Detailed description of the use of advanced configuration of Firewalld in Linux

IP masquerading and port forwarding

Firewalld supports two types of network address translation:

IP address masquerade

  • Lets multiple hosts on a LAN share a single public address to access the Internet
  • IP address masquerading only supports IPv4, not IPv6
  • By default, address masquerading is enabled in the external zone

Port forwarding (forward-port)

  • Also called destination address translation or port mapping
  • With port forwarding, traffic sent to a specified IP address and port is forwarded to a different port on the same host, or to a port on another host

Address masquerade configuration

Enable address masquerading for a specified zone

firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]
 //--timeout=seconds: automatically remove this setting after the given number of seconds

Remove address masquerading from a specified zone

firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Check whether address masquerading is enabled in a specified zone

firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List the port forwarding configuration

firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a port forwarding rule

firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

Remove a port forwarding rule

firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query a port forwarding rule

firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
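The forward-port specification above is a colon-separated list of key=value fields. The following parser and validator is an added example and not part of the original article; it checks the mandatory and optional fields, the port ranges and the protocol before a spec is handed to firewall-cmd. It assumes IPv4 for toaddr, since an IPv6 address contains ':' and would need a smarter split.

```python
"""Parse and validate the port-forwarding specification passed to --add-forward-port."""
import ipaddress

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
FIELDS = ("port", "proto", "toport", "toaddr")


def parse_port_range(text):
    """'80' -> (80, 80); '8000-9000' -> (8000, 9000). Raises ValueError on bad input."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return lo, hi


def parse_forward_port(spec):
    """Turn 'port=80:proto=tcp:toport=8080:toaddr=192.168.8.131' into a dict."""
    fields = {}
    # Assumption: IPv4 only. An IPv6 toaddr contains ':' and would break this split.
    for item in spec.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key not in FIELDS or key in fields:
            raise ValueError(f"unexpected or repeated field {item!r}")
        fields[key] = value
    if "port" not in fields or "proto" not in fields:
        raise ValueError("port= and proto= are mandatory")
    if "toport" not in fields and "toaddr" not in fields:
        raise ValueError("at least one of toport= or toaddr= is required")
    result = {"port": parse_port_range(fields["port"]), "proto": fields["proto"].lower()}
    if result["proto"] not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {fields['proto']!r}")
    if "toport" in fields:
        result["toport"] = parse_port_range(fields["toport"])
    if "toaddr" in fields:
        # Accepts address or address/mask; only the address part is kept.
        result["toaddr"] = str(ipaddress.ip_interface(fields["toaddr"]).ip)
        # Forwarding to another host normally also needs masquerading enabled in
        # the zone (see above) so that replies come back through this firewall.
        result["other_host"] = True
    return result
```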

Firewalld direct rules

Direct interface

  • Allows administrators to write iptables, ip6tables, and ebtables rules by hand and have them inserted into the zones managed by Firewalld
  • This is done through the --direct option of the firewall-cmd command
  • Unless explicitly inserted elsewhere, direct rules are matched before the zone rules

Custom rule chains

Firewalld automatically creates custom rule chains for the zones in which rules are configured

  • IN_<zone>_deny: holds the deny statements, which take precedence over the rules in IN_<zone>_allow
  • IN_<zone>_allow: holds the allow statements

Allow inbound traffic to TCP port 9000

firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
  • IN_work_allow: the rule chain for the work zone
  • 0: the priority; 0 is the highest priority and places the rule at the front of the chain
  • Add the --permanent option to make the configuration permanent

Query all direct rules

firewall-cmd --direct --get-all-rules
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

Add the --permanent option to view the permanent configuration

Firewalld rich language rules

Rich language

An expressive configuration language that does not require knowledge of iptables syntax

Used to express basic allow/deny rules, logging (to syslog and auditd), port forwarding, masquerading, and rate limiting

rule [family="<rule family>"]
  [ source address="<address>" [invert="True"] ]
  [ destination address="<address>" [invert="True"] ]
  [ <element> ]
  [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
  [ audit ]
  [ accept|reject|drop ]

Understanding rich language rule commands

Common firewall-cmd options for handling rich language rules

Option                       Description
--add-rich-rule='RULE'       Add the rule to the specified zone; if no zone is specified, the default zone is used.
--remove-rich-rule='RULE'    Remove the rule from the specified zone; if no zone is specified, the default zone is used.
--query-rich-rule='RULE'     Check whether RULE has been added to the specified zone; if no zone is specified, the default zone is used. Returns 0 if the rule exists, otherwise 1.
--list-rich-rules            List all rich rules of the specified zone; if no zone is specified, the default zone is used.

Displaying the configured rich language rules

firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --list-rich-rules

Rich language rule elements

source, destination, element, service, port, protocol, icmp-block, masquerade, forward-port, log, audit, accept, reject, drop

Deny all traffic from 192.168.8.101

firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'

When the address option is used with source or destination, family=ipv4 or family=ipv6 must also be given.
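The builder below is an added example, not code from the original article: it assembles a rich rule from the grammar given above, in the order the grammar lists the parts, and enforces the family requirement just stated as well as the rate/duration format of the log limit. The element string (service, port, protocol, ...) is passed in pre-formatted; the function name is an assumption.

```python
"""Build firewalld rich rules from the grammar above and enforce its constraints."""
import ipaddress
import re

ACTIONS = ("accept", "reject", "drop")
LIMIT_RE = re.compile(r"^\d+/[smhd]$")  # rate/duration, e.g. 3/s or 10/m


def build_rich_rule(action, family=None, source=None, destination=None,
                    element=None, log=None, audit=False):
    """Return the rule string with its parts in the order the grammar lists them.

    element is a pre-formatted element such as 'service name="http"';
    log is a dict with any of the keys prefix, level and limit.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    # The caveat from the text: an address needs family=ipv4 or family=ipv6.
    if (source or destination) and family not in ("ipv4", "ipv6"):
        raise ValueError("source/destination address requires family=ipv4|ipv6")
    parts = ["rule"]
    if family:
        parts.append(f"family={family}")
    for keyword, addr in (("source", source), ("destination", destination)):
        if addr:
            net = ipaddress.ip_network(addr, strict=False)  # rejects malformed input
            if net.version != int(family[-1]):
                raise ValueError(f"{addr} is not an {family} address")
            parts.append(f"{keyword} address={addr}")
    if element:
        parts.append(element)
    if log is not None:
        text = "log"
        if "prefix" in log:
            text += f' prefix="{log["prefix"]}"'
        if "level" in log:
            text += f" level={log['level']}"
        if "limit" in log:
            if not LIMIT_RE.match(log["limit"]):
                raise ValueError("limit must be rate/duration, e.g. 3/s")
            text += f' limit value="{log["limit"]}"'
        parts.append(text)
    if audit:
        parts.append("audit")
    parts.append(action)
    return " ".join(parts)
```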

Accept TCP traffic to ports 8000-9000 from the 192.168.1.0/24 subnet

firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

Drop all ICMP packets

firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

Accept HTTP traffic from 192.168.8.1 and log it

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'

Access HTTP from 192.168.8.1 and observe /var/log/messages

Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT=
MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT=
MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT=
MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131
LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0
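Reading these entries by eye does not scale, so here is an added example (not from the original article) that parses the netfilter log format shown above into fields and summarises the logged packets per flow and per second. The sample log text is constructed to mirror the excerpt above, with each entry on a single line as it is in /var/log/messages, plus one unrelated sshd entry to show that non-kernel lines are skipped.

```python
"""Parse the kernel log entries produced by a rich rule's `log` directive."""
import re
from collections import Counter

# Constructed sample modelled on the /var/log/messages excerpt above. Real entries
# are one line each; an unrelated sshd line is included to show it is skipped.
SAMPLE_LOG = """\
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:56 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20611 DF PROTO=TCP SPT=65293 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:56 Server sshd[1203]: Accepted publickey for admin from 192.168.8.20 port 50122 ssh2
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?) ?(?P<fields>IN=.*)$")


def parse_kernel_log_line(line):
    """Return the fields of one netfilter log line as a dict, or None for other entries."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value            # e.g. SRC=192.168.8.1, OUT= (empty value)
        else:
            rec["flags"].append(token)  # bare flags such as DF and SYN
    return rec


def summarize(log_text, prefix="NEW HTTP"):
    """Count logged packets per (SRC, DST, DPT) and the peak per-second count per SRC."""
    # With limit value="3/s" in the rule, a peak of 3 means further packets in
    # that second may have gone unlogged; the count is a floor, not the true rate.
    per_flow, per_second, peak = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_kernel_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        per_flow[(rec["SRC"], rec["DST"], rec.get("DPT"))] += 1
        per_second[(rec["SRC"], rec["ts"])] += 1
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return per_flow, peak
```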

The above is the full content of this article. I hope it will be helpful for everyone's study, and I also hope that everyone will support 123WORDPRESS.COM.
