [T]
  --add-service=
                       Add a service for a zone [P] [Z] [T]
  --remove-service=
                       Remove a service from a zone [P] [Z]
  --query-service=
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=[-]/
                       Add the port for a zone [P] [Z] [T]
  --remove-port=[-]/
                       Remove the port from a zone [P] [Z]
  --query-port=[-]/
                       Return whether the port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=
                       Return whether an ICMP block has been added for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Return whether the IPv4 forward port has been added for a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=
                       Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=
                       Bind the to a zone [P] [Z]
  --change-interface=
                       Change zone the is bound to [Z]
  --query-interface=
                       Query whether is bound to a zone [P] [Z]
  --remove-interface=
                       Remove binding of from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=[/]
                       Bind [/] to a zone [P] [Z]
  --change-source=[/]
                       Change zone the [/] is bound to [Z]
  --query-source=[/]
                       Query whether [/] is bound to a zone [P] [Z]
  --remove-source=[/]
                       Remove binding of [/] from a zone [P] [Z]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb}
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb}
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb}
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb}
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb}
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} ...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} ...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb}
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} ...
                       Return whether a rule with priority has been added to chain in table [P]
  --passthrough {ipv4|ipv6|eb} ...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} ...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} ...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} ...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} ...
                       Return whether the tracked passthrough rule has been added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=
                       Add the context to the whitelist [P]
  --remove-lockdown-whitelist-context=
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled