Centos7-Firewall firewall basic explanation

0 x00 Firewall Quick Start##

(1) Introduction to firewalld:
It is a new firewall software on Linux. It is similar to the iptables firewall, but it is better to use and set up;

firewalld is a major feature of centos7. The biggest benefits have two: support for dynamic updates without restarting the service; the second is the addition of the "zone" concept of firewall.
, It also provides dynamic firewall management tools that support network/firewall zone (zone) definition of network links and interface security levels;
In CentOS7.0, firewall is used by default instead of iptables service, which makes the operation of soft firewall more convenient and user-friendly. Firewalld has a graphical interface and a character command interface;

Features of firewalld:

• The D-BUS interface provides information about the status of the firewall, making it possible to enable, disable or query the settings of the firewall.
• It supports IPv4, IPv6 firewall settings and Ethernet bridging, and has runtime configuration and permanent configuration options
• Zone: The network or firewall zone defines the credibility of the connection (the concept of "zone" zone of the firewall is added)
• Service: The service can be a series of reading ports, purpose and additional information, or it can be a firewall assistant module that is automatically added when the service starts;
• ICMP type: Internet Control Message Protocol (ICMP) is used to exchange messages and Internet Protocol (IP) error messages
• Direct interface: Mainly used to add specific firewall rules to services or applications, that is, to support interfaces that allow services or applications to directly add firewall rules (All are temporarily effective)
• Run-time configuration: Run-time configuration is not permanently effective, it supports dynamic update, restart service, and reload rules directly.
• Permanent configuration: The permanent configuration is stored in the configuration file, and will be automatically restored every time the machine restarts or the service restarts or reloads.

• Compared with iptables, firewalld has at least two major advantages:*

• firewalld can dynamically modify a single rule, instead of needing to refresh all the rules to take effect like iptables.
• Firewalld is much more humane in use than iptables. Even if you don't understand the "Five tables and five chains" and don't understand the TCP/IP protocol, you can achieve most of the functions.

Tips: firewalld itself does not have the function of a firewall, but needs to be implemented through the netfilter of the kernel like iptables, that is, firewalld and iptables are both used to maintain rules, and the netfilter of the kernel is really used for rules. It's just that the structure and usage of firewalld and iptables are different.

• Q: What is a region? *
  The network area defines the trustworthiness level of the network connection. This is a one-to-many relationship means that a connection can be only part of a region, and a region can be used for many connections.

• Q: Which area is available?*
  The zones provided by firewalld are sorted from untrusted to trusted.

• Drop: Any packet that flows into the network is dropped without any response. Only allow outgoing network connections.
• Block: Any incoming network connection is rejected, and IPv4 icmp-host-prohibited packet or IPv6 icmp6-adm-prohibited packet is returned. Only network connections initiated by the system are allowed.
• Public: Used for parts that can be made public. You think that other computers on the network are untrustworthy and may harm your computer. Only the selected connection is allowed to access.
• External (externel): Used in routers and other external networks that enable masquerading. You think that other computers on the network are untrustworthy and may harm your computer. Only the selected connection is allowed to access.
• Demilitarized zone (DMZ): Used to allow computers in the demilitarized zone (dmz) to have limited access to the external network. Only accept selected connections.
• Work: Used in work networks. You trust that most computers on the network will not affect your computer. Only accept selected connections.
• Home (home): used in the home network. You trust that most computers on the network will not affect your computer. Only accept selected connections.
• Internal: Used in the internal network. You trust that most computers on the network will not affect your computer. Only accept selected connections.
• Trusted: Allow all network connections.

Network connection controlled by NetworkManager
Description: The firewall cannot configure the network connection through the name displayed by NetworkManager, only the network interface can be configured;
If there is no area configured in the configuration file, the interface will be configured to the default area of firewalld. If the network connection uses more than one interface, all interfaces will be applied to fiwewalld. The interface name change will also be controlled by NetworkManager and applied to firewalld.

In order to simplify this network connection will be used as a relationship with the region.

