The previous article covered user and file permissions; this one continues with firewall technology.
As the protective barrier between the public network and the intranet, the firewall is very important to the system. Firewalls are divided into hardware firewalls and software firewalls; the main job of either is to filter the traffic passing through it according to a configured policy. This article focuses on the software firewall of the CentOS 7 system.
In the early learning stages we often simply turn the firewall off to avoid interference, but that is not safe in a production environment, so we need to master the relevant firewall configuration methods.
1、 Overview of Linux Firewall
A Linux system includes two layers of firewall: one is the traffic-filtering tools based on TCP/IP, the other is the TCP wrappers service. The former includes iptables, firewalld and other firewalls, while the latter is a firewall that can allow or forbid the Linux system to provide a service, protecting the system at a higher level.
In RHEL 7, firewalld replaces the iptables firewall of earlier versions and becomes the default firewall. There is a big difference between the two: iptables firewall policies are handled by the Netfilter packet filter at the kernel level, while firewalld policies are handled by the nftables packet filtering framework at the kernel level.
Strictly speaking, iptables and firewalld are not real firewalls, only firewall management tools used to define firewall policies. Both run as services.
Firewall management tools exist mainly to make it convenient for operations and maintenance staff to configure and manage firewall policies. The ideas behind these tools are similar, so mastering one is enough; this article focuses on firewalld.
2、 Firewalld firewall management tool
CentOS 7 integrates several firewall tools; the default is firewalld, whose full name is Dynamic Firewall Manager of Linux systems. It supports two management modes, a command-line interface (CLI) and a graphical user interface (GUI), which are introduced in turn below.
Compared with traditional firewall management and configuration tools, firewalld supports dynamic updates and adds the concept of zones. In short, several sets of firewall policy templates are defined in advance, and the user selects one according to the actual scenario, so switching between policies is fast. For example, after setting up the home and work zone policies, you can pick the home zone at home and the work zone in the office, which greatly improves the efficiency of applying firewall policies.
The zone names and default policy rules in firewalld are as follows:

| Zone | Default policy rule |
|---|---|
| trusted | Allow all packets |
| home | Reject incoming traffic unless it is related to outgoing traffic; allow traffic for the SSH, mDNS, IPP client, Samba client and DHCPv6 client services |
| internal | Same as home |
| work | Reject incoming traffic unless it is related to outgoing traffic; allow traffic for the SSH, IPP client and DHCPv6 client services |
| public | Reject incoming traffic unless it is related to outgoing traffic; allow traffic for the SSH and DHCPv6 client services |
| external | Reject incoming traffic unless it is related to outgoing traffic; allow traffic for the SSH service |
| dmz | Reject incoming traffic unless it is related to outgoing traffic; allow traffic for the SSH service |
| block | Reject incoming traffic unless it is related to outgoing traffic |
| drop | Same as block |
2.1 firewall-cmd
firewall-cmd is the CLI (command-line interface) version of the firewalld configuration management tool. Its parameters are generally given in "long format". It has many parameters, but since CentOS 7 already supports tab completion for this command, make liberal use of the Tab key. The following table lists the commonly used parameters and their functions; more can be found with the man command.

| Parameter | Function |
|---|---|
| --get-default-zone | Query the name of the default zone |
| --set-default-zone=<zone> | Set the default zone (permanent) |
| --get-zones | Show the available zones |
| --get-active-zones | Show the zones currently in use and the network interfaces bound to them |
| --get-services | Show the predefined services |
| --add-source=<IP or subnet> | Direct traffic from this IP or subnet to the specified zone |
| --remove-source=<IP or subnet> | Stop directing traffic from this IP or subnet to the specified zone |
| --add-interface=<interface> | Direct all traffic from this network interface to the specified zone |
| --change-interface=<interface> | Associate a network interface with a zone |
| --list-all | Show the interfaces, sources, ports and services of the current zone |
| --list-all-zones | Show the interfaces, sources, ports and services of all zones |
| --add-service=<service> | Allow traffic for this service in the default zone |
| --add-port=<port>/<protocol> | Allow traffic on this port in the default zone |
| --remove-service=<service> | No longer allow traffic for this service in the default zone |
| --remove-port=<port>/<protocol> | No longer allow traffic on this port in the default zone |
| --reload | Make the "permanent" configuration rules take effect immediately, overriding the current runtime rules |
| --panic-on | Turn on panic (emergency) mode |
| --panic-off | Turn off panic (emergency) mode |
There are two modes for configuring policies with firewall-cmd: runtime and permanent. Runtime mode, also called the currently effective mode, is the default; its changes are lost when the system restarts. If a configuration needs to take effect permanently, add the `--permanent` parameter.
The main thing to note is that a policy configured in permanent mode only takes effect automatically after a restart. If you want the configured policy to take effect immediately, run `firewall-cmd --reload` manually.
2.1.1 firewall state management
If you have been installing along with this tutorial series step by step, the system and the firewalld service are installed by default. If you use another system or firewalld is not installed, install it yourself with the following command:
```
yum install firewalld firewall-config
```
- View the firewall status
```
[root@heimatengyun ~]# firewall-cmd --state
running
[root@heimatengyun ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2019-12-21 21:26:53 CST; 1h 31min ago
 Main PID: 915 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─915 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Dec 21 21:26:53 heimatengyun systemd: Started firewalld - dynamic firewal....
Hint: Some lines were ellipsized, use -l to show in full.
```
You can use `firewall-cmd --state` or `systemctl status firewalld` to view the firewall status.
- Restart the firewall service
```
[root@heimatengyun ~]# systemctl restart firewalld.service
```
Note that this is equivalent to `systemctl restart firewalld`; the `.service` suffix can be omitted.
- Stop the firewall service
```
[root@heimatengyun ~]# systemctl stop firewalld
[root@heimatengyun ~]# firewall-cmd --state
not running
```
- Start the firewall service
```
[root@heimatengyun ~]# systemctl start firewalld
[root@heimatengyun ~]# firewall-cmd --state
running
```
2.1.2 firewall profile
Configuration file description: firewalld keeps its configuration files in two directories, /usr/lib/firewalld/ and /etc/firewalld/. The former holds the default files, while the latter mainly holds user-defined data, so the services or rules we add all go under the latter.
```
[root@heimatengyun ~]# ls /usr/lib/firewalld/
icmptypes  services  zones
[root@heimatengyun ~]# ls /etc/firewalld/
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones
```
services: stores service definitions, each a set of well-defined rules.
zones: stores zone rules.
firewalld.conf: the default configuration file, where the default zone can be set. The default zone is public, which corresponds to public.xml.
2.1.3 common configuration commands and cases
- View the zone currently in use
```
[root@heimatengyun ~]# firewall-cmd --get-default-zone
public
```
- Check whether the current zone allows SSH and HTTPS traffic
```
[root@heimatengyun ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@heimatengyun ~]# firewall-cmd --zone=public --query-service=https
no
```
- Allow HTTPS traffic permanently and have it take effect immediately
```
[root@heimatengyun ~]# firewall-cmd --zone=public --add-service=https
success
[root@heimatengyun ~]# firewall-cmd --zone=public --query-service=https
yes
[root@heimatengyun ~]# firewall-cmd --permanent --zone=public --add-service=https
success
[root@heimatengyun ~]# firewall-cmd --reload
success
```
- Allow traffic to ports 8080 and 8081, effective for the current runtime only
```
[root@heimatengyun ~]# firewall-cmd --zone=public --list-ports
[root@heimatengyun ~]# firewall-cmd --zone=public --add-port=8080-8081/tcp
success
[root@heimatengyun ~]# firewall-cmd --zone=public --list-ports
8080-8081/tcp
```
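The sessions above show the runtime/permanent split by hand; a rule added only at runtime disappears on reboot, and a rule added only with `--permanent` does nothing until a reload. As an added example (not code from the original article), the following POSIX shell helper applies a rule to both configurations in one step and then verifies that both have it. It assumes `firewall-cmd` is on the PATH; the `FIREWALL_CMD` variable, `fw_allow` and `fw_check` are this example's own names, and pointing `FIREWALL_CMD` at `echo` previews the commands without changing the firewall.

```shell
#!/bin/sh
# Added example (not the article's code): apply a firewalld rule to both the
# runtime and the permanent configuration, then verify it. Assumes
# firewall-cmd is installed. FIREWALL_CMD is this script's own knob: set it
# to "echo" to preview the commands instead of running them.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_allow ZONE KIND VALUE
#   KIND is "service" (e.g. https) or "port" (e.g. 8080-8081/tcp).
# The runtime change is made first so it is effective immediately, and the
# permanent change second so it survives a reboot. No --reload is needed, and
# none is issued: --reload replaces the runtime rules with the permanent ones,
# so it would discard any runtime-only rules added earlier.
fw_allow() {
  zone=$1 kind=$2 value=$3
  case "$kind" in
    service|port) ;;
    *) echo "fw_allow: KIND must be service or port, got '$kind'" >&2; return 2 ;;
  esac
  "$FIREWALL_CMD" --zone="$zone" "--add-$kind=$value" &&
    "$FIREWALL_CMD" --permanent --zone="$zone" "--add-$kind=$value"
}

# fw_check ZONE KIND VALUE -> exit status 0 only if the rule exists in BOTH
# the runtime and the permanent configuration. A rule present in only one of
# them is the usual cause of "it worked until the reboot" surprises.
fw_check() {
  "$FIREWALL_CMD" --zone="$1" "--query-$2=$3" >/dev/null 2>&1 &&
    "$FIREWALL_CMD" --permanent --zone="$1" "--query-$2=$3" >/dev/null 2>&1
}

# Usage: sh fw-allow.sh public port 8080-8081/tcp
if [ "$#" -eq 3 ]; then
  fw_allow "$1" "$2" "$3" && fw_check "$1" "$2" "$3" &&
    echo "$2 $3 is allowed in zone $1 (runtime and permanent)"
fi
```

Run it with `FIREWALL_CMD=echo sh fw-allow.sh public service https` to see the two `firewall-cmd` invocations it would make before letting it touch a live system.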
2.2 firewall-config
firewall-config is the GUI (graphical user interface) version of the firewalld configuration management tool, and it can perform almost all the operations available on the command line. Even without a solid foundation in Linux commands, it can be used to configure firewall policies properly in RHEL 7.
2.2.1 main interface
After entering the following command, the main window opens:
```
[root@heimatengyun ~]# firewall-config
```
The Configuration selector at the top switches between runtime mode and permanent mode.
The Zones tab on the left lists the different zones.
2.2.2 configuration case
After configuring a firewall policy with the firewall-config tool there is no need to confirm it again, because every change is saved automatically.
- Configure the firewall to allow HTTP service traffic in the current zone, effective for the current (runtime) configuration only
- Try adding a firewall policy rule that allows traffic to ports 8080-8088 (TCP) and set it to take effect permanently
After adding permanent rules, you still need to reload the configured policies for them to take effect immediately.
3、 TCP wrappers service
TCP wrappers is a traffic monitoring program enabled by default in RHEL 7. It can allow or reject connections according to the address of the visiting host and the target service program on this machine.
As mentioned above, firewalld is a traffic filtering tool based on the TCP/IP protocol, while the TCP wrappers service is a firewall that can allow or forbid the Linux system to provide a service, thus protecting the safe operation of the Linux system at a higher level.
The firewall policy of the TCP wrappers service is controlled by two control list files. Users edit the allow control list file to release request traffic to a service, or edit the deny control list file to block request traffic to a service.
After the control list files are modified, the system first checks the allow control list file (/etc/hosts.allow); if the request matches an allow policy, the traffic is released. If there is no match, the system then checks the deny control list file (/etc/hosts.deny); if a match is found, the traffic is rejected. If neither file matches, the traffic is allowed by default.
3.1 configuration principle
When writing a policy rule, fill in the service name (for example sshd), not the protocol name;
It is recommended to write the deny policy rule before the allow policy rule.
3.2 common configuration parameters
The common client patterns used in the control list files of the TCP wrappers service are as follows:

| Client type | Example | Clients that match |
|---|---|---|
| Single host | 192.168.1.1 | The host with IP address 192.168.1.1 |
| Network segment | 192.168.1. | Hosts in the 192.168.1.0/24 network |
| Network segment | 192.168.10.0/255.255.255.0 | Hosts in the 192.168.10.0/24 network |
| DNS suffix | .heimatengyun.com | All hosts whose name ends in .heimatengyun.com |
| Host name | www.heimatengyun.com | The host named www.heimatengyun.com |
| All clients | ALL or * | All hosts |
- Allow only a specified IP range to log in to the server remotely
Edit the hosts.deny file:
```
[root@heimatengyun ~]# vi /etc/hosts.deny
```
Add the line `sshd: *`, then save and exit.
Now close the remote connection tool and connect again; the connection will be refused.
Log in to the virtual machine console directly and edit the /etc/hosts.allow file to allow the IP range of your local computer to connect to the server remotely:
```
[root@heimatengyun ~]# vi /etc/hosts.allow
```
Add the line `sshd:192.168.78.`, then save and exit.
Note that 192.168.78. stands for the address range from which you will access the Linux machine; set it according to your actual situation. In the environment demonstrated in this article, the IP address of the VMnet8 adapter is used rather than the host's own IP address.
Then use the remote connection tool again and you will find that it connects.