Advanced Firewall Usage
First, managing firewalld
1. Composition of the Linux firewall
Composition: netfilter (kernel module) + firewalld / iptables (user-space management tools)
                     +---------+
            /--------| drop    |  sip: 172.16.0.0/16
 +-----------+       +---------+
 |           |       +---------+  eth0
 | localhost |-------| public  |
 |           |       +---------+  eth1
 +-----------+       +---------+
            \--------| trusted |  sip: 192.168.1.0/24
                     +---------+
Predefined zones
trusted
Allows all incoming and outgoing packets.
home
Rejects any incoming packet, except packets that belong to an outgoing connection or are destined for the predefined services (ssh, mdns, ipp-client, samba-client, dhcpv6-client).
internal
Same as home.
work
Rejects any incoming packet, except packets that belong to an outgoing connection or are destined for the predefined services (ssh, ipp-client, dhcpv6-client).
public
Rejects any incoming packet, except packets that belong to an outgoing connection or are destined for the predefined services (ssh, dhcpv6-client). Newly added network interfaces are bound to this zone by default.
external
Rejects any incoming packet, except packets that belong to an outgoing connection or are destined for the predefined service ssh. All outgoing packets from this zone are masqueraded to the IP of the network interface bound to the zone.
dmz
Rejects any incoming packet, except packets that belong to an outgoing connection or are destined for the predefined service ssh.
block
Rejects any incoming packet; only outgoing packets are allowed.
drop
Drops any incoming packet without sending any response; only outgoing packets are allowed.
2. Using firewalld
To manage the firewall with the firewalld service and its tools, the firewalld service must be running, and the old firewall services must be masked first so that they cannot conflict with it:
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl enable firewalld
# systemctl status firewalld
If the status shows that the service is not running, start it with systemctl start firewalld.
Only once firewalld is started can its tools be used: firewall-config (GUI) and firewall-cmd.
firewalld rules exist in two states: the runtime configuration and the permanent configuration.
Runtime: a modified rule takes effect immediately, but only temporarily (until the next reload or restart).
Permanent configuration: a modified rule does not take effect until the configuration is reloaded.
None of the operations below are stored permanently; they only take effect at runtime. To save a rule permanently, add --permanent and then reload:
# firewall-cmd ..... --permanent
# firewall-cmd --reload    (reload the configuration; --complete-reload also reloads the netfilter kernel modules and will most likely terminate active connections)
View the current default zone
# firewall-cmd --get-default-zone
public
Change the current default zone to work
# firewall-cmd --set-default-zone=work
Add the http service to the work zone, so that others are allowed to access the http service
# firewall-cmd --add-service=http --zone=work
Bind a source address range to the public zone: only packets from this range are routed to the zone, and the zone's rules then decide whether to let them through
# firewall-cmd --add-source=172.25.0.10/32 --zone=public
View the active zones
# firewall-cmd --get-active-zones
work            <--- set-default-zone defines which zone is currently used by default
  interfaces: eth0    <--- eth0 is bound to this zone; all traffic on this interface is filtered by the rules of this zone
ROL             <--- a zone dedicated to the Red Hat training environment
  sources: 172.25.0.252/32
public          <--- public is now active, because we bound a source to it with --add-source above
  sources: 172.25.0.10/32    <--- any packet whose source IP is 172.25.0.10 is handled by the public zone
To bind the interface to the public area
# firewall-cmd --change-interface=eth0 --zone=public
View the details of a specified zone
# firewall-cmd --list-all --zone=work
work (default)
interfaces:
sources:
services: dhcpv6-client http ipp-client ssh <--- http is open
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone=public
public (active)
interfaces: eth0 <--- public is bound to eth0
sources: 172.25.0.10/32
services: ssh vnc-server <--- http is not open
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Exercise:
1. Install httpd and mod_ssl on the server to provide http and https services
# yum install httpd mod_ssl -y
# systemctl enable httpd
# systemctl start httpd
2. Configure the firewall to allow users to access this machine's http and https services
# systemctl mask iptables
# systemctl mask ip6tables
# systemctl status firewalld    (if it is not running, make sure it is enabled at boot and started now)
Add the rule in the GUI:
# firewall-config
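As an added example (not part of the original notes), the following shell functions parse the output of firewall-cmd --list-all --zone=NAME to find which zone an interface is bound to and whether a service is open there. It catches the situation in the listings above: http was added to the work zone while eth0 is bound to public, so clients on eth0 still cannot reach http. WORK_LISTING and PUBLIC_LISTING are constructed samples, not captured output.

```shell
#!/bin/bash
# Added example, not part of the original notes: parse 'firewall-cmd
# --list-all --zone=NAME' output and check what a client on a given
# interface can actually reach. Both listings below are constructed,
# modelled on the output printed in the notes above.
WORK_LISTING='work (default)
  interfaces:
  sources:
  services: dhcpv6-client http ipp-client ssh'
PUBLIC_LISTING='public (active)
  interfaces: eth0
  sources: 172.25.0.10/32
  services: ssh vnc-server'

# zone_name LISTING -> first word of the first line ("public (active)" -> public)
zone_name() { printf '%s\n' "$1" | sed -n '1s/[[:space:](].*//p'; }
# zone_field LISTING FIELD -> the value after "  FIELD:" (may be empty)
zone_field() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"; }

# zone_allows_service LISTING SERVICE -> 0 if SERVICE appears on the services: line
zone_allows_service() {
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_for_interface IFACE LISTING... -> prints the name of the zone whose
# interfaces: line names IFACE; returns 1 if no listing binds it
zone_for_interface() {
    iface=$1; shift
    for listing in "$@"; do
        for i in $(zone_field "$listing" interfaces); do
            [ "$i" = "$iface" ] && { zone_name "$listing"; return 0; }
        done
    done
    return 1
}

# service_reachable_on IFACE SERVICE LISTING... -> 0 only if the zone bound
# to IFACE opens SERVICE, which is what a client on that interface sees
service_reachable_on() {
    iface=$1 svc=$2; shift 2
    for listing in "$@"; do
        [ -n "$(zone_for_interface "$iface" "$listing")" ] || continue
        if zone_allows_service "$listing" "$svc"; then return 0; else return 1; fi
    done
    return 1
}
```

On a real host, feed the functions the output of firewall-cmd --list-all --zone=NAME for each zone instead of the constructed listings.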
Second, managing rich rules
Besides the zone and service syntax used to restrict which connections a service accepts, firewalld offers two more ways to add firewall rules: direct rules and rich rules.
1. Direct rules (not in the RHCE 7 syllabus)
Rules written in traditional iptables-like syntax are inserted directly into the chains that firewalld manages.
Example: all packets from the 192.168.0.0/24 network are logged (rate-limited to one log entry per minute, with the prefix "blacklisted") and then dropped.
# firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
# firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted"
# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP
# firewall-cmd --reload
# firewall-cmd --direct --get-all-rules
ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix blacklisted
ipv4 raw blacklist 1 -j DROP
When the experiment is complete, delete the rules:
# firewall-cmd --permanent --direct --remove-rules ipv4 raw blacklist
# firewall-cmd --permanent --direct --remove-rules ipv4 raw PREROUTING
# firewall-cmd --direct --remove-rules ipv4 raw blacklist
# firewall-cmd --direct --remove-rules ipv4 raw PREROUTING
# firewall-cmd --direct --remove-chain ipv4 raw blacklist
# firewall-cmd --reload
2. Rich rules (required for the exam)
See man firewall-cmd and man firewalld.richlanguage.
rule
    [source]
    [destination]
    service|port|protocol|icmp-block|masquerade|forward-port
    [log]
    [audit]
    [accept|reject|drop]
rule [family="ipv4|ipv6"]
    source address="address[/mask]" [invert="True"]
    destination address="address[/mask]" [invert="True"]
    service name="service name"
    port port="port value" protocol="tcp|udp"
    protocol value="protocol value"
    forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
    log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
    accept | reject [type="reject type"] | drop
Rich rules in a zone are matched in order; the first rule that matches takes effect.
--add-rich-rule='<RULE>'       add a rich rule to the specified zone
--remove-rich-rule='<RULE>'    remove a rich rule from the specified zone
--query-rich-rule='<RULE>'     query whether a rich rule exists: returns 0 if found, 1 if not found
--list-rich-rules              list all rich rules of the specified zone
--list-all and --list-all-zones also list the rich rules that exist
Examples:
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule service name=ftp accept limit value=1/m'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol value=esp drop'
# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.17.10.0/24 service name=ssh reject'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 port port=7900-7905 protocol=tcp accept'
# firewall-cmd --permanent --zone=work --add-rich-rule='rule service name=ssh log prefix="ssh " level=notice limit value="3/m" accept'
# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 service name=ssh reject' --timeout=300
Used for debugging: the rule expires after 300 seconds, so a mistaken rule cannot permanently cut off the network connection.
Experiment: httpd is deployed on server0. Add a rich rule so that only 172.25.0.10/32 can access it, new connections are logged at level notice with the log prefix "NEW HTTP ", logging is limited to 3 entries per second, and the rule is persistent (permanent configuration).
1. On server0, run:
# yum install httpd
# systemctl start httpd
# systemctl enable httpd
# firewall-cmd --list-all-zones    (view the current firewall zones and rules)
# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.10/32 service name=http log level=notice prefix="NEW HTTP " limit value="3/s" accept'
# firewall-cmd --reload
# tailf /var/log/messages
2. Test access from the desktop:
# curl http://server0.example.com
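As an added example (not from the original notes), the script below builds a rich rule in the grammar listed above from its parts, validates the source address, limit and action, and applies it the way the notes recommend: first at runtime with --timeout so that a mistake undoes itself, then permanently followed by a reload. build_rich_rule runs anywhere; apply_rich_rule assumes firewall-cmd and root privileges.

```shell
#!/bin/bash
# Added example, not part of the original notes: assemble a rich rule from
# validated parts, then apply it safely (runtime with --timeout, query,
# permanent, reload).

# build_rich_rule SOURCE_CIDR SERVICE LOG_PREFIX LOG_LIMIT ACTION
# Prints a rule in the grammar shown above, e.g. for the http experiment:
#   build_rich_rule 172.25.0.10/32 http "NEW HTTP " 3/s accept
build_rich_rule() {
    src=$1 svc=$2 prefix=$3 limit=$4 action=$5
    # IPv4 address with optional /mask: digits, dots and a slash only
    case $src in
        ''|*[!0-9./]*) echo "bad source address: $src" >&2; return 1 ;;
    esac
    # limit is rate/duration; duration is one of s, m, h, d
    rate=${limit%/*} unit=${limit#*/}
    case $rate in ''|*[!0-9]*) echo "bad limit rate: $limit" >&2; return 1 ;; esac
    case $unit in s|m|h|d) ;; *) echo "bad limit unit: $limit" >&2; return 1 ;; esac
    case $action in
        accept|reject|drop) ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="%s" log prefix="%s" level="notice" limit value="%s" %s\n' \
        "$src" "$svc" "$prefix" "$limit" "$action"
}

# apply_rich_rule ZONE RULE [TIMEOUT]: add the rule at runtime so that a
# mistake undoes itself after TIMEOUT seconds (default 300), confirm it is
# present, then persist it and reload so the permanent copy takes over.
# Needs firewall-cmd and root; not exercised by the test.
apply_rich_rule() {
    zone=$1 rule=$2 timeout=${3:-300}
    firewall-cmd --zone="$zone" --add-rich-rule="$rule" --timeout="$timeout" || return 1
    firewall-cmd --zone="$zone" --query-rich-rule="$rule" || return 1
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload
}
```

Typical use: rule=$(build_rich_rule 172.25.0.10/32 http "NEW HTTP " 3/s accept) && apply_rich_rule public "$rule".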
Third, configuring address mapping and port forwarding
1. Source address mapping (masquerading)
Generally used so that machines on the internal network can reach the external network through the firewall.
# firewall-cmd --permanent --zone=public --add-masquerade
Every packet that a client in the public zone sends through the firewall whose destination IP is not the firewall's own IP has its source address rewritten to the firewall's IP.
or
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 masquerade'
2. Port forwarding
In effect this is traditional destination address mapping (DNAT), used to let the external network reach resources on the internal network.
# firewall-cmd --permanent --zone=public --add-forward-port=port=513:proto=tcp:toport=132:toaddr=192.168.0.254
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 forward-port port=80 protocol=tcp to-port=8080'
Example: add a port forwarding rule on server0 so that tcp packets from 172.25.0.10/32 arriving at port 443 are forwarded to tcp port 22 on the same machine.
Define the rule on server0:
# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.0.10/32 forward-port port=443 protocol=tcp to-port=22'
# firewall-cmd --reload
Test on desktop0:
# ssh -p 443 server0.example.com
Fourth, managing SELinux port labels
Besides labelling files and processes, SELinux also labels network connections, including the ports they use. For example, in the targeted policy port 22 is labelled ssh_port_t.
Whenever a process listens on a port, SELinux checks whether that process type is allowed to listen on the port's type.
Check the common ports labelled by the policy:
# semanage port -l
SELinux Port Type       Proto    Port Number
...
afs3_callback_port_t    tcp      7001
afs3_callback_port_t    udp      7001
afs_bos_port_t          udp      7007
...
Add a port label definition
# semanage port -a -t http_port_t -p tcp 8080
Delete a port label definition
# semanage port -d -t http_port_t -p tcp 8080
Modify a port label definition
# semanage port -m -t gopher_port_t -p tcp 8080
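Added example (not from the original notes): the check a practitioner wants before running the semanage commands above is which type already owns the port, because semanage port -a refuses a port the policy already defines (it reports the port as already defined) and such a port must be relabelled with -m instead. SAMPLE_PORTS is a constructed listing modelled on semanage port -l output; semanage_port_cmd only prints the command it would run.

```shell
#!/bin/bash
# Added example, not part of the original notes: look up which SELinux type
# owns a port (single ports and ranges) and decide between -a and -m.
# The listing below is constructed, modelled on 'semanage port -l' output.
SAMPLE_PORTS='SELinux Port Type      Proto    Port Number
http_cache_port_t      tcp      8080, 8118, 8123, 10001-10010
http_port_t            tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t             tcp      22
gopher_port_t          tcp      70'

# port_type PROTO PORT LISTING -> prints the type owning PROTO/PORT, or
# returns 1 when no entry covers it
port_type() {
    proto=$1 port=$2
    t=$(printf '%s\n' "$3" | while read -r type p rest; do
        [ "$p" = "$proto" ] || continue
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case $item in
                *-*) lo=${item%-*} hi=${item#*-} ;;
                *)   lo=$item hi=$item ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s\n' "$type"; exit 0
            fi
        done
    done)
    if [ -n "$t" ]; then printf '%s\n' "$t"; return 0; fi
    return 1
}

# semanage_port_cmd TYPE PROTO PORT LISTING -> prints the semanage command
# that gives PROTO/PORT the label TYPE: -a for an unlabelled port, -m for
# one the policy already labels, or a comment when nothing needs to change
semanage_port_cmd() {
    if cur=$(port_type "$2" "$3" "$4"); then
        if [ "$cur" = "$1" ]; then
            printf '# %s/%s is already labelled %s\n' "$2" "$3" "$1"
        else
            printf 'semanage port -m -t %s -p %s %s\n' "$1" "$2" "$3"
        fi
    else
        printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3"
    fi
}
```

On a real host, pass "$(semanage port -l)" as the listing argument instead of SAMPLE_PORTS.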