FirewallD Concise Guide on CentOS

Keywords: firewall sudo iptables network

Original address: https://linux.cn/article-8098-1-rel.html

FirewallD is the front-end controller for iptables, used to implement persistent network traffic rules. It provides both a command line and a graphical interface and is available in the repositories of most Linux distributions. There are two main differences between using FirewallD and controlling iptables directly:

  1. FirewallD uses zones and services instead of chains and rules.
  2. It manages rule sets dynamically, allowing rules to be updated without breaking existing sessions and connections.

FirewallD is a wrapper around iptables that makes iptables rules easier to manage; it is not a replacement for iptables. Although the iptables command is still available with FirewallD, it is recommended to use only firewall-cmd commands while FirewallD is in use.

This guide will introduce you to FirewallD's concepts of zones and services, as well as some basic configuration steps.

Installation and management of FirewallD

CentOS 7 and Fedora 20+ already include FirewallD, but it is not enabled by default. It can be controlled like any other systemd unit.

1. Start the service and enable it at boot:

    sudo systemctl start firewalld
    sudo systemctl enable firewalld

To stop and disable it:

    sudo systemctl stop firewalld
    sudo systemctl disable firewalld

2. Check the firewall status. The output should be either running or not running.

    sudo firewall-cmd --state

3. To see the status of the FirewallD daemon:

    sudo systemctl status firewalld

Example output:

    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
       Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago
     Main PID: 11954 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

4. Reload the FirewallD configuration:

    sudo firewall-cmd --reload

Configure FirewallD

FirewallD is configured with XML files. Unless your configuration is very specialised, you do not need to edit them; use firewall-cmd instead.

The configuration files are located in two directories:

  • /usr/lib/firewalld holds the default configurations, such as the default zones and the common services. Avoid modifying these files, because they are overwritten every time the firewalld package is updated.
  • /etc/firewalld holds the system configuration files. These files override the defaults.

Configuration sets

FirewallD uses two configuration sets: runtime and persistent (permanent). Runtime configuration changes are not retained when the system reboots or FirewallD is restarted, and changes to the persistent configuration set are not applied to the running system.

By default, firewall-cmd commands apply to the runtime configuration; with the --permanent flag they are saved to the persistent configuration instead. To add and activate a persistent rule, you can use one of two approaches.

1. Add the rule to both the persistent and the runtime rule sets:

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --add-service=http

2. Add the rule to the persistent rule set and reload FirewallD:

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --reload

The reload command discards the entire runtime configuration and applies the permanent configuration. Because FirewallD manages rule sets dynamically, this does not break existing connections and sessions.

Firewall zones

A zone is a set of pre-built rules for the various trust levels a given location or scenario (home, public, trusted, etc.) may have. Different zones allow different kinds of network services and inbound traffic while rejecting everything else. When FirewallD is first enabled, public is the default zone.

Zones can also be applied to different network interfaces. For example, to separate an internal network from the Internet-facing interface, you can allow DHCP in the internal zone but only HTTP and SSH in the external zone. Any interface that is not explicitly assigned to a zone is added to the default zone.

To find the default zone:

    sudo firewall-cmd --get-default-zone

To change the default zone:

    sudo firewall-cmd --set-default-zone=internal

To view the zones of your network interfaces:

    sudo firewall-cmd --get-active-zones

Example output:

    public
      interfaces: eth0

To get the full configuration of a particular zone:

    sudo firewall-cmd --zone=public --list-all

Example output:

    public (default, active)
      interfaces: ens160
      sources:
      services: dhcpv6-client http ssh
      ports: 12345/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

To get the configuration of all zones:

    sudo firewall-cmd --list-all-zones

Example output:

    block
      interfaces:
      sources:
      services:
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    ...
    work
      interfaces:
      sources:
      services: dhcpv6-client ipp-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

Working with services

FirewallD allows traffic based on predefined rules for specific network services. You can create your own custom service rules and add them to any zone. The configuration files for the default supported services are in /usr/lib/firewalld/services, and user-created service files go in /etc/firewalld/services.

To view the services available by default:

    sudo firewall-cmd --get-services

For example, to enable or disable the HTTP service:

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --remove-service=http --permanent

Allow or reject arbitrary ports/protocols

For example, to allow or disallow TCP traffic on port 12345:

    sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
    sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent

Port forwarding

The following forwards traffic arriving on port 80 to port 12345 on the same server:

    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

To forward a port to another server:

1. Activate masquerading in the required zone:

    sudo firewall-cmd --zone=public --add-masquerade

2. Add the forwarding rule. In this example, local traffic on port 80 is forwarded to port 8080 on a remote server with the example IP address 123.456.78.9:

    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9

To delete a rule, replace --add with --remove. For example:

    sudo firewall-cmd --zone=public --remove-masquerade

Constructing Rule Sets with FirewallD

As an example, here is how to use FirewallD to configure the basic rules for a server that runs a web server.

1. Set the default zone for eth0 to dmz. Of the default zones provided, dmz (demilitarized zone) is best suited to this scenario because it only allows SSH and ICMP.

    sudo firewall-cmd --set-default-zone=dmz
    sudo firewall-cmd --zone=dmz --add-interface=eth0

2. Add HTTP and HTTPS to the dmz zone as permanent service rules:

    sudo firewall-cmd --zone=dmz --add-service=http --permanent
    sudo firewall-cmd --zone=dmz --add-service=https --permanent

3. Reload FirewallD so the rules take effect immediately:

    sudo firewall-cmd --reload

If you now run firewall-cmd --zone=dmz --list-all, you will get the following output:

    dmz (default)
      interfaces: eth0
      sources:
      services: http https ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

This tells us that the dmz zone is our default zone and is applied to the eth0 interface, for all source addresses and ports. It allows incoming HTTP (port 80), HTTPS (port 443) and SSH (port 22) traffic, and since there is no IP version restriction this applies to both IPv4 and IPv6. IP masquerading and port forwarding are not enabled. There are no ICMP blocks, so ICMP traffic is fully allowed. There are no rich rules, and all outbound traffic is allowed.
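The gap between steps 2 and 3 above (http and https already in the permanent set but not yet in the runtime set) is the kind of runtime/permanent drift that a reload silently resolves, as described under Configuration sets. The following script is an added example and not part of the original guide: it parses the --list-all layout shown above from two constructed samples and reports services or ports present in only one of the two sets. On a real host you would feed it the output of firewall-cmd --zone=dmz --list-all with and without --permanent.

```shell
#!/bin/sh
# Constructed samples of `firewall-cmd --zone=dmz --list-all` (runtime) and of the
# same command with --permanent, as the zone looks after step 2 above and before
# the reload in step 3; not captured from a real host.
RUNTIME='dmz (default, active)
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
PERMANENT='dmz (default)
  interfaces: eth0
  sources:
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
# Extract one field ("services", "ports", ...) from --list-all output.
zone_field() {  # $1 = output text, $2 = field name
    printf '%s\n' "$1" | awk -v f="$2" 'BEGIN { key = f ":" }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 { sub("^" key "[ \t]*", "", line); print line; exit }'
}
# Print the items of field $3 that are in output $1 but absent from output $2.
missing_items() {  # $1 = reference output, $2 = compared output, $3 = field name
    for item in $(zone_field "$1" "$3"); do
        case " $(zone_field "$2" "$3") " in *" $item "*) ;; *) echo "$item" ;; esac
    done
}
# Report service/port drift between the two sets; returns 1 if any is found.
check_drift() {  # $1 = runtime output, $2 = permanent output
    rc=0
    for field in services ports; do
        for i in $(missing_items "$1" "$2" "$field"); do
            echo "runtime-only $field entry (lost on reload): $i"; rc=1
        done
        for i in $(missing_items "$2" "$1" "$field"); do
            echo "permanent-only $field entry (not active until reload): $i"; rc=1
        done
    done
    return $rc
}
check_drift "$RUNTIME" "$PERMANENT" && echo "runtime and permanent sets match"
```

The same comparison works against a saved copy of a known-good --list-all output, which turns check_drift into a baseline check for unexpected services or ports in a zone.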

Advanced Configuration

Services and ports are fine for basic configurations, but they may be too restrictive for advanced scenarios. Rich rules and the direct interface allow you to add fully customized firewall rules to any zone for any port, protocol, address and action.

Rich rules

The rich rule syntax is extensive, but it is fully documented in the firewalld.richlanguage(5) manual page (run man firewalld.richlanguage in a terminal). Rich rules are managed with the --add-rich-rule, --list-rich-rules and --remove-rich-rule options of the firewall-cmd command.

Here are some common examples:

Allow all IPv4 traffic from host 192.168.0.14:

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'

Reject TCP traffic from host 192.168.1.10 to port 22:

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'

Allow IPv4 TCP traffic from host 10.1.0.3 to port 80 and forward it to port 6532:

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'

Forward IPv4 traffic arriving on port 80 to port 8080 on host 172.31.4.2 (masquerading must be active in the zone):

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'

List your current rich rules:

    sudo firewall-cmd --list-rich-rules

Direct interface to iptables

For the most advanced use, or for iptables experts, FirewallD provides a direct interface that lets you pass raw iptables commands to it. Direct interface rules are not permanent unless --permanent is used.

To view all custom chains or rules added to FirewallD:

    firewall-cmd --direct --get-all-chains
    firewall-cmd --direct --get-all-rules

Discussing the specific syntax of iptables is beyond the scope of this article. If you want to learn more, you can check out our iptables guide.

More information

You can refer to the following resources for more information on this topic. Although we hope that what we provide is effective, please note that we cannot guarantee the accuracy or timeliness of external materials.

Posted by stonecold on Mon, 17 Jun 2019 15:54:45 -0700