[LinuxShell] firewalld, the Linux firewall

Article directory

  • Foreword
  • 1. Overview of firewalld
    • 1. Concept
    • 2. The relationship between firewalld and iptables
  • 2. firewalld network zones
    • 1. The concept of a firewalld zone
    • 2. firewalld predefined zones
    • 3. Processing of firewalld packets
      • 3.1 firewalld packet processing flow
      • 3.2 How firewalld checks the packet's source address
      • 3.3 Summary
  • 3. firewalld firewall configuration methods
    • 1. Use the firewall-cmd command line tool
      • 1.1 Zone Management
      • 1.2 Service Management
      • 1.4 Port Management
      • 1.5 Protocol Management
      • 1.6 Set up address translation
    • 2. Use the firewall-config graphical tool
    • 3. Write the configuration file in /etc/firewalld/

Foreword

On the Internet, enterprises provide users with network services by deploying application systems such as web sites, e-mail and FTP servers, and most of these are built on Linux servers. To protect those servers, filter unauthorized access and stop malicious entry into the internal network, you need a firewall.

Besides hardware firewalls, the firewall built into the Linux system is also very capable. This article covers the firewall of the CentOS 7 system: firewalld.

1. firewalld overview

1. Concept

The firewalld firewall is the default firewall management tool of the CentOS 7 system and replaces the earlier iptables firewall. Like iptables, it works at the network layer and is a packet-filtering firewall.

firewalld and iptables are both tools for managing the firewall (they run in user space) and are used to define the firewall's rules and functions; underneath, both drive the netfilter packet-filtering subsystem (which runs in kernel space) to actually filter packets and implement the firewall.

firewalld provides dynamic firewall management that supports network connections and interface security levels defined by network zones. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges (used by some advanced services, such as cloud computing), and has two configuration modes: runtime configuration and permanent configuration.

2. The relationship between firewalld and iptables


Different basis for rules

iptables sets its rules mainly per interface and judges network security on that basis.

firewalld is zone based: different rules are set for different zones, and those zones protect the network, much like the way a hardware firewall is configured.

Different configuration file locations

iptables stores its configuration in /etc/sysconfig/iptables.

firewalld stores its configuration as XML files in /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (the default configuration files).

Different rule modification behaviour

With iptables, every single change means clearing all old rules and reading all new rules back from /etc/sysconfig/iptables (the modified rules take effect immediately).

firewalld does not rebuild the whole rule set; it applies only the difference between the old and new rules, so settings can be changed at runtime without losing current connections.

Different firewall types

iptables is a static firewall: its rules can be thought of as a table on which entries are added, deleted, modified and queried.

firewalld is a dynamic firewall: its rules can be thought of as zones, and different zones can be swapped in for the add, delete, modify and query operations.

2. firewalld network zones

1. The concept of a firewalld zone

To simplify management, the firewalld firewall divides all network traffic into several zones. Traffic is then assigned to the corresponding zone according to conditions such as the packet's source IP address or the incoming network interface. Each zone defines its own list of ports and services that it opens or closes.

2. firewalld predefined zones

  • A zone is like a security door into the host. Each zone has rules with a different degree of restriction, and only traffic that matches the rules is allowed in.
  • Depending on the size of the network, one or more zones can be used, but an active zone must be associated with at least one source address or interface.
  • By default, public is the default zone and contains all interfaces (network cards).
  • The final security level of a zone depends on the rules the administrator sets in that zone.

If the packet's source address is bound to a zone, that zone's rules filter the packet regardless of which network card it arrived on. If the source address is not bound to a zone, the rules of the zone bound to the network card the packet arrived on filter it.

Zone name   Meaning
trusted     Allows all incoming traffic.
public      By default allows incoming traffic matching the ssh or dhcpv6-client predefined services and rejects the rest. It is the default zone for newly added network interfaces.
external    By default allows incoming traffic matching the ssh predefined service and rejects the rest. IPv4 traffic forwarded out through this zone is masqueraded (MASQUERADE), for use on the external side of a router with masquerading enabled.
home        By default allows incoming traffic matching the ssh, mdns, samba-client or dhcpv6-client predefined services and rejects the rest.
internal    Same defaults as the home zone.
work        Allows incoming traffic matching the ssh or dhcpv6-client predefined services and rejects the rest.
dmz         (demilitarized zone) By default allows incoming traffic matching the ssh predefined service and rejects the rest.
block       Denies all incoming traffic.
drop        Drops all incoming traffic without generating ICMP error responses.

Note: the default zone is public (bound to all network cards by default). To activate another zone, bind a source address or a network card to it.

3. Processing of firewalld packets

3.1 firewalld packet processing flow

For packets entering the system, firewalld hands the traffic to the firewall rules of the corresponding zone according to the packet's source IP address, the incoming network interface and other conditions. The first thing checked for an incoming packet is its source address.

3.2 How firewalld checks the packet's source address

If the source address is associated with a specific zone (that is, the zone bound to the source address and the zone bound to the interface differ), the rules of the source address's zone are applied.

If the source address is not associated with a specific zone (that is, there is no such conflict), the zone of the incoming network interface is used and that zone's rules are applied.

If the network interface is not associated with a specific zone either (that is, neither the source address nor the interface is bound to a zone), the default zone is used and its rules are applied.

3.3 Summary

The source address of an incoming packet is checked first. If the source address is bound to a specific zone, that zone's rules filter the packet. If the source address is not bound to a zone but the packet's incoming network card is, the rules of the zone bound to that network card filter the packet. If no network card is bound to a zone either, the rules of the default zone filter the packet.

3. firewalld firewall configuration methods

1. Use the firewall-cmd command line tool

--get-default-zone : Display the current default zone
--set-default-zone=<zone> : Set the default zone

--get-active-zones : Display the zones currently in use and their corresponding NIC interfaces
--get-zones : Show all available zones

--get-zone-of-interface=<interface> : Display the zone bound to the specified interface
--zone=<zone> --add-interface=<interface> : Bind the specified interface to the zone
--zone=<zone> --change-interface=<interface> : Change the zone the specified interface is bound to
--zone=<zone> --remove-interface=<interface> : Remove the bound network interface from the specified zone

--list-all-zones : Show all zones and their rules
[--zone=<zone>] --list-all : Display all rules of the specified zone; omitting --zone=<zone> operates on the default zone only

[--zone=<zone>] --list-services : Display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service> : Allow access to a service in the specified zone
[--zone=<zone>] --remove-service=<service> : Remove a service that was allowed in the specified zone

[--zone=<zone>] --list-ports : Display all ports allowed in the specified zone
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : Allow access to a port or port range (with protocol name) in the specified zone
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : Remove a port or port range (with protocol name) that was allowed in the specified zone

[--zone=<zone>] --list-icmp-blocks : Display all ICMP types blocked in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype> : Block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype> : Remove an ICMP type block from the specified zone
--get-icmptypes : Show all ICMP types

1.1 Zone Management

NIC interface display operations

###Display all available zones
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
###Display the current default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
###Display the zones currently in use and their corresponding NIC interfaces
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: ens32 ens33
###Display the zone bound to the ens33 interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public
###Display the zone bound to the ens32 interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens32
public

NIC interface addition and removal operations

###Remove the bound network interface from the (default) zone
[root@localhost ~]# firewall-cmd --remove-interface=ens33
success
###Display the zone bound to the specified interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
no zone
###Bind the specified interface to a zone
[root@localhost ~]# firewall-cmd --add-interface=ens33 --zone=work
success
###Display the zone bound to the specified interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
###Display the zones currently in use and their corresponding NIC interfaces
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: ens32

NIC interface modification operation

###Change the zone the interface is bound to
[root@localhost ~]# firewall-cmd --change-interface=ens33 --zone=home
success
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
public
  interfaces: ens32

Source address operations

###Bind the specified source address to a zone
[root@localhost ~]# firewall-cmd --add-source=2.2.2.2 --zone=work
success
###Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
work
  sources: 2.2.2.2
public
  interfaces: ens32
###Change the zone the source address is bound to
[root@localhost ~]# firewall-cmd --change-source=2.2.2.2 --zone=internal
success
###Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
internal
  sources: 2.2.2.2
public
  interfaces: ens32
###Remove the bound source address from the specified zone
[root@localhost ~]# firewall-cmd --remove-source=2.2.2.2 --zone=internal
success
###Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
public
  interfaces: ens32

Show all zones and their rules

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@localhost ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.1.1.1
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Show all rules of the specified zone

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@localhost ~]# firewall-cmd --list-all --zone=work
work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.1.1.1
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

When --zone=<zone> is omitted, the command operates on the default zone only.

1.2 Service Management

###Display all services allowed in the default zone (public)
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
###Allow access to a service in the default zone (public)
[root@localhost ~]# firewall-cmd --add-service=http
success
###Display all services allowed in the default zone (public)
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client http ssh
###Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client mdns samba-client ssh
###Allow access to a service in the specified zone (home)
[root@localhost ~]# firewall-cmd --add-service=http --zone=home
success
###Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client http mdns samba-client ssh
###Remove a service that was allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --remove-service=http --zone=home
success
###Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client mdns samba-client ssh

Note: one zone can be bound to several network cards or several source addresses, but a network card or a source address can only be bound to one zone.

To add several services at once, repeat the option:

[root@localhost ~]# firewall-cmd --add-service=ftp --add-service=http
success
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ftp http ssh

That works for adding a few services but becomes tedious with many. For a larger number, list the names in braces separated by commas; the shell's brace expansion turns --add-service={ftp,http} into one --add-service option per name:

[root@localhost ~]# firewall-cmd --list-services --zone=work
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --add-service={ftp,http} --zone=work
success
[root@localhost ~]# firewall-cmd --list-services --zone=work
dhcpv6-client ftp http ssh

The configuration takes effect immediately when these commands run, but it is only the runtime configuration: it is lost when the firewalld service restarts. Add the --permanent option to the firewall-cmd command (the option marks the change as permanent) to turn the previous configuration into a permanent one, then reload the firewall rules for it to take effect.

firewall-cmd --add-service={ftp,http} --zone=work --permanent
### Reload the rules (either command)
firewall-cmd --reload or systemctl restart firewalld

Without --permanent the command sets runtime rules, which are lost when the system or the firewalld service is restarted or stopped. Alternatively, the current runtime configuration can be written into the rule configuration files afterwards, making it permanent (--runtime-to-permanent is used on its own, after the runtime changes have been made):

firewall-cmd --add-service={ftp,http} --zone=work
firewall-cmd --runtime-to-permanent
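A runtime-then-permanent workflow built on the commands above, as an added shell example (not code from the article or from the firewalld project). It computes which services must be added or removed so that a zone ends up with exactly a desired set, applies those runtime changes, prints the actions for review, and leaves persisting them to a separate step that runs firewall-cmd --runtime-to-permanent. The FWCMD variable and the function names are assumptions of this example; FWCMD exists so that a stub can stand in for firewall-cmd on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the article): reconcile a zone's runtime services to a
# desired set, then persist with --runtime-to-permanent.
# FWCMD is an assumption of this example: it lets a stub replace firewall-cmd.
FWCMD=${FWCMD:-firewall-cmd}

# current_services ZONE: services currently allowed in ZONE (runtime configuration)
current_services() {
  $FWCMD --zone="$1" --list-services
}

# has_word LIST WORD: exit 0 when WORD is one of the space-separated items in LIST
has_word() {
  case " $1 " in *" $2 "*) return 0 ;; esac
  return 1
}

# reconcile_zone ZONE "svc1 svc2 ...": add missing services, remove unlisted ones,
# and print the actions taken as +svc / -svc so the change can be reviewed before
# it is made permanent. The desired list is authoritative: on a remote host keep
# ssh in it, or the remove step will cut off your own session.
reconcile_zone() {
  zone=$1
  desired=$2
  actions=""
  current=$(current_services "$zone") || return 1
  for s in $desired; do
    if ! has_word "$current" "$s"; then
      $FWCMD --zone="$zone" --add-service="$s" >/dev/null || return 1
      actions="$actions +$s"
    fi
  done
  for s in $current; do
    if ! has_word "$desired" "$s"; then
      $FWCMD --zone="$zone" --remove-service="$s" >/dev/null || return 1
      actions="$actions -$s"
    fi
  done
  echo "${actions# }"
}

# persist: copy the whole runtime configuration into the permanent files
persist() {
  $FWCMD --runtime-to-permanent
}

# Typical use on a real host, after checking the printed actions:
#   reconcile_zone work "ssh http https" && persist
```

Against the work zone as the article shows it (dhcpv6-client and ssh), reconcile_zone work "ssh http" prints "+http -dhcpv6-client"; running it a second time prints nothing, which is the idempotence a configuration script needs. Because persist copies the entire runtime state, review every zone's --list-all output, not just the one you changed, before calling it.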

1.4 Port Management

###Display all ports allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home

###Allow TCP port 80 in the specified zone
[root@localhost ~]# firewall-cmd --add-port=80/tcp --zone=home
success
###Display all ports allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home
80/tcp
###Remove the port (with protocol name) that was allowed in the specified zone
[root@localhost ~]# firewall-cmd --remove-port=80/tcp --zone=home
success
###Display all ports allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home

1.5 Protocol Management

###Show all ICMP types
[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbor-advertisement neighbor-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-options
###Block an ICMP type in the default zone
[root@localhost ~]# firewall-cmd --add-icmp-block=echo-request
success
###Display all ICMP types blocked in the default zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request
###Block another ICMP type in the default zone
[root@localhost ~]# firewall-cmd --add-icmp-block=destination-unreachable
success
###Display all ICMP types blocked in the default zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request destination-unreachable
###Remove an ICMP type block from the default zone
[root@localhost ~]# firewall-cmd --remove-icmp-block=destination-unreachable
success
###Display all ICMP types blocked in the default zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request

By default all ICMP types are allowed; only the ones listed as blocks are rejected.

1.6 Set address translation

Set SNAT (source NAT)

[root@localhost ~]# firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.145.0/24 -j SNAT --to-source 12.0.0.1
success
[root@localhost ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.145.0/24 0.0.0.0/0 to:12.0.0.1

Set DNAT (destination NAT)

[root@localhost ~]# firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A PREROUTING -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.145.15
success
[root@localhost ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 12.0.0.1 tcp dpt:80 to:192.168.145.15

2. Use the firewall-config graphical tool

The firewall-config graphical configuration tool supports all the features of the firewall; through it, system administrators can change system or user policies. With firewall-config you can configure the services, ports, masquerading, port forwarding, ICMP filters and other functions permitted by the firewall.

Method 1:
[root@localhost ~]# firewall-config

Method 2:
On a CentOS 7 desktop, open "Applications --> Miscellaneous --> Firewall".

In the graphical interface, select the service types you need. To make permanent settings, switch the Configuration selector at the top from Runtime to Permanent before changing them.

3. Write the configuration file in /etc/firewalld/

[root@localhost ~]# cd /etc/firewalld/
[root@localhost firewalld]# ls
firewalld.conf icmptypes lockdown-whitelist.xml zones
helpers ipsets services
[root@localhost firewalld]# cd zones/
[root@localhost zones]# ls
public.xml public.xml.old
[root@localhost zones]# vim public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

This method is cumbersome and is not recommended.
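The zone file format shown above is simple enough to audit without firewalld running, for instance when reviewing /etc/firewalld/zones/*.xml on a mounted disk image. The following shell functions are an added example (not from the article): they extract the target, services and ports from a zone XML with sed and awk, and a review script can diff their one-line summaries across hosts. The sample file written by write_sample_zone is constructed here, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): read a firewalld zone XML file offline.
# Function names and the sample file are inventions of this example.

# write_sample_zone PATH: write a constructed zone file in the same format as
# /etc/firewalld/zones/public.xml, with a target attribute and two port entries
# whose attribute order differs, to show the parser handles both orders.
write_sample_zone() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Sample</short>
  <description>Constructed zone file for this example.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port port="443" protocol="tcp"/>
</zone>
EOF
}

# zone_target FILE: the zone's target attribute (ACCEPT, DROP, %%REJECT%%), or
# "default" when the <zone> element carries none, matching --list-all output
zone_target() {
  t=$(sed -n 's/.*<zone[^>]*target="\([^"]*\)".*/\1/p' "$1")
  echo "${t:-default}"
}

# zone_services FILE: service names in file order, space separated
zone_services() {
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# zone_ports FILE: port entries as port/protocol, whatever the attribute order
zone_ports() {
  awk '/<port / {
         p = ""; pr = ""
         if (match($0, /port="[^"]*"/))     p  = substr($0, RSTART + 6,  RLENGTH - 7)
         if (match($0, /protocol="[^"]*"/)) pr = substr($0, RSTART + 10, RLENGTH - 11)
         if (p != "" && pr != "") { printf "%s%s/%s", sep, p, pr; sep = " " }
       }
       END { if (sep != "") print "" }' "$1"
}

# zone_summary FILE: one line per zone file, in a shape that is easy to diff
zone_summary() {
  printf 'target=%s services=[%s] ports=[%s]\n' \
    "$(zone_target "$1")" "$(zone_services "$1")" "$(zone_ports "$1")"
}
```

For the article's own public.xml the summary is target=default services=[ssh dhcpv6-client] ports=[], which is exactly what firewall-cmd --list-all reported for the public zone; a zone file whose target is ACCEPT, or which lists far more services than the running system shows, is worth a closer look.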