1. Introduction to firewalls
- 1. netfilter
The netfilter component, also known as the kernel-space part, is part of the kernel. It consists of packet filtering tables that hold the rule sets the kernel uses to control packet filtering.
- 2. iptables
iptables is an IP packet filtering system integrated with the Linux 3.5 kernel. If the Linux system is connected to the Internet or a LAN, or acts as a server or proxy server connecting a LAN to the Internet, iptables gives better control over IP packet filtering and firewall configuration on that system.
When making packet filtering decisions, the firewall follows a set of rules. These rules are stored in special packet filtering tables integrated in the Linux kernel. Within a packet filtering table, rules are grouped into what are called chains. The netfilter/iptables IP packet filtering system is a powerful tool that can be used to add, edit and remove rules.
Although the netfilter/iptables IP packet filtering system is referred to as a single entity, it actually consists of two components: netfilter and iptables.
The netfilter component, also known as the kernel-space part, is part of the kernel. It consists of packet filtering tables that hold the rule sets the kernel uses to control packet filtering.
The iptables component is a tool, also known as the user-space part, that makes it easy to insert, modify and remove rules in the packet filtering tables.
- 3. iptables | firewalld
iptables firewall policies are handled by the netfilter packet filter at the kernel level, while firewalld policies are handled by the nftables packet filtering framework at the kernel level. Compared with iptables, firewalld supports dynamic updates and adds the concept of zones, that is, different sets of firewall policies; users can choose the appropriate zone for a given production scenario, which allows fast switching between firewall policies.
2. Switching between firewall management tools
In RHEL 8 the default is firewalld.

firewalld -----> iptables
dnf install iptables-services -y
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl unmask iptables ## only needed if iptables was masked earlier
systemctl enable --now iptables

iptables -----> firewalld
dnf install firewalld -y
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl unmask firewalld ## required, since firewalld was masked above
systemctl enable --now firewalld
3. Using iptables
# Permanently saving the firewall policy #
/etc/sysconfig/iptables ## iptables policy record file
Persistently save the policy:
iptables-save > /etc/sysconfig/iptables
service iptables save
4. Firewall default policy
- 5 chains in the default policy
INPUT ## input
OUTPUT ## output
FORWARD ## forwarding
POSTROUTING ## after routing
PREROUTING ## before routing
- 3 default tables
filter ## data passing through the local kernel (INPUT, OUTPUT, FORWARD)
nat ## data not destined for the local kernel (POSTROUTING, PREROUTING, INPUT, OUTPUT)
mangle ## used when the filter and nat tables are not enough (INPUT, OUTPUT, FORWARD, POSTROUTING, ...)
iptables command options
iptables
-t ## specify the table name
-n ## no name resolution
-L ## list rules
-A ## append a policy
-p ## protocol
--dport ## destination port
-s ## source address
-j ## action
  ACCEPT ## allow
  DROP ## discard silently
  REJECT ## refuse with a reply
  SNAT ## source address translation
  DNAT ## destination address translation
-N ## new chain
-E ## rename a chain
-X ## delete a chain
-D ## delete a rule
-I ## insert a rule
-R ## replace a rule
-P ## change the default policy of a chain
Packet (connection) states
RELATED ## related to an existing connection
ESTABLISHED ## part of an established connection
NEW ## new connection
[root@node1 named]# iptables -nL ## the default is the filter table; -n means no name resolution
[root@node1 named]# iptables -t nat -nL
[root@node1 named]# iptables -t mangle -nL
[root@node1 named]# iptables -t filter -L
[root@node1 named]# vim /etc/sysconfig/iptables
[root@node1 named]# service iptables save
[root@node1 named]# iptables -F ## flush (clear) the rules
[root@node1 named]# service iptables save ## make the cleared state permanent
[root@node1 named]# systemctl restart iptables.service
[root@node1 named]# iptables -nL
[root@node1 network-scripts]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
[root@node1 network-scripts]# iptables -A INPUT -j REJECT
[root@node1 network-scripts]# iptables -nL
[root@node1 network-scripts]# iptables -D INPUT 2 ## delete rule 2
[root@node1 network-scripts]# iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT ## ping fails, but ssh can connect
[root@node1 network-scripts]# iptables -R INPUT 2 ! -s 172.25.254.250 -p tcp --dport 22 -j ACCEPT ## host 250 is not allowed to connect
[root@node1 network-scripts]# iptables -N westos ## create a new chain
[root@node1 network-scripts]# iptables -E westos REDHAT ## rename the chain
[root@node1 network-scripts]# iptables -E REDHAT westos
[root@node1 network-scripts]# iptables -X westos ## delete the chain
[root@node1 network-scripts]# iptables -P INPUT DROP
[root@node1 network-scripts]# iptables -P INPUT ACCEPT ## change the default policy
[root@node1 named]# iptables -nL
[root@node1 named]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node1 named]# iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[root@node1 named]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## dns 53, httpd 80, sshd 22
[root@node1 named]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
[root@node1 named]# iptables -A INPUT -m state --state NEW -j ACCEPT
[root@node1 named]# iptables -nL
[root@node1 named]# iptables -D INPUT 5
[root@node1 named]# iptables -A INPUT -m state --state NEW -j REJECT
[root@node1 named]# iptables -nL
1. Allow packets of established and related connections:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
2. Allow new packets on the loopback interface of the machine:
iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
3. Allow new packets for the specified services:
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
4. Add a policy that makes a service available to all hosts except the specified IP, then reject everything else:
iptables -A INPUT -m state --state NEW ! -s 192.168.0.10 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT
service iptables save ## the firewall policy is permanently saved
Note: when policies are added with the iptables command, they are matched from top to bottom, so the order of the rules matters.
nat table: dnat and snat
snat:
iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to-source 192.168.0.20 ## external network side
dnat:
iptables -t nat -A PREROUTING -i ens160 -j DNAT --to-dest 172.25.254.30 ## internal network side
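The four-step stateful INPUT policy above, as an added example that is not code from the original post: a shell function emits the rules in iptables-restore format (the format kept in /etc/sysconfig/iptables), and a second function checks that the catch-all REJECT is the last INPUT rule, since rules are matched top to bottom. The excluded host 192.168.0.10 and ports 80, 443 and 53 are the values from the text; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. It writes the four-step
# stateful INPUT policy described above in iptables-restore format (the same
# format kept in /etc/sysconfig/iptables) and checks the rule order before
# anything is loaded into the kernel.
# Function names are this example's own; 192.168.0.10 and ports 80/443/53
# are the values used in the text.

# build_input_policy EXCLUDED_IP PORT... -> iptables-restore text on stdout
build_input_policy() {
    excluded_ip="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # 1. packets belonging to, or related to, an existing connection
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # 2. new connections arriving on the loopback interface
    printf '%s\n' '-A INPUT -m state --state NEW -i lo -j ACCEPT'
    # 3. new connections to each published TCP service
    for port in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $port -j ACCEPT"
    done
    # 4. sshd reachable from every host except the excluded one
    printf '%s\n' "-A INPUT -m state --state NEW ! -s $excluded_ip -p tcp --dport 22 -j ACCEPT"
    # catch-all: must stay last, because rules are matched top to bottom
    printf '%s\n' '-A INPUT -m state --state NEW -j REJECT'
    printf '%s\n' 'COMMIT'
}

# check_order < RULES -> exit 0 when no INPUT ACCEPT rule is shadowed by an
# earlier catch-all REJECT (a REJECT with no port or source match), 1 otherwise
check_order() {
    awk '
        /^-A INPUT / && /-j REJECT$/ && !/--dport/ && !/-s / { catch_all = 1; next }
        /^-A INPUT / && /-j ACCEPT$/ && catch_all            { shadowed = 1 }
        END { exit shadowed ? 1 : 0 }
    '
}

# Generate the policy, print it, and report whether the order is sound.
rules=$(build_input_policy 192.168.0.10 80 443 53)
printf '%s\n' "$rules"
if printf '%s\n' "$rules" | check_order; then
    echo "order ok: catch-all REJECT is the last INPUT rule"
else
    echo "order problem: an ACCEPT rule comes after the catch-all REJECT" >&2
fi
```

Redirect the generated text to a file, review it, then load it with iptables-restore and make it permanent with service iptables save; iptables-restore's --test option parses the ruleset without committing it, which is a useful first step.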
firewalld
1. Starting firewalld
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl unmask firewalld
systemctl enable --now firewalld
2. About firewalld zones
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
trusted ## accept all network connections
home ## for home networks; accepts ssh, mDNS, IPP client, Samba client, DHCP client
work ## work network; ssh, IPP client, DHCP client
public ## public network; ssh, DHCP client
dmz ## demilitarized zone; ssh
block ## reject all
drop ## discard; all data is dropped without any reply
internal ## internal network; ssh, mDNS, IPP client, Samba client, DHCP client
external ## IPv4 network address masquerading (forwarding); sshd
3. Configuration principles and data storage of firewalld
/etc/firewalld ## firewall configuration directory
/lib/firewalld ## firewall module directory
4. Management commands of firewalld
firewall-cmd --state ## view the firewall status
firewall-cmd --get-active-zones ## view the zones in effect in the current firewall
firewall-cmd --get-default-zone ## view the default zone
firewall-cmd --list-all ## view the firewall policy of the default zone
firewall-cmd --list-all --zone=work ## view the firewall policy of the specified zone
firewall-cmd --set-default-zone=trusted ## set the default zone
firewall-cmd --get-services ## view all services that can be configured
firewall-cmd --permanent --remove-service=cockpit ## remove a service
firewall-cmd --reload
firewall-cmd --permanent --add-source=172.25.254.0/24 --zone=block ## bind a data source to the specified zone
firewall-cmd --reload
firewall-cmd --permanent --remove-source=172.25.254.0/24 --zone=block ## remove a data source from the specified zone
firewall-cmd --permanent --remove-interface=ens224 --zone=public ## remove a network interface from the specified zone
firewall-cmd --permanent --add-interface=ens224 --zone=block ## add a network interface to the specified zone
firewall-cmd --permanent --change-interface=ens224 --zone=public ## move the network interface to the specified zone
5. Advanced (direct) rules of firewalld
firewall-cmd --direct --get-all-rules ## view direct rules
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.250 -p tcp --dport 22 -j REJECT ## only host 172.25.254.250 can connect to port 22 of this host
6. NAT in firewalld
SNAT
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
DNAT
firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=172.25.254.30
firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --permanent --direct --get-all-rules
[root@node1 firewalld]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.250 -p tcp --dport 22 -j REJECT ## host 250 cannot ssh in
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --direct --get-all-rules
[root@node1 firewalld]# firewall-cmd --list-all
[root@node1 firewalld]# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -s 172.25.254.250 -p tcp --dport 22 -j REJECT
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --direct --get-all-rules
[root@node1 firewalld]# firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=1.1.1.212:toport=22 ## destination address translation
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --list-all
[root@node1 firewalld]# firewall-cmd --permanent --add-masquerade ## source address translation
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --list-all
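The firewalld management and NAT commands above share one pattern: every --permanent change is written to the configuration only, and nothing takes effect until --reload. The following added example (not code from the original post, and not part of firewalld itself) batches those changes into one function, reloads once at the end, and checks net.ipv4.ip_forward before adding the masquerade and forward-port rules, because NAT does nothing on a host that does not forward packets. The zone, source network, interface and DNAT target are sample values taken from the commands above; the function names, the FW_DRYRUN and IP_FORWARD_FILE variables are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. It batches the --permanent
# firewall-cmd changes shown above and applies them with a single --reload,
# and it checks net.ipv4.ip_forward before adding the NAT rules, because
# masquerading and port forwarding do nothing on a host that does not forward.
# With FW_DRYRUN=1 the firewall-cmd calls are printed instead of executed, so
# the plan can be reviewed on any machine. Zone, source, interface and DNAT
# target are constructed sample values; the function names are the example's own.

# fw ARGS... : run firewall-cmd, or print the call when FW_DRYRUN=1
fw() {
    if [ "${FW_DRYRUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# ip_forwarding_enabled [FILE] : true when the sysctl value is 1
# (FILE defaults to /proc/sys/net/ipv4/ip_forward; a path can be given for testing)
ip_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# apply_zone_policy ZONE SOURCE_CIDR IFACE DNAT_TARGET
apply_zone_policy() {
    zone="$1"; src="$2"; iface="$3"; dnat="$4"
    # --permanent writes /etc/firewalld only; nothing changes until --reload
    fw --permanent --remove-service=cockpit
    fw --permanent --add-source="$src" --zone="$zone"
    fw --permanent --add-interface="$iface" --zone="$zone"
    if ip_forwarding_enabled "${IP_FORWARD_FILE:-}"; then
        fw --permanent --add-masquerade
        fw --permanent --add-forward-port="port=22:proto=tcp:toaddr=$dnat"
    else
        echo "ip_forward is 0: skipping masquerade and forward-port" >&2
    fi
    # one reload activates every permanent change above at the same time
    fw --reload
}

# Print the plan; run without FW_DRYRUN on a firewalld host to apply it.
FW_DRYRUN=1 apply_zone_policy block 172.25.254.0/24 ens224 172.25.254.30
```

Grouping the changes this way avoids the window in which a runtime-only change has been made but not persisted; if a change was made at runtime without --permanent, firewall-cmd --runtime-to-permanent copies the current runtime configuration into the permanent one.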
Supplement
Cockpit is a web-based graphical server management tool developed by Red Hat. Its advantage is that it needs no intermediate layer and can manage a variety of services. According to the description on its project home page, Cockpit has the following characteristics: it is designed for ease of use, so that administrators find it convenient rather than merely turning terminal commands into buttons; it does not disrupt the configuration of existing terminal or script-based services; a service enabled through Cockpit can be stopped from the terminal, and errors from running scripts are captured by Cockpit; and it supports managing multiple services at once to achieve automation and batch processing.