Linux firewalld firewall

Table of Contents

  • firewalld overview
    • The difference between firewalld and iptables:
    • The concept of a firewalld zone
      • The firewalld firewall predefines 9 zones:
      • The flow of firewalld data processing
  • How to configure firewalld firewall:
  • Permanently save configuration

firewalld overview

The firewalld firewall is the default firewall management tool of the CentOS 7 system, replacing the earlier iptables front end. Like iptables it works at the network layer and is a packet-filtering firewall.

firewalld and iptables are both user-space tools for managing the firewall: they define the firewall's rules and functions, and both drive the netfilter packet-filtering subsystem in the kernel, which is what actually filters the packets.

firewalld is a dynamic firewall management tool that supports trust levels for network connections and interfaces defined in terms of network zones. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges (used by some advanced services, such as cloud computing), and has two configuration modes: runtime configuration and permanent configuration.

The difference between firewalld and iptables:

  1. iptables sets its rules mainly per interface and judges the security of the network on that basis.
    firewalld is zone-based: different rules are set for different zones, which is similar to how a hardware firewall is configured.

  2. iptables stores its configuration in /etc/sysconfig/iptables,
    firewalld stores its configuration in XML files under /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (default configuration files).

  3. Every single change with iptables means flushing all old rules and re-reading all rules from /etc/sysconfig/iptables (rule changes take effect immediately).
    firewalld does not recreate all rules; it applies only the differences between the old and new rule sets. Therefore firewalld can change settings at runtime without losing existing connections.

  4. iptables is a static firewall.
    firewalld is a dynamic firewall.

Concept of firewalld zone

To simplify management, firewalld divides all network traffic into zones. Based on the source IP address of a packet, the incoming network interface and other conditions, the traffic is assigned to the corresponding zone. Each zone defines its own list of ports and services that it opens or closes.

The firewalld firewall predefines 9 zones:

Zone       Action
trusted    Allow all incoming traffic.
public     Allow incoming traffic matching the ssh or dhcpv6-client predefined services; reject the rest. This is the default zone for newly added network interfaces.
external   Allow incoming traffic matching the ssh predefined service; reject the rest. IPv4 traffic forwarded out through this zone is masqueraded by default, for use on an external network where the router performs masquerading.
home       Allow incoming traffic matching the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services; reject the rest.
internal   Same defaults as the home zone.
work       Allow incoming traffic matching the ssh, ipp-client or dhcpv6-client predefined services; reject the rest.
dmz        (demilitarized zone) Allow incoming traffic matching the ssh predefined service; reject the rest.
block      Reject all incoming traffic.
drop       Drop all incoming traffic without generating an ICMP error response.

Ultimately, a zone is only as secure as the rules the administrator sets in it.
A zone is like a security door into the host: each zone has rules of a different strictness, and only traffic that meets those rules is allowed in.
Depending on the size of the network, one or more zones can be used, but any active zone must be associated with at least one source address or interface.
By default the public zone is the default zone, and it includes all interfaces (network cards).

The process of firewalld data processing

firewalld data processing flow:

For a packet entering the system, firewalld hands the traffic to the rules of the matching zone based on the packet's source IP address, the incoming network interface and other conditions. The first thing checked for an incoming packet is its source address.

firewalld checks which zone the packet's source address belongs to:

1. If the source address is bound to a specific zone (a source-address binding takes precedence over the zone bound to the interface), the rules of that zone are applied.
2. If the source address is not bound to a specific zone, the zone of the incoming network interface is used and the rules of that zone are applied.
3. If the network interface is not bound to a specific zone either (neither the source address nor the interface has a zone binding), the default zone is used and its rules are applied.
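The three-step zone selection above, followed by the chosen zone's own allow list, modelled in Python as an added example (this is not code from the page or from the firewalld project). The zone table, the interface and source bindings and the service-to-port subset are all constructed for the example, and select_zone and decide are hypothetical helper names.

```python
import ipaddress

# Constructed zone table modelled on the page's description; not taken from a real host.
# Each zone records the sources and interfaces bound to it, the services and ports it
# opens, and what it does with everything else ("target": ACCEPT, REJECT or DROP).
ZONES = {
    "trusted": {"sources": ["10.0.0.0/8"], "interfaces": [],
                "services": set(), "ports": set(), "target": "ACCEPT"},
    "public":  {"sources": [], "interfaces": ["eth0"],
                "services": {"ssh", "dhcpv6-client"}, "ports": set(), "target": "REJECT"},
    "home":    {"sources": ["192.168.1.0/24"], "interfaces": ["eth1"],
                "services": {"ssh", "mdns", "samba-client", "ipp-client", "dhcpv6-client"},
                "ports": {"8080/tcp"}, "target": "REJECT"},
    "drop":    {"sources": ["203.0.113.0/24"], "interfaces": [],
                "services": set(), "ports": set(), "target": "DROP"},
}
DEFAULT_ZONE = "public"

# Ports behind a few predefined service names (a constructed subset of firewalld's
# service definitions, just enough for the zones above).
SERVICE_PORTS = {"ssh": {"22/tcp"}, "dhcpv6-client": {"546/udp"}, "mdns": {"5353/udp"},
                 "ipp-client": {"631/udp"}, "samba-client": {"137/udp", "138/udp"}}


def select_zone(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Steps 1-3 of the page's flow: source binding wins, then interface binding, then default.
    Assumes zone source ranges do not overlap, so the first matching zone is the only one."""
    addr = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        if any(addr in ipaddress.ip_network(net) for net in zone["sources"]):
            return name
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return default


def decide(src_ip, iface, port, proto, zones=ZONES, default=DEFAULT_ZONE):
    """Pick the zone for the packet, then apply that zone's rules to the destination port."""
    name = select_zone(src_ip, iface, zones, default)
    zone = zones[name]
    if zone["target"] == "ACCEPT":          # trusted: everything is allowed
        return name, "ACCEPT"
    allowed = set(zone["ports"])
    for service in zone["services"]:
        allowed |= SERVICE_PORTS.get(service, set())
    if f"{port}/{proto}" in allowed:
        return name, "ACCEPT"
    return name, zone["target"]             # REJECT answers with an ICMP error, DROP stays silent
```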

How to configure firewalld firewall:

1. Use the firewall-cmd command line tool.
2. Use the firewall-config graphical tool.
3. Write the configuration file in /etc/firewalld/.

Method 1: Use the firewall-config graphical tool to manage

Method 2: Write the configuration file in /etc/firewalld

Method 3: firewall-cmd command line operation
Common firewall-cmd command options

--get-default-zone : Display the current default zone
--set-default-zone=<zone> : Set the default zone
--get-active-zones : Display the zones currently in use and the interfaces bound to each
--get-zones : Show all available zones
--get-zone-of-interface=<interface> : Display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface> : Bind the specified interface to the zone
--zone=<zone> --change-interface=<interface> : Move the specified interface into this zone (change the zone it is bound to)
--zone=<zone> --remove-interface=<interface> : Remove the interface binding from the specified zone

Note: a zone can be associated with multiple network cards or source addresses, but a network card or source address can only be associated with one zone.

--list-all-zones : Show all zones and their rules

[--zone=<zone>] --list-all : Display all rules of the specified zone; omitting --zone=<zone> here and in the options below means the default zone is used

[--zone=<zone>] --list-services : Display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service> : Allow a service in the specified zone
[--zone=<zone>] --remove-service=<service> : Remove an allowed service from the specified zone

[--zone=<zone>] --list-ports : Display all ports allowed in the specified zone
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : Allow a port or port range (with its protocol) in the specified zone
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : Remove an allowed port or port range (with its protocol) from the specified zone

[--zone=<zone>] --list-icmp-blocks : Display all ICMP types blocked in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype> : Block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype> : Remove a blocked ICMP type from the specified zone
--get-icmptypes : Show all ICMP types

Permanently save configuration

The operations above are all runtime configuration: they take effect immediately but are lost when the service restarts. To make a change permanent, add --permanent to the command.

Method One:

Method 2
If you forget to add --permanent, you can also run a command afterwards that converts the runtime configuration into the permanent configuration.
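An added example (not code from the page or from firewalld itself) that goes the other way around the permanent configuration: it reads a zone file in the layout firewalld keeps under /etc/firewalld/zones/ and produces the firewall-cmd --permanent commands that would recreate it, so a saved zone can be audited line by line. The zone document is constructed, zone_xml_to_commands is a hypothetical helper name, and the command the paragraph above alludes to, which copies the runtime configuration into the permanent one, is firewall-cmd --runtime-to-permanent.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout firewalld uses for /etc/firewalld/zones/<zone>.xml
# (written for this example, not copied from a real host).
SAMPLE_ZONE_XML = """<zone target="DROP">
  <short>Constructed</short>
  <description>Example zone written for this page.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="udp" port="6000-6010"/>
  <icmp-block name="echo-request"/>
  <masquerade/>
  <interface name="eth0"/>
  <source address="192.168.80.0/24"/>
</zone>
"""


def zone_xml_to_commands(xml_text, zone):
    """Translate one zone XML document into the firewall-cmd --permanent calls that recreate it.
    The opposite direction (runtime rules -> XML on disk) is what --runtime-to-permanent does."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone document")
    base = f"firewall-cmd --permanent --zone={zone}"
    cmds = []
    if root.get("target"):                      # e.g. DROP for the drop zone; absent means reject
        cmds.append(f"{base} --set-target={root.get('target')}")
    for svc in root.findall("service"):
        cmds.append(f"{base} --add-service={svc.get('name')}")
    for port in root.findall("port"):           # a single port or a range, always with protocol
        cmds.append(f"{base} --add-port={port.get('port')}/{port.get('protocol')}")
    for blk in root.findall("icmp-block"):
        cmds.append(f"{base} --add-icmp-block={blk.get('name')}")
    if root.find("masquerade") is not None:
        cmds.append(f"{base} --add-masquerade")
    for itf in root.findall("interface"):
        cmds.append(f"{base} --add-interface={itf.get('name')}")
    for src in root.findall("source"):
        cmds.append(f"{base} --add-source={src.get('address')}")
    # A --permanent change is only written to disk; the daemon applies it after a reload.
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    print("\n".join(zone_xml_to_commands(SAMPLE_ZONE_XML, "public")))
```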

Set Address Translation
(1) Set SNAT

firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.80.0/24 -j SNAT --to-source 12.0.0.1

(2) Set DNAT

firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A PREROUTING -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.11