Firewalld firewall learning summary for RHEL 7

Time:2020-9-15


This article introduces firewalld, the firewall configuration tool of RHEL 7. Before RHEL 7 the usual management tool was iptables. Strictly speaking, neither iptables nor firewalld is a firewall: both are management tools used to define firewall policy, that is, a service or program. The iptables service hands the configured policy to the kernel's Netfilter packet filter, while the firewalld service hands it to the nftables packet-filtering framework in the kernel.

Firewalld (the dynamic firewall manager for Linux) is the default firewall configuration tool on RHEL 7. It can be managed from the command line (firewall-cmd) or from a GUI (firewall-config). Compared with the traditional tools, firewalld supports dynamic rule updates and introduces the concept of zones. In short, a zone is one of several firewall policy sets (policy templates) that firewalld prepares in advance; the administrator selects the appropriate set for the production scenario, which makes switching between policies fast. Firewalld supports both IPv4 and IPv6 settings.

 

Everything in the firewall is associated with one or more zones. The zones are described below:

Zone                 Description
---------------------------------------------------------------------------
drop (immutable)     Deny all incoming connections; outgoing connections are accepted.
block (immutable)    Deny all incoming connections, with ICMP host-prohibited messages issued.
trusted (immutable)  Allow all network connections.
public               Public areas; do not trust other computers.
external             For computers with masquerading enabled, protecting a local network.
dmz                  For publicly accessible computers with restricted access.
work                 For trusted work areas.
home                 For trusted home network connections.
internal             For internal networks; restrict incoming connections.

 

Drop

Any packet coming in from the network is discarded and no response is sent. Only outgoing network connections are allowed. Even if services (such as HTTP) are opened in this zone, their traffic is still not allowed through.

Block

Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6. Only network connections initiated by the system itself are allowed.

Trusted

All network connections are accepted. Even if no services are opened, traffic using this zone still passes through (green light all the way).

Public

For use in public areas, where you cannot trust that other computers on the network will not harm your computer. Only selected incoming connections are accepted.

External

For use on external networks, in particular on routers with masquerading enabled. You cannot trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

DMZ (demilitarized zone)

For computers in a DMZ that are publicly accessible but have only limited access to the internal network. Only selected services are allowed through.

Work

For work areas. You can mostly trust that other computers on the network will not harm your computer. Only selected services are allowed through.

Home

For home networks. You can mostly trust that other computers on the network will not harm your computer. Only selected services are allowed through.

Internal

For internal networks. You can mostly trust that other computers on the network will not threaten your computer. Only selected services are allowed through.


Check which firewall tool is in use

To determine whether RHEL 7 is using iptables or firewalld, check the status of the corresponding services.

For iptables:

# systemctl status iptables.service
● iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

There is no iptables service. Depending on the systemd version, the same check may instead report:

# systemctl status iptables.service
Unit iptables.service could not be found.

The easiest way, however, is to query the active state of each service directly:

# systemctl is-active firewalld
active
# systemctl is-active iptables
inactive
# systemctl is-active ip6tables
inactive
# systemctl is-active ebtables
inactive

 

 

 

View firewall status

# systemctl status firewalld
# firewall-cmd --state

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-03-07 11:46:34 HKT; 1 day 4h ago
 Main PID: 124126 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─124126 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Mar 07 11:46:34 mylnx systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 07 11:46:34 mylnx systemd[1]: Started firewalld - dynamic firewall daemon.

# firewall-cmd --state
running

 

 

Start the firewall service:

# systemctl start firewalld

or

# systemctl start firewalld.service

Restart the firewall service:

# systemctl restart firewalld

or

# systemctl restart firewalld.service

Stop the firewall service:

# systemctl stop firewalld

# systemctl stop firewalld
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2018-03-08 16:35:17 HKT; 6s ago
  Process: 124126 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 124126 (code=exited, status=0/SUCCESS)

Mar 07 11:46:34 mylnx systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 07 11:46:34 mylnx systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 08 16:35:16 mylnx systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 08 16:35:17 mylnx systemd[1]: Stopped firewalld - dynamic firewall daemon.

 

 

Enable and disable the firewall at boot:

# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

 

 

firewall-cmd help information

# firewall-cmd --help

 

 

 

Configure the firewall

firewall-cmd has two modes: runtime and permanent. Runtime changes take effect immediately but are lost after a reload or a server restart; permanent changes survive both. The --permanent option selects the permanent configuration: a rule specified with --permanent is stored persistently and becomes active in the running firewall after the next reload.


1: List the available zones

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

2: View the currently active zones

# firewall-cmd --get-active-zones
public
  interfaces: eth0

3: View the current default zone

# firewall-cmd --get-default-zone
public

4: Set the default zone

# firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
success

 

5: List the services that firewalld knows about

# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

6: List the services defined in the permanent configuration, i.e. those available after the next reload

# firewall-cmd --get-services --permanent
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

 

 

7: List the ports open in a zone

# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp

 

 

8: List all settings of the specified zone

# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: dhcpv6-client ssh
  ports: 8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

 

 

9: Open a specific port in the specified zone

For example, to open port 8123:

# firewall-cmd --zone=public --add-port=8123/tcp --permanent
success
# firewall-cmd --reload    # apply the permanent rules to the running firewall

--zone                 # the zone the rule applies to
--add-port=8123/tcp    # add a port, written as port/protocol
--permanent            # make the rule persistent; without it the rule is lost at the next restart

Note what --reload does: a port added with --permanent does not appear in the runtime configuration until the firewall is reloaded.

# firewall-cmd --zone=public --add-port=8124/tcp --permanent
success
# firewall-cmd --zone=public --list-ports
8123/tcp
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp

Note also the difference between --reload and --complete-reload:

# firewall-cmd --reload
# firewall-cmd --complete-reload

The first reloads the rules without breaking existing connections (adding rules dynamically is one of firewalld's features); the second drops existing connections, much like restarting the service.


How do you open more than one port at a time? There are two methods:

Method 1: use a shell script to add the ports in a loop.

#!/bin/bash
# Adds each port to the runtime configuration of the public zone only.
# Add --permanent (and run firewall-cmd --reload) to make the rules persistent.
for i in 22 21 1337 3306 31337
do
  firewall-cmd --zone=public --add-port=${i}/tcp
done

Method 2: if the ports form a contiguous range, open the range in one command:

# firewall-cmd --zone=public --add-port=6001-6020/tcp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp 6001-6020/tcp

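The runtime/permanent split and the --list-ports output above lend themselves to a simple check: which ports are open now but will vanish at the next --reload, which are saved but not yet active, and which are open without being on an approved list. The script below is an added example, not code from the original post; it works on the space-separated text that firewall-cmd --zone=ZONE --list-ports prints, and the port lists and baseline it uses are constructed sample data (on a real host, pass in the command output instead).

```shell
#!/bin/sh
# Added example: compare firewalld port lists (runtime vs permanent, runtime vs baseline).
# Entries look like 80/tcp or 6001-6020/tcp, exactly as --list-ports prints them.

# covered_by SPEC ENTRY: succeed if SPEC (a port or a range) lies within ENTRY
# (a port or a range) on the same protocol, e.g. 6005/tcp within 6001-6020/tcp.
covered_by() {
  [ "${1#*/}" = "${2#*/}" ] || return 1          # protocols must match
  sp="${1%/*}"; ep="${2%/*}"                      # strip "/proto"
  slo="${sp%-*}"; shi="${sp#*-}"                  # a single port is its own lo and hi
  elo="${ep%-*}"; ehi="${ep#*-}"
  [ "$slo" -ge "$elo" ] && [ "$shi" -le "$ehi" ]
}

# not_covered LIST_A LIST_B: print the entries of LIST_A that no entry of
# LIST_B covers (space separated, in their original order).
not_covered() {
  out=""
  for a in $1; do
    hit=0
    for b in $2; do
      if covered_by "$a" "$b"; then hit=1; break; fi
    done
    if [ "$hit" -eq 0 ]; then out="${out:+$out }$a"; fi
  done
  printf '%s' "$out"
}

# Constructed sample data: runtime ports as in the post; a permanent list in which
# 8124/tcp and 6001-6020/tcp were added with --permanent but not yet reloaded and
# 8217/tcp exists only at runtime; and an approved baseline for the public zone.
RUNTIME="8123/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp"
PERMANENT="8123/tcp 8124/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp 6001-6020/tcp"
BASELINE="22/tcp 80/tcp 443/tcp 10050/tcp"

echo "open now, lost at --reload:       $(not_covered "$RUNTIME" "$PERMANENT")"
echo "saved, opens at --reload:         $(not_covered "$PERMANENT" "$RUNTIME")"
echo "open now but not in the baseline: $(not_covered "$RUNTIME" "$BASELINE")"
```

The last line is the one worth alerting on: with the sample data it flags 3306/tcp (MySQL) as reachable from the public zone without being approved.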

10: Remove open ports

# firewall-cmd --zone=public --remove-port=80/tcp --permanent

Remove a port range:

# firewall-cmd --zone=public --remove-port=6001-6020/tcp --permanent
success
# firewall-cmd --reload
success


11: See which services can be opened

# firewall-cmd --get-services


12: Open a service

# firewall-cmd --add-service=zabbix-agent --permanent    # in the default zone
success

# firewall-cmd --zone=public --add-service=zabbix-agent --permanent    # in an explicit zone
success


13: Close a service

# firewall-cmd --remove-service=zabbix-agent --permanent
success
# firewall-cmd --reload
success


14: See which services are currently open

# firewall-cmd --list-services
dhcpv6-client ssh

# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

Query whether a specific service is open:

# firewall-cmd --query-service ftp
no
# firewall-cmd --query-service ssh
yes


15: Emergency (panic mode) commands

# firewall-cmd --panic-on      # reject all traffic; remote connections are cut immediately and only local users can log in
# firewall-cmd --panic-off     # leave panic mode; firewalld must be restarted before remote SSH works again
# firewall-cmd --query-panic   # check whether panic mode is active


16: Allow specific source addresses to access a service (rich rules)

The rich rule must be quoted as a single argument; single quotes around the whole rule keep the inner double quotes intact:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="ssh" accept'
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="ssh" accept'

As with the port rules above, run firewall-cmd --reload afterwards for the permanent rule to take effect.


Firewall configuration files

The default definitions, such as the predefined zones and services, live here. Avoid modifying them, because they are overwritten every time the firewalld package is updated:

$ ls -lrt /usr/lib/firewalld
total 16
drwxr-xr-x. 2 root root  224 Feb 18 11:03 helpers
drwxr-xr-x. 2 root root   20 Feb 18 11:03 ipsets
drwxr-xr-x. 2 root root 4096 Feb 18 11:03 icmptypes
drwxr-xr-x. 2 root root 8192 Feb 18 11:03 services
drwxr-xr-x. 2 root root  163 Feb 18 11:03 zones

User-defined configuration is stored here; a file under /etc/firewalld takes precedence over the default of the same name in /usr/lib/firewalld:

$ ls -lrt /etc/firewalld
total 8
drwxr-x---. 2 root root   46 Feb  5 00:29 zones
drwxr-x---. 2 root root    6 Feb  5 00:29 services
-rw-r--r--. 1 root root  272 Feb  5 00:29 lockdown-whitelist.xml
drwxr-x---. 2 root root    6 Feb  5 00:29 ipsets
drwxr-x---. 2 root root    6 Feb  5 00:29 icmptypes
drwxr-x---. 2 root root    6 Feb  5 00:29 helpers
-rw-r--r--. 1 root root 2006 Feb  5 00:29 firewalld.conf

 

 

firewall-cmd is a very rich and flexible tool; for reasons of length and experience this summary cannot cover every aspect and only collects the common, simple commands. Special requirements encountered in later work will be added as learning continues.