iptables + firewalld firewall policy optimization

1. Introduction to the firewall

  • 1.netfilter
    The netfilter component, also known as kernel space, is part of the kernel. It consists of packet filtering tables that hold the rule sets the kernel uses to control packet filtering.
  • 2.iptables
    iptables is an IP packet filtering system integrated with the latest version 3.5 Linux kernel. If the Linux system is connected to the Internet or a LAN, or acts as a server or proxy server between a LAN and the Internet, this system gives better control over IP packet filtering and firewall configuration on that host.
    When making packet filtering decisions, the firewall follows a set of rules. These rules are stored in special packet filtering tables built into the Linux kernel. Inside a table, rules are grouped into what we call chains. The netfilter/iptables IP packet filtering system is a powerful tool for adding, editing and removing rules.
    Although netfilter/iptables is referred to as a single entity, it actually consists of two components, netfilter and iptables.
    The netfilter component, also known as kernel space, is part of the kernel. It consists of packet filtering tables that hold the rule sets the kernel uses to control packet filtering.
    The iptables component is a user-space tool that makes it easy to insert, modify and remove rules in the packet filtering tables.
  • 3.iptables|firewalld
    iptables firewall policy is processed at the kernel level by the netfilter packet filter, while firewalld policy is processed at the kernel level by the nftables packet filtering framework. Compared with iptables, firewalld supports dynamic updates and adds the concept of zones, that is, different firewall policy sets; the user picks the zone that fits the production scenario, which allows fast switching between firewall policies.

2. Switching between firewall management tools

In rhel8 the default is firewalld.

firewalld -----> iptables
dnf install iptables-services -y
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
systemctl unmask iptables
systemctl enable --now iptables

iptables -----> firewalld
dnf install firewalld -y
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl unmask firewalld
systemctl enable --now firewalld

3. Use of iptables

#Permanent saving of the firewall policy#
/etc/sysconfig/iptables ##iptables policy record file, loaded by the iptables service at start-up

Persistently save the policy (either command works)
iptables-save > /etc/sysconfig/iptables
service iptables save

4. Firewall default policy

  • 5 chains in the default policy
    INPUT        ## packets addressed to this host
    OUTPUT       ## packets generated by this host
    FORWARD      ## packets routed through this host
    POSTROUTING  ## after routing
    PREROUTING   ## before routing

  • 3 default tables
    filter ## data passing through the local kernel (INPUT, OUTPUT, FORWARD)
    nat    ## address translation of data not destined for the local kernel (POSTROUTING, PREROUTING, INPUT, OUTPUT)
    mangle ## used when the filter and nat tables are not enough (INPUT, OUTPUT, FORWARD, POSTROUTING, ...)

iptables command
iptables
	-t		##specify table name (default: filter)
	-n		##numeric output, do not resolve names
	-L		##list rules
	-A		##append policy
	-p		##protocol
	--dport		##destination port
	-s		##source address
	-j		##action
		ACCEPT	##allow
		DROP	##discard silently
		REJECT	##refuse with an error reply
		SNAT	##source address translation
		DNAT	##destination address translation
	-N		##new chain
	-E		##rename chain
	-X		##delete chain
	-D		##delete rule
	-I		##insert rule
	-R		##replace rule
	-P		##change the chain's default policy

Packet states (-m state --state)
RELATED      ## packet related to an existing connection (for example the data channel of FTP)
ESTABLISHED  ## packet belonging to an already established connection
NEW          ## packet opening a new connection

[root@node1 named]# iptables  -nL  ##the default is the filter table; -n means no name resolution
[root@node1 named]# iptables -t nat -nL
[root@node1 named]# iptables -t mangle -nL
[root@node1 named]# iptables -t filter -L
[root@node1 named]# vim /etc/sysconfig/iptables
[root@node1 named]# service iptables save
[root@node1 named]# iptables -F    ##flush all rules of the filter table (running configuration only)
[root@node1 named]# service iptables save  ##save the now-empty ruleset, making the flush permanent
[root@node1 named]# systemctl restart iptables.service 
[root@node1 named]# iptables -nL

[root@node1 network-scripts]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
[root@node1 network-scripts]# iptables -A INPUT -j REJECT
[root@node1 network-scripts]# iptables -nL
[root@node1 network-scripts]# iptables -D  INPUT 2 ##delete rule number 2 of INPUT
[root@node1 network-scripts]# iptables -I  INPUT 2 -p tcp --dport 22 -j ACCEPT  ##ping fails, but ssh can connect

[root@node1 network-scripts]# iptables -R INPUT 2 ! -s 172.25.254.250 -p  tcp --dport 22 -j ACCEPT  ##replace rule 2: every host except 172.25.254.250 may ssh
[root@node1 network-scripts]# iptables -N westos  ##create a new chain
[root@node1 network-scripts]# iptables -E westos REDHAT  ##rename chain
[root@node1 network-scripts]# iptables -E REDHAT westos
[root@node1 network-scripts]# iptables -X westos   ##delete the (empty, unreferenced) chain
[root@node1 network-scripts]# iptables -P INPUT  DROP   ##default policy DROP: anything not explicitly accepted is dropped
[root@node1 network-scripts]# iptables -P INPUT ACCEPT  ##change the default policy back
[root@node1 named]# iptables -nL
[root@node1 named]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node1 named]# iptables -A INPUT -i lo -m state --state NEW  -j ACCEPT
[root@node1 named]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW  -j ACCEPT  ##dns53  httpd 80 sshd 22 
[root@node1 named]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW  -j ACCEPT  ##
[root@node1 named]# iptables -A INPUT -m state --state NEW  -j ACCEPT
[root@node1 named]# iptables -nL
[root@node1 named]# iptables -D INPUT 5
[root@node1 named]# iptables -A INPUT -m state --state NEW  -j REJECT
[root@node1 named]# iptables -nL
1. Allow packets of established and related connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
2. Allow new packets on the loopback interface of the machine
iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
3. For the specified services, allow new packets
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
4. Make a service available to every host except the specified ip, then reject everything else
iptables -A INPUT -m state --state NEW ! -s 192.168.0.10 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -j REJECT
service iptables  save  ##the firewall policy is saved permanently
Note: when policies are added with the iptables command, rules are matched from top to bottom and the first matching rule decides; the catch-all REJECT must therefore stay last.

dnat and snat in the nat table (the host must forward packets: net.ipv4.ip_forward = 1)

snat
iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to-source 192.168.0.20 ##packets leaving on the external interface get the external address as source

dnat
iptables -t nat -A PREROUTING -i ens160 -j DNAT --to-destination 172.25.254.30 ##packets arriving on the external interface are redirected to the internal host
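The INPUT policy built step by step in section 4 and the snat/dnat rules above can be kept together as one file in the format the iptables service loads from /etc/sysconfig/iptables. The script below is an added example, not part of the original notes: it generates that file, checks the two ordering invariants the top-to-bottom matching note depends on (stateful ACCEPT first, catch-all REJECT last), and counts the ports exposed to every source. The interface ens160, the addresses 192.168.0.20 and 172.25.254.30 and the excluded host 192.168.0.10 are taken from the notes; the DNAT rule is restricted to port 22 here, which the notes' own rule (no --dport) does not do, and the function names and the path /tmp/iptables.rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): build the stateful INPUT policy of
# section 4 plus the SNAT/DNAT rules as one iptables-restore file, i.e. the format
# of /etc/sysconfig/iptables, so it can be reviewed and test-loaded before use.
# Assumed values (taken from the notes): external interface ens160, external
# address 192.168.0.20, internal server 172.25.254.30.
WAN_IF=${WAN_IF:-ens160}
PUBLIC_IP=${PUBLIC_IP:-192.168.0.20}
INTERNAL_HOST=${INTERNAL_HOST:-172.25.254.30}

# gen_ruleset OUTFILE EXCLUDED_HOST PORT...
# Order matters: iptables matches top-down and the first match decides, so the
# RELATED,ESTABLISHED ACCEPT comes first and the catch-all REJECT last.
gen_ruleset() {
    out=$1; excluded=$2; shift 2
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -i lo -m state --state NEW -j ACCEPT'
        for port in "$@"; do
            echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
        # ssh is open to every host except the excluded one
        echo "-A INPUT ! -s $excluded -p tcp --dport 22 -m state --state NEW -j ACCEPT"
        echo '-A INPUT -m state --state NEW -j REJECT'
        echo 'COMMIT'
        echo '*nat'
        echo ':PREROUTING ACCEPT [0:0]'
        echo ':INPUT ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo ':POSTROUTING ACCEPT [0:0]'
        # SNAT: traffic leaving on the external interface gets the external address
        echo "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
        # DNAT: only ssh is forwarded inside (the notes' rule has no --dport and forwards everything)
        echo "-A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $INTERNAL_HOST"
        echo 'COMMIT'
    } > "$out"
}

# check_ruleset FILE: returns 0 only if the first INPUT rule is the stateful ACCEPT
# and the last INPUT rule is the catch-all REJECT, the two ordering invariants
# that keep the policy both usable and closed by default.
check_ruleset() {
    first=$(grep '^-A INPUT' "$1" | head -n 1)
    last=$(grep '^-A INPUT' "$1" | tail -n 1)
    case $first in *'--state RELATED,ESTABLISHED -j ACCEPT') ;; *) return 1 ;; esac
    case $last in *'--state NEW -j REJECT') ;; *) return 1 ;; esac
    return 0
}

# count_open_ports FILE: number of tcp ports accepted from every source
count_open_ports() {
    grep -c '^-A INPUT -p tcp --dport [0-9]* -m state --state NEW -j ACCEPT' "$1"
}

# Stand-alone use: write the file, verify it, and dry-run it through
# iptables-restore when running as root (--test only parses, nothing is applied).
if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_ruleset /tmp/iptables.rules 192.168.0.10 80 443 53
    if check_ruleset /tmp/iptables.rules; then
        iptables-restore --test /tmp/iptables.rules || echo "ruleset rejected by iptables-restore"
    fi
fi
```

Once the dry run passes, the generated file can be copied over /etc/sysconfig/iptables and loaded with `systemctl restart iptables`, which is the same path `service iptables save` writes to; `iptables-save` on the running host can afterwards be fed to `check_ruleset` to confirm the live ruleset still satisfies the ordering invariants.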

firewalld

1. Startup of firewalld

systemctl stop iptables 
systemctl disable iptables
systemctl mask iptables 

systemctl unmask firewalld
systemctl enable --now firewalld 

2. About firewalld zones

[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1   ##forwarding is enabled, as required for masquerade and forward-port

trusted		##accept all network connections
home		##for home networks; accepts ssh, mDNS, IPP client, Samba client, DHCP client
work		##for work networks; accepts ssh, IPP client, DHCP client
public		##for public networks; accepts ssh, DHCP client
dmz		##demilitarized zone; accepts ssh only
block		##reject all incoming connections
drop		##drop all incoming data without any reply
internal	##for internal networks; accepts ssh, mDNS, IPP client, Samba client, DHCP client
external	##ipv4 masquerading for forwarded traffic; accepts ssh

3. Configuration principle and data storage of firewalld

/etc/firewalld ## firewall configuration directory (administrator changes; overrides the defaults)
/lib/firewalld ## firewall module directory (default zone, service and icmptype definitions)

4. Management commands of firewalld

firewall-cmd --state		##view firewall status
firewall-cmd --get-active-zones ##view the zones currently in effect
firewall-cmd --get-default-zone ##view the default zone
firewall-cmd --list-all		##view the firewall policy of the default zone
firewall-cmd --list-all --zone=work ##view the firewall policy of the specified zone
firewall-cmd --set-default-zone=trusted  ##set the default zone

firewall-cmd --get-services 	##view all services that can be configured
firewall-cmd --permanent --remove-service=cockpit	##remove a service (takes effect after reload)
firewall-cmd --reload

firewall-cmd --permanent --add-source=172.25.254.0/24 --zone=block ##assign the source network to the specified zone
firewall-cmd --reload
firewall-cmd --permanent --remove-source=172.25.254.0/24 --zone=block ##remove the source network from the specified zone

firewall-cmd --permanent --remove-interface=ens224 --zone=public ##remove the network interface from the specified zone
firewall-cmd --permanent --add-interface=ens224 --zone=block 	##add the network interface to the specified zone
firewall-cmd --permanent --change-interface=ens224 --zone=public ##move the network interface to the specified zone

5. Advanced (direct) rules of firewalld

firewall-cmd --direct --get-all-rules	##view direct rules
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.250 -p tcp --dport 22  -j REJECT
##only host 172.25.254.250 may connect to this host over ssh; without --permanent the rule is lost on reload

6. NAT in firewalld

SNAT
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload 

DNAT
firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toaddr=172.25.254.30
firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --permanent  --direct  --get-all-rules 
[root@node1 firewalld]# firewall-cmd --permanent  --direct  --add-rule ipv4 filter INPUT 1 -s 172.25.254.250 -p tcp --dport 22 -j REJECT   ##host 172.25.254.250 may not ssh
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd --direct  --get-all-rules
[root@node1 firewalld]# firewall-cmd --list-all
[root@node1 firewalld]# firewall-cmd --permanent  --direct  --remove-rule ipv4 filter INPUT 1 -s 172.25.254.250 -p tcp --dport 22 -j REJECT
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd  --direct  --get-all-rules

[root@node1 firewalld]# firewall-cmd --permanent  --add-forward-port=port=22:proto=tcp:toaddr=1.1.1.212:toport=22 ##destination address translation: port 22 is forwarded to 1.1.1.212:22
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd  --list-all
[root@node1 firewalld]# firewall-cmd --permanent --add-masquerade  ##source address translation (masquerade)
[root@node1 firewalld]# firewall-cmd --reload
[root@node1 firewalld]# firewall-cmd  --list-all
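Everything sections 4, 5 and 6 do with individual firewall-cmd calls can also be expressed as one zone file under /etc/firewalld/zones, which is where --permanent stores its changes. The script below is an added example, not from the original notes: it generates such a zone file carrying the services, the interface, the masquerade and the forward-port of the notes, and uses a rich rule to refuse ssh from 172.25.254.250 in place of the --direct rule (that substitution is mine; the notes use --direct). The zone name westos, the output directory, the service list and the function names are assumptions; the interface ens224 and the addresses come from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a firewalld zone file that
# holds the policy the firewall-cmd commands above build one call at a time.
# Assumed: zone name westos, interface ens224, excluded host 172.25.254.250 and
# DNAT target 172.25.254.30 (interface and addresses taken from the notes).

# gen_zone OUTFILE ZONE IFACE EXCLUDED_HOST DNAT_TARGET SERVICE...
gen_zone() {
    out=$1; zone=$2; iface=$3; excluded=$4; target=$5; shift 5
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<zone>'
        echo "  <short>$zone</short>"
        echo '  <description>generated: listed services, ssh refused for one host, NAT</description>'
        echo "  <interface name=\"$iface\"/>"
        for svc in "$@"; do
            echo "  <service name=\"$svc\"/>"
        done
        # SNAT for traffic leaving through this zone (firewall-cmd --add-masquerade)
        echo '  <masquerade/>'
        # DNAT of port 22 to the internal host (firewall-cmd --add-forward-port=...)
        echo "  <forward-port port=\"22\" protocol=\"tcp\" to-addr=\"$target\"/>"
        # rich rule: firewalld evaluates reject/drop rich rules before the allow
        # entries, so this host is refused ssh although the ssh service is allowed above
        echo '  <rule family="ipv4">'
        echo "    <source address=\"$excluded\"/>"
        echo '    <service name="ssh"/>'
        echo '    <reject/>'
        echo '  </rule>'
        echo '</zone>'
    } > "$out"
}

# zone_service_count FILE: number of zone-wide <service> entries
# (the service inside the rich rule is indented deeper and not counted)
zone_service_count() {
    grep -c '^  <service name=' "$1"
}

# zone_has FILE STRING: returns 0 if the zone file contains the fixed string
zone_has() {
    grep -qF -- "$2" "$1"
}

# zone_wellformed FILE: checks with xmllint when it is installed; otherwise only
# that the opening and closing <rule> tags balance
zone_wellformed() {
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1"
    else
        [ "$(grep -c '<rule ' "$1")" -eq "$(grep -c '</rule>' "$1")" ]
    fi
}

# Stand-alone use: write the zone into a scratch directory. To install it, copy
# it to /etc/firewalld/zones/westos.xml and run: firewall-cmd --reload
OUTDIR=${OUTDIR:-/tmp}
gen_zone "$OUTDIR/westos.xml" westos ens224 172.25.254.250 172.25.254.30 ssh http dns
zone_wellformed "$OUTDIR/westos.xml" && echo "wrote $OUTDIR/westos.xml"
```

After the reload, `firewall-cmd --zone=westos --list-all` shows the services, masquerade, forward-port and rich rule together, which is easier to review than reconstructing the policy from a history of firewall-cmd invocations; keeping the generated file in version control also gives a diff for every policy change.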

Supplement

Cockpit is a web-based graphical service management tool developed by Red Hat. Its advantage is that it needs no intermediate layer and can manage a variety of services.

According to the description on its project homepage, Cockpit has the following characteristics:
    Designed for ease of use, so that administrators can work conveniently rather than only through terminal commands.
    The configuration of existing terminal or script services is not disrupted: a service enabled through Cockpit can be stopped from the terminal, and errors in script runs are captured by Cockpit.
    Supports one-time management of multiple services for automation and batch processing.



Posted by Johan Beijar on Sun, 01 May 2022 21:59:23 +0300