This is the fourth day of my participation in the August Text Challenge. More challenges in August.
A tip: like iptables, firewalld is built on the kernel's Netfilter framework. In other words, both are user-space tools that maintain rules, while Netfilter in the kernel is what actually applies those rules to traffic. They differ in how the rules are organized and how they are used: firewalld groups rules into zones and named services and is driven through firewall-cmd, whereas iptables exposes the raw tables and chains. Which backend firewalld uses to program the kernel depends on its version: 0.6 and later use nftables by default, older releases use iptables, and that matters when you try to verify firewalld's rules with iptables tooling.
Resources
- Firewalld structure (important: it explains the firewalld directory layout, configuration files and operating principles), and "Linux: what you should know about iptables and firewalld".
Configuration
Firewalld structure
- Two directories:
  1. /etc/firewalld/ (local configuration, takes precedence)
  2. /usr/lib/firewalld/ (defaults shipped by the package)
- Lookup rule: when firewalld needs a file (a zone, a service or any other definition) it first looks in /etc/firewalld/; if the file exists there it is used, otherwise firewalld falls back to the copy in /usr/lib/firewalld/.
- Service configuration files are named <name>.xml: the ssh service is ssh.xml, the http service is http.xml, and so on. The defaults ship in /usr/lib/firewalld/services/, where all the predefined services can be found. To change a service, copy its file to /etc/firewalld/services/ and edit the copy there; never edit the file under /usr/lib, which package updates overwrite. To restore the default, delete your copy from /etc/firewalld/services/ and reload.
- Example: ssh.xml (the predefined definition opens port 22/tcp).
- In firewalld.conf, DefaultZone=public, so --zone=public can be omitted from commands. In the public zone only the services and ports that are explicitly configured are allowed in; all other inbound traffic is rejected.
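To make the lookup order concrete, here is an added shell example (not from the original post) that resolves which service file firewalld would read and writes a local override in the same XML shape as the shipped service files (short, description, port). The service name myapp, the ports 8443/9443 and the scratch directory are assumptions for illustration; on a real host drop the directory arguments so the defaults /etc/firewalld/services and /usr/lib/firewalld/services apply, and run firewall-cmd --reload afterwards so the override is picked up.

```shell
#!/bin/sh
# Added example: firewalld's two-directory lookup and a local service override.
# The service name "myapp" and its ports are illustrative assumptions.

# Print the file firewalld would use for service $1: the copy under
# /etc/firewalld/services wins over the packaged default under
# /usr/lib/firewalld/services. $2/$3 override those directories so the
# function can be exercised against a scratch tree.
fw_service_file() {
    name=$1
    etc_dir=${2:-/etc/firewalld/services}
    lib_dir=${3:-/usr/lib/firewalld/services}
    if [ -f "$etc_dir/$name.xml" ]; then
        printf '%s\n' "$etc_dir/$name.xml"
    elif [ -f "$lib_dir/$name.xml" ]; then
        printf '%s\n' "$lib_dir/$name.xml"
    else
        echo "no definition for service '$name'" >&2
        return 1
    fi
}

# Write a minimal service definition (same elements as the shipped ssh.xml:
# short, description, port) for service $1 on $2/$3 into directory $4.
fw_write_service() {
    name=$1 port=$2 proto=$3
    dir=${4:-/etc/firewalld/services}
    mkdir -p "$dir"
    cat >"$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>Custom service $name on port $port/$proto.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Demo against a scratch tree (constructed here, so the script runs anywhere).
demo=$(mktemp -d)
etc="$demo/etc/firewalld/services"; lib="$demo/usr/lib/firewalld/services"
fw_write_service myapp 8443 tcp "$lib"    # stand-in for a packaged default
fw_service_file myapp "$etc" "$lib"       # -> .../usr/lib/firewalld/services/myapp.xml
fw_write_service myapp 9443 tcp "$etc"    # local override on a different port
fw_service_file myapp "$etc" "$lib"       # -> .../etc/firewalld/services/myapp.xml
rm -f "$etc/myapp.xml"                    # deleting the override restores the default
fw_service_file myapp "$etc" "$lib"       # -> .../usr/lib/firewalld/services/myapp.xml
rm -rf "$demo"
```

After writing a real override, firewall-cmd --info-service=<name> shows what firewalld actually loaded, which is the quickest way to confirm the /etc copy took precedence.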
Status commands
- yum install firewalld: install the firewalld package
- systemctl start firewalld.service: start the service
- systemctl stop firewalld.service: stop the firewall
- systemctl enable firewalld.service: start the firewall automatically at boot
- systemctl disable firewalld.service: do not start the firewall automatically at boot
- systemctl status firewalld or firewall-cmd --state: show the firewall status
- firewall-cmd --get-active-zones: list the active zones (zones with an interface or source bound to them) and their interfaces; the default zone is public
- firewall-cmd --get-services: list all predefined services
Rule commands
- --zone=public: public is the default zone (DefaultZone in firewalld.conf), so --zone=public can be omitted from every command below.
- --permanent: saves the change into the zone's XML configuration, exactly as if you had edited the file by hand; it survives a restart, but it does not take effect until firewall-cmd --reload. Without --permanent, firewalld changes the runtime rules instead: the change takes effect immediately but is lost when firewalld restarts or reloads. A common mistake is to do one and forget the other; either run the command twice (with and without --permanent), or make the runtime change and then save it with firewall-cmd --runtime-to-permanent.
- firewall-cmd --reload: reload the permanent configuration into the runtime while keeping connection state, so that --permanent changes take effect (run it after every batch of --permanent changes).
- Every rule type supports the same four operations: add, remove, list and query.
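As an added example (not part of the original post), the script below turns the runtime/permanent distinction into something you can check on a host: it asks firewall-cmd for both answers and tells you whether a port is active now, will survive a reload, or both. It also shows the order of operations that avoids locking yourself out of a remote machine: change the runtime first, confirm you still have access, then save with firewall-cmd --runtime-to-permanent. The port specs are illustrative; fw_classify is pure string logic so it can be exercised without firewalld.

```shell
#!/bin/sh
# Added example: which layer is a rule in? firewall-cmd --query-port prints
# yes/no (exit 0/1) for the runtime rules, and for the permanent
# configuration when --permanent is given. Port specs below are illustrative.

# Classify a (runtime, permanent) answer pair. Pure string logic.
fw_classify() {
    case "$1/$2" in
        yes/yes) echo both ;;
        yes/no)  echo runtime-only ;;
        no/yes)  echo permanent-only ;;
        no/no)   echo none ;;
        *)       echo "unexpected answers: $1/$2" >&2; return 2 ;;
    esac
}

# Human-readable consequence of each class.
fw_explain() {
    case $1 in
        both)           echo "active now and kept across reload/restart" ;;
        runtime-only)   echo "active now, LOST on reload/restart (save with --runtime-to-permanent)" ;;
        permanent-only) echo "in the XML only, NOT active until firewall-cmd --reload" ;;
        none)           echo "not configured" ;;
    esac
}

# Query both layers for a port spec such as 80/tcp in the default zone.
fw_port_state() {
    rt=$(firewall-cmd --query-port="$1" 2>/dev/null || true)
    pm=$(firewall-cmd --permanent --query-port="$1" 2>/dev/null || true)
    cls=$(fw_classify "${rt:-no}" "${pm:-no}") || return 2
    printf '%s: %s (%s)\n' "$1" "$cls" "$(fw_explain "$cls")"
}

# Lock-out-safe change on a remote host: runtime first (a firewalld restart
# undoes it if it cuts you off), verify access, then persist the runtime state.
fw_open_port_safely() {
    firewall-cmd --add-port="$1" >/dev/null || return 1
    fw_port_state "$1"                              # expect runtime-only here
    firewall-cmd --runtime-to-permanent >/dev/null || return 1
    fw_port_state "$1"                              # expect both
}

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    fw_port_state 22/tcp
    fw_port_state 80/tcp
else
    echo "firewalld not running; showing the classification only" >&2
    fw_classify yes no; fw_classify no yes
fi
```

Run fw_port_state on the port you just changed: "runtime-only" means the next reload will silently close it again, "permanent-only" means it is not actually open yet.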
Add, remove, list, query
1. Port rules
- firewall-cmd --permanent --add-port=80/tcp: permanently open port 80/tcp
- Batch opening: give a range, e.g. --add-port=3000-5000/tcp
- firewall-cmd --permanent --remove-port=80/tcp: permanently close port 80/tcp
- firewall-cmd --list-ports: list the open ports. With --permanent only the permanent entries are shown. The output is space-separated, e.g. 8080-8081/tcp 8388/tcp 80/tcp
- firewall-cmd --query-port=80/tcp: query the state of one port. With --permanent only the permanent state is consulted. Prints yes | no and exits 0 | 1.
2. Service rules
Service rules are a core firewalld concept. Compared with raw port rules they have two advantages: a service name is self-explanatory, so rules are less error-prone; and when a service's port changes you only edit its service file, not every zone that references it. The relationship is the same as DNS between domain names and IP addresses.
- firewall-cmd --get-services: list all predefined services
- firewall-cmd --permanent --add-service=ssh: permanently allow the ssh service (allowed by default in the public zone)
- firewall-cmd --permanent --remove-service=ssh: permanently remove the ssh service. If you administer the host over SSH, this locks you out once it takes effect.
- firewall-cmd --list-services: list the allowed services. With --permanent only the permanent entries are shown. The output is space-separated, e.g. dhcpv6-client ssh https
- firewall-cmd --query-service=ssh: query the state of one service. With --permanent only the permanent state is consulted. Prints yes | no and exits 0 | 1.
3. Rich rules
- A rich rule can match a single IP address or an address block.
- Address block notation, e.g. 10.0.0.0/24: the address is the start of the block and 24 is the prefix length, i.e. a subnet mask of 255.255.255.0, so the block holds 256 addresses, 10.0.0.0 to 10.0.0.255. Write a block by its network address (192.168.1.0/24): a form such as 192.168.1.1/24 denotes the same block once the host bits are masked off, but it is easily misread as a single-host rule. The settings for the two rule shapes are as follows:
1) ip-port (the action can be accept or reject)
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.103" port protocol="tcp" port="3306-5200" accept': permanently allow one IP address to reach a port range
- firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.103" port protocol="tcp" port="3306" accept': permanently remove a rich rule. The rule text must match the rule that was added: this command removes a rule for port 3306 only and leaves a rule for 3306-5200 in place.
- firewall-cmd --query-rich-rule='rule family="ipv4" source address="192.168.1.103" port protocol="tcp" port="3306" accept': query whether a rich rule is present. With --permanent only the permanent configuration is consulted. Prints yes | no.
Wrap the whole rule in single quotes in the shell so that the inner double quotes reach firewalld intact.
2) ip-service (the action can be accept or reject)
- firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept': permanently allow an address block to reach a service
- firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept': permanently remove that access (again the rule text must match what was added)
- firewall-cmd --query-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept': query whether the rule is present. Add --permanent to consult the permanent configuration instead. Prints yes | no.
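Because add, query and remove only agree when the rule text is identical, it pays to generate the string once and reuse it. The following is an added example (not from the original post) that builds ip-port and ip-service rich rules from parameters, normalizes the source to its network address so that 192.168.1.103/24 becomes 192.168.1.0/24, and wraps firewall-cmd so that every operation is applied to both the runtime and the permanent configuration. The addresses and ports are illustrative; fw_rich is the only part that needs a running firewalld.

```shell
#!/bin/sh
# Added example: build rich rules from parameters so the string used for
# --add-rich-rule is byte-for-byte the one used later for --query/--remove.
# Addresses and ports are illustrative; the rule grammar is firewalld's.

# Normalize an IPv4 CIDR to its network address (192.168.1.103/24 -> 192.168.1.0/24).
# A bare address is returned unchanged. Pure POSIX sh arithmetic, no ipcalc needed.
cidr_network() {
    case $1 in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   printf '%s\n' "$1"; return 0 ;;
    esac
    case $plen in ''|*[!0-9]*) echo "bad prefix length in $1" >&2; return 1 ;; esac
    [ "$plen" -le 32 ] || { echo "bad prefix length in $1" >&2; return 1; }
    a=${addr%%.*}; r=${addr#*.}
    b=${r%%.*};    r=${r#*.}
    c=${r%%.*};    d=${r#*.}
    [ "$a.$b.$c.$d" = "$addr" ] || { echo "bad address in $1" >&2; return 1; }
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) echo "bad address in $1" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad address in $1" >&2; return 1; }
    done
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# ip-port rule: rich_rule_port SRC PORT[-PORT] PROTO [accept|reject|drop]
rich_rule_port() {
    src=$(cidr_network "$1") || return 1
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" %s\n' \
        "$src" "$3" "$2" "${4:-accept}"
}

# ip-service rule: rich_rule_service SRC SERVICE [accept|reject|drop]
rich_rule_service() {
    src=$(cidr_network "$1") || return 1
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' \
        "$src" "$2" "${3:-accept}"
}

# fw_rich add|remove|query "<rule>": same rule text for runtime and permanent,
# so the two layers cannot drift apart.
fw_rich() {
    firewall-cmd "--$1-rich-rule=$2" && firewall-cmd --permanent "--$1-rich-rule=$2"
}

rule=$(rich_rule_port 192.168.1.103/24 3306-5200 tcp)
printf '%s\n' "$rule"   # rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306-5200" accept
# On a host with firewalld:  fw_rich add "$rule"; fw_rich query "$rule"; fw_rich remove "$rule"
```

The normalization step is what prevents the 192.168.1.1/24 ambiguity discussed above from reaching the firewall: whatever a colleague types, the stored rule names the block explicitly.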
4. Masquerading (IP address disguise) and port forwarding
Use firewall-cmd to forward connections that arrive on this host's port 3306 to another host; the example below sends them to 192.168.1.2 port 13306.
- firewall-cmd --permanent --add-masquerade: enable masquerading (source NAT) in the zone first. Forwarding to a different host requires it; otherwise the target sees the original client address and its replies do not come back through this host.
- firewall-cmd --permanent --add-forward-port=port=3306:proto=tcp:toaddr=192.168.1.2:toport=13306: configure the port forward. The value is a colon-separated list of port, proto, toaddr and toport; at least one of toaddr and toport must be given. Run firewall-cmd --reload afterwards and confirm the entry under forward-ports: in firewall-cmd --list-all.
5. Listing everything
- firewall-cmd --list-all: list the complete configuration of the (default) zone; with --permanent only the permanent configuration is shown. Example output:

```
[root@localhost zones]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.0.4/24" service name="http" accept
	rule family="ipv4" source address="192.168.1.103" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.1.103" port port="3308" protocol="tcp" accept
```
- cat /etc/firewalld/zones/public.xml: view the same rules in XML form, as stored in the zone file (only the permanent configuration lives there).
- iptables -L -n: look at the kernel's rules to confirm that a configured port is really open. This shows firewalld's rules only when firewalld uses its iptables backend (0.5 and earlier, e.g. CentOS 7); with the nftables backend (0.6 and later, e.g. RHEL/CentOS 8) use nft list ruleset instead. Example:

```
> iptables -L -n | grep 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
```
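The listing above makes a point that is easy to miss: everything under services: and ports: is reachable from every peer that lands in the zone, while only the rich rules carry a source restriction. The following added example (not from the original post) audits a zone from the text that firewall-cmd --list-all prints, flags anything open to all sources that is not on an explicit allowlist, and reports the source each rich rule is restricted to. The sample listing is constructed here to mirror the one above; the allowlist contents are an assumption.

```shell
#!/bin/sh
# Added example: audit a zone from the output of firewall-cmd --list-all.
# Entries under "services:" and "ports:" are reachable from EVERY source that
# lands in the zone; only rich rules carry a source restriction.

# fw_audit_zone "<allowlist>" < listing
# Prints one line per entry; exits 1 if something not on the space-separated
# allowlist (service names or port specs) is open to all sources.
fw_audit_zone() {
    awk -v allow=" ${1:-} " '
        /^[ \t]*services:/ { for (i = 2; i <= NF; i++) open[++n] = "service " $i; next }
        /^[ \t]*ports:/    { for (i = 2; i <= NF; i++) open[++n] = "port " $i;    next }
        /^[ \t]*rule / {
            sub(/^[ \t]+/, "")
            src = "(no source restriction)"
            if (match($0, /source address="[^"]*"/))
                src = substr($0, RSTART + 16, RLENGTH - 17)   # strip source address=" and "
            print "restricted to " src ": " $0
            next
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                name = open[i]; sub(/^[a-z]+ /, "", name)
                if (index(allow, " " name " ")) print "open to all, allowlisted: " open[i]
                else { print "OPEN TO ALL: " open[i]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample, shaped like the public zone listing above.
sample='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.4/24" service name="http" accept
        rule family="ipv4" source address="192.168.1.103" port port="3306" protocol="tcp" accept'

fw_audit_sample() { printf '%s\n' "$sample" | fw_audit_zone "$1"; }

# Audit the live zone when firewalld is present, otherwise the sample.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    firewall-cmd --list-all | fw_audit_zone "ssh dhcpv6-client"
else
    # 22/tcp duplicates ssh but is not allowlisted, so the audit flags it
    fw_audit_sample "ssh dhcpv6-client" || echo "audit flagged unrestricted entries (exit $?)"
fi
```

Run it after every change: a zone that passes this check exposes only the services you have consciously listed, and every other entry is tied to a source.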