RHCE Series (ii): How to do packet filtering, network address translation, and setting kernel runtime parameters


As mentioned in Part 1 ("Setting up static network routing"), in this article (Part 2 of the RHCE series) we first introduce the principles of packet filtering and network address translation (NAT) in Red Hat Enterprise Linux 7 (RHEL 7), and then describe how to set kernel runtime parameters to change the kernel's behaviour when certain conditions change or require it.

Network packet filtering in RHEL 7

When we talk about packet filtering, we mean that the firewall reads and inspects each packet that attempts to pass through it, and then, according to rules defined by the system administrator, takes the required action on it (for example, accepting or dropping it).

As you may know, starting with RHEL 7 the default service for managing the firewall is firewalld. Like iptables, it interacts with the netfilter module in the Linux kernel to inspect and manipulate network packets. Unlike iptables, however, firewalld updates take effect immediately without disrupting active connections; you don't even need to restart the service.

Another advantage of firewalld is that it lets us define rules based on preconfigured service names (more on that in a minute).

Recall that in Part 1 we disabled the firewall on router #2 to keep the example simple, since packet filtering had not yet been introduced. Now let's look at how to forward received packets to a specific service or port on the destination.

First, let's add a permanent rule that allows inbound traffic from enp0s3 (192.168.0.19) to be forwarded out through enp0s8 (10.0.0.18):

# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT

The above command saves the rule to /etc/firewalld/direct.xml:

# cat /etc/firewalld/direct.xml

A permanent rule alone does not touch the running configuration, so add it to the runtime as well to make it take effect immediately:

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp0s3 -o enp0s8 -j ACCEPT

Now you can monitor the TCP traffic between the two machines by opening a telnet session to the web server from the RHEL 7 box and running tcpdump again, this time with the firewall enabled on router #2:

# telnet 10.0.0.20 80

# tcpdump -qnnvvv -i enp0s3 host 10.0.0.20

What if you want to allow connections to the web server (port 80) only from 192.168.0.18 and block every other source in the 192.168.0.0/24 network?

Add the following rules to the firewall on the web server (the accept rule targets the single host, so it is written as a /32):

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.18/32" service name="http" accept'

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.18/32" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" drop'

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" drop' --permanent

You can now send HTTP requests to the web server from 192.168.0.18 and from another machine in 192.168.0.0/24. In the first case the connection completes successfully; in the second it eventually times out. This works because firewalld evaluates accept rich rules before drop rules (when no explicit priority is set), so the host-specific accept rule wins for 192.168.0.18 even though the drop rule covers the whole subnet.

Either of the following commands will verify this result:

# telnet 10.0.0.20 80

# wget 10.0.0.20

I strongly recommend that you read the firewalld Rich Language documentation on the Fedora Project wiki for more detailed information about rich rules.

Network address translation (NAT) in RHEL 7

Network address translation (NAT) is the process by which a group of computers in a private network (or just one of them) is assigned a single public IP address. Hosts on the internal network are still distinguished by their own private IP addresses, but from the outside they all "look" the same.

NAT also makes it possible for a computer on the internal network to send requests to external resources (such as the Internet) and have the corresponding responses delivered back only to the system that originated them.

On router #2, we move the enp0s3 interface to the external zone and enp0s8 to the internal zone; masquerading (NAT) is enabled by default in the external zone:

# firewall-cmd --list-all --zone=external

# firewall-cmd --change-interface=enp0s3 --zone=external

# firewall-cmd --change-interface=enp0s3 --zone=external --permanent

# firewall-cmd --change-interface=enp0s8 --zone=internal

# firewall-cmd --change-interface=enp0s8 --zone=internal --permanent

For our current setup, make the internal zone, along with everything enabled in it, the default zone:

# firewall-cmd --set-default-zone=internal

Next, reload the firewall rules, keeping the existing state information:

# firewall-cmd --reload

Finally, add router #2 as the default gateway on the web server:

# ip route add default via 10.0.0.18

You will now find that from the web server you can ping both router #1 and external websites (for example, tecmint.com):

# ping -c 2 192.168.0.1

# ping -c 2 tecmint.com

Setting kernel runtime parameters in RHEL 7

Linux lets you change, enable and disable kernel runtime parameters, and RHEL is no exception. When operating conditions change, the /proc/sys interface (sysctl) lets you set runtime parameters on the fly to adjust system behaviour without much hassle.

To do this, values are written with the shell's echo to files under /proc/sys/<category>, where <category> is usually one of the following:

dev: parameters for specific devices in the machine.

fs: file system configuration (for example, quotas and inodes).

kernel: kernel configuration.

net: network configuration.

vm: the kernel's use of virtual memory.

To display a list of all currently available values, run:

# sysctl -a | less

In Part 1, we changed the value of the net.ipv4.ip_forward parameter with the following command so that the Linux machine could act as a router:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Another runtime parameter you might want to set is kernel.sysrq, which enables the SysRq key on your keyboard so that you can perform certain low-level operations, such as rebooting the system if it freezes for some reason:

# echo 1 > /proc/sys/kernel/sysrq

To display the value of a specific parameter, use sysctl as follows:

# sysctl <parameter.name>

For example:

# sysctl net.ipv4.ip_forward

# sysctl kernel.sysrq

Some parameters, such as the ones above, take a single value, while others (for example, fs.inode-state) take several.

In any case, you will need to read the kernel documentation before making any changes.

Note that these settings are lost when the system reboots. To make the changes permanent, add a .conf file with the desired content to the /etc/sysctl.d directory, like this:

# echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/10-forward.conf

(where the number 10 determines the order in which this file is processed relative to the other files in the same directory).

Use the following command to enable the changes:

# sysctl -p /etc/sysctl.d/10-forward.conf
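Because a value set with echo is lost on reboot while the .conf file survives, the two can silently diverge. The following added script (not part of the original article) compares the values persisted in a sysctl.d-style directory against the live values under /proc/sys and reports any drift; the /proc/sys root and the conf directory are parameters (an assumption of this example) so it can be run against a constructed tree as well as the real system.

```shell
#!/bin/sh
# Added example: detect drift between persisted sysctl settings and the
# live kernel values. Assumes the sysctl.d convention of one "key = value"
# per line and "#"/";" comment lines.

# Map a dotted key such as net.ipv4.ip_forward to its path under PROC_ROOT.
sysctl_key_to_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Print one line per key whose live value differs from the persisted one
# ("DRIFT key persisted=X live=Y") or whose /proc/sys file is absent
# ("MISSING key"). Files are read in lexical order, so a later file
# (e.g. 20-sysrq.conf) overrides an earlier one (10-forward.conf), which
# mirrors how sysctl --system applies the directory.
check_sysctl_drift() {
    proc_root=$1
    conf_dir=$2
    cat "$conf_dir"/*.conf 2>/dev/null |
    awk -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }             # skip comments and blank lines
        {
            gsub(/[ \t]/, "", $1); sub(/^-/, "", $1)  # leading "-" only means "ignore errors"
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
            want[$1] = $2                             # last assignment wins
        }
        END { for (k in want) print k "=" want[k] }' |
    while IFS='=' read -r key want; do
        path=$(sysctl_key_to_path "$proc_root" "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (no %s)\n' "$key" "$path"
        elif [ "$(cat "$path")" != "$want" ]; then
            printf 'DRIFT %s persisted=%s live=%s\n' "$key" "$want" "$(cat "$path")"
        fi
    done
}

# Against the real system (needs read access to /proc/sys):
#   check_sysctl_drift /proc/sys /etc/sysctl.d
```

An empty report means the running kernel matches what will be applied at the next boot.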

Summary

In this guide we explained basic packet filtering, network address translation, and setting kernel runtime parameters on a running system and making them persist across reboots. I hope you find this information useful.
