IP camouflage and port forwarding
Firewall supports two types of network address translation
-
IP address masquerade
- It can share multiple addresses in LAN and access to the Internet with a single public address
- IP address camouflage only supports IPv4, not IPv6
- Address masquerading is enabled in the default external area
- Forward port
- Also known as destination address translation or port mapping
- Through port forwarding, the specified IP address and port traffic will be forwarded to different ports on the same computer, or to ports on different computers
Address camouflage configuration
- Add address camouflage function to specified area
firewall-cmd [--permanent] [--zone= zone] --add-masquerade [--timeout seconds] //--timeout=seconds: automatically delete the function after a period of time
- Remove address masquerading for the specified area
firewall-cmd [--permanent] [--zone= zone] --remove-masquerade
- Query whether the address camouflage function is enabled in the specified area
firewall-cmd [--permanent] [--zone=zone] --query-masquerade
Port forwarding configuration
- List port forwarding configuration
firewall-cmd [--permanent] [--zone=zone] --list-forward-ports
- Add port forwarding rule
firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport-portid[-portid]][:toaddr-address[/mask]][--timeout=seconds]
- Delete port forwarding rule
firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
- Query port forwarding rules
firewall-cmd [--permanent] [--zone=zone] --query-forward-port-port-portid[-portid]:proto=protocol[:toport-portid[-portid]][:toaddr=address[/mask]]
Firewall direct rules
Direct interface
- Allow administrator manually written iptables, ip6tables, and ebtables rules to be inserted into the firewall managed zone
- Through the -- direct option in the firewall CMD command
- In addition to showing how to insert, match direct rules first
Custom rule chain
- Firewalld automatically creates a custom rule chain for areas configured with rules
- IN zone name deny: store the deny statement, which takes precedence over the rule of "IN zone domain name" allow "
- IN area name allow: store allow statement
Allow inbound traffic for TCP/9000 port
irewall-cmd --direct --add-rule ipv4 filter IN work_ allow 0 -p tcp --dport 9000 j ACCEPT
- In work "allow: match the rule chain of work area
- 0: stands for the rule with the highest priority, placed at the top of the rule
- You can add -- permanent option to indicate permanent configuration
Query all direct rules
firewall-cmd --direct --get-all-rules ipv4 filter IN_ work _allow 0 -p tcp --dport 9000 -j ACCEPT
- You can add -- permanent option to view permanent configuration
Firewall rich language rules
Rich language
- Expressive configuration language, no need to understand iptables syntax
- Used to express basic allow / deny rules, configuration records (for syslog and audited), port forwarding, spoofing, and rate limiting
rule [family="<rule family>"] [ source address="<address>" [invert "True"] ] [ destination address="<address>" [invert="True"] ] [ <element> ] [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ] [ audit ] [ acceptlrejectldrop ]
Understanding rich language rule commands
- Common options for dealing with rich language rules in firewall CMD
| option | Explain |
|---|---|
| -add-rich-rule= 'RULE' | Add RULE to the specified area. If no area is specified, it is the default area. |
| --remove-rich-rule= 'RULE' | Remove RULE from the specified area. If no area is specified, it is the default area. |
| --query-rich-rule= 'RULE' | Query whether RULE has been added to the specified area. If no area is specified, it is the default area. < br / > if the RULE exists, return 0, otherwise return 1 |
| --list-rich-rules | Outputs all rich rules for the specified region, or the default region if no region is specified |
Rich language rule display is configured
- firewall-cmd --list-all
- firewall-cmd --list-all-zones
- --list-rich-rules
Rich language rules specific grammar
- source,destination, element, service, port, protocol,icmp-block,masquerade, forward-port, log, audit,acceptlreject|drop
Reject all traffic from 192.168.8.101
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'
- When the a ddress option uses source or destination, you must use family= ipv4 | ipv6
Accept TCP traffic of 192.168.1.0/24 subnet port range 8000-9000
firewall-cmd --permanent --one=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'
Discard all icmp packets
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
Accept http traffic from 192.168.8.1 and log
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix= "NEW HTTP"limit value "3/s" accept'
- Visit http at 192.168.8.1 and observe / var/log/messages
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0xOO PREC=0x00 TTL =64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x0O PREC=0x0O TTL =64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x0O PREC=0x0O TTL =64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0