Configuration and use of Linux Firewall


This post introduces three firewalls commonly used on Linux systems. Run 'whereis <name>' (for example 'whereis ufw') to check whether a given one is installed.


1. UFW, the firewall that ships with Ubuntu

$ sudo apt install ufw

#Enable / disable the firewall (it is disabled by default)
$ sudo ufw enable|disable
#Set the default policy (e.g. "mostly open" vs. "mostly closed")
$ sudo ufw default allow|deny

1. UFW command examples

#Show the UFW status and all firewall rules
ufw status

#Start UFW firewall
ufw enable

#Turn off firewall
ufw disable

#Set the default policy: deny incoming connections, allow outgoing connections
ufw default deny

#Allow other hosts to reach local port 53 over both TCP and UDP
ufw allow 53

#Allow other hosts to use TCP protocol to access port 25 of the host
ufw allow 25/tcp

#UFW also looks up service names in /etc/services to find the matching port and protocol
ufw allow smtp

#UFW filters inbound and outbound traffic: use "in" or "out" to specify the direction. If omitted, "in" is assumed.
#Allow access to the local HTTP port
ufw allow in http

#Block outbound SMTP; "reject" sends the sender a rejection response, so it learns the firewall blocked it
ufw reject out smtp

#Block outbound access to the given destination; "deny" drops the packet silently, without telling the sender
ufw deny out to

#To delete a rule, put "delete" in front of the rule as it was added
ufw delete allow 80/tcp

#Logs go to /var/log/ufw.log. LEVEL selects how much is logged; the default level is 'low'
ufw logging on|off|LEVEL

#Allow outbound traffic leaving through interface eth1 to the given destination
ufw allow out on eth1 to

#Deny TCP traffic from the given source address to local port 25
ufw deny proto tcp from to port 25

#Allow forwarded (routed) traffic that enters on eth1 and leaves on eth2
ufw route allow in on eth1 out on eth2


Allow access to SSH

sudo ufw allow 22/tcp

Allow access to HTTP

sudo ufw allow 80/tcp

Allow access to HTTPS

sudo ufw allow 443/tcp
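The rules above are listed one at a time; on a remote host the order matters, because enabling the firewall with a default-deny inbound policy before an SSH rule exists cuts off the session that issued it. The script below is an added example, not part of the original post: it applies a baseline in a safe order (SSH rule first, enable last), uses "ufw limit" so repeated SSH connection attempts are rate-limited, and validates port specifications before handing them to ufw. It assumes ufw is installed and that it runs as root; DRY_RUN, ufw_cmd, valid_port_spec and apply_baseline are names chosen for this example, and with DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the original post). Applies a UFW baseline in an
# order that does not lock an administrator out of a remote host.
# Assumptions: ufw is installed and this runs as root. With DRY_RUN=1 the
# ufw commands are printed instead of executed, so the logic can be checked
# on a machine without ufw.

# Run ufw, or print the command when DRY_RUN=1.
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        ufw "$@"
    fi
}

# Accept only numeric port specs of the form PORT, PORT/tcp or PORT/udp.
# Service names such as "smtp" are deliberately not accepted here, so a
# typo cannot silently open an unintended port.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) _p=${1%/*} ;;
        *) _p=$1 ;;
    esac
    case "$_p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_p" -ge 1 ] && [ "$_p" -le 65535 ]
}

# apply_baseline [PORT_SPEC ...]
# 1. validate every requested port before touching the firewall
# 2. default deny inbound / allow outbound
# 3. rate-limited SSH, so the current session survives "enable"
# 4. each extra port, then logging, then enable as the very last step
apply_baseline() {
    for spec in "$@"; do
        if ! valid_port_spec "$spec"; then
            printf 'invalid port spec: %s\n' "$spec" >&2
            return 1
        fi
    done
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd limit 22/tcp
    for spec in "$@"; do
        ufw_cmd allow "$spec"
    done
    ufw_cmd logging low
    ufw_cmd --force enable   # --force answers ufw's "may disrupt ssh" prompt
}

# Usage: DRY_RUN=1 sh ufw-baseline.sh --apply 80/tcp 443/tcp
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_baseline "$@"
fi
```

Running it with DRY_RUN=1 first and reading the printed command list is the cheap way to review a baseline before it is applied to a host you can only reach over SSH.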

2. Using the firewalld firewall

Brief introduction and installation of the firewalld service

The default firewall on CentOS 7 is firewalld, which replaces the earlier iptables service.

The firewalld service introduces the concept of trust levels (zones) to manage connections and the interfaces associated with them. It supports IPv4, IPv6 and network bridges, and uses firewall-cmd (command line) or firewall-config (GUI) to dynamically manage temporary or permanent rules in the kernel's Netfilter; changes take effect immediately without restarting the service.

#Install firewalld
yum install firewalld

#View firewall version
firewall-cmd --version

Basic use of the firewalld service

Objective                                      Command
View firewall status                           systemctl status firewalld
Stop the firewall service                      systemctl stop firewalld
Start the firewall service                     systemctl start firewalld
Restart the firewall service                   systemctl restart firewalld
Check whether the service starts at boot       systemctl is-enabled firewalld
Enable the service at boot                     systemctl enable firewalld.service
Disable the service at boot                    systemctl disable firewalld.service

Using the firewall-cmd command

1. Check the firewall state

#Check whether firewalld is running
firewall-cmd --state

#View all open ports
firewall-cmd --zone=public --list-ports

#Open the given port (--permanent makes the rule persist; without it the rule is runtime-only and is lost after a reload or restart)
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

#Close the given port
firewall-cmd --zone=public --remove-port=9898/tcp --permanent
firewall-cmd --reload

Ports can also be changed by editing the zone file public.xml

vim /usr/lib/firewalld/zones/public.xml
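The zone file holds the same openings that "firewall-cmd --list-ports" and "--list-services" report, so reading it is a quick way to audit what a zone exposes (note that the files under /usr/lib/firewalld/zones are the package defaults; firewalld writes permanent changes to /etc/firewalld/zones, and a file there takes precedence over the default of the same name). The script below is an added example, not part of the original post: SAMPLE_ZONE is a constructed zone file in the layout of public.xml, and zone_openings and zone_has_port are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): list what a firewalld zone
# file opens. SAMPLE_ZONE is constructed for this example and follows the
# layout of /usr/lib/firewalld/zones/public.xml.

SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="9898"/>
</zone>'

# Read a zone file on stdin; print one line per opening, in file order:
#   "service NAME"  or  "port PORT/PROTOCOL"
zone_openings() {
    sed -n \
        -e 's/^[[:space:]]*<service name="\([^"]*\)".*/service \1/p' \
        -e 's/^[[:space:]]*<port protocol="\([^"]*\)" port="\([^"]*\)".*/port \2\/\1/p'
}

# zone_has_port PORT/PROTOCOL < zone.xml
# Returns 0 if the zone opens exactly that port/protocol, 1 otherwise.
zone_has_port() {
    zone_openings | grep -qx "port $1"
}

# Usage on a real host (as root):
#   zone_openings < /etc/firewalld/zones/public.xml
#   zone_has_port 9898/tcp < /etc/firewalld/zones/public.xml && echo "9898/tcp is open"
```

Pairing zone_has_port with the "--remove-port ... --permanent" and "--reload" commands above gives a simple before/after check that a port really was closed in the permanent configuration, not only in the runtime one.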


3. Configuration and use of the iptables firewall

View firewall configuration information

iptables -L


Adding an iptables rules file

Ubuntu has no iptables configuration file by default; generate one with 'iptables-save > /etc/network/iptables.up.rules'.

The suggested path and name for the rules file is /etc/network/iptables.up.rules, because 'iptables-apply' reads that file by default; a different file can be given with the -w parameter.

Ubuntu has no command to restart iptables; running 'iptables-apply' puts the rules into effect.

By default, Ubuntu's iptables rules are cleared when the server restarts. Add 'pre-up iptables-restore < /etc/network/iptables.up.rules' to /etc/network/interfaces so they are restored at boot.

Common iptables commands

#Allow all access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#Deny all access to port 22
iptables -A INPUT -p tcp --dport 22 -j DROP

#Allow only the given source address to access port 22
iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT

The ACCEPT rule must come before the DROP rule. iptables stops at the first matching rule, so an ACCEPT appended after a DROP that already matches the same traffic never takes effect.

#View iptables policy
iptables -L

#Save the rules to a file (the path and file name below can be changed)
iptables-save > /etc/network/iptables.up.rules

#Apply the rules

#Delete a rule
Find the number of the line to delete with 'cat /etc/network/iptables.up.rules', or edit the file '/etc/network/iptables.up.rules' directly
iptables -D INPUT 2
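Because "-A" appends and iptables matches first-rule-wins, the mistake the text warns about (a DROP on port 22 followed by a per-source ACCEPT on port 22) leaves the ACCEPT dead without any error. The script below is an added example, not part of the original post: it reads a file in iptables-save format, such as /etc/network/iptables.up.rules, and reports every ACCEPT that sits behind an earlier DROP on the same chain and destination port that has no source restriction. SAMPLE_RULES and FIXED_RULES are constructed inputs, and shadowed_accepts is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find ACCEPT rules that can
# never match because an earlier DROP without a source restriction already
# catches the same chain and destination port. Input is iptables-save
# format, e.g. /etc/network/iptables.up.rules. SAMPLE_RULES and
# FIXED_RULES are constructed for this example.

# The ordering mistake from the text: DROP first, per-source ACCEPT second.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# The same rules with the ACCEPT placed above the DROP, as the text requires.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Reads rules on stdin. Prints "CHAIN PORT" for each shadowed ACCEPT and
# returns 1 when at least one was found, 0 otherwise (usable as a lint).
shadowed_accepts() {
    found=0
    dropped=""
    while IFS= read -r line; do
        case "$line" in "-A "*) ;; *) continue ;; esac
        set -- $line            # split the rule into its arguments
        chain=$2; port=""; target=""; src=""
        while [ $# -gt 0 ]; do
            case "$1" in
                --dport) port=$2 ;;
                -j)      target=$2 ;;
                -s)      src=$2 ;;
            esac
            shift
        done
        [ -n "$port" ] || continue
        key="$chain:$port"
        if [ "$target" = DROP ] && [ -z "$src" ]; then
            # an unrestricted DROP now covers this chain/port for all later rules
            dropped="$dropped $key "
        elif [ "$target" = ACCEPT ]; then
            case "$dropped" in
                *" $key "*) printf '%s %s\n' "$chain" "$port"; found=1 ;;
            esac
        fi
    done
    return $found
}

# Usage: shadowed_accepts < /etc/network/iptables.up.rules
```

Run it before 'iptables-apply' and again after editing the rules file; the fix for a reported line is to move the ACCEPT above the DROP in the file (or, on a live system, to insert it at the top with 'iptables -I INPUT 1 ...' instead of appending with '-A').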

This work is licensed under a CC agreement; reprints must credit the author and link to this article.
