02 architecture 12 firewall

Keywords: Linux network bash architecture

iptables firewall

Application scenarios

1.Host firewall (filtering traffic to the machine itself)
2.Shared Internet access for an internal network (SNAT)
3.Port and IP mapping (DNAT)

iptables workflow

1.Rules in a chain are matched from top to bottom
2.The first matching rule decides; once a terminating target (ACCEPT, DROP, REJECT) fires, the rules below it are not evaluated
3.If no rule matches, the chain's default policy applies (ACCEPT for every chain unless changed with -P)
4.The default policy is therefore consulted only after every rule in the chain has been tried

#Note: put the rules that match the most traffic near the top; the packet counters from iptables -nvL show which rules actually hit

iptables: four tables and five chains

#Four tables:
1.filter table (packet filtering; the default table)
2.nat table (address and port translation)
3.mangle table (modifying packet headers, e.g. TTL, TOS, marks)
4.raw table (connection-tracking exemptions, processed first)

#Five chains:
1.INPUT			Packets addressed to a local socket on this host
2.FORWARD		Packets routed through this host (neither source nor destination is local)
3.OUTPUT		Packets generated locally
4.PREROUTING	Alter packets as soon as they arrive, before the routing decision
5.POSTROUTING	Alter packets just before they leave, after the routing decision

1.filter table

Its job is to allow or block traffic
 Chains included:
1.INPUT: filters packets destined for this host
2.FORWARD: filters packets passing through this host
3.OUTPUT: filters packets originating from this host

2.nat table

Its job is address and port translation
 Chains included:
1.OUTPUT: translates locally generated packets (DNAT before they are routed)
2.PREROUTING: consulted when a packet arrives; rewrites the destination address or port (DNAT, used for port forwarding)
3.POSTROUTING: consulted just before a packet leaves; rewrites the source address or port (SNAT/MASQUERADE, used for shared Internet access)
#Newer kernels also show an INPUT chain in the nat table (visible in iptables -nL -t nat below)

iptables preparation

1. Install the iptables management command and service unit

[root@m01 ~]# yum install -y iptables-services

2. Load the kernel modules of the firewall

[root@m01 ~]# modprobe ip_tables
[root@m01 ~]# modprobe iptable_filter
[root@m01 ~]# modprobe iptable_nat
[root@m01 ~]# modprobe ip_conntrack
[root@m01 ~]# modprobe ip_conntrack_ftp
[root@m01 ~]# modprobe ip_nat_ftp
[root@m01 ~]# modprobe ipt_state
#On CentOS 7 kernels the connection-tracking modules are named nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and xt_state; the ip_* and ipt_* names above are the old ones and modprobe may report them as not found. iptables loads the modules it needs the first time a rule uses them, so this step is mostly a sanity check.

#View loaded modules
[root@m01 ~]# lsmod | egrep 'filter|nat|ipt|conntrack'

3. Stop firewalld and start iptables (only one of the two should manage the rules)

[root@m01 ~]# systemctl stop firewalld
[root@m01 ~]# systemctl disable firewalld
[root@m01 ~]# systemctl start iptables.service

iptables common operations

1. View firewall rules (the filter table is shown when no table is given)

#View rules: -L lists the rules, -n prints addresses and ports numerically (no reverse DNS lookups, which also makes listing much faster)
[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@m01 ~]#

2. View the rules of the nat table

[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@m01 ~]# 

3. Clear firewall rules

#Flush all rules in every chain of the table (the chains and their policies remain)
[root@m01 ~]# iptables -F
#Delete empty user-defined chains
[root@m01 ~]# iptables -X
#Zero the packet and byte counters
[root@m01 ~]# iptables -Z

[root@m01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@m01 ~]#

4. Add firewall rules

[root@m01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

iptables    command
-t          Specify the table (filter when omitted)
-A          Append the rule at the end of the chain
-p          Specify the protocol (tcp, udp, icmp, all)
--dport     Specify the destination port
-j          Specify the target (action) when the rule matches
DROP        Discard silently; the client gets no reply and times out
REJECT      Discard and send an error back (e.g. icmp-host-prohibited), so the client fails fast
ACCEPT      Accept the packet

5. Delete firewall rules

#View rule number
[root@m01 ~]# iptables -nL --line-numbers 
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
[root@m01 ~]# 


#Delete the rule with the given number
[root@m01 ~]# iptables -D INPUT 1
#Rules are renumbered after each deletion, so re-run iptables -nL --line-numbers before deleting the next one. A rule can also be deleted by repeating its specification with -D instead of -A.

iptables in practice

1. Block access to a port

[root@m01 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

2. Block access from an IP

[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.7 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.7 -j DROP

iptables    command
-A          Append the rule at the end of the chain
-p          Specify the protocol
-s          Specify the source address or network (e.g. 192.168.1.0/24); prefix with ! to negate the match
-j          Specify the target when the rule matches

DROP        Discard silently
-I          Insert the rule at the top of the chain (position 1 when no number is given)

3. Block access from an IP network segment

[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.0/24 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.0/24 -j DROP

4. Allow access from only one IP

#These rules alone have no effect: the INPUT policy is ACCEPT, so everything is already allowed
[root@m01 ~]# iptables -A INPUT -p tcp -s 10.0.0.7 -i eth0 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -p tcp -s 172.16.1.7 -i eth1 -j ACCEPT

#Use negation instead: drop everything that does not come from the allowed source (the examples use a /24; give a single host address to allow exactly one IP)
[root@m01 ~]# iptables -A INPUT -p tcp ! -s 10.0.0.0/24 -i eth0 -j DROP
[root@m01 ~]# iptables -A INPUT -p tcp ! -s 172.16.1.0/24 -i eth1 -j DROP

!       Negate the following match

5. Matching multiple ports and port ranges

#Block several ports at once; with the multiport extension they are separated by commas
[root@m01 ~]# iptables -I INPUT -p tcp -m multiport --dport 21,22,23,24 -j DROP

-m          Load a match extension
multiport   Match a list of up to 15 ports (or ranges written as low:high)
-I          Insert the rule at the top of the chain

#A contiguous port range is written with a colon between the first and last port
[root@m01 ~]# iptables -I INPUT -p tcp --dport 22:100 -j ACCEPT

6. Match ICMP type

#Block ping
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP

-p             Specify the protocol
--icmp-type    Specify the ICMP type (number or name)
8              Type 8 is echo-request, the packet ping sends; 0 is echo-reply
#Match type 8 rather than dropping all ICMP: other ICMP types (e.g. fragmentation-needed) are required for path MTU discovery to work

#Block ping only from 10.0.0.7
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.7 -j DROP

#Allow ping only from 10.0.0.7 (the ACCEPT must come before the DROP, because the first matching rule wins)
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.7 -j ACCEPT
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
 or, as a single rule with negation
[root@m01 ~]# iptables -A INPUT -p icmp --icmp-type 8 ! -s 10.0.0.7 -j DROP
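The ordering rule behind these two variants (first match wins; the chain policy is used only when nothing matched) is the part of the iptables workflow that is easiest to get wrong, so here is a small shell simulation of a single INPUT chain. It is an added example and not part of the original page: the rule and packet notation (proto|src|dport|target, with "*" for any and a leading "!" for negation) is this script's own shorthand, not iptables syntax, and source addresses are compared literally, so no CIDR arithmetic is done.

```shell
#!/bin/sh
# Simulation of how one iptables chain evaluates a packet: rules are tried
# top to bottom, the first match decides, and the chain policy is used only
# when no rule matched. Added example; the rule format below is this
# script's own shorthand (proto|src|dport|target), not iptables syntax.

# The page's "allow ping only from 10.0.0.7" chain, ACCEPT before DROP,
# plus a jump-host-only SSH pair.
GOOD_ORDER='icmp8|10.0.0.7|*|ACCEPT
icmp8|*|*|DROP
tcp|172.16.1.61|22|ACCEPT
tcp|*|22|DROP'

# Same ICMP rules with the pair swapped: the ACCEPT is now unreachable.
BAD_ORDER='icmp8|*|*|DROP
icmp8|10.0.0.7|*|ACCEPT'

# Single-rule variant with negation ("! -s 10.0.0.7").
NEGATED='icmp8|!10.0.0.7|*|DROP'

# field_matches <rule_field> <packet_field>: "*" matches anything, a
# leading "!" inverts the comparison, anything else must be equal.
field_matches() {
  fm_want=$1 fm_have=$2
  [ "$fm_want" = "*" ] && return 0
  if [ "${fm_want#!}" != "$fm_want" ]; then
    [ "${fm_want#!}" != "$fm_have" ]
  else
    [ "$fm_want" = "$fm_have" ]
  fi
}

# evaluate <rules> <policy> <proto> <src> <dport>
# Prints "<target> <rule number>" for the first matching rule, or
# "<policy> POLICY" when the chain fell through to its default policy.
evaluate() {
  ev_rules=$1 ev_policy=$2 ev_proto=$3 ev_src=$4 ev_dport=$5 ev_n=0
  while IFS='|' read -r r_proto r_src r_dport r_target; do
    ev_n=$((ev_n + 1))
    if field_matches "$r_proto" "$ev_proto" &&
       field_matches "$r_src" "$ev_src" &&
       field_matches "$r_dport" "$ev_dport"; then
      printf '%s %s\n' "$r_target" "$ev_n"   # first match wins, stop here
      return 0
    fi
  done <<EOF
$ev_rules
EOF
  printf '%s POLICY\n' "$ev_policy"
}

# Constructed sample packets ("-" = no port, as for ICMP).
evaluate "$GOOD_ORDER" ACCEPT icmp8 10.0.0.7 -      # ACCEPT 1
evaluate "$GOOD_ORDER" ACCEPT icmp8 10.0.0.8 -      # DROP 2
evaluate "$GOOD_ORDER" ACCEPT tcp 172.16.1.61 22    # ACCEPT 3
evaluate "$GOOD_ORDER" ACCEPT tcp 10.0.0.8 22       # DROP 4
evaluate "$GOOD_ORDER" ACCEPT tcp 10.0.0.8 80       # ACCEPT POLICY
evaluate "$GOOD_ORDER" DROP   tcp 10.0.0.8 80       # DROP POLICY
evaluate "$BAD_ORDER"  ACCEPT icmp8 10.0.0.7 -      # DROP 1 (rule 2 never reached)
evaluate "$NEGATED"    ACCEPT icmp8 10.0.0.7 -      # ACCEPT POLICY
evaluate "$NEGATED"    ACCEPT icmp8 10.0.0.8 -      # DROP 1
```

The BAD_ORDER result is the point: the ACCEPT for 10.0.0.7 exists but is never consulted, which is exactly what happens on a real host when an allow rule is appended below a broader DROP.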

How to configure in production

1. Questions to answer before configuring

1.Which machine the firewall runs on (e.g. only the public-facing host, or every host)
2.Which services are deployed on that machine
	nginx
	keepalived
3.Which ports those services listen on
	80
	443
	22
4.Everything not explicitly allowed is dropped (default policy DROP)

2. Configure the security rules

#Allow access to 80 and 443
iptables -I INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT

-I        Insert the rule at the top of the chain

#Only the jump host may connect to port 22
iptables -A INPUT -p tcp -s 172.16.1.61 --dport 22 -j ACCEPT

#Block ping from everyone except the jump host
iptables -A INPUT -p icmp --icmp-type 8 ! -s 172.16.1.61 -j DROP

#Allow replies to connections this host opens itself (yum, DNS, monitoring); without this, outbound access stops working as soon as the policy becomes DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Do not use "iptables -A INPUT -i eth0 -j ACCEPT" for this purpose: accepting every packet that arrives on the Internet-facing interface makes the rest of the policy meaningless

#Drop everything else by default (set this last, after the allow rules are in place)
iptables -P INPUT DROP


-P        Set the chain's default policy (ACCEPT or DROP)

Pitfall:

With the method above the default-drop policy is set in the last step. Once the jump host is connected, never flush the rules (iptables -F) to "start over": -F removes the rules but leaves the policy untouched, so INPUT stays at DROP with no allow rules, and every connection, including the one you are working from, is cut off.
 Ways out (all need console access to the VM or physical machine):
1.iptables -P INPUT ACCEPT
2.systemctl restart iptables (reloads the saved rules from /etc/sysconfig/iptables)
3.Reboot the machine (risky, and only helps if the saved rules are sane)

#Avoidance methods:
1.While testing, add iptables -P INPUT ACCEPT to a cron job so a mistake undoes itself within a minute (remove the job once the rules are final, or the firewall is never really closed)
* * * * * /usr/sbin/iptables -P INPUT ACCEPT 
2.Test the complete ruleset in another environment first, then copy it over and apply it in one go
3.Before changing anything, save the current rules so they can be restored
	[root@web01 ~]# iptables-save > iptables_m01_20200116
	Restore them if the new rules misbehave
	[root@web01 ~]# iptables-restore < iptables_m01_20200116

3. Typical production configuration

iptables -F
iptables -X
iptables -Z
#Accept replies to connections this host opened; under a DROP policy nothing outbound works without this rule
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -nL
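The pitfall above (flushing leaves the policy at DROP) and the production ruleset just shown (which without a RELATED,ESTABLISHED rule breaks the host's own outbound connections) are both conditions a pre-flight check can catch before iptables-restore loads a file. The following shell function is an added example, not part of the original page: it reads an iptables-save dump and reports the conditions that lock the operator out or break outbound traffic. The three dumps it checks are constructed here to mirror the page's configuration, the same configuration with the conntrack rule, and what iptables -F leaves behind under a DROP policy.

```shell
#!/bin/sh
# Pre-flight lint for an iptables-save dump, to run before
# "iptables-restore < file". Added example, not from the original page.
# Findings are printed one per line; the return value is the number of
# findings, so 0 means "safe to load".
lint_ruleset() {
  lr_file=$1
  lr_count=0
  lr_policy=$(sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p' "$lr_file")
  if [ "$lr_policy" != "DROP" ]; then
    echo "INPUT policy is ${lr_policy:-unset}: nothing is blocked unless a rule says so"
    return 0
  fi
  # Policy DROP: three rules must exist before that policy is safe.
  if ! grep -Eq '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$lr_file"; then
    echo "no RELATED,ESTABLISHED accept: replies to this host's own connections (yum, DNS) will be dropped"
    lr_count=$((lr_count + 1))
  fi
  if ! grep -Eq '^-A INPUT .*-i lo .*-j ACCEPT' "$lr_file"; then
    echo "no loopback accept: local services talking to 127.0.0.1 will break"
    lr_count=$((lr_count + 1))
  fi
  if ! grep -Eq '^-A INPUT .*(--dport 22 |--dports ([0-9]+,)*22(,[0-9]+)* ).*-j ACCEPT' "$lr_file"; then
    echo "no SSH accept: loading this ruleset locks you out of the host"
    lr_count=$((lr_count + 1))
  fi
  return "$lr_count"
}

# write_rules <file> <conntrack: yes|no>: the page's production ruleset as
# iptables-save renders it, optionally with the RELATED,ESTABLISHED rule.
write_rules() {
  {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    if [ "$2" = yes ]; then
      echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    fi
    cat <<'EOF'
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.1.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
  } >"$1"
}

# write_flushed <file>: what "iptables -F" leaves when the policy was DROP.
write_flushed() {
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' >"$1"
}

# Constructed dumps (temporary files), then lint each one.
PAGE_RULES=$(mktemp); FIXED_RULES=$(mktemp); FLUSHED_RULES=$(mktemp)
write_rules "$PAGE_RULES" no
write_rules "$FIXED_RULES" yes
write_flushed "$FLUSHED_RULES"
for f in "$PAGE_RULES" "$FIXED_RULES" "$FLUSHED_RULES"; do
  echo "== $f"
  lint_ruleset "$f"
  echo "-> $? finding(s)"
done
rm -f "$PAGE_RULES" "$FIXED_RULES" "$FLUSHED_RULES"
```

Typical use is as a gate in a deployment script: `lint_ruleset new.rules && iptables-restore < new.rules`. The page's ruleset yields one finding (the missing conntrack rule), the flushed state yields three, and only the corrected ruleset passes.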

Shared Internet access for an internal network

1. Operations on m01 (the gateway: eth0 = 10.0.0.61 on the public side, eth1 = 172.16.1.61 on the internal side)

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
iptables -F
iptables -X
iptables -Z
#Accept replies to connections the gateway itself opened
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#FORWARD is DROP by policy, so routed traffic must be allowed explicitly: internal hosts outwards, and the return traffic back in
iptables -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 172.16.1.0/24 -j ACCEPT
#Rewrite the source of outgoing internal traffic to the gateway's public address
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61

-j            Specify the target
SNAT          Source network address translation
--to-source   The address to rewrite the source to (the gateway's public-facing IP); if that address is dynamic, use -j MASQUERADE instead, which picks up the outgoing interface's current address

2. Operations on the other (internal) hosts

[root@web01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.7
PREFIX=24
GATEWAY=172.16.1.61

[root@web01 ~]# systemctl restart network 
#Take the public-facing interface down so that all Internet traffic leaves via eth1 and the gateway
[root@web01 ~]# ifdown eth0
#The internal hosts still need a resolver they can reach through the gateway
[root@web01 ~]# vim /etc/resolv.conf 
nameserver 223.5.5.5

Port forwarding

#Connections to 10.0.0.61:9000 are rewritten to 172.16.1.7:22 before routing
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 9000 -j DNAT --to-destination 172.16.1.7:22

#The SNAT rule from the shared-Internet setup (only needed once) makes the backend's replies leave through the gateway
[root@m01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61

-d                  Specify the destination IP
DNAT                Destination network address translation
--to-destination    The address[:port] to rewrite the destination to
#The FORWARD chain must also accept the forwarded traffic (see the FORWARD rules above); with policy DROP and no rules the translated packets are discarded

IP forwarding (every port of one public address mapped to one internal host)

#Without -p/--dport every connection to 10.0.0.61 is redirected, including SSH to the gateway itself; reach the gateway over another address, or restrict the rule with -p tcp ! --dport 22
[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -j DNAT --to-destination 172.16.1.7

iptables -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -d 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -o eth1 -d 172.16.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61

#PREROUTING does not see packets generated on the gateway itself; this rule in the nat OUTPUT chain applies the same mapping to the gateway's own connections
iptables -t nat -A OUTPUT -d 10.0.0.61 -j DNAT --to-destination 172.16.1.7

Making firewall rules persistent

#Write the rules to the iptables configuration file, which iptables.service loads at boot (same format as iptables-save output)
[root@m01 ~]# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

#Save the currently active rules to that file (equivalent to iptables-save > /etc/sysconfig/iptables)
[root@m01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Reference: iptables options

(2)COMMANDS:
(a)Chain management:
    -N: new, create a user-defined chain;
    -X: delete a user-defined chain;
            Note: only empty chains that no rule references (reference count 0) can be deleted;
    -P: policy, set the default policy of a built-in chain. Only built-in targets are accepted:
           ACCEPT: accept
           DROP: discard
           (REJECT is an extension target and cannot be a policy; to reject by default, append a final "-j REJECT" rule, as the CentOS default ruleset does)
    -E: rename a user-defined chain; chains with a non-zero reference count can be neither renamed nor deleted;
    
(b)Rule management:
    -A: append a rule at the end of the chain;
    -I: insert a rule at the given position, or at position 1 when the position is omitted;
    -D: delete a rule, given either
        (1) its number in the chain, or
        (2) the rule specification itself;
    -R: replace the rule at the given position in the chain;

    -F: flush, remove all rules from the chain (or from every chain of the table);
    -Z: zero the counters;
        every iptables rule carries two counters:
            (1) the number of packets matched;
            (2) the total size in bytes of the packets matched;
(c)Viewing:
-L: list the rules of the chain (or of every chain of the table);
    -n: numeric, show addresses and ports as numbers instead of resolving names;
    -v: verbose, also show interfaces and the packet/byte counters;
        -vv, -vvv for more detail
    -x: exact, show exact counter values instead of K/M/G suffixes;
    --line-numbers: show the rule numbers;
    

Security framework

1.Hardware
	Lock the rack
	Virtualisation, so hosts are isolated from each other
	
2.Network: restrict access by IP [and port]
	firewalld
	iptables
	bandwidth limits
	allow the listed IPs only, deny everyone else

3.System
	disable direct root login
	key-based SSH authentication only, no passwords
	move SSH off the default port 22

4.Services
	hide version banners
	once a service is stable, apply minor (security) updates promptly

5.Website [http/https]
	SQL injection
	other injection vulnerabilities (command, code)
	DDoS attacks

Firewall providers (WAF / host-security vendors)
 Niu Dunyun
 Safety dog

firewalld firewall

Basic overview of firewalld

CentOS 7 integrates several firewall management tools; firewalld (the dynamic firewall manager) is the one enabled by default. firewalld can be managed from the CLI (firewall-cmd) or from a GUI (firewall-config).

People who learnt Linux earlier are used to iptables, but iptables rules are cumbersome and demand a fair amount of networking knowledge, so the learning curve is steep. firewalld asks less of the user and is considerably simpler than iptables, so for people starting out on CentOS 7 it is reasonable to learn firewalld directly.
Note that when the firewall is enabled and no allow rules are configured, access to the host from the outside is blocked by default, while traffic from the host towards the outside is allowed by default.

firewalld can only restrict by IP address and port; HTTP/HTTPS-level restrictions (URLs, methods) are outside its scope and need the web server or a WAF.

firewalld uses zones for management

Compared with the traditional iptables setup, firewalld supports dynamic rule updates and introduces the concept of a zone.

In short, a zone is one of several prepared sets of firewall policies (policy templates). The user picks the template that fits the scenario, so switching between firewall policies is quick.
Note the relationship between zones and interfaces in firewalld:

A network interface can be bound to only one zone: eth0 --> one zone
 Several interfaces can be bound to the same zone: one zone --> eth0 eth1 eth2
 Rules can also be selected by source address. For example, everyone may reach port 80, but only the company's IP may reach port 22.

Zones

Zone		Default rule policy
trusted		Allow all packets in and out
home		Reject incoming traffic unless it belongs to an outgoing connection; allow the ssh, mdns, IPP client, Samba client and DHCPv6 client services
internal	Same as the home zone
work		Reject incoming traffic unless it belongs to an outgoing connection; allow the ssh, IPP client and DHCPv6 client services
public		Reject incoming traffic unless it belongs to an outgoing connection; allow the ssh and DHCPv6 client services
external	Reject incoming traffic unless it belongs to an outgoing connection; allow ssh (masquerading is enabled for outgoing traffic)
dmz		Reject incoming traffic unless it belongs to an outgoing connection; allow ssh
block		Reject incoming traffic unless it belongs to an outgoing connection; the sender gets an icmp-host-prohibited reply
drop		Drop incoming traffic unless it belongs to an outgoing connection; no reply is sent
#The three zones worth remembering; the others rarely matter
trusted		whitelist (everything allowed)
public		the default zone
drop		blacklist (everything dropped silently)

firewall-cmd basic options

firewall-offline-cmd [edits the firewalld configuration files while the service is not running; the changes are picked up when firewalld starts. Upstream does not recommend it for a running system]

firewall-cmd option groups

option						effect
zone related options
--get-default-zone				print the name of the default zone
--set-default-zone=<zone>			set the default zone (permanent)
--get-active-zones				list the zones currently in use and the interfaces/sources bound to them
--get-zones					list all available zones
--new-zone=mcy --permanent			create a zone
--delete-zone=mcy --permanent			delete a zone
service related options
--get-services					list all services firewalld knows about
--add-service=<service>				allow the service in the zone
--remove-service=<service>			stop allowing the service in the zone
--list-services					list the services allowed in the zone
port related options
--add-port=<port>/<protocol>			allow the port in the zone
--remove-port=<port>/<protocol>			stop allowing the port in the zone
--list-ports					list the ports allowed in the zone
interface (network card) related options
--get-zone-of-interface=<interface>		show which zone the interface belongs to
--add-interface=<interface>			bind the interface to a zone (all its traffic is handled by that zone)
--remove-interface=<interface>			unbind the interface from its zone
--change-interface=<interface>			move the interface to another zone
source address related options
--add-source=<address[/mask]>			bind a source address or network to a zone
--remove-source=<address[/mask]>		remove a source binding
other options
--list-all					show the interfaces, sources, services, ports, forward-ports and rich rules of a zone
--reload					load the permanent configuration, replacing the current runtime configuration
--panic-on					drop all network traffic (including your own session)
--panic-off					leave panic mode
#All of the above act on the default zone unless --zone=<zone> is given
#A zone cannot be created at runtime only; --permanent is required
[root@web01 ~]# firewall-cmd --new-zone=mc
usage: see firewall-cmd man page			#Usage: see the firewall-cmd man page
Option can be used only with --permanent.	#This option can only be used together with --permanent
[root@web01 ~]# firewall-cmd --new-zone=mcy  --permanent
success
#The new zone [mcy] appears only after firewalld reloads its configuration
[root@web01 ~]# firewall-cmd --reload 
success
[root@web01 ~]# firewall-cmd --get-zones
block dmz drop external home internal mcy public trusted work

firewalld zone configuration

1.To manage the firewall with firewalld and its tools, the firewalld service must be running and the old firewall service (iptables) stopped. Note that firewalld keeps rules in two states:

runtime configuration: changes take effect immediately but are lost when the service restarts; recommended for testing.
permanent configuration: changes take effect only after the service is reloaded; recommended for production.

1. Masking and unmasking the iptables service

#Mask the iptables service so it cannot be started [prevents firewalld and iptables from both managing the rules]
[root@web01 ~]# systemctl mask iptables.service 
Created symlink from /etc/systemd/system/iptables.service to /dev/null.
#Unmask it again (undo)
[root@web01 ~]# systemctl unmask iptables.service 
Removed symlink /etc/systemd/system/iptables.service.

2. Start firewalld and enable it at boot

[root@web01 ~]# systemctl start firewalld
[root@web01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

3. After firewalld is started, which zone is in use and what are that zone's rules?

#View the default zone
[root@web01 ~]# firewall-cmd --get-default-zone 
public
#View all available zones
[root@web01 ~]# firewall-cmd --get-zones 
block dmz drop external home internal public trusted work
#View the configuration of a given zone (public)
[root@web01 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

#View the configuration of the default zone (public)
[root@m01 ~]# firewall-cmd --list-all
public (active)					#Zone name; (active) means an interface or source is bound to it
  target: default           	#What happens to traffic matching nothing below: default = reject with an ICMP error
  icmp-block-inversion: no  	#When yes, the icmp-blocks list is inverted (block every ICMP type except the listed ones)
  interfaces: eth0 eth1     	#Interfaces bound to this zone
  sources:                  	#Source addresses bound to this zone (their traffic is handled by this zone regardless of interface)
  services: ssh dhcpv6-client   #Allowed services
  ports:                    	#Allowed ports
  protocols:                	#Allowed IP protocols
  masquerade: no            	#IP masquerading (SNAT for forwarded traffic)
  forward-ports:            	#Port forwarding (DNAT) entries
  source-ports:             	#Allowed source ports
  icmp-blocks:              	#Blocked ICMP types
  rich rules:               	#Rich rules

4. Use firewalld to make the default public zone reject all traffic, but allow sources in the 10.0.0.0/24 network

#Make the default zone deny everything (runtime only: a reload restores the permanent services). Do this from a host that will be in the trusted zone, or the session is cut off
[root@web01 ~]# firewall-cmd --remove-service={ssh,dhcpv6-client}

#Bind the allowed source to the whitelist zone trusted [traffic from a source bound to trusted is accepted in full, whatever the public zone says]; this binds the single host 10.0.0.8, bind the whole network with --add-source=10.0.0.0/24
[root@web01 ~]# firewall-cmd --add-source=10.0.0.8 --zone=trusted

#View the zones in use
[root@web01 ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0
trusted
  sources: 10.0.0.8

5. Query whether the public zone allows SSH and HTTPS traffic

#View the configuration of a single
[root@m01 ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@m01 ~]# firewall-cmd --zone=public --query-service=https
no

6. Discard the runtime changes (a reload restores the permanent configuration)

[root@m01 ~]# firewall-cmd --reload
success

firewalld allow (open) policies

Note: with --permanent a change is written to the permanent configuration (and needs --reload to apply); without it the change is runtime only

1.Allow a service

#Allow the service
[root@web01 ~]# firewall-cmd --add-service=http

#Remove the allow again
[root@web01 ~]# firewall-cmd --remove-service=http
success

2.Allow a port

#Allow the port
[root@web01 conf.d]# firewall-cmd --add-port=80/tcp
success
[root@web01 conf.d]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
#Remove the port again
[root@web01 conf.d]# firewall-cmd --remove-port=80/tcp
success

3.Allow a custom service

#1. Create the service definition by copying an existing one. Local definitions belong in /etc/firewalld/services/ (the /usr/lib/firewalld tree is owned by the package and overwritten on updates); the file name becomes the service name
[root@m01 ~]# cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/tomcat.xml
Edit the copy [at least the service name and the port]
#Service name
<short>......</short>
#Description
<description>......</description>
#Protocol and port
<port protocol="..." port="..."/>
#Kernel helper module [present only for services that need a conntrack helper, e.g. ftp; most have none]
<module name="..."/>

#2. Reload firewalld so it reads the new definition
[root@m01 ~]# firewall-cmd --reload
success

#3. Allow the custom service by name
[root@m01 ~]#  firewall-cmd --add-service=tomcat
success

Suggestion: for a single port, opening the port directly has the same effect as a custom service; a service definition pays off when several ports or many hosts share the same definition.

firewalld port forwarding

Port forwarding is the classic destination address mapping (DNAT): it lets the outside reach a resource on the internal network
 The syntax is:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<incoming port>:proto=<tcp|udp>:toport=<destination port>:toaddr=<destination IP>

Requirement: forward the local 10.0.0.7:5555 to the backend 172.16.1.9:22

1.firewalld port forwarding (port mapping) works for TCP and UDP ports

#1. Add the forward port
[root@m01 ~]# firewall-cmd --add-forward-port=port=5555:proto=tcp:toport=22:toaddr=172.16.1.7
success

#2. Enable masquerading; forwarding to another address needs it so that the backend's replies return via this host
[root@m01 ~]# firewall-cmd --add-masquerade 
success

#3. View area configuration
[root@m01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1 eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=5555:proto=tcp:toport=22:toaddr=172.16.1.7
  source-ports: 
  icmp-blocks: 
  rich rules: 

#4. Test the forwarding from the client (the terminal's ssh command takes host and port)
[c:\~]$ ssh 10.0.0.7 5555
Connecting to 10.0.0.7:5555...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Last login: Fri Jan  3 17:20:16 2020 from 10.0.0.1
[root@web03 ~]#

firewalld rich rules

Rich rules are firewalld's way of writing more detailed policy: one rule can combine service, port, source address, destination address and more. Within a zone, rich rules that reject or drop are evaluated before any allow rules (services, ports and rich accept rules), which is what lets a rich drop override a service that is otherwise allowed. The rich rule syntax is documented in:
[root@m01 ~]# man firewall-cmd
[root@m01 ~]# man firewalld.richlanguage
    rule
         [source]
         [destination]
         service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
         [log]
         [audit]
         [accept|reject|drop|mark]

rule [family="ipv4|ipv6"]
source address="address[/mask]" [invert="True"]
service name="service name"
port port="port value" protocol="tcp|udp"
protocol value="protocol value"
forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
accept | reject [type="reject type"] | drop

#Rich rule related options
--add-rich-rule='<RULE>'        #Add a rich rule to the zone
--remove-rich-rule='<RULE>'     #Remove a rich rule from the zone
--query-rich-rule='<RULE>'      #Exit status 0 if the rule exists, 1 if not
--list-rich-rules               #List all rich rules of the zone

Examples:

1. Allow host 10.0.0.1 to reach the http service, and allow 172.16.1.0/24 to reach port 8080

#Allow host 10.0.0.1 to reach the http service
[root@web01 services]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=10.0.0.1 service name=http accept"

#Allow 172.16.1.0/24 to reach port 8080
[root@web01 services]# firewall-cmd --add-rich-rule="rule family=ipv4 source address=172.16.1.0/24 port port=8080 protocol=tcp accept"

2. The public zone allows ssh for everyone by default; refuse ssh from the 172.16.1.0/24 network only

[root@m01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 service name=ssh drop'

3. Allow everyone to reach HTTP and HTTPS, but allow only host 10.0.0.1 to reach ssh

#Order matters: add the ssh accept for the admin host first and remove the general ssh service afterwards, otherwise every session is cut off. A --permanent change applies only after --reload, so make the change at runtime and then persist it with firewall-cmd --runtime-to-permanent
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
[root@m01 ~]# firewall-cmd --remove-service=ssh
[root@m01 ~]# firewall-cmd --add-service={http,https}

4. When the request comes from source 10.0.0.1, forward port 5555 to port 22 of 172.16.1.7

[root@m01 ~]# firewall-cmd --add-masquerade
[root@m01 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.7"'

5. View the rules that were set. Without --permanent they are lost when firewalld restarts. The listing shows the rules in the order they were added; deny rules still take precedence over accept rules when both match

[root@m01 ~]# firewall-cmd --list-rich-rules 
rule family="ipv4" source address="10.0.0.1" service name="http" accept
rule family="ipv4" source address="172.16.1.0/24" service name="ssh" drop
rule family="ipv4" source address="10.0.0.1" service name="ssh" accept
rule family="ipv4" source address="10.0.0.1" forward-port port="5555" protocol="tcp" to-port="22" to-addr="172.16.1.9"

Usage guideline: the zone's services and ports handle the coarse allow/deny for everybody; rich rules are for the cases where a specific IP needs a specific port or service.

Backing up firewalld rules

#Everything added with --permanent for the public zone is written to /etc/firewalld/zones/public.xml (custom services go to /etc/firewalld/services/)

#Backing up the /etc/firewalld/ directory therefore saves the whole permanent configuration
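Example 3 above (ssh only from an admin host) and the fact that the permanent public-zone configuration lives in /etc/firewalld/zones/public.xml suggest a small audit-and-fix helper. The following shell script is an added example, not from the original page or from firewalld itself: it parses a zone file to list the services open to every source, reports whether ssh is among them, and generates the firewall-cmd commands that restrict ssh to given admin networks via rich rules. The zone file is constructed here in the format firewalld writes; the CIDR check is the script's own, and the generated commands are printed rather than executed so they can be reviewed first (pipe the output to sh to apply them).

```shell
#!/bin/sh
# Audit a firewalld zone file and generate the commands that restrict ssh
# to admin sources. Added example, not firewalld's own tooling.

# zone_services <zone.xml>: print the services allowed for every source,
# i.e. <service> elements at zone level, skipping those inside <rule>
# blocks (rich rules), which apply only to their own source.
zone_services() {
  awk '/<rule[ >]/ { in_rule = 1 }
       /<\/rule>/  { in_rule = 0 }
       !in_rule && /<service name=/ {
         sub(/.*<service name="/, ""); sub(/".*/, ""); print
       }' "$1"
}

# ssh_open_to_all <zone.xml>: true when the ssh service is open zone-wide.
ssh_open_to_all() {
  zone_services "$1" | grep -qx ssh
}

# valid_cidr <a.b.c.d[/n]>: accept only a well-formed IPv4 host or network.
valid_cidr() {
  case $1 in
    */*) vc_ip=${1%/*}; vc_len=${1#*/} ;;
    *)   vc_ip=$1;      vc_len=32 ;;
  esac
  case $vc_len in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_len" -le 32 ] || return 1
  vc_oldifs=$IFS; IFS=.; set -f; set -- $vc_ip; set +f; IFS=$vc_oldifs
  [ $# -eq 4 ] || return 1
  for vc_octet in "$@"; do
    case $vc_octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_octet" -le 255 ] || return 1
  done
  return 0
}

# harden_ssh_cmds <zone> <admin cidr>...: print the firewall-cmd sequence
# that allows ssh only from the given sources. Refuses to run without at
# least one valid source, because removing the ssh service with no accept
# rule in place locks everyone out.
harden_ssh_cmds() {
  hz_zone=$1; shift
  [ $# -gt 0 ] || { echo "refusing: no admin source given" >&2; return 1; }
  for hz_src in "$@"; do
    valid_cidr "$hz_src" || { echo "refusing: bad CIDR $hz_src" >&2; return 1; }
  done
  hz_q="'"
  # Accept rules first, then drop the zone-wide service, then persist.
  for hz_src in "$@"; do
    printf 'firewall-cmd --zone=%s --add-rich-rule=%srule family="ipv4" source address="%s" service name="ssh" accept%s\n' \
      "$hz_zone" "$hz_q" "$hz_src" "$hz_q"
  done
  printf 'firewall-cmd --zone=%s --remove-service=ssh\n' "$hz_zone"
  printf 'firewall-cmd --runtime-to-permanent\n'
}

# write_sample_zone <file>: constructed zone file in the format firewalld
# writes to /etc/firewalld/zones/public.xml: ssh and http open to all,
# plus one rich rule whose <service> must not count as zone-wide.
write_sample_zone() {
  cat >"$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="10.0.0.1"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
EOF
}

ZONE_XML=$(mktemp)
write_sample_zone "$ZONE_XML"
echo "zone-wide services: $(zone_services "$ZONE_XML" | tr '\n' ' ')"
if ssh_open_to_all "$ZONE_XML"; then
  echo "ssh is open to every source; commands to restrict it:"
  harden_ssh_cmds public 10.0.0.1/32 172.16.1.61
fi
rm -f "$ZONE_XML"
```

Generating the commands rather than running them keeps the ordering visible: the rich accept rules come before the service removal, which is the order that avoids the lockout described for example 3.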

Shared Internet access with firewalld

On the host that owns the public IP, enable NAT (masquerading) in firewalld so that the internal hosts can reach the Internet through it.

1. Enable IP masquerading on the gateway [the host whose internal address the clients use as their gateway]

[root@m01 ~]# firewall-cmd --add-masquerade --permanent
[root@m01 ~]# firewall-cmd --reload

2. Turn on kernel IP forwarding (firewalld enables it itself while masquerading is active; setting it in sysctl.conf makes it explicit and keeps it on if firewalld is stopped)

#Configure kernel forwarding
[root@m01 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

#Apply the setting (reads /etc/sysctl.conf)
[root@m01 ~]# sysctl -p

#Check that kernel forwarding is enabled
[root@m01 ~]# sysctl -a|grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

3. Internal address configuration on the clients

[root@web03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
GATEWAY=172.16.1.61

[root@web03 ~]# cat /etc/resolv.conf
nameserver 223.5.5.5

4. Restart the interface

[root@web01 ~]# ifdown eth1 && ifup eth1

5. Test that the backend web host can reach the Internet

[root@web03 ~]# ping baidu.com
PING baidu.com (123.125.115.110) 56(84) bytes of data.
64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=1 ttl=127 time=9.08 ms

Posted by mikeblaszczec on Fri, 03 Dec 2021 19:23:35 -0800