• When the interface is disconnected, NM also tells Firewall to delete the interface from the zone;
• When firewalld starts, it will notify NM to add network connections to the area

• Precautions:*

• Although Centos7 continues to retain the iptables command, it cannot be used. Unless the firewall is manually deleted and iptables is installed, the previous iptables configuration method cannot be used.
• firewall daemon cannot parse firewall rules added by iptables and ebtables command line tools
• Static firewall (system-config-firewall/lokkit) and "daemon" cannot be used at the same time

Reference document: https://fedoraproject.org/wiki/FirewallD/zh-cn
Official document: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld

(2) firewall installation and startup
Default environment: CentOS Linux release 7.6.1810 (Core)
Character interface management tool: firewall-cmd
Graphical interface management tool: firewall-config

yum install firewalld firewall-config bash-completion -y # bash-Use the tab key to complete the command prompt
systemctl start firewalld.service       #Start firewall
systemctl stop firewalld.service        #Stop firewall
systemctl enable firewalld.service      #Allow firewall to boot up
systemctl disable firewalld.service     #Prohibit firewall startup

# Command format
firewall-cmd [Options...]

General options
- h,--help    #Display help information;
- V,--version #Display version information.(This option cannot be combined with other options);
- q,--quiet   #Do not print status messages;

Status options
- - state                #Display the status of firewalld;
- - reload               #Reload without interruption of service;
- - complete-reload      #Reload all connections interrupted;
- - runtime-to-permanent #Permanently save the current firewall rules;
- - check-config         #Check the correctness of the configuration;

Log options
- - get-log-denied         #Get the log of rejected records;
- - set-log-denied=<value> #Set to log rejected, only for'all','unicast','broadcast','multicast','off'one of them;

# Installation verification
firewall-cmd --version  #View version, help
firewall-cmd --help     
firewall-cmd --state    #Check status
running

• Firewall configuration files and directories:*

/usr/lib/firewalld/ #System Configuration,Try not to modify
cd /usr/lib/firewalld/services  
# Stored in this directory are the defined network service and port parameters, which are only for reference and cannot be modified. Only a part of general network services are defined in this directory.
# For network services that are not defined in this directory, there is no need to add related xml definitions, and they can be added directly through management commands.

/etc/firewalld/ #User configuration address
/etc/firewalld/zones/ #Here is the configuration file saved after the configuration takes effect. Generally, it is recommended to back up before modification.

# The system or user configuration files stored here can be customized by the system administrator through the configuration interface, or manually customized. These files will override the default configuration files.
# From/usr/bin/Copy the xml file of the service you need to use from the directory above firewalld to this directory. If the port changes, you can modify the value in the file.
$cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/<?xml version="1.0" encoding="utf-8"?><service><short>SSH</short><description>Secure Shell(SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed forthis option to be useful.</description><port protocol="tcp" port="22"/></service>

(3) firewall-cmd command

# Because firewalld dynamically manages the rule set, it will not break existing connections and sessions.
firewall-cmd --reload   #Reload the firewall without changing the state
# If using--complete-reload, the state information will be lost. This option should only be used when dealing with firewall issues, for example, the state information and firewall rules are normal, but no connection can be established.

# Get a list of supported regions
$firewall-cmd --get-zones
block dmz drop external home internal public trusted work

# Get all supported services
$firewall-cmd --get-services
# List the services enabled in the area
firewall-cmd [--zone=<zone>]--list-services
firewall-cmd --list-service
ssh dhcpv6-client

# Get all supported ICMP types
$firewall-cmd --get-icmptypes

# Show public area by default
firewall-cmd [--zone=<zone>]--list-all  #Used to not specify zone by default and default to public
firewall-cmd --list-all-zones  #List the features of all enabled areas
# New access requests flowing into the interface configured in the default zone will be placed in the new default zone. Currently active connections will not be affected.
# View and set the default zone
firewall-cmd --get-default-zone  #Get the default area name
firewall-cmd --set-default-zone=<zone>  #Set default area

# Get the active area(zone and interface)
firewall-cmd --get-active-zones
firewall-cmd --get-zone-of-interface=<interface>  #Obtain the area according to the interface
firewall-cmd --get-zone-of-interface=ens192
public
# Query whether an interface is included in the area
firewall-cmd [--zone=<zone>]--query-interface=<interface>  #Returns whether the interface exists in the area. No output.
firewall-cmd --query-interface=ens192
yes

# Add interface to area
# If the interface does not belong to the zone, the interface will be added to the zone.
# If the zone is omitted, the default zone interface will be used and will be re-applied after reloading.
firewall-cmd [--zone=<zone>]--add-interface=<interface>

# Modify the area where the interface belongs
firewall-cmd [--zone=<zone>]--change-interface=<interface>
# This option is the same as--add-The interface option is similar, but when the interface already exists in another area, the interface will be added to the new area.

# Remove an interface from the zone
firewall-cmd [--zone=<zone>]--remove-interface=<interface>

# Enable emergency mode to block all network connections to prevent emergencies
firewall-cmd --panic-on #At 0.3.0 previous versions of FirewallD,The panic option is--enable-panic and--disable-panic.
firewall-cmd --panic-off #Disable panic mode
firewall-cmd --query-panic #Query emergency mode

firewall-cmd --permanent [Runtime area] #Will be permanent

(4) Process runtime area
Note: Modifications to the area in runtime mode are not permanent, and the modifications will be invalid after reloading or restarting.

# Enable a service in the area
# If no area is specified, the default area will be used.
# If a timeout period is set, the service will only be enabled for a specific number of seconds.
# If the service is already active, there will be no warning message.
firewall-cmd [--zone=<zone>]--add-service=<service>[--timeout=<seconds>]
firewall-cmd --zone=home --add-service=ipp-client --timeout=60 #Make the ipp in the zone-The client service takes effect for 60 seconds:

# Disable a certain service in the area
firewall-cmd [--zone=<zone>]--remove-service=<service>
firewall-cmd --zone=home --remove-service=http

# Query whether a specific service is enabled in the area
firewall-cmd [--zone=<zone>]--query-service=<service>

# Enable regional port and protocol combination
# This will enable the combination of ports and protocols. The port can be a separate port<port>Or a port range<port>-<port>. The protocol can be tcp or udp.
firewall-cmd [--zone=<zone>]--add-port=<port>[-<port>]/<protocol>[--timeout=<seconds>]
# Disable port and protocol combination
firewall-cmd [--zone=<zone>]--remove-port=<port>[-<port>]/<protocol>
# Query whether the port and protocol combination is enabled in the area
firewall-cmd [--zone=<zone>]--query-port=<port>[-<port>]/<protocol>

# Enable IP masquerading in the zone
# The address of the private network will be hidden and mapped to a public IP is a form of address translation, often used for routing. Due to the limitation of the kernel, the camouflage function can only be used for IPv4
firewall-cmd [--zone=<zone>]--add-masquerade
firewall-cmd [--zone=<zone>]--remove-masquerade #Disable IP masquerading in the zone
firewall-cmd [--zone=<zone>]--query-masquerade #Query the camouflage status of the area

# Enable the ICMP blocking function of the area
# This will enable the selected Internet Control Message Protocol (ICMP) messages to be blocked. ICMP messages can be request information or created response messages, as well as error responses.
firewall-cmd [--zone=<zone>]--add-icmp-block=<icmptype> #[echo-request and echo-reply]
firewall-cmd [--zone=<zone>]--remove-icmp-block=<icmptype> #ICMP blocking function for prohibited areas
firewall-cmd [--zone=<zone>]--query-icmp-block=<icmptype>  #ICMP blocking function of query area

# Enable port forwarding or mapping in the zone
# The port can be mapped to the same port of another host, or it can be a different port of the same host or another host. The port number can be a separate port<port>Or port range<port>-<port>. The protocol can be tcp or udp. The destination port can be a port number<port>Or port range<port>-<port>. The destination address can be an IPv4 address. Limited by the kernel, the port forwarding function can only be used for IPv4.
firewall-cmd [--zone=<zone>]--add-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

# Port forwarding or port mapping for prohibited areas
firewall-cmd [--zone=<zone>]--remove-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

# Query the port forwarding or port mapping of the area
firewall-cmd [--zone=<zone>]--query-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

# example:Forward the ssh of area home to 127.0.0.2 Make it connect
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

(5) Direct option
The direct option is mainly used to enable services and applications to add rules. The rules will not be saved after reloading or restarting and must be submitted again.
The passed parameters <args> are consistent with iptables, ip6tables and ebtables.

# Pass the command to the firewall.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb }<args>

# For table<table>Add a new chain<chain> 。
firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb }<table><chain>--remove-chain  #Table<table>Delete chain<chain>. Same as above
- - query-chain   #Inquire<chain>Does the chain exist with the table<table>.If yes, return 0,Otherwise return 1.Same as above
# Get a table separated by spaces<table>List of medium chains.
firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb }<table>

# For table<table>Add a parameter as<args>The chain<chain>, Priority is set to<priority>。
firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb }<table><chain><priority><args>
# Table<table>With parameters<args>The chain<chain>。
firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb }<table><chain><args>
firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb }<table><chain><args> #Query with parameters<args>The chain<chain>Whether table exists<table>in
# Get the table<table>All add to the chain<chain>The rules are separated by newlines.
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb }<table><chain>

(6) Command line configuration rich rules

# View rich rules
firewall-cmd --list-rich-rules

# Create rich rules
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=Source address service name=Service name log prefix="fpt" level=info  accept'--permannet

0 x01 Firewall instance##

1. ICMP prohibits Ping machine and starts ping communication:

# Ban ping method rule
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

# Check if there is this rule
firewall-cmd --query-rich-rule='rule protocol value='icmp' drop'

# Turn on pin(Temporarily effective)-Delete method
firewall-cmd --remove-rich-rule='rule protocol value=icmp drop'

2. For service development and stop, the service name in FirewallD will temporarily open ftp or ssh service

firewall-cmd --zone=public--add-service=ftp --permanent     #Open ftp service permanently
firewall-cmd --remove-service=ftp --permanent  #Permanently shut down service
firewall-cmd --zone=public--remove-service=ssh --permanent  #Remove service from public zone
firewall-cmd --zone=public--add-service=ssh --permanent
firewall-cmd --reload     #The last effective configuration (must be executed):
firewall-cmd --query-service ftp #Query service activation status
no 
firewall-cmd --zone=public--query-service=ssh #Is the query successful?:
yes
# Remove ssh service to allow through firewalld firewall(Since I am using remote ssh, the passage of ssh traffic is not closed)
firewall-cmd --zone=public--remove-service=ssh --permanent

3. View all open port service configuration information (default public area), view all open ports in the public area:

$firewall-cmd --zone=public--list-all
$firewall-cmd --zone=public--list-ports

4. Add interface to zone and set interface to change zone

$firewall-cmd --get-active-zones View zone information(Public interface): 
$firewall-cmd --get-zone-of-interface=eth0  #View the area of the specified interface:
$firewall-cmd --zone=public--add-interface=eth0 #Permanent effect plus--permanent and then reload firewall
$firewall-cmd --zone=internal --change-zone=p3p1 #The zone belongs to the internal zone,Temporarily modify the interface to p3p1

5. Query package rejection status and update firewall rules (and reload the configuration without restarting the service:)

# If a remote machine executes the above rules, it will immediately disconnect from the network,It must be remembered that it cannot be executed casually. If you just log in to a virtual machine or a physical machine, you can execute it to debug.
firewall-cmd --query-panic
# Reject all packages:
firewall-cmd --panic-on
# Cancel rejection status:
firewall-cmd --panic-off

# The difference between the following update firewall parameters is that the first one does not need to be disconnected is one of the firewalld features to dynamically add rules, and the second one needs to be disconnected, similar to restarting the service.
firewall-cmd --reload #Dynamically add rules
firewall-cmd --complete-reload  #Will restart the service
service firewalld restart

6. Specify open ports and protocols and close

firewall-cmd --zone=public--add-port=80/tcp --permanent #Permanently effective without permanent parameters and invalid after restart
firewall-cmd --reload #Reload the configuration to take effect

# Check whether the addition is successful
firewall-cmd --zone=public--query-port=80/tcp  #Check the open status of the specified port
$firewall-cmd --zone=public--list-ports         #View all open ports
80 /tcp
firewall-cmd --zone=public--remove-port=80/tcp --permanent #Remove allowed ports,Delete 80 port TCP traffic passing permission

# Can also add a range of ports
firewall-cmd --zone=public--add-port=4990-4999/udp   #Add 4990-4999 udp port

7. Traffic forwarding: Port forwarding can forward traffic to the specified port of the specified address when the specified address is accessed on the specified port. If the forwarding purpose is not specified, it will default to this machine; If ip is specified but no port is specified, then The source port is used by default.

# vi/etc/sysctl.conf put net.ipv4.ip_forward=0 changed to net.ipv4.ip_forward=1
sed -i '/net.ipv4.ip_forward/ s/\(.*= \).*/\11/'/etc/sysctl.conf

# (1) Forward traffic on port 80 on the same server to 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# If you want to forward the port to another server,Activate masquerade in the required area
firewall-cmd --zone=public--add-masquerade

# (2) In the example, the local 80 port traffic is forwarded to the IP address:10.0.10.15 port 8080 on the remote server.
firewall-cmd --zone=public--add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.10.15

# (3) 
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080   #Forward traffic on port 80 to 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 #Forward traffic on port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 #Forward traffic on port 80 to 192.168.0.1 port 8080
 

If port forwarding cannot be used after configuration, you can check the following two issues:

• For example, if I forward port 80 to port 8080, first check whether the local port 80 and the target port 8080 are open for listening
• Secondly, check whether IP spoofing is allowed, if not allowed, enable spoofing IP

Supplementary note:

• When we want to hide a certain port, we can block that port access on the firewall, and then open an irregular port, and then configure the firewall's port forwarding to forward the traffic.
• Port forwarding can also be used for traffic distribution. A firewall drags many machines running different services, and then uses the firewall to forward the traffic of different ports to different machines.

8. Disguise IP
   The firewall can realize the function of masquerading IP, and the following port forwarding will use this function.

firewall-cmd --query-masquerade    #Check if IP spoofing is allowed
firewall-cmd --add-masquerade      #Allow firewall to spoof IP
firewall-cmd --remove-masquerade   #Prohibit firewall spoofing IP

9. Definition of rich-rule rules

# Add to deny a certain IP access to the ssh port.
firewall-cmd --add-rich-rule "rule family=ipv4 source address=10.0.10.1 service name='ssh' reject"
# rule :rule
# family:ipv4 specifies the address of ipv4
# source address=10.0.10.1 The IP to be rejected can be an IP or an IP segment
# service name='ssh' specifies the ssh service
# drop :Is that the execution method of this rule is to discard

# I prefer to drop directly:
firewall-cmd --add-rich-rule "rule family=ipv4 source address=10.0.10.1 service name='ssh' drop"
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.10.1 port port=22 protocol=tcp reject'

# Indicates that this IP is allowed to pass through the firewall
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.10.1" accept'

# Allow one IP(10.0.10.1)Only through designated ports(8080-8090)Access to target(10.0.10.13)： 
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.10.1" destination address="10.0.10.13/32" port port="8080-8090" protocol="tcp" accept'

# The removal rule is relatively troublesome
firewall-cmd --remove-rich-rule='rule family="ipv4" source address="10.0.10.1" destination address="10.0.10.13/32" port port="80" protocol="tcp" accept'

# Allow admin to 172.31.1.2The host remotely manages the 192 of the intranet through ssh.168.31.83 host (the port used is 23456)
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.31.1.2 forward-port port=23456 protocol=tcp  to-port=10211  to-addr=192.168.31.83'--permanent  --zone=external

10. Direct mode

# FirewallD includes a direct mode, you can use it to complete some work, such as opening the TCP protocol port 9999
firewall-cmd --direct --add-rule ipv4 filter INPUT 0-p tcp --dport 9000-j ACCEPT
firewall-cmd --reload