iptables firewall
Application scenarios

1. Host firewall
2. Internal sharing of Internet access (NAT)
3. Port and IP mapping
iptables workflow

1. Rules are matched from top to bottom.
2. As soon as a rule matches, matching stops; the rules below it are not checked.
3. If no explicit rule matches, the chain's default policy applies (ACCEPT by default; it can be changed).
4. The default policy is therefore always evaluated after all configured rules.

Note: the rules that match the most traffic should be placed first.
iptables four tables and five chains

Four tables:
1. filter table
2. nat table
3. mangle table
4. raw table

Five chains:
1. INPUT: packets destined for a local socket
2. FORWARD: packets routed through the host
3. OUTPUT: packets generated locally
4. PREROUTING: alter packets as soon as they arrive, before routing
5. POSTROUTING: alter packets just before they leave
1. filter table

Its main function is to block or allow access. Chains included:
1. INPUT: filters packets entering the host
2. FORWARD: filters packets forwarded through the host
3. OUTPUT: filters packets leaving the host
2. nat table

Its main function is port and IP forwarding. Chains included:
1. OUTPUT: processes packets generated by the host itself
2. PREROUTING: inspects packets as they arrive at the firewall and rewrites the destination address or port (DNAT, port forwarding)
3. POSTROUTING: inspects packets as they leave the firewall and rewrites the source address (SNAT, LAN shared Internet access)
iptables preparation
1. Install iptables management command
```
[root@m01 ~]# yum install -y iptables-services
```
2. Load the kernel module of the firewall
```
[root@m01 ~]# modprobe ip_tables
[root@m01 ~]# modprobe iptable_filter
[root@m01 ~]# modprobe iptable_nat
[root@m01 ~]# modprobe ip_conntrack
[root@m01 ~]# modprobe ip_conntrack_ftp
[root@m01 ~]# modprobe ip_nat_ftp
[root@m01 ~]# modprobe ipt_state
# View the loaded modules
[root@m01 ~]# lsmod | egrep 'filter|nat|ipt'
```
3. Stop firewalld and start iptables
```
[root@m01 ~]# systemctl stop firewalld
[root@m01 ~]# systemctl disable firewalld
[root@m01 ~]# systemctl start iptables.service
```
iptables common operations
1. View firewall rules (the filter table is shown by default)

```
# View rules: -L lists the rules, -n shows addresses and ports in numeric form
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@m01 ~]#
```
2. View firewall rules of a specified table (nat)

```
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root@m01 ~]#
```
3. Clear firewall rules
```
# Delete all rules in all chains (or in the given chain)
[root@m01 ~]# iptables -F
# Delete user-defined chains
[root@m01 ~]# iptables -X
# Zero the packet and byte counters of all chains
[root@m01 ~]# iptables -Z
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@m01 ~]#
```
4. Add firewall rules
```
[root@m01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
```

Options of the iptables command used here:
- -t: specify the table
- -A: append the rule at the end of the chain
- -p: specify the protocol
- --dport: specify the destination port
- -j: specify the action taken after a match
- DROP: discard the packet (the request is silently rejected)
- ACCEPT: accept the packet (the request is allowed)
5. Delete firewall rules
```
# View rule numbers
[root@m01 ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@m01 ~]#
# Delete a rule by its number
[root@m01 ~]# iptables -D INPUT 1
```
iptables in practice
1. Prohibit access to a port
```
[root@m01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
```

- -t: specify the table
- -A: append the rule at the end of the chain
- -p: specify the protocol
- --dport: specify the destination port
- -j: specify the action taken after a match
- DROP: discard the packet (the request is rejected)
- ACCEPT: accept the packet (the request is allowed)
2. Prohibit access to an IP
```
[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.7 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.7 -j DROP
```

- -A: append the rule at the end of the chain
- -p: specify the protocol
- -s: specify the source address or network segment (e.g. 192.168.1.0/24); prefix it with ! to negate the match
- -j: specify the action taken after a match
- DROP: discard the packet (the request is rejected)
- -I: insert the rule at the front of the chain
3. Prohibit access to an ip network segment
```
[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.0/24 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.0/24 -j DROP
```
4. Only one ip access is allowed
```
# These rules have no effect on their own: the default policy is ACCEPT, so everything is allowed anyway
[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.7 -i eth0 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.7 -i eth1 -j ACCEPT
# Use the following form instead (! negates the source match)
[root@m01 ~]# iptables -A INPUT -p tcp ! -s 10.0.0.0/24 -i eth0 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp ! -s 172.16.1.0/24 -i eth1 -j DROP
```
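To see why the plain ACCEPT rules above change nothing while the negated DROP form does, here is a small simulator of the top-down chain walk described in the workflow section. It is an added example, not code from the original notes; the rule text format, the helper names and the outside address 192.168.1.5 are constructed for it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: simulate the INPUT chain
# walk (first match wins; the chain policy applies only when nothing matched).
# Rule line format (constructed for this example):  VERDICT PROTO SOURCE DPORT
# SOURCE is an IP or CIDR, optionally prefixed with "!" to negate it; DPORT is
# a port or a lo:hi range; "any" is a wildcard for PROTO, SOURCE or DPORT.

# ip_to_int 10.0.0.7 -> 167772167
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP CIDR -> true when IP lies inside CIDR ("any" always matches)
cidr_match() {
  local ip=$1 cidr=$2 net bits mask
  [ "$cidr" = any ] && return 0
  case $cidr in
    */*) net=${cidr%/*}; bits=${cidr#*/} ;;
    *)   net=$cidr; bits=32 ;;
  esac
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# port_match DPORT RULEPORT -> true for an exact port, a lo:hi range, or "any"
port_match() {
  local want=$1 rule=$2
  [ "$rule" = any ] && return 0
  case $rule in
    *:*) [ "$want" -ge "${rule%:*}" ] && [ "$want" -le "${rule#*:}" ] ;;
    *)   [ "$want" -eq "$rule" ] ;;
  esac
}

# walk_chain "RULES" POLICY PROTO SRC_IP DPORT -> prints the resulting verdict
walk_chain() {
  local rules=$1 policy=$2 proto=$3 src=$4 dport=$5
  local verdict rproto rsrc rport negate
  while read -r verdict rproto rsrc rport; do
    [ -z "$verdict" ] && continue
    negate=0
    case $rsrc in \!*) negate=1; rsrc=${rsrc#\!} ;; esac
    [ "$rproto" = any ] || [ "$rproto" = "$proto" ] || continue
    port_match "$dport" "$rport" || continue
    if cidr_match "$src" "$rsrc"; then
      [ "$negate" -eq 1 ] && continue   # "! -s" rule: source inside the net, no match
    else
      [ "$negate" -eq 0 ] && continue   # plain "-s" rule: source outside the net, no match
    fi
    echo "$verdict"                     # first matching rule decides
    return 0
  done <<EOF
$rules
EOF
  echo "$policy"                        # nothing matched: the chain policy applies
}

# The two variants from the notes (eth0 side; 10.0.0.7 is the host to allow)
only_accept='ACCEPT tcp 10.0.0.7 any'
negated_drop='DROP tcp !10.0.0.0/24 any'

# 192.168.1.5 is a constructed outside address
walk_chain "$only_accept"  ACCEPT tcp 192.168.1.5 22   # ACCEPT: the rule restricts nothing
walk_chain "$negated_drop" ACCEPT tcp 192.168.1.5 22   # DROP
walk_chain "$negated_drop" ACCEPT tcp 10.0.0.7 22      # ACCEPT, via the default policy
```

Note that `! -s 10.0.0.0/24` allows the whole 10.0.0.0/24 segment, not only 10.0.0.7; the simulator makes that visible for any source you pass in.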
5. Matching port range
```
# Deny access to multiple ports; the ports are separated by commas
[root@m01 ~]# iptables -I INPUT -p tcp -m multiport --dport 21,22,23,24 -j DROP
# A port range is written with a colon between the two ports
[root@m01 ~]# iptables -I INPUT -p tcp --dport 22:100 -j ACCEPT
```

- -m: load a match extension
- multiport: the multi-port match extension
- -I: insert the rule at the front of the chain
6. Match ICMP type
```
# Prohibit ping
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# Prohibit ping only from 10.0.0.7
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.7 -j DROP
# Allow ping only from 10.0.0.7
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.7 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# or, using ! to negate the source:
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 ! -s 10.0.0.7 -j DROP
```

- -p: specify the protocol
- --icmp-type: specify the ICMP type; type 8 is the echo request sent by ping
How to configure in the enterprise
1. Consider the following before configuring
1. Which machine the firewall is on
2. What services are deployed on that machine (e.g. nginx, keepalived)
3. Which ports the services open (e.g. 80, 443, 22)
4. The default rule is to reject everything else
2. Configure security rules
```
# Allow access to 80 and 443 (-I inserts the rule at the front)
iptables -I INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
# Only the jump host may connect to port 22
iptables -A INPUT -p tcp -s 172.16.1.61 --dport 22 -j ACCEPT
# Prohibit ping from everyone except the jump host
iptables -A INPUT -p icmp --icmp-type 8 ! -s 172.16.1.61 -j DROP
# Allow Internet access (all traffic arriving on eth0)
iptables -A INPUT -i eth0 -j ACCEPT
# Reject everything else by default (-P sets the chain's default policy)
iptables -P INPUT DROP
```
Pitfall:

With the configuration method above, the reject-all default policy is set in the last step. Once the jump host is connected, do not flush the firewall rules, otherwise nothing will be able to connect: flushing removes the rules but not the default policy set by 'iptables -P INPUT DROP', so the chain is left with a DROP default and no rule that allows anything.

Recovery (must be done from the virtual machine console or the physical machine):
1. iptables -P INPUT ACCEPT
2. systemctl restart iptables
3. Restart the physical machine (risky)

Avoidance methods:
1. Add iptables -P INPUT ACCEPT to a scheduled task (usable during the test phase):
```
* * * * * /usr/sbin/iptables -P INPUT ACCEPT
```
2. Test in another environment first; once the test passes, copy all rules to the target environment and execute them there.
3. Save the previous firewall rules before configuring, and modify them based on the saved rules:
```
[root@web01 ~]# iptables-save > iptables_m01_20200116
# Import the rules after modification
[root@web01 ~]# iptables-restore < iptables_m01_20200116
```
3. General enterprise configuration
```
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -nL
```
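A safer way to roll out the general enterprise configuration above without hitting the lock-out pitfall: generate the rule set as an iptables-restore file (the same format as /etc/sysconfig/iptables), back up the live rules first, and load the new set with an automatic rollback that only stays cancelled if the operator confirms from a working session. This is an added example, not code from the original notes; the ports and networks are the notes' own values, while the function names, the rollback timer and the backup file paths are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: apply the enterprise
# rule set with a backup and a timed rollback, so a wrong rule cannot
# lock the operator out of the host.

# build_ruleset "PORTS" "TRUSTED_NETS" -> prints an iptables-restore file
build_ruleset() {
  local ports=$1 nets=$2 net
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  # Not in the notes' list, but needed under policy DROP: let replies to
  # connections the host itself opened (DNS, yum, ...) come back in.
  printf -- '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
  printf -- '-A INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$ports"
  for net in $nets; do
    printf -- '-A INPUT -s %s -j ACCEPT\n' "$net"
  done
  printf 'COMMIT\n'
}

# apply_with_rollback RULEFILE [SECONDS]: save the live rules, load RULEFILE,
# and restore the saved rules after SECONDS unless confirm_rules is called.
# Prints the backup path. Must run as root on a host with iptables installed.
apply_with_rollback() {
  local rulefile=$1 grace=${2:-60} backup
  backup=$(mktemp /tmp/iptables.backup.XXXXXX) || return 1
  iptables-save > "$backup" || return 1
  # Background timer: if the backup file still exists when it fires,
  # nobody confirmed the new rules, so put the old ones back.
  ( sleep "$grace"; [ -f "$backup" ] && iptables-restore < "$backup" ) &
  echo $! > "$backup.timer"
  iptables-restore < "$rulefile" || { iptables-restore < "$backup"; return 1; }
  echo "$backup"
}

# confirm_rules BACKUP: the operator could still log in, so keep the new rules.
confirm_rules() {
  kill "$(cat "$1.timer")" 2>/dev/null
  rm -f "$1" "$1.timer"
}

# Usage: ./safe-apply.sh apply [seconds]   -> prints the backup path
#        ./safe-apply.sh confirm <backup>  -> run within the grace period
case ${1:-} in
  apply)   f=$(mktemp) && build_ruleset "80,443,22" "10.0.1.0/24 172.16.1.0/24" > "$f" \
             && apply_with_rollback "$f" "${2:-60}" ;;
  confirm) confirm_rules "$2" ;;
  *)       build_ruleset "80,443,22" "10.0.1.0/24 172.16.1.0/24" ;;  # only print the file
esac
```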
Internal sharing and Internet access
1. Operate on m01
```
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 172.16.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
```

- -j: specify the action
- SNAT: source address translation (SRC NAT)
- --to-source: the address the source is translated to
2. Other host operations
```
[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.7
PREFIX=24
GATEWAY=172.16.1.61
[root@web01 ~]# systemctl restart network
[root@web01 ~]# ifdown eth0
[root@web01 ~]# vim /etc/resolv.conf
nameserver 223.5.5.5
```
Port forwarding
```
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 9000 -j DNAT --to-destination 172.16.1.7:22
[root@m01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
```

- -d: specify the destination IP
- DNAT: destination address translation
- --to-destination: the address (and port) the destination is translated to
IP forwarding
```
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -j DNAT --to-destination 172.16.1.7
iptables -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 172.16.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
iptables -t nat -A OUTPUT -d 10.0.0.61 -j DNAT --to-destination 172.16.1.7
```
Firewall rules take effect permanently
```
# Write the rules into the iptables configuration file
[root@m01 ~]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Save the configured rules
[root@m01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
```
Extended reference: iptables command options

(a) Chain management:
- -N: new, create a user-defined chain
- -X: delete a user-defined chain; only an empty chain with a reference count of 0 can be deleted
- -P: policy, set the default policy of a built-in chain; for the filter table the possible defaults are ACCEPT (accept), DROP (discard) and REJECT (refuse)
- -E: rename a user-defined chain; a chain whose reference count is not 0 can be neither renamed nor deleted

(b) Rule management:
- -A: append a rule at the end of the chain
- -I: insert a rule at the given position (the first position if omitted)
- -D: delete a rule, either (1) by its rule number or (2) by specifying the rule itself
- -R: replace the specified rule on the specified chain
- -F: flush, clear the specified chain
- -Z: zero the counters; each iptables rule has two counters: (1) the number of matched packets, (2) the total size of all matched packets

(c) Viewing:
- -L: list all rules on the specified chain
- -n: numeric, show addresses and ports in numeric form
- -v: verbose; -vv and -vvv give more detail
- -x: exact, show the exact counter values
- --line-numbers: show the rule numbers
Security framework
1. Hardware: lock the cabinet; use virtual machines
2. Network: restrict access by IP (and port) with firewalld or iptables; limit bandwidth; allow the specified IPs and deny all others
3. System: forbid root login; no password login, keys only; change the default port 22
4. Services: hide version numbers; once a service is stable, apply minor version updates promptly
5. Website (http/https): SQL injection and other injection vulnerabilities, DDoS attacks; firewall providers: Niu Dunyun, Safe Dog
firewalld firewall
Basic overview of firewalld

CentOS 7 integrates several firewall management tools; the one enabled by default is firewalld (dynamic firewall manager). firewalld supports two management methods, a CLI (command line) and a GUI (graphical). People who worked with Linux earlier are familiar with iptables, but iptables rules are cumbersome and require a certain amount of networking knowledge, so the learning cost is high. firewalld has lower requirements and is much simpler than iptables, so people who start directly with CentOS 7 are recommended to learn firewalld.

Note that when the firewall is enabled and no allow rules are configured, access to the firewall host from outside is blocked by default, while traffic going from inside the firewall to the outside is allowed by default. firewalld can only apply restrictions related to IP and port; web-level restrictions that depend on http/https content cannot be achieved with it.
firewalld zone management

Compared with the traditional iptables firewall, firewalld supports dynamic updates and introduces the concept of zones. In short, a zone is one of several sets of firewall policies (policy templates) that firewalld prepares in advance. Users choose the template that fits their scenario, which allows quick switching between firewall policies.

Note the relationship between zones and interfaces in firewalld: a network card can be bound to only one zone (eth0 --> zone A), but several network cards can be bound to the same zone (zone A --> eth0 eth1 eth2). Different rules can also be set according to the source address, for example everyone may access port 80, but only the company's IP may access port 22.
Zones

Zone | Default rule policy |
---|---|
trusted | Allow all packets to flow in and out |
home | Reject incoming traffic unless it is related to outgoing traffic; traffic for the ssh, mdns, IPP client, Samba client and DHCPv6 client services is allowed |
internal | Equivalent to the home zone |
work | Reject incoming traffic unless it is related to outgoing traffic; traffic for the ssh, IPP client and DHCPv6 client services is allowed |
public | Reject incoming traffic unless it is related to outgoing traffic; traffic for the ssh and DHCPv6 client services is allowed |
external | Reject incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed |
dmz | Reject incoming traffic unless it is related to outgoing traffic; traffic for the ssh service is allowed |
block | Reject incoming traffic unless it is related to outgoing traffic |
drop | Reject incoming traffic unless it is related to outgoing traffic |
The three zones that must be remembered (the others matter less):
- trusted: whitelist
- public: the default zone
- drop: blacklist
firewall-cmd basic parameters

firewall-offline-cmd: writes to the firewalld configuration files while the service is not running; the change is applied in about 5 seconds. Not officially recommended.

firewall-cmd command list by category
Parameter | Effect |
---|---|
Zone related commands | |
--get-default-zone | Get the name of the default zone |
--set-default-zone=<zone name> | Set the default zone (takes effect permanently) |
--get-active-zones | Show the zones currently in use and their network cards |
--get-zones | Show all available zones |
--new-zone=mcy --permanent | Create a new zone |
--delete-zone=mcy --permanent | Delete a zone |
Service related commands | |
--get-services | List all services that can be managed |
--add-service= | Allow traffic for the given service in the default zone |
--remove-service= | Stop allowing traffic for the given service in the default zone |
--list-services | Show the services allowed in the default zone |
Port related commands | |
--add-port=<port number/protocol> | Allow traffic on the given port in the default zone |
--remove-port=<port number/protocol> | Stop allowing traffic on the given port in the default zone |
--list-ports | Show the ports allowed in the default zone |
Interface (network card) related commands | |
--get-zone-of-interface=<network card name> | Check which zone an interface belongs to |
--add-interface=<network card name> | Direct all traffic from the network card to the specified zone |
--remove-interface=<network card name> | Unbind the network card from its zone |
--change-interface=<network card name> | Move an interface to another zone |
Source address related commands | |
--add-source= | Add a source address |
--remove-source= | Remove a source address |
Other commands | |
--list-all | Show the network cards, sources, ports and services configured in the current zone |
--reload | Make the permanent configuration take effect immediately, replacing the runtime configuration |
--panic-on | Block all network connections |
--panic-off | Restore network connections |
```
# A zone cannot be added at runtime only; --permanent is required
[root@web01 ~]# firewall-cmd --new-zone=mc
usage: see firewall-cmd man page                 # Usage: see the firewall-cmd man page
Option can be used only with --permanent.        # This option can only be used with --permanent
[root@web01 ~]# firewall-cmd --new-zone=mcy --permanent
success
# The new zone [mcy] is visible only after firewalld is reloaded
[root@web01 ~]# firewall-cmd --reload
success
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal mcy public trusted work
```
firewalld zone configuration policy

To use firewalld and its tools normally, the firewalld service must be started and the old firewall services must be stopped. Note that firewalld rules exist in two states:
- runtime: rule changes take effect immediately but are lost when the service restarts (recommended for testing)
- permanent: rule changes require a reload to take effect (recommended for production)
1. Masking and unmasking iptables

```
# Mask the iptables service [prevents conflicts between firewalld and iptables]
[root@web01 ~]# systemctl mask iptables.service
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
# Unmask the iptables service
[root@web01 ~]# systemctl unmask iptables.service
Removed symlink /etc/systemd/system/iptables.service.
```
2. Start firewalld and enable it at boot

```
[root@web01 ~]# systemctl start firewalld
[root@web01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
```
3. After firewalld is started, check which zone is in use and what that zone's rules are

```
# View the default zone in use
[root@web01 ~]# firewall-cmd --get-default-zone
public
# View all available zones
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# View the configuration of a specified zone (public)
[root@web01 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# View the configuration of the default zone (public), with the meaning of each field
[root@m01 ~]# firewall-cmd --list-all
public (active)                 # zone name (active)
  target: default               # target: default
  icmp-block-inversion: no      # ICMP block inversion: no [can be turned on under an ICMP attack]
  interfaces: eth0 eth1         # network cards bound to the zone
  sources:                      # allowed source IP addresses
  services: ssh dhcpv6-client   # allowed services
  ports:                        # allowed ports
  protocols:                    # allowed protocols
  masquerade: no                # IP masquerading
  forward-ports:                # port forwarding
  source-ports:                 # source ports
  icmp-blocks:                  # blocked ICMP types
  rich rules:                   # rich rules
```
4. Combine zone rules so that the default public zone rejects all traffic while sources from the 10.0.0.0/24 network segment are allowed

```
# Configure the default zone to deny all access
[root@web01 ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}
# Add the allowed source to the trusted (whitelist) zone [it only takes effect in the whitelist zone]
[root@web01 ~]# firewall-cmd --add-source=10.0.0.8 --zone=trusted
# View the zones in use
[root@web01 ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0
trusted
  sources: 10.0.0.8
```
5. Query whether the public zone allows SSH and HTTPS traffic

```
# Query a single service
[root@m01 ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@m01 ~]# firewall-cmd --zone=public --query-service=https
no
```
6. Clear the firewall rules (discards the runtime configuration)

```
[root@m01 ~]# firewall-cmd --reload
success
```
firewalld allow policies

Note: with --permanent the rule is permanent; otherwise it is temporary (runtime only).
1. Allow a service

```
# Allow a service
[root@web01 ~]# firewall-cmd --add-service=http
# Remove the allow rule
[root@web01 ~]# firewall-cmd --remove-service=http
success
```
2. Allow a port

```
# Allow a port
[root@web01 conf.d]# firewall-cmd --add-port=80/tcp
success
[root@web01 conf.d]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# Remove the port
[root@web01 conf.d]# firewall-cmd --remove-port=80/tcp
success
```
3. Allow a custom service

```
# 1. The file name becomes the service name added later
[root@m01 ~]# cp /usr/lib/firewalld/services/{http.xml,tomcat.xml}
# Edit the copied file [note the service name and port]
<short>......</short>                 # service name
<description>......</description>     # description
<port protocol="..." port="..."/>     # protocol and port
<module name="..."/>                  # helper module [some services have one, others do not]
# 2. Reload firewalld
[root@m01 ~]# firewall-cmd --reload
success
# 3. Add the custom service by name
[root@m01 ~]# firewall-cmd --add-service=tomcat
success
```

Suggestion: in the future, simply add the port directly; the effect is the same as allowing a custom service.
firewalld port forwarding policy

Port forwarding is the traditional destination address mapping, which lets the external network reach internal network resources. The syntax is:

```
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP address>
```

For example, forward local port 10.0.0.7:5555 to port 22 of the backend host 172.16.1.9.
1. firewalld port forwarding (port mapping); only TCP services can be forwarded

```
# 1. Add the forwarded port
[root@m01 ~]# firewall-cmd --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=172.16.1.7
success
# 2. Enable IP masquerading
[root@m01 ~]# firewall-cmd --add-masquerade
success
# 3. View the zone configuration
[root@m01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1 eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=5555:proto=tcp:toport=22:toaddr=172.16.1.7
  source-ports:
  icmp-blocks:
  rich rules:
# 4. Test the forwarding
[c:\~]$ ssh 10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Last login: Fri Jan  3 17:20:16 2020 from 10.0.0.1
[root@web03 ~]#
```
firewalld rich rule policy

Rich rules in firewalld express a more detailed firewall policy. They can target system services, port numbers, source addresses, destination addresses and more, and they have the highest priority of all firewalld policies. The rich rule syntax is documented in the manual:

```
[root@m01 ~]# man firewall-cmd
[root@m01 ~]# man firewalld.richlanguage

rule [source] [destination] service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port [log] [audit] [accept|reject|drop|mark]

rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
accept | reject [type="reject type"] | drop

# Rich rule related commands
--add-rich-rule='<RULE>'      # add a rich rule in the specified zone
--remove-rich-rule='<RULE>'   # delete a rich rule in the specified zone
--query-rich-rule='<RULE>'    # returns 0 if the rule exists, 1 if it does not
--list-rich-rules             # list all rich rules in the specified zone
```
Examples:

1. Allow host 10.0.0.1 to access the http service, and allow the 172.16.1.0/24 network segment to access port 10050

```
# Allow host 10.0.0.1 to access the http service
[root@web01 services]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 service name=http accept"
# Allow 172.16.1.0/24 to access the port
[root@web01 services]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=8080 protocol=tcp accept"
```
2. The public zone is open by default and everyone can connect via the ssh service; refuse ssh connections from the 172.16.1.0/24 network segment

```
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ssh drop'
```
3. Allow everyone to access the HTTP and HTTPS services, but let only host 10.0.0.1 access the ssh service

```
[root@m01 ~]# firewall-cmd --remove-service=ssh
[root@m01 ~]# firewall-cmd --add-service={http,https}
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept' --permanent
```
4. When the user's source IP address is 10.0.0.1, forward requests to port 5555 to port 22 of 172.16.1.7

```
[root@m01 ~]# firewall-cmd --add-masquerade
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"'
```
5. Check the configured rules. Without --permanent they are lost when firewalld restarts. Rich rules are matched in order, and the first matching rule takes effect.

```
[root@m01 ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="10.0.0.1" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
rule family="ipv4" source address="10.0.0.1" service name="ssh" accept
rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.9"
```

Usage scenario: the default zone is normally configured to reject or accept everything; rich rules are used when a specific IP must be allowed to reach a specific port or service.
Backup of firewalld rules

All rules added permanently (--permanent) to the public zone are written to /etc/firewalld/zones/public.xml; backing up that file is sufficient.
firewalld: sharing Internet access with internal hosts

On the instance that has the public IP, start firewalld and enable NAT address translation so that the internal hosts can reach the Internet.

1. Enable IP masquerading on the firewall (the host whose IP is the internal gateway)

```
[root@m01 ~]# firewall-cmd --add-masquerade --permanent
[root@m01 ~]# firewall-cmd --reload
```
2. Enable kernel IP forwarding (enabling masquerading above turns it on automatically)

```
# Configure kernel forwarding
[root@m01 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# Apply the setting (required on CentOS 6 for it to take effect)
[root@m01 ~]# sysctl -p
# Check whether kernel forwarding is enabled
[root@m01 ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
```
3. Client intranet address configuration

```
[root@web03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61
[root@web03 ~]# cat /etc/resolv.conf
nameserver 223.5.5.5
```
4. Restart the network card
```
[root@web01 ~]# ifdown eth1 && ifup eth1
```
5. Test whether the backend web host can reach the Internet

```
[root@web03 ~]# ping baidu.com
PING baidu.com (123.125.115.110) 56(84) bytes of data.
64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=1 ttl=127 time=9.08 ms
```