Relationship between firewalld and iptables, firewalld configuration mode

Source: Internet
Author: User
Tags: passthrough


Relationship between firewalld and iptables

Firewalld does not filter packets by itself. Like iptables, it relies on the kernel's netfilter framework to do the actual work. In other words, firewalld and iptables are both tools for maintaining rule sets; the rules are enforced by netfilter in the kernel. The two tools differ in how the rules are structured and how they are managed.

FirewallD is the default firewall management tool on CentOS 7. It is essentially a wrapper around iptables and ships with a graphical configuration tool, firewall-config, and a command-line tool, firewall-cmd. With the iptables service, every change requires flushing the old rules and re-reading the complete rule set from /etc/sysconfig/iptables. Firewalld instead applies only the parts that changed.

Firewalld Configuration Mode

Firewalld configuration files are mostly in XML format (the exception is the main configuration file, firewalld.conf). They live in two locations:

1. /etc/firewalld/ - user configuration files

2. /usr/lib/firewalld/ - system configuration files and preset files

Each zone is a set of rules, and there are many zones. Which zone handles a given request? This question is fundamental: without the answer, everything else is built on sand, because even well-written rules are useless if we do not know when and where they apply.

Firewalld decides which zone handles an incoming request by three criteria, in order of priority:

1. source: the source address of the request (highest priority)

2. interface: the network interface that received the request (second priority)

3. the default zone configured in firewalld.conf (lowest priority)

The priorities are strictly ordered. If the source address is bound to a zone, the interface is not consulted at all. Only when neither the source nor the interface is bound to a zone does the third criterion apply: the default zone set in firewalld.conf, mentioned earlier.
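As an added example (not code from the original article), the following POSIX shell script reproduces the lookup order just described: the request's source address is checked against source bindings first, then the receiving interface against interface bindings, and only then does the default zone apply. The bindings, addresses and interface names below are constructed sample data, not taken from the page; on a real host the equivalent information comes from firewall-cmd --get-active-zones.

```shell
#!/bin/sh
# Added example: reproduce firewalld's zone lookup order (source > interface > default).
# The bindings below are constructed sample data, not from the original page.
SOURCE_BINDINGS="192.168.10.0/24=internal
10.0.0.5/32=trusted"
INTERFACE_BINDINGS="eth0=public
eth1=dmz"
DEFAULT_ZONE=public

# ip_to_int a.b.c.d -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match ADDRESS NETWORK/LEN -> exit status 0 when ADDRESS lies inside the network
cidr_match() {
    net=${2%/*}
    len=${2#*/}
    [ "$len" -eq 0 ] && return 0        # /0 matches everything and avoids a 32-bit shift
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# resolve_zone SOURCE_ADDRESS INTERFACE -> prints the chosen zone and the reason
resolve_zone() {
    # 1. a source binding wins over everything else
    for binding in $SOURCE_BINDINGS; do
        if cidr_match "$1" "${binding%=*}"; then
            echo "${binding#*=} (source ${binding%=*})"
            return 0
        fi
    done
    # 2. otherwise the zone the receiving interface is bound to
    for binding in $INTERFACE_BINDINGS; do
        if [ "${binding%=*}" = "$2" ]; then
            echo "${binding#*=} (interface $2)"
            return 0
        fi
    done
    # 3. otherwise DefaultZone from firewalld.conf
    echo "$DEFAULT_ZONE (default zone)"
}

# Demonstration: the same interface lands in different zones depending on the source
resolve_zone 192.168.10.7 eth1   # internal (source 192.168.10.0/24)
resolve_zone 172.16.0.9 eth1     # dmz (interface eth1)
resolve_zone 172.16.0.9 eth9     # public (default zone)
```

The first call shows why source bindings matter when auditing a host: a packet arriving on an interface bound to dmz is nevertheless handled by the internal zone because its source network is bound there, so a rule added to dmz alone would never see it.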

FirewallD uses services and zones in place of the rules and chains of iptables.

(1) Firewall zones:

By default, the following zones are available:

drop: discards all incoming packets without any response. Only outgoing connections are possible.

block: rejects all incoming packets and answers with an ICMP host-prohibited message. Only outgoing connections are possible.

public: for use in public areas; only selected incoming connections are accepted.

external: for use on external networks with masquerading enabled; only selected incoming connections are accepted.

dmz: for hosts in a demilitarized zone that are reachable from outside but have limited access to the internal network; only selected incoming connections are accepted.

work: for computers in your workplace; only selected incoming connections are accepted.

home: for computers in your home network; only selected incoming connections are accepted.

internal: for computers on your internal network; only selected incoming connections are accepted.

trusted: all network connections are accepted.

To list all available zones, run:

# firewall-cmd --get-zones

work drop internal external trusted home dmz public block

List the default zone:

# firewall-cmd --get-default-zone

public

Change the default zone:

# firewall-cmd --set-default-zone=dmz

# firewall-cmd --get-default-zone

dmz

(2) Firewall services:

Each firewalld service is described by an XML configuration file.

List all available services:

# firewall-cmd --get-services

amanda-client amanda-k5-client bacula-client ceph-mon dhcp dhcpv6 dhcpv6-client dns
docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability
http https imap imaps ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt
libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s
postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba-client
sane smtp smtps snmp snmptrap squid ssh synergy syslog-tls telnet tftp-client tinc tor-socks
transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

The service XML files are stored in the /usr/lib/firewalld/services/ and /etc/firewalld/services/ directories.

(3) Install, start, stop and disable firewalld:

Install (as root): # yum install firewalld

Start: # systemctl start firewalld

Check the status: # systemctl status firewalld  or  # firewall-cmd --state

Stop: # systemctl stop firewalld

Disable at boot: # systemctl disable firewalld

Configure firewalld

View the version: $ firewall-cmd --version

View help: $ firewall-cmd --help

View settings:

Display status: $ firewall-cmd --state

View active zones: $ firewall-cmd --get-active-zones

View the zone of a given interface: $ firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode): # firewall-cmd --panic-on

Leave panic mode: # firewall-cmd --panic-off

Check whether panic mode is enabled: $ firewall-cmd --query-panic

Reload the firewall rules:

# firewall-cmd --reload

# firewall-cmd --complete-reload

The difference between the two: --reload re-applies the rules while keeping connection state, so existing connections are not interrupted; this is what makes firewalld's dynamic rule changes possible. --complete-reload also discards the state information, so established connections are cut, much like restarting the service.

Add an interface to a zone (by default all interfaces belong to the public zone):

# firewall-cmd --zone=public --add-interface=eth0

Add --permanent to make the change persistent, then reload the firewall.

Set the default zone:

# firewall-cmd --set-default-zone=public

Takes effect immediately; no restart is needed.

Open a port (probably the most common task)

List all ports opened in a zone:

# firewall-cmd --zone=dmz --list-ports

Add a port to a zone:

# firewall-cmd --zone=dmz --add-port=8080/tcp

Use --permanent in the same way to make the change permanent.

Opening a service works like opening a port, except that the service must be defined in a configuration file; /etc/firewalld contains a services folder for this purpose. This is not covered in detail here; see the documentation.

# firewall-cmd --zone=work --add-service=smtp

Remove a service:

# firewall-cmd --zone=work --remove-service=smtp

Test: [root@iotApp&iagri-44 ~]# echo "hello felix" | nc -l 6666

On the remote host, telnet iotApp&iagri-44 6666 returns:

Connected to iotApp&iagri-44.

Escape character is '^]'.

hello felix

Connection closed by foreign host.

The format of a rich rule is as follows:

rule [family="rule family"]
    [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
    [ destination [NOT] address="address" ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]

Elements:

A rule may contain exactly one element, of one of the following types: service, port, protocol, masquerade, icmp-block, forward-port, or source-port.

service name="service_name"

port port="number_or_range" protocol="protocol"

protocol value="protocol_name_or_ID"

masquerade

icmp-block name="icmptype_name"

forward-port port="number_or_range" protocol="protocol" to-port="number_or_range" to-addr="address"

source-port port="number_or_range" protocol="protocol"

Logging:

log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]

Action:

accept | reject [type="reject type"] | drop | mark set="mark[/mask]"

Rich rule logging, example 3:

rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

Rich rule logging, example 4:

rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject

rule family="ipv6" service name="radius" accept

[root@iotApp&iagri-44 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=0.0.0.0/16 accept' --permanent
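The following POSIX shell script is an added example, not code from the original article: it assembles rich rules of the form shown above from a few parameters, and applies a rule to both the runtime and the permanent configuration, skipping each scope in which the rule already exists. The helper names rich_rule, fw and apply_rich_rule, the zone and the addresses are constructed for this example. DRY_RUN defaults to 1, so the script prints the firewall-cmd invocations instead of executing them and can be run on a machine without firewalld; set DRY_RUN=0 on a firewalld host to apply the rules.

```shell
#!/bin/sh
# Added example: build firewalld rich rules and apply them to runtime + permanent config.
# Helper names and sample values are constructed for this example, not from the page.
DRY_RUN=${DRY_RUN:-1}   # 1 = print firewall-cmd invocations instead of running them

# rich_rule FAMILY SOURCE SERVICE ACTION [LOG_PREFIX LIMIT]
# Produces: rule family="..." source address="..." service name="..." [log ...] ACTION
rich_rule() {
    family=$1; src=$2; svc=$3; action=$4; prefix=$5; limit=$6
    rule="rule family=\"$family\" source address=\"$src\" service name=\"$svc\""
    if [ -n "$prefix" ]; then
        # log with a rate limit so a flood of matching packets cannot fill the journal
        rule="$rule log prefix=\"$prefix\" level=\"info\" limit value=\"$limit\""
    fi
    echo "$rule $action"
}

# fw ARGS... : run firewall-cmd, or print the command line in dry-run mode
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# apply_rich_rule ZONE RULE : add RULE to the runtime set and to the permanent
# configuration, skipping each scope where --query-rich-rule reports it already exists.
# Changing both scopes avoids the classic mistake of a rule that vanishes on reload
# (runtime only) or does not take effect until the next reload (permanent only).
apply_rich_rule() {
    zone=$1; rule=$2
    for scope in "" "--permanent"; do
        if [ "$DRY_RUN" = 1 ] || ! firewall-cmd $scope --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
            fw $scope --zone="$zone" --add-rich-rule="$rule"
        fi
    done
}

# Demonstration (constructed values): allow tftp from one subnet with rate-limited
# logging, and silently drop ssh attempts from another network.
apply_rich_rule public "$(rich_rule ipv4 192.168.0.0/24 tftp accept tftp 1/m)"
apply_rich_rule public "$(rich_rule ipv4 10.0.0.0/8 ssh drop)"
```

The first rule built here is exactly example 3 above. Querying before adding matters because firewall-cmd reports an error when a rule is added twice, and a script that stops on errors would otherwise abort half-way through a change set.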

[root@iotApp&iagri-44 ~]# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and loose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Permanent Options
  --permanent          Set an option permanently
                       Usable for options maked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]
                       Print name of the zone the source[/mask] is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options maked with [Z]
  --get-target         Get the zone target [P] [Z]
  --set-target=<target>
                       Set the zone target [P] [Z]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --delete-icmptype=<icmptype>
                       Delete and existing icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --delete-service=<service>
                       Delete and existing service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options maked with [T]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]
                       Bind <source>[/<mask>] to a zone [P] [Z]
  --change-source=<source>[/<mask>]
                       Change zone the <source>[/<mask>] is bound to [Z]
  --query-source=<source>[/<mask>]
                       Query whether <source>[/<mask>] is bound to a zone
                       [P] [Z]
  --remove-source=<source>[/<mask>]
                       Remove binding of <source>[/<mask>] from a zone [P] [Z]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been
                       added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled
