Detail the use of Firewalld advanced configuration in Linux
- 2021-07-06 12:21:38
- OfStack
IP Masquerade and Port Forwarding
Firewalld supports two types of network address translation:
IP address masquerade (masquerade)
Lets multiple hosts on a LAN share a single public IP address to reach the Internet. IP address masquerade supports only IPv4, not IPv6. Masquerading is enabled by default in the external zone.
Port forwarding (forward-port)
Also known as destination address translation or port mapping. Port forwarding redirects traffic destined for a given IP address and port to a different port on the same host or to a port on another host.
Masquerade configuration
Enable masquerading in the specified zone
firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]
//--timeout=seconds: remove the masquerade again automatically after the given number of seconds (runtime only; it cannot be combined with --permanent)
Disable masquerading in the specified zone
firewall-cmd [--permanent] [--zone=zone] --remove-masquerade
Query whether masquerading is enabled in the specified zone
firewall-cmd [--permanent] [--zone=zone] --query-masquerade
Port forwarding configuration
List the port forwarding rules
firewall-cmd [--permanent] [--zone=zone] --list-forward-ports
Add a port forwarding rule
firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]
Remove a port forwarding rule
firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Query a port forwarding rule
firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
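The forward-port syntax above is easy to get subtly wrong (a reversed range, a missing target, a typo in the address), and firewall-cmd only tells you at apply time. The following is an added example, not code from the original article: a small Python helper that composes the `--add-forward-port=...` value and the surrounding firewall-cmd invocation from validated parts, and that emits the `--add-masquerade` step first when IPv4 traffic is forwarded to another host (forwarding to a different host requires masquerading in that zone; masquerading is IPv4 only, as stated above). It never runs firewall-cmd itself; it returns the argv so the change can be reviewed before it is applied. All addresses and ports in it are constructed sample values.

```python
"""Build and validate firewall-cmd masquerade / forward-port invocations.

Added example, not code from the original article. Nothing here executes
firewall-cmd; the functions return the argv so a change can be reviewed first.
"""
import ipaddress
from typing import List, Optional

# Protocols firewall-cmd accepts in a forward-port specification.
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def _check_port(spec: str) -> str:
    """Validate 'N' or 'N-M' (1..65535, ascending) and return it unchanged."""
    parts = spec.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port spec {spec!r}")
    nums = [int(p) for p in parts]
    if any(not 1 <= n <= 65535 for n in nums):
        raise ValueError(f"port out of range in {spec!r}")
    if len(nums) == 2 and nums[0] >= nums[1]:
        raise ValueError(f"range {spec!r} must be ascending")
    return spec


def forward_port_spec(port: str, proto: str,
                      toport: Optional[str] = None,
                      toaddr: Optional[str] = None) -> str:
    """Return the value for --add/--remove/--query-forward-port=...

    At least one of toport / toaddr is required, otherwise the rule would
    forward to nowhere.
    """
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if toport is None and toaddr is None:
        raise ValueError("forward-port needs toport and/or toaddr")
    parts = [f"port={_check_port(port)}", f"proto={proto}"]
    if toport is not None:
        parts.append(f"toport={_check_port(toport)}")
    if toaddr is not None:
        ipaddress.ip_network(toaddr, strict=False)  # raises ValueError on garbage
        parts.append(f"toaddr={toaddr}")
    return ":".join(parts)


def firewall_cmd(action: str, value: Optional[str] = None, zone: Optional[str] = None,
                 permanent: bool = False, timeout: Optional[int] = None) -> List[str]:
    """Compose one firewall-cmd invocation as an argv list."""
    if permanent and timeout is not None:
        # firewall-cmd rejects this combination: timeouts exist for runtime rules only.
        raise ValueError("--timeout cannot be combined with --permanent")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone:
        argv.append(f"--zone={zone}")
    argv.append(action if value is None else f"{action}={value}")
    if timeout is not None:
        argv.append(f"--timeout={int(timeout)}")
    return argv


def plan_forward_to_host(port: str, proto: str, toaddr: str,
                         toport: Optional[str] = None,
                         zone: Optional[str] = None,
                         permanent: bool = False) -> List[List[str]]:
    """Commands needed to forward a port to another host.

    Forwarding IPv4 traffic to a different host needs masquerading enabled in
    the zone, so that command comes first. Masquerading is IPv4 only, so the
    step is skipped for an IPv6 destination.
    """
    plan = []
    if ipaddress.ip_network(toaddr, strict=False).version == 4:
        plan.append(firewall_cmd("--add-masquerade", zone=zone, permanent=permanent))
    spec = forward_port_spec(port, proto, toport=toport, toaddr=toaddr)
    plan.append(firewall_cmd("--add-forward-port", spec, zone=zone, permanent=permanent))
    return plan


if __name__ == "__main__":
    import shlex
    # Constructed sample: forward external TCP/80 to 192.0.2.10:8080.
    for argv in plan_forward_to_host("80", "tcp", "192.0.2.10", toport="8080", zone="external"):
        print(shlex.join(argv))
```

Because the helper returns argv lists rather than running anything, it drops into a change-management script unchanged: print the plan, have it reviewed, then hand each list to `subprocess.run`.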
Firewalld direct rules
Direct rules (direct interface)
Custom rule chains
Firewalld automatically creates custom rule chains for every zone that has rules configured:
IN_<zone>_deny: holds the reject/drop statements; it takes precedence over the rules in IN_<zone>_allow
IN_<zone>_allow: holds the accept statements
Allow inbound traffic on TCP port 9000
firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
IN_work_allow: the allow chain of the work zone
0: the priority; 0 is the highest priority and places the rule at the front of the chain
Add the --permanent option to make the rule part of the permanent configuration
Query all direct rules
firewall-cmd --direct --get-all-rules
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
Add the --permanent option to view the permanent configuration instead
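Direct rules bypass the zone and rich-rule abstraction, so the list returned by `--get-all-rules` deserves a periodic review. As an added example (not code from the original article), the following Python parses that output format, `<ipv> <table> <chain> <priority> <args...>`, derives the zone from the `IN_<zone>_allow` / `IN_<zone>_deny` chain names described above, orders the rules the way the kernel walks each chain (lowest priority number first) and flags ACCEPT rules that narrow neither the source, the interface nor the destination port. The `SAMPLE_OUTPUT` block is constructed for the example.

```python
"""Audit the output of `firewall-cmd --direct --get-all-rules`.

Added example, not code from the original article. SAMPLE_OUTPUT is a
constructed stand-in for the real command output.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
ipv4 filter IN_work_allow 5 -s 192.0.2.0/24 -p udp --dport 514 -j ACCEPT
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
ipv4 filter IN_work_allow 10 -p tcp -j ACCEPT
ipv4 filter IN_public_deny 0 -s 198.51.100.7 -j DROP
ipv6 filter FORWARD 0 -p tcp --dport 25 -j REJECT
"""

ZONE_CHAIN_RE = re.compile(r"^IN_(?P<zone>.+)_(?P<kind>allow|deny)$")
# iptables match options that restrict what a rule applies to. "-p tcp" alone
# still accepts every TCP packet, so it is deliberately not on this list.
NARROWING = {"-s", "--source", "--src", "-i", "--in-interface",
             "--dport", "--dports", "--destination-port"}


@dataclass
class DirectRule:
    ipv: str
    table: str
    chain: str
    priority: int
    args: List[str]
    zone: Optional[str] = None
    kind: Optional[str] = None

    @property
    def target(self) -> Optional[str]:
        """The verdict given with -j / --jump, if any."""
        for i, a in enumerate(self.args[:-1]):
            if a in ("-j", "--jump"):
                return self.args[i + 1]
        return None

    def is_narrowed(self) -> bool:
        return any(a in NARROWING for a in self.args)


def parse_direct_rules(text: str) -> List[DirectRule]:
    """Parse --get-all-rules output, one rule per line."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = shlex.split(line)
        if len(tokens) < 4 or not tokens[3].isdigit():
            raise ValueError(f"unparseable direct rule line: {line!r}")
        rule = DirectRule(tokens[0], tokens[1], tokens[2], int(tokens[3]), tokens[4:])
        m = ZONE_CHAIN_RE.match(rule.chain)
        if m:
            rule.zone, rule.kind = m.group("zone"), m.group("kind")
        rules.append(rule)
    return rules


def evaluation_order(rules: List[DirectRule]) -> Dict[str, List[DirectRule]]:
    """Group by ipv/table/chain and sort by priority, the order the chain is walked."""
    groups: Dict[str, List[DirectRule]] = {}
    for r in rules:
        groups.setdefault(f"{r.ipv}/{r.table}/{r.chain}", []).append(r)
    for chain_rules in groups.values():
        chain_rules.sort(key=lambda r: r.priority)
    return groups


def find_overbroad_accepts(rules: List[DirectRule]) -> List[DirectRule]:
    """ACCEPT rules with no source/interface/port restriction: they admit everything."""
    return [r for r in rules if r.target == "ACCEPT" and not r.is_narrowed()]


if __name__ == "__main__":
    parsed = parse_direct_rules(SAMPLE_OUTPUT)
    for chain, chain_rules in evaluation_order(parsed).items():
        print(chain)
        for r in chain_rules:
            print(f"  {r.priority:>3} {' '.join(r.args)}  (zone={r.zone}, {r.kind})")
    for r in find_overbroad_accepts(parsed):
        print(f"OVERBROAD: {r.chain} priority {r.priority}: {' '.join(r.args)}")
```

On a real host, feed it `subprocess.run(["firewall-cmd", "--direct", "--get-all-rules"], capture_output=True, text=True).stdout`, and run it a second time with `--permanent` so the runtime and permanent sets can be diffed.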
Firewalld Rich Language Rules
Rich Language (rich language)
An expressive configuration language; no knowledge of iptables syntax is required
Used to express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading, and rate limiting
rule [family="<rule family>"]
[ source address="<address>" [invert="True"] ]
[ destination address="<address>" [invert="True"] ]
[ <element> ]
[ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
[ audit ]
[ accept|reject|drop ]
Understanding rich language rule commands
Common firewall-cmd options for handling rich language rules

Option | Description
---|---
--add-rich-rule='RULE' | Adds RULE to the specified zone; if no zone is given, the default zone is used
--remove-rich-rule='RULE' | Removes RULE from the specified zone; if no zone is given, the default zone is used
--query-rich-rule='RULE' | Queries whether RULE has been added to the specified zone (the default zone if none is given); returns 0 if the rule exists, 1 otherwise
--list-rich-rules | Lists all rich rules of the specified zone; if no zone is given, the default zone is used
Display the configured rich language rules
firewall-cmd [--permanent] [--zone=zone] --list-rich-rules
Rich language rule syntax elements
source, destination, element, service, port, protocol, icmp-block, masquerade, forward-port, log, audit, accept|reject|drop
Deny all traffic from 192.168.8.101
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.8.101" reject'
When a source or destination address option is used, family="ipv4" or family="ipv6" must be specified
Accept TCP traffic to ports 8000-9000 from the 192.168.1.0/24 subnet
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="8000-9000" protocol="tcp" accept'
Drop all ICMP packets
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
Accept and log HTTP traffic from 192.168.8.1
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.8.1" service name="http" log accept'
Access the HTTP service from 192.168.8.1 and observe /var/log/messages. Rules added with --permanent only take effect after firewall-cmd --reload; omit --permanent to add a runtime rule that applies immediately.
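The rich rules above share a handful of constraints that firewall-cmd only enforces when the rule is applied: an address needs a matching `family`, a rule carries exactly one action, and a `log` statement without `limit value=` lets a packet flood fill /var/log/messages. As an added example (not code from the original article), the Python below assembles rules in the order the grammar above prescribes, lints them for those constraints and wraps a clean rule into the `firewall-cmd --add-rich-rule=...` invocation used in this section; the four rules in its `__main__` block are the ones described above, with a constructed log prefix and rate limit added to the HTTP rule.

```python
"""Compose and lint firewalld rich language rules.

Added example, not code from the original article.
"""
import ipaddress
import re
import shlex
from typing import Dict, List, Optional

ACTIONS = ("accept", "reject", "drop")


# Element helpers: each returns the <element> part of the grammar.
def service(name: str) -> str:
    return f'service name="{name}"'


def port(ports: str, proto: str) -> str:
    return f'port port="{ports}" protocol="{proto}"'


def protocol(value: str) -> str:
    return f'protocol value="{value}"'


def build_rich_rule(action: str, family: Optional[str] = None, source: Optional[str] = None,
                    invert_source: bool = False, destination: Optional[str] = None,
                    element: Optional[str] = None, log: Optional[Dict[str, str]] = None,
                    audit: bool = False) -> str:
    """Assemble a rule in grammar order: family, source, destination, element, log, audit, action."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    parts = ["rule"]
    if family:
        parts.append(f'family="{family}"')
    if source:
        parts.append(f'source address="{source}"' + (' invert="True"' if invert_source else ""))
    if destination:
        parts.append(f'destination address="{destination}"')
    if element:
        parts.append(element)
    if log is not None:  # optional keys: prefix, level, limit (e.g. "3/m")
        words = ["log"]
        if "prefix" in log:
            words.append(f'prefix="{log["prefix"]}"')
        if "level" in log:
            words.append(f'level="{log["level"]}"')
        if "limit" in log:
            words.append(f'limit value="{log["limit"]}"')
        parts.append(" ".join(words))
    if audit:
        parts.append("audit")
    parts.append(action)
    return " ".join(parts)


def lint_rich_rule(rule: str) -> List[str]:
    """Return a list of problems; an empty list means the rule passed."""
    findings = []
    fam = re.search(r'\bfamily="(ipv4|ipv6)"', rule)
    addrs = re.findall(r'(?:source|destination) address="([^"]+)"', rule)
    if addrs and not fam:
        findings.append("address used without family=ipv4|ipv6")
    for a in addrs:
        try:
            ver = ipaddress.ip_network(a, strict=False).version
        except ValueError:
            findings.append(f"invalid address {a}")
            continue
        if fam and ver != int(fam.group(1)[-1]):
            findings.append(f'address {a} is IPv{ver} but family="{fam.group(1)}"')
    actions = [a for a in ACTIONS if re.search(rf"\b{a}\b", rule)]
    if len(actions) != 1:
        findings.append(f"expected exactly one action, found {actions}")
    if re.search(r"\blog\b", rule) and "limit value=" not in rule:
        findings.append("log without limit value=rate/duration")
    return findings


def rich_rule_command(rule: str, zone: Optional[str] = None, permanent: bool = True) -> str:
    """The firewall-cmd line that adds the rule; refuses rules that fail the lint."""
    problems = lint_rich_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["firewall-cmd"]
    if permanent:
        parts.append("--permanent")
    if zone:
        parts.append(f"--zone={zone}")
    parts.append(f"--add-rich-rule={shlex.quote(rule)}")  # shlex.quote keeps the embedded double quotes intact
    return " ".join(parts)


if __name__ == "__main__":
    examples = [
        build_rich_rule("reject", family="ipv4", source="192.168.8.101"),
        build_rich_rule("accept", family="ipv4", source="192.168.1.0/24", element=port("8000-9000", "tcp")),
        build_rich_rule("drop", element=protocol("icmp")),
        # constructed prefix and limit so the log line is searchable and rate-limited
        build_rich_rule("accept", family="ipv4", source="192.168.8.1", element=service("http"),
                        log={"prefix": "http-from-8.1 ", "level": "notice", "limit": "3/m"}),
    ]
    for r in examples:
        print(rich_rule_command(r))
```

`lint_rich_rule()` also works on the output of `--list-rich-rules`, so the same checks can be run over rules already present on a host, not only over new ones.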