Introduction to Linux Firewall

Time:2020-2-12


The Internet offers many network services; a firewall applies rules that restrict access to them and protect the server.


Summary

The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets; it is a typical packet-filtering firewall.

Because it is implemented in the kernel, the Linux firewall is stable and efficient.

Three kinds of firewalls

netfilter

  • The packet-filtering framework inside the Linux kernel
  • Kernel-space component: this is where packets are actually filtered

iptables

  • User-space command-line program for managing the Linux firewall
  • Writes its rules into netfilter

Firewalld

  • The default firewall management tool on CentOS 7, replacing the earlier iptables service
  • Runs in user space
  • Both firewalld and iptables program the same netfilter subsystem in the kernel; neither filters packets itself
  • Supports dynamic rule updates and introduces the concept of zones
  • Supports both IPv4 and IPv6 addresses
  • Managed with the command-line tool firewall-cmd or the graphical tool firewall-config

Difference

Name                 Firewalld                                           iptables
Configuration files  /usr/lib/firewalld/ and /etc/firewalld/             /etc/sysconfig/iptables
Rule modification    A changed rule is applied without refreshing the    All rules are flushed and reloaded;
                     whole policy; existing connections are kept         existing connections are lost
Firewall type        Dynamic firewall                                    Static firewall

Network area

Zone overview

Zone      Description
drop      Any incoming packet is dropped without a reply; only outgoing connections are allowed
block     Any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or icmp6-adm-prohibited for IPv6; only connections initiated from this system are possible
public    For use in public areas. You do not trust the other computers on the network; only selected incoming connections are accepted
external  For use on external networks with masquerading enabled, typically on routers. You do not trust the other computers on the network; only selected incoming connections are accepted
dmz       For computers in your demilitarized zone that are publicly accessible with limited access to your internal network; only selected incoming connections are accepted
work      For work areas. You mostly trust the other computers on the network; only selected incoming connections are accepted
home      For home networks. You mostly trust the other computers on the network; only selected incoming connections are accepted
internal  For internal networks. You mostly trust the other computers on the network; only selected incoming connections are accepted
trusted   All network connections are accepted
  • Each zone carries a different set of restrictions; trust decreases from trusted down to drop
  • Several zones can be in use at once, but a zone is active only when at least one source address or interface is bound to it
  • By default the default zone is public, and every interface (network card) not bound elsewhere falls into it

Data processing flow

When a packet arrives, firewalld decides which zone's rules apply by checking, in this order:

  • If the packet's source address is bound to a zone, that zone's rules are applied
  • Otherwise, if the interface the packet arrived on is bound to a zone, that zone's rules are applied
  • Otherwise, the default zone's rules are applied
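To make that precedence concrete, here is a small shell model of the decision. It is an added example, not firewalld's own code: the bindings are constructed for the example and stand in for what `--add-source` and `--add-interface` would create, and only IPv4 CIDR sources are modelled (firewalld also accepts IPv6, MAC addresses and ipsets).

```bash
#!/bin/bash
# Toy model of firewalld's zone selection (added example, not firewalld code).
# Bindings are constructed for the example: they stand in for what
# `firewall-cmd --zone=<zone> --add-source=<cidr>` and
# `firewall-cmd --zone=<zone> --add-interface=<iface>` would create.
SOURCE_BINDINGS="203.0.113.0/24=drop 10.0.0.0/8=internal"
INTERFACE_BINDINGS="ens33=public ens34=dmz"
DEFAULT_ZONE="public"

# ip2int <a.b.c.d>: dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <network/prefix>: succeed when the address lies inside the network.
in_cidr() {
    local ip net prefix mask
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolve_zone <source-ip> <ingress-interface>: print the zone whose rules apply.
# Order matters: a source binding beats an interface binding, which beats the default.
resolve_zone() {
    local src=$1 iface=$2 binding
    for binding in $SOURCE_BINDINGS; do          # 1. source address bound to a zone?
        if in_cidr "$src" "${binding%=*}"; then
            echo "${binding#*=}"; return 0
        fi
    done
    for binding in $INTERFACE_BINDINGS; do       # 2. ingress interface bound to a zone?
        if [ "${binding%=*}" = "$iface" ]; then
            echo "${binding#*=}"; return 0
        fi
    done
    echo "$DEFAULT_ZONE"                         # 3. fall back to the default zone
}

# Run as a script: ./resolve-zone.sh 203.0.113.7 ens34   (prints "drop")
if [ $# -eq 2 ]; then
    resolve_zone "$1" "$2"
fi
```

The practical consequence of the order is worth keeping in mind: a source binding to a permissive zone such as trusted wins over whatever zone the interface is in, so a single `--add-source` on the wrong zone overrides the interface policy for that address range.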

Configuration method

Runtime configuration

  • Takes effect immediately and lasts until firewalld is restarted or its configuration is reloaded
  • Does not disconnect existing connections
  • Cannot define or modify service definitions

Permanent configuration

  • Does not take effect until firewalld is restarted or its configuration is reloaded
  • Applying it with --reload keeps connection state; only --complete-reload (which also reloads the netfilter kernel modules) drops existing connections
  • Service definitions can be added and modified

Configuration files

Firewalld reads /etc/firewalld/ first; if no configuration file for an object exists there, it falls back to the one in /usr/lib/firewalld/.

  • /etc/firewalld/: user-defined configuration; files can be copied here from /usr/lib/firewalld/ and then edited

  • /usr/lib/firewalld/: default configuration shipped with the package, which should not be modified. To restore an object to its defaults, simply delete its file under /etc/firewalld/

Graphic tools

[root@localhost ~]# firewall-config

Command line tools

[root@localhost ~]# firewall-cmd
  • The most commonly used options are collected below. <zone>, <interface>, <service>, <portid>, <protocol>, <icmptype> and <timeval> are placeholders in the same form as the firewall-cmd man page; wherever --zone= is omitted, the command operates on the default zone.
--get-default-zone
Display the default zone for connections and interfaces

--set-default-zone=<zone>
Set the default zone for connections and interfaces

--get-active-zones
Show all active zones with the interfaces and sources bound to them

--get-zone-of-interface=<interface>
Show the zone the given interface is bound to

--zone=<zone> --add-interface=<interface>
Bind an interface to a zone

--zone=<zone> --change-interface=<interface>
Move an interface to a different zone

--zone=<zone> --remove-interface=<interface>
Remove the binding of an interface from a zone

[--zone=<zone>] --query-interface=<interface>
Query whether the interface is bound to the zone

--list-all-zones
Show all zones and their rules

[--zone=<zone>] --list-all
Show everything configured for the zone
[--zone=<zone>] --list-services
Show all services allowed in the zone

[--zone=<zone>] --add-service=<service>
Allow a service in the zone

[--zone=<zone>] --remove-service=<service>
Remove a service from the zone's allow list

[--zone=<zone>] --query-service=<service>
Query whether a service is allowed in the zone
[--zone=<zone>] --list-ports
Show all ports allowed in the zone

[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> [--timeout=<timeval>]
Allow a port (or port range) and protocol combination in the zone, optionally only for a limited time, after which the rule is removed automatically

[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>
Remove a port and protocol combination from the zone

[--zone=<zone>] --query-port=<portid>[-<portid>]/<protocol>
Query whether the port and protocol combination is allowed in the zone
[--zone=<zone>] --list-icmp-blocks
Show all ICMP types blocked in the zone

[--zone=<zone>] --add-icmp-block=<icmptype>
Block an ICMP type in the zone

[--zone=<zone>] --remove-icmp-block=<icmptype>
Unblock an ICMP type in the zone

[--zone=<zone>] --query-icmp-block=<icmptype>
Query whether the ICMP type is blocked in the zone

firewall-cmd

State operation

  • Stop / start
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start firewalld
  • Disable / enable at boot
[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl enable firewalld
  • View state
[root@localhost ~]# systemctl status firewalld
[root@localhost ~]# firewall-cmd --state
running

Get predefined information

Predefined information falls into three types: available zones, available services and available ICMP block types.

  • Show predefined zones
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
  • Show predefined services
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
  • Show predefined ICMP block types
[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  • The meaning of the most common ICMP types:

destination-unreachable: destination unreachable
echo-reply: echo reply (the answer to a ping)
parameter-problem: parameter problem
redirect: redirect
router-advertisement: router advertisement
router-solicitation: router solicitation
source-quench: source quench (asks the sender to slow down)
time-exceeded: time exceeded
timestamp-reply: timestamp reply
timestamp-request: timestamp request

Regional management

The firewall-cmd command can inspect and manage zones, bind network interfaces to a zone, and so on.

--get-default-zone
Display the default zone for connections and interfaces

--set-default-zone=<zone>
Set the default zone for connections and interfaces

--get-active-zones
Show all active zones

--get-zone-of-interface=<interface>
Show the zone the given interface is bound to

--zone=<zone> --add-interface=<interface>
Bind an interface to a zone

--zone=<zone> --change-interface=<interface>
Move an interface to a different zone

--zone=<zone> --remove-interface=<interface>
Remove the binding of an interface from a zone

--list-all-zones
Show all zones and their rules

[--zone=<zone>] --list-all
Show everything configured for the zone; omitting --zone= operates on the default zone
  • Show the current default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
  • Show all rules of the default zone
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
  • Show the zone the network interface ens33 is bound to
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public
  • Move the network interface ens33 to the internal zone. This swaps the whole rule set applied to that interface at once: internal allows mdns and samba-client by default on top of ssh and dhcpv6-client (see the service listing in the next section), so check what the target zone opens before moving a public-facing interface
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal
  • Show which network interfaces are in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
ens33
  • Show all active zones
[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33

Service management

To simplify management, firewalld predefines many services and stores them in /usr/lib/firewalld/services/; each service is a single XML configuration file.

These files are named service-name.xml, and each corresponds to one network service, for example ssh.

Each file records the tcp/udp ports the service uses. The firewalld version shown above predefines more than a hundred services (see the --get-services output), ready to be used; for every zone you can then configure which of them are allowed.

When no predefined service fits, or a service has to use a customised port, write your own service definition and place it in /etc/firewalld/services/.

Service-based configuration has the following advantages:

  • Rules are managed by service name, which is easier to read and review than raw port numbers.
  • Grouping ports by service is more efficient: if a service uses several ports, its service file acts as a batch operation for all of them in rule management.
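As an added example (not from the page or the firewalld project), here is what such a custom service definition looks like for a hypothetical application "myapp" listening on 8080/tcp and 8443/tcp, together with a small function that extracts the ports the way a reviewer would check what a service file actually opens. The file is written to a temporary directory so the example runs anywhere; on a real host it belongs in /etc/firewalld/services/myapp.xml.

```bash
#!/bin/bash
# Added example, not firewalld project code. "myapp", its ports and description
# are constructed for the example; the XML layout is the one firewalld uses
# for the files in /usr/lib/firewalld/services/.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SERVICE_FILE="$WORKDIR/myapp.xml"    # on a real host: /etc/firewalld/services/myapp.xml

cat > "$SERVICE_FILE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>myapp</short>
  <description>Hypothetical internal web application (constructed for this example).</description>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
</service>
EOF

# service_name <file>: the name the service will be registered under.
service_name() {
    sed -n 's/.*<short>\(.*\)<\/short>.*/\1/p' "$1"
}

# service_ports <file>: the port/protocol pairs the definition opens, one per
# line, in the "8080/tcp" form that `firewall-cmd --list-ports` prints.
service_ports() {
    sed -n 's/.*<port[^>]*protocol="\([a-z]*\)"[^>]*port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Review what the file would open before installing it.
echo "service $(service_name "$SERVICE_FILE") opens: $(service_ports "$SERVICE_FILE" | tr '\n' ' ')"

# Installing on a real host (commented out: needs root and a running firewalld).
# A new service file is only picked up after a reload, and the permanent
# --add-service only becomes active after the second reload:
#   cp "$SERVICE_FILE" /etc/firewalld/services/myapp.xml
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=internal --add-service=myapp
#   firewall-cmd --reload
```

Because a service name hides the port list, reviewing the XML (or running a check like `service_ports`) before adding the service to a zone is the only way to know what `--add-service=myapp` will really expose.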
[--zone=<zone>] --list-services
Show all services allowed in the zone

[--zone=<zone>] --add-service=<service>
Allow a service in the zone

[--zone=<zone>] --remove-service=<service>
Remove a service from the zone's allow list

[--zone=<zone>] --list-ports
Show all ports allowed in the zone

[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>
Allow a port (with its protocol) in the zone

[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>
Remove a port (with its protocol) from the zone's allow list

[--zone=<zone>] --list-icmp-blocks
Show all ICMP types blocked in the zone

[--zone=<zone>] --add-icmp-block=<icmptype>
Block an ICMP type in the zone

[--zone=<zone>] --remove-icmp-block=<icmptype>
Unblock an ICMP type in the zone. Omitting --zone= operates on the default zone
  • Show all services the default zone allows
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
  • Allow the http service in the default zone
[root@localhost ~]# firewall-cmd --add-service=http
success
  • Allow the https service in the default zone
[root@localhost ~]# firewall-cmd --add-service=https
success
  • Show all services the default zone allows
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client http https
  • Show all services allowed in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --list-services
ssh mdns samba-client dhcpv6-client
  • Allow the mysql service in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql
success
  • Stop allowing the samba-client service in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client
success
  • Show all services allowed in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --list-services
ssh mdns dhcpv6-client mysql

All of the commands above change the runtime configuration only; the changes disappear at the next reload or restart unless they are made with --permanent or saved with --runtime-to-permanent (see the section on the two configuration modes below).

Port management

When configuring services, a predefined service can be referred to by name and the ports it involves are opened automatically.

For services that are not predefined, the ports have to be added to the zone by hand.

  • Open port 443/TCP in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
  • Close port 443/TCP in the internal zone again
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success
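After services and ports have been added to a zone as in the examples above, the question is whether the zone still matches the intended policy. The following added example (not from the page) audits the text that `firewall-cmd --zone=<zone> --list-all` prints, in the same layout as the public zone listing earlier on this page, against an allowlist; the sample dump, the allowlists and the list of cleartext legacy services are constructed for the example.

```bash
#!/bin/bash
# Added example (not from the page): audit what a zone exposes against an
# allowlist. Input is the text `firewall-cmd --zone=<zone> --list-all` prints.
# The sample dump and the allowlists below are constructed for the example.

# Services that send credentials or data in cleartext: flag them in any zone.
LEGACY_SERVICES="telnet rsh rlogin ftp tftp"
# What this zone is expected to expose (a constructed policy for the example).
ALLOWED_SERVICES="ssh dhcpv6-client http https"
ALLOWED_PORTS="443/tcp"

# field <name>: print the value of the "  <name>: ..." line of a dump read on stdin.
field() {
    sed -n "s/^ *$1: *//p"
}

# in_list <item> <space-separated list>: succeed when item is in the list.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_zone: read a --list-all dump on stdin, print one finding per line,
# and return 1 when anything was flagged (0 when the zone matches the policy).
audit_zone() {
    local dump rc svc port
    dump=$(cat)
    rc=0
    for svc in $(printf '%s\n' "$dump" | field services); do
        if in_list "$svc" "$LEGACY_SERVICES"; then
            echo "LEGACY: service $svc carries credentials in cleartext"; rc=1
        elif ! in_list "$svc" "$ALLOWED_SERVICES"; then
            echo "UNEXPECTED: service $svc is not in the allowlist"; rc=1
        fi
    done
    for port in $(printf '%s\n' "$dump" | field ports); do
        if ! in_list "$port" "$ALLOWED_PORTS"; then
            echo "UNEXPECTED: port $port is not in the allowlist"; rc=1
        fi
    done
    return $rc
}

# Constructed sample dump: a public zone where someone added telnet and 3306/tcp.
SAMPLE_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: ssh dhcpv6-client http telnet
  ports: 443/tcp 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# On a live host replace the sample with the real listing:
#   firewall-cmd --zone=public --list-all | audit_zone
printf '%s\n' "$SAMPLE_DUMP" | audit_zone || echo "zone does not match policy"
```

Run periodically, or after every `--change-interface`, this catches the two ways a zone drifts in practice: a convenience service that should never face the network, and a port that was opened "temporarily" and never closed.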

Two configuration modes

As mentioned earlier, the firewall-cmd tool works in two configuration modes:

  • Runtime mode: the firewall configuration currently loaded in memory. It is lost when the system or the firewalld service is restarted or stopped.
  • Permanent mode: the rule configuration stored in the configuration files, which is what the firewall loads when it is restarted or reloaded.

firewall-cmd has three options that relate to the configuration mode:

  • --reload: reload the firewall rules while keeping state information, i.e. make the permanent configuration the new runtime configuration.

  • --permanent: a command given with this option changes the permanent configuration, which only becomes active after firewalld is restarted or the rules are reloaded; without the option the command changes the runtime configuration.

  • --runtime-to-permanent: write the current runtime configuration to the permanent configuration files.

[root@localhost ~]# firewall-cmd --runtime-to-permanent
success
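The split between the two modes, together with the --timeout option on runtime rules, gives a safe way to make changes on a remote host. The added example below (not from the page) opens a service at runtime with a timeout first, verifies the host is still healthy, and only then commits the rule permanently; if verification fails, the trial rule is withdrawn and nothing is written to /etc/firewalld/. FWCMD and the verify_hook function are assumptions for the example: FWCMD lets the script be pointed at a stand-in binary, and verify_hook is a placeholder for a real reachability probe.

```bash
#!/bin/bash
# Added example (not from the page): make a firewall change the safe way.
# 1. add the rule at runtime with --timeout, so it removes itself if step 3
#    is never reached (for instance because the change locked you out);
# 2. verify the host is still healthy;
# 3. only then store it in the permanent configuration and re-add it at
#    runtime without the timeout.
# FWCMD is an assumption for the example so the script can be pointed at a
# stand-in binary; GRACE is how long the trial rule lives, in seconds.
FWCMD=${FWCMD:-firewall-cmd}
GRACE=${GRACE:-120}

# verify_hook: succeed when the host is still healthy after the change.
# Placeholder: it only checks that firewalld still answers. A real deployment
# would probe the service from outside (curl, ssh, a monitoring check) instead.
verify_hook() {
    "$FWCMD" --state >/dev/null 2>&1
}

# safe_add_service <zone> <service>: returns 0 when committed, 1 on a
# firewall-cmd error, 2 when verification failed and the trial rule was withdrawn.
safe_add_service() {
    local zone=$1 service=$2
    # 1. trial rule: runtime only, removed automatically after $GRACE seconds
    "$FWCMD" --zone="$zone" --add-service="$service" --timeout="$GRACE" >/dev/null || return 1
    # 2. verify; on failure withdraw the trial rule now instead of waiting for the timeout
    if ! verify_hook; then
        "$FWCMD" --zone="$zone" --remove-service="$service" >/dev/null
        return 2
    fi
    # 3. commit: cancel the timed rule, store the permanent rule, then re-add it at
    #    runtime for good. --permanent alone would not take effect until the next
    #    --reload, and a --reload would discard every other runtime-only change,
    #    so both steps are done explicitly.
    "$FWCMD" --zone="$zone" --remove-service="$service" >/dev/null || return 1
    "$FWCMD" --permanent --zone="$zone" --add-service="$service" >/dev/null || return 1
    "$FWCMD" --zone="$zone" --add-service="$service" >/dev/null || return 1
}

# Run as a script: ./safe-add-service.sh public https
if [ $# -eq 2 ]; then
    safe_add_service "$1" "$2"
fi
```

The same pattern applies to any rule that could cut off your own access, such as removing a service or changing an interface's zone: trial it at runtime with a timeout, confirm you can still reach the host, and only then make it permanent.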