Detail the use of Firewalld advanced configuration in Linux

  • 2021-07-06 12:21:38
  • OfStack

IP Camouflage and Port Forwarding

Firewalld supports two types of network address translation:

IP address masquerading (masquerade)

Lets the many private addresses of a LAN share a single public IP address to reach the Internet. IP masquerading only supports IPv4, not IPv6. Masquerading is enabled by default in the external zone.

Port forwarding (forward-port)

Also known as destination address translation or port mapping. With port forwarding, traffic to a given IP address and port is forwarded to a different port on the same machine or to a port on a different machine.

Masquerade configuration

Add masquerading to the specified zone


firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]
 # --timeout=seconds: remove masquerading again automatically after the given number of seconds

Remove masquerading from the specified zone


firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Query whether masquerading is enabled in the specified zone


firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List Port Forwarding Configurations


firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a Port Forwarding Rule


firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

Delete port forwarding rules


firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query port forwarding rules


firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Firewalld direct rule

Direct rule (direct interface)

Allows iptables, ip6tables and ebtables rules written by hand by the administrator to be inserted into the zones managed by firewalld, via the --direct option of firewall-cmd. Direct rules are matched before the rules of the zones.

Custom rule chains

Firewalld automatically creates custom rule chains for every zone in which rules are configured:

IN_<zone>_deny: holds the deny statements; these take precedence over the rules in IN_<zone>_allow
IN_<zone>_allow: holds the allow statements

Allow inbound traffic on TCP port 9000


firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
IN_work_allow: the rule chain of the work zone. 0: the priority; the rule gets the highest priority and is placed at the front of the chain. Add the --permanent option to make the configuration permanent.

Query all direct rules


firewall-cmd --direct --get-all-rules
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

Add the --permanent option to view the permanent configuration instead.

Firewalld Rich Language Rules

Rich Language (rich language)

Expressive configuration language, no need to know iptables syntax

Used to express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading and rate limiting


rule [family="<rule family>"]
 [ source address="<address>" [invert="True"] ]
 [ destination address="<address>" [invert="True"] ]
 [ <element> ]
 [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
 [ audit ]
 [ accept|reject|drop ]

Understanding rich language rule commands

firewall-cmd Common Options for Handling Rich Language Rules

Option: Description
--add-rich-rule='RULE': adds RULE to the specified zone, or to the default zone if no zone is given
--remove-rich-rule='RULE': removes RULE from the specified zone, or from the default zone if no zone is given
--query-rich-rule='RULE': queries whether RULE has been added to the specified zone, or to the default zone if no zone is given. Returns 0 if the rule exists, otherwise 1
--list-rich-rules: prints all rich rules of the specified zone, or of the default zone if no zone is given

Displaying the configured rich language rules


firewall-cmd [--permanent] [--zone=zone] --list-rich-rules

Rich language rule concrete grammar

source, destination, element, service, port, protocol, icmp-block, masquerade, forward-port, log, audit, accept|reject|drop

Deny all traffic from 192.168.8.101


When a source or destination address is used, family="ipv4" or family="ipv6" must be given

Accept TCP traffic from the 192.168.1.0/24 subnet on ports 8000-9000


Discard all icmp packets


firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop'

Accept and log http traffic from 192.168.8.1


Access http from 192.168.8.1 and observe /var/log/messages
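As an added example (not from the article), the script below composes the rich rules for the cases described above (deny a host, accept a TCP port range from a subnet, accept and log http, drop icmp), enforces the "family is required with an address" constraint, and applies the rules with firewall-cmd where it is installed, printing the commands otherwise. The zone name public, the log prefix and the limit value are assumptions.

```sh
#!/bin/sh
# Added example: compose firewalld rich rules and apply them.

# rich_rule FAMILY SOURCE ELEMENT ACTION [LOG_PREFIX]
#   FAMILY      ipv4 | ipv6; may be empty only when SOURCE is empty
#   SOURCE      address or address/mask, empty for any source
#   ELEMENT     e.g. 'service name="http"' or 'port port="8000-9000" protocol="tcp"'
#   ACTION      accept | reject | drop
#   LOG_PREFIX  when set, add a rate-limited log statement before the action
rich_rule() {
  family=$1 src=$2 element=$3 action=$4 prefix=$5
  case $action in
    accept|reject|drop) ;;
    *) echo "rich_rule: action must be accept, reject or drop" >&2; return 1 ;;
  esac
  # firewalld refuses a source/destination address without family= (see above)
  if [ -n "$src" ]; then
    case $family in
      ipv4|ipv6) ;;
      *) echo "rich_rule: a source address requires family=ipv4|ipv6" >&2; return 1 ;;
    esac
  fi
  rule="rule"
  [ -n "$family" ] && rule="$rule family=\"$family\""
  [ -n "$src" ] && rule="$rule source address=\"$src\""
  [ -n "$element" ] && rule="$rule $element"
  # limit value= keeps a flood of matches from filling /var/log/messages
  [ -n "$prefix" ] && rule="$rule log prefix=\"$prefix\" level=\"info\" limit value=\"3/m\""
  printf '%s\n' "$rule $action"
}

# apply_rich_rule ZONE RULE: add RULE permanently to ZONE, or print the command
# when firewall-cmd is absent (e.g. when testing the script on a workstation).
apply_rich_rule() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --permanent --zone="$1" --add-rich-rule="$2"
  else
    printf "dry-run: firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$1" "$2"
  fi
}

# The rules from the article, in the (assumed) public zone; "deny" is done with reject here.
apply_rich_rule public "$(rich_rule ipv4 192.168.8.101 "" reject)"
apply_rich_rule public "$(rich_rule ipv4 192.168.1.0/24 'port port="8000-9000" protocol="tcp"' accept)"
apply_rich_rule public "$(rich_rule ipv4 192.168.8.1 'service name="http"' accept http-allow)"
apply_rich_rule public "$(rich_rule "" "" 'protocol value="icmp"' drop)"
# Permanent rules only take effect after: firewall-cmd --reload
```

Log lines produced by the http rule carry the prefix http-allow in /var/log/messages, which is what to grep for when checking the last step above.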

