Article directory
- Foreword
- 1. Overview of firewalld
  - 1. Concept
  - 2. The relationship between firewalld and iptables
- 2. firewalld network zones
  - 1. The concept of a firewalld zone
  - 2. firewalld predefined zones
  - 3. How firewalld processes packets
    - 3.1 firewalld packet processing flow
    - 3.2 How firewalld checks the source address of a packet
    - 3.3 Summary
- 3. How to configure the firewalld firewall
  - 1. Use the firewall-cmd command line tool
    - 1.1 Zone management
    - 1.2 Service management
    - 1.4 Port management
    - 1.5 Protocol management
    - 1.6 Set up address translation
  - 2. Use the firewall-config graphical tool
  - 3. Write the configuration files in /etc/firewalld/
Foreword
On the Internet, enterprises provide users with network services by deploying application systems such as Web sites, e-mail and FTP servers, and most of these are built on Linux servers. To protect these servers, filter unauthorized access and keep malicious traffic out of the internal network, you need a firewall.
Besides hardware firewalls, the firewall built into the Linux system is also very powerful. Today we mainly look at the firewall of the CentOS 7 system: firewalld.
1. Overview of firewalld
1. Concept
firewalld is the default firewall management tool of the CentOS 7 system, replacing the earlier iptables tool. Like iptables, it works at the network layer and is a packet-filtering firewall.
firewalld and iptables are both user-space tools for managing the firewall: they define the firewall's rules and functions, while the actual packet filtering is carried out by the netfilter subsystem in kernel space.
firewalld provides dynamic firewall management that supports network zones, which define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings and Ethernet bridges (used by some advanced services such as cloud computing), and it has two configuration modes: runtime configuration and permanent configuration.
2. The relationship between firewalld and iptables
Different basis for rules
iptables sets its rules mainly per interface and judges network security on that basis.
firewalld is zone-based: different rules are set for different zones to secure the network, which is similar to how a hardware firewall is configured.
Different configuration file locations
iptables stores its configuration in /etc/sysconfig/iptables.
firewalld stores its configuration as XML files in /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (default configuration files).
Different ways of modifying rules
Every single change made with iptables means clearing all old rules and reading all new rules from /etc/sysconfig/iptables (the modification takes effect immediately).
firewalld does not rebuild the whole rule set; it applies only the difference between the old and new rules. As a result, firewalld can change settings at runtime without losing current connections.
Different firewall types
iptables is a static firewall. Its rules can be understood as a table on which add, delete, modify and query operations are performed.
firewalld is a dynamic firewall. Its rules can be understood as zones, and add, delete, modify and query operations are performed within the zone you switch to.
2. firewalld network zones
1. The concept of a firewalld zone
To simplify management, firewalld divides all network traffic into multiple zones. Traffic is then directed to the corresponding zone according to conditions such as the source IP address of the packet or the network interface it arrived on. Each zone defines its own list of ports and services that are opened or closed.
2. firewalld predefined zones
- A zone is like a security door into a host. Each zone has rules with a different degree of restriction, and only traffic that matches the rules is allowed in.
- Depending on the size of the network, one or more zones can be used, but any active zone must be associated with at least one source address or interface.
- By default, the public zone is the default zone and contains all interfaces (network cards).
- The final security level of a zone depends on the rules the administrator sets in that zone.
If the source address of a packet is bound to a zone, the rules of that zone are used to filter the packet no matter which network card it arrived on. If the source address is not bound to a zone, the packet is filtered by the rules of the zone bound to the network card it arrived on.
| Zone name | Meaning |
|---|---|
| trusted (trusted zone) | Allow all incoming traffic. |
| public (public zone) | By default, incoming traffic matching the ssh or dhcpv6-client predefined services is allowed and the rest is rejected. This is the default zone for newly added network interfaces. |
| external (external zone) | By default, incoming traffic matching the ssh predefined service is allowed and the rest is rejected. By default, outgoing IPv4 traffic forwarded through this zone is masqueraded (MASQUERADE), which suits external networks with masquerading enabled on the router. |
| home (home zone) | By default, incoming traffic matching the ssh, mdns, samba-client or dhcpv6-client predefined services is allowed and the rest is rejected. |
| internal (internal zone) | The defaults are the same as the home zone. |
| work (work zone) | Allow incoming traffic matching the ssh and dhcpv6-client predefined services; the rest is rejected. |
| dmz (demilitarized zone, also called the isolated zone) | By default, allow incoming traffic matching the ssh predefined service and reject the rest. |
| block (restricted zone) | Reject all incoming traffic. |
| drop (drop zone) | Drop all incoming traffic without generating ICMP error responses. |
Note: the default zone is public (by default it is bound to all network cards). To activate another zone, you need to bind that zone to a source address or a network card.
3. How firewalld processes packets
3.1 firewalld packet processing flow
For packets entering the system, firewalld directs the traffic to the firewall rules of the corresponding zone according to conditions such as the packet's source IP address or the network interface it arrived on. The first thing checked for a packet entering the system is its source address.
3.2 How firewalld checks the source address of a packet
If the source address is associated with a specific zone (that is, the zone bound to the source address takes priority even when it conflicts with the zone bound to the interface), the rules of that zone are applied.
If the source address is not associated with a specific zone (that is, there is no conflict between a source-address zone and the interface's zone), the zone of the incoming network interface is used and the rules of that zone are applied.
If the network interface is not associated with a specific zone either (that is, neither the source address nor the interface is bound to a zone), the default zone is used and the rules of that zone are applied.
3.3 Summary
The source address of the incoming packet is checked first. If the source address is bound to a specific zone, the rules of that zone filter the packet. If the source address is not bound to a zone but the network card the packet arrived on is bound to one, the rules of the zone bound to that network card filter the packet. If no network card is bound to a zone, the rules of the default zone filter the packet.
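The following POSIX sh script is an added example (not part of the original article) that models the three-step decision order above against a constructed binding table. The bindings (2.2.2.2 and 10.0.0.0/24 to zones, ens33 to home, public as default) are assumptions for the demonstration; a real host gets them from firewall-cmd --get-active-zones. It also handles CIDR source bindings, which the article's example (a single host address) does not show.

```shell
#!/bin/sh
# Constructed zone bindings (hypothetical, not read from a live firewalld).
# Source bindings: "address-or-cidr zone", one per line.
SOURCE_BINDINGS="2.2.2.2 work
10.0.0.0/24 internal"
# Interface bindings: "interface zone", one per line.
INTERFACE_BINDINGS="ens33 home"
DEFAULT_ZONE=public

# ip_in_cidr IP CIDR: exit 0 if IP lies inside CIDR (a bare address is a /32).
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
    # dotted quad -> 32-bit integer
    function to_int(a,   p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    BEGIN {
        n = split(cidr, c, "/")
        bits = (n == 2) ? c[2] : 32
        div = 2 ^ (32 - bits)             # size of the host part
        exit (int(to_int(ip) / div) == int(to_int(c[1]) / div)) ? 0 : 1
    }'
}

# resolve_zone SOURCE_IP INTERFACE: print the zone whose rules firewalld applies.
resolve_zone() {
    ip=$1; iface=$2
    # 1. A source binding wins regardless of the interface the packet arrived on.
    zone=$(printf '%s\n' "$SOURCE_BINDINGS" | while read -r cidr z; do
        [ -n "$cidr" ] || continue
        if ip_in_cidr "$ip" "$cidr"; then echo "$z"; break; fi
    done)
    if [ -n "$zone" ]; then echo "$zone"; return 0; fi
    # 2. Otherwise the zone bound to the incoming interface.
    zone=$(printf '%s\n' "$INTERFACE_BINDINGS" | while read -r i z; do
        if [ "$i" = "$iface" ]; then echo "$z"; break; fi
    done)
    if [ -n "$zone" ]; then echo "$zone"; return 0; fi
    # 3. Otherwise the default zone.
    echo "$DEFAULT_ZONE"
}

# Walk a few constructed packets through the decision.
for pkt in "2.2.2.2 ens33" "10.0.0.7 ens32" "1.2.3.4 ens33" "1.2.3.4 ens32"; do
    set -- $pkt
    echo "source=$1 iface=$2 -> zone $(resolve_zone "$1" "$2")"
done
```

Note that 2.2.2.2 arriving on ens33 resolves to work, not home: the source binding is checked before the interface binding, exactly as the summary states.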
3. How to configure the firewalld firewall
1. Use the firewall-cmd command line tool
- --get-default-zone : display the current default zone
- --set-default-zone=<zone> : set the default zone
- --get-active-zones : display the zones currently in use and their corresponding NIC interfaces
- --get-zones : show all available zones
- --get-zone-of-interface=<interface> : display the zone bound to the specified interface
- --zone=<zone> --add-interface=<interface> : bind a zone to the specified interface
- --zone=<zone> --change-interface=<interface> : change the network interface bound to the specified zone
- --zone=<zone> --remove-interface=<interface> : remove the network interface bound to the specified zone
- --list-all-zones : show all zones and their rules
- [--zone=<zone>] --list-all : display all rules of the specified zone; omitting --zone=<zone> operates on the default zone only
- [--zone=<zone>] --list-services : display all services allowed in the specified zone
- [--zone=<zone>] --add-service=<service> : allow access to a service in the specified zone
- [--zone=<zone>] --remove-service=<service> : remove a service that was allowed in the specified zone
- [--zone=<zone>] --list-ports : display all port numbers allowed in the specified zone
- [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : allow access to a port or port range (including the protocol name) in the specified zone
- [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : remove a port (including the protocol name) that was allowed in the specified zone
- [--zone=<zone>] --list-icmp-blocks : display all ICMP types blocked in the specified zone
- [--zone=<zone>] --add-icmp-block=<icmptype> : block an ICMP type in the specified zone
- [--zone=<zone>] --remove-icmp-block=<icmptype> : remove an ICMP type that was blocked in the specified zone
- --get-icmptypes : show all ICMP types
1.1 Zone management
Displaying NIC interfaces
```
### Display all available zones
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
### Display the current default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
### Display the zones currently in use and their corresponding NIC interfaces
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: ens32 ens33
### Display the zone bound to the ens33 interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public
### Display the zone bound to the ens32 interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens32
public
```
Adding and removing NIC interfaces
```
### Remove the network interface bound to the specified zone
[root@localhost ~]# firewall-cmd --remove-interface=ens33
success
### Display the zone bound to the specified interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
no zone
### Bind a zone to the specified interface
[root@localhost ~]# firewall-cmd --add-interface=ens33 --zone=work
success
### Display the zone bound to the specified interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
### Display the zones currently in use and their corresponding NIC interfaces
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: ens32
```
Changing a NIC interface binding
```
### Change the network interface bound to the specified zone
[root@localhost ~]# firewall-cmd --change-interface=ens33 --zone=home
success
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
public
  interfaces: ens32
```
Source address operations
```
### Bind a zone to the specified source address
[root@localhost ~]# firewall-cmd --add-source=2.2.2.2 --zone=work
success
### Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
work
  sources: 2.2.2.2
public
  interfaces: ens32
### Change the zone bound to the specified source address
[root@localhost ~]# firewall-cmd --change-source=2.2.2.2 --zone=internal
success
### Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
internal
  sources: 2.2.2.2
public
  interfaces: ens32
### Remove the source address bound to the specified zone
[root@localhost ~]# firewall-cmd --remove-source=2.2.2.2 --zone=internal
success
### Display the zones currently in use and their corresponding NIC interfaces or source addresses
[root@localhost ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
public
  interfaces: ens32
```
Show all zones and their rules
```
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.1.1.1
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Show all rules of a specified zone
```
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --list-all --zone=work
work (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 1.1.1.1
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
When --zone=<zone> is omitted, the command operates on the default zone only.
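Reading --list-all-zones output by eye gets slow once several zones are active, so as an added example (not part of the original article) the POSIX sh functions below parse that output with awk and answer two audit questions a defender usually asks: which active zones expose a given service, and which zones masquerade. The SAMPLE_ZONES text is a constructed, abridged copy of the output layout shown above, not a capture from a live host; on a real system pipe firewall-cmd --list-all-zones into the functions instead.

```shell
#!/bin/sh
# Constructed sample in the shape of `firewall-cmd --list-all-zones` output
# (abridged: only the fields the audit needs are kept).
SAMPLE_ZONES='block
  target: %%REJECT%%
  interfaces:
  sources:
  services:
  masquerade: no

external
  target: default
  interfaces:
  sources:
  services: ssh
  masquerade: yes

home (active)
  target: default
  interfaces: ens33
  sources:
  services: dhcpv6-client mdns samba-client ssh
  masquerade: no

public (active)
  target: default
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  masquerade: no

work (active)
  target: default
  interfaces:
  sources: 1.1.1.1
  services: dhcpv6-client ssh
  masquerade: no'

# active_zones_with_service SERVICE [INPUT]: print the active zones (those with an
# interface or source bound) whose service list contains SERVICE, one per line.
active_zones_with_service() {
    printf '%s\n' "${2:-$SAMPLE_ZONES}" | awk -v svc="$1" '
    # zone headers start at column 1; the "(active)" marker follows the name
    /^[a-z]/ { zone = $1; active = ($2 == "(active)") }
    /^ *services:/ {
        if (!active) next
        for (i = 2; i <= NF; i++) if ($i == svc) { print zone; break }
    }'
}

# masquerading_zones [INPUT]: print every zone with masquerade enabled, active or not.
masquerading_zones() {
    printf '%s\n' "${1:-$SAMPLE_ZONES}" | awk '
    /^[a-z]/ { zone = $1 }
    /^ *masquerade: yes/ { print zone }'
}

echo "Active zones exposing ssh:"; active_zones_with_service ssh
echo "Zones with masquerading on:"; masquerading_zones
```

The external zone allows ssh but is not listed as exposing it, because nothing is bound to it: only a zone with an interface or source is active, which matches the rule stated in the predefined-zones section.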
1.2 Service management
```
### Display all services allowed in the default zone (public)
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
### Allow access to a service in the default zone (public)
[root@localhost ~]# firewall-cmd --add-service=http
success
### Display all services allowed in the default zone (public)
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client http ssh
### Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client mdns samba-client ssh
### Allow access to a service in the specified zone (home)
[root@localhost ~]# firewall-cmd --add-service=http --zone=home
success
### Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client http mdns samba-client ssh
### Remove a service that was allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --remove-service=http --zone=home
success
### Display all services allowed in the specified zone (home)
[root@localhost ~]# firewall-cmd --list-services --zone=home
dhcpv6-client mdns samba-client ssh
```
Note: one zone can be bound to multiple network cards or multiple source addresses, but one network card or one source address can be bound to only one zone.
If you want to add several services at once, you can repeat the option:
```
[root@localhost ~]# firewall-cmd --add-service=ftp --add-service=http
success
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ftp http ssh
```
Repeating the option is only practical for a few services and becomes tedious. When adding many services, list them inside {} separated by commas (the shell expands the braces into one --add-service option per name):
```
[root@localhost ~]# firewall-cmd --list-services --zone=work
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --add-service={ftp,http} --zone=work
success
[root@localhost ~]# firewall-cmd --list-services --zone=work
dhcpv6-client ftp http ssh
```
The operations above take effect immediately, but only temporarily: the changes are lost once the firewalld service is restarted. Adding the --permanent option to the firewall-cmd command writes the change into the permanent configuration instead; the rules then take effect after the firewall is reloaded.
```
firewall-cmd --add-service={ftp,http} --zone=work --permanent
### Reload the firewall
firewall-cmd --reload
### or
systemctl restart firewalld
```
Without the --permanent option, a command sets runtime rules, which become invalid when the system or the firewalld service is restarted or stopped. The current runtime configuration can also be written into the rule configuration files, turning it into the permanent configuration:
```
firewall-cmd --add-service={ftp,http} --zone=work
firewall-cmd --runtime-to-permanent
```
1.4 Port management
```
### Display all port numbers allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home
### Allow access to TCP port 80 in the specified zone
[root@localhost ~]# firewall-cmd --add-port=80/tcp --zone=home
success
### Display all port numbers allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home
80/tcp
### Remove a port (including the protocol name) that was allowed in the specified zone
[root@localhost ~]# firewall-cmd --remove-port=80/tcp --zone=home
success
### Display all port numbers allowed in the specified zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home
```
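Scripts that open ports are where typos (a missing protocol, a reversed range, a port above 65535) slip into a firewall unnoticed, so as an added example (not part of the original article) the POSIX sh script below validates a <portid>[-<portid>]/<protocol> specification before handing it to firewall-cmd, and then applies it with --permanent followed by --reload so that the runtime and permanent configurations agree. The wrapper function open_port_permanent and the validation rules are assumptions for the demonstration, not a firewall-cmd feature; the accepted protocol names are tcp, udp, sctp and dccp.

```shell
#!/bin/sh
# valid_port_spec SPEC: exit 0 if SPEC is a well-formed "port/proto" or
# "low-high/proto" argument for --add-port / --remove-port.
valid_port_spec() {
    spec=$1
    case $spec in
        */*) ;;                       # a protocol part is mandatory
        *) return 1 ;;
    esac
    ports=${spec%/*}; proto=${spec##*/}
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    low=${ports%-*}; high=${ports#*-}  # a single port yields low == high
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]            # range must not be reversed
}

# open_port_permanent SPEC ZONE: assumed wrapper that refuses a malformed SPEC
# before touching the firewall, then adds the port permanently and reloads.
open_port_permanent() {
    valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 2; }
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 3; }
    firewall-cmd --zone="$2" --add-port="$1" --permanent &&
    firewall-cmd --reload
}

# Demonstrate the validator on a few constructed specs.
for s in 80/tcp 8000-8080/udp 80 70000/tcp 9000-8000/tcp 80/icmp; do
    if valid_port_spec "$s"; then echo "$s: ok"; else echo "$s: rejected"; fi
done
```

Because the validation runs first, a malformed specification never reaches firewall-cmd, and a missing firewall-cmd binary is reported rather than silently ignored.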
1.5 Protocol management
```
### Show all ICMP types
[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbor-advertisement neighbor-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-options
### Block an ICMP type in the specified zone
[root@localhost ~]# firewall-cmd --add-icmp-block=echo-request
success
### Display all ICMP types blocked in the specified zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request
### Block an ICMP type in the specified zone
[root@localhost ~]# firewall-cmd --add-icmp-block=destination-unreachable
success
### Display all ICMP types blocked in the specified zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request destination-unreachable
### Remove an ICMP type that was blocked in the specified zone
[root@localhost ~]# firewall-cmd --remove-icmp-block=destination-unreachable
success
### Display all ICMP types blocked in the specified zone
[root@localhost ~]# firewall-cmd --list-icmp-blocks
echo-request
```
By default all ICMP types are allowed; only the specific types you add with --add-icmp-block are rejected.
1.6 Set up address translation
Set SNAT
```
[root@localhost ~]# firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.145.0/24 -j SNAT --to-source 12.0.0.1
success
[root@localhost ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.145.0/24     0.0.0.0/0            to:12.0.0.1
```
Set DNAT
```
[root@localhost ~]# firewall-cmd --zone=public --direct --passthrough ipv4 -t nat -A PREROUTING -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.145.15
success
[root@localhost ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            12.0.0.1             tcp dpt:80 to:192.168.145.15
```
2. Use the firewall-config graphical tool
The firewall-config graphical configuration tool supports all features of the firewall, and through it system administrators can change the system or user policy. With firewall-config you can configure the services, ports, masquerading, port forwarding, ICMP filters and other functions allowed by the firewall.
Method 1:
```
[root@localhost ~]# firewall-config
```
Method 2: on the CentOS 7 desktop, click "Applications --> Miscellaneous --> Firewall" to open it.
In the graphical interface, you can select the service types you need. To make permanent settings, switch the configuration selector at the top from runtime to permanent before making the change.
3. Write the configuration files in /etc/firewalld/
```
[root@localhost ~]# cd /etc/firewalld/
[root@localhost firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  zones
helpers         ipsets     services
[root@localhost firewalld]# cd zones/
[root@localhost zones]# ls
public.xml  public.xml.old
[root@localhost zones]# vim public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
```
This method is cumbersome and is not recommended.