How to Configure FirewallD on RHEL, Rocky & AlmaLinux


Netfilter, as we all know, is the firewall framework in Linux. Firewalld is a dynamic daemon for managing firewalls with support for network zones. In earlier versions of RHEL & CentOS we used iptables as the daemon for the packet-filtering framework.

In newer versions of RHEL-based distributions such as Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE, firewalld is used in place of the iptables interface.

[You might also like: 10 Open Source Security Firewalls for Linux Systems]

It is recommended to start using Firewalld instead of iptables, as iptables may be discontinued in the future. However, iptables is still supported and can be installed with the yum command. We cannot keep both Firewalld and iptables on the same system, as that may lead to conflicts.

In iptables, we used to configure INPUT, OUTPUT & FORWARD chains, but in Firewalld the concept of zones is used instead. By default, there are several zones available in firewalld, which will be discussed in this article.

The basic zones are the public zone and the private zone. To make things work with these zones, we need to add the interface to the specified zone, and then we can add services to firewalld.

By default, many services are available. One of the best features of firewalld is that it comes with pre-defined services, and we can use these services as templates to add our own services simply by copying them.

Firewalld works well with IPv4, IPv6, and Ethernet bridges too. We can have separate runtime and permanent configurations in firewalld.

Let's get started with how to work with zones, create our own services, and make more interesting use of the firewall in Linux.

Operating System : Red Hat Enterprise Linux release 9.0 (Plow)
IP Address       : 192.168.0.159
Host-name        : tecmint-rhel9

Step 1: Install Firewalld on RHEL-based Systems

1. The Firewalld package is installed by default on RHEL, Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE. If it is not, you can install it using the following yum command.

# yum install firewalld -y

2. After the firewalld package is installed, check whether the iptables service is running or not. If it is running, you need to stop and mask (so it can no longer be started) the iptables service with the commands below.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables

Step 2: Understanding Firewalld Components (Zones and Rules)

3. Before getting started with the firewalld configuration, I would like to discuss each zone. By default, some zones are available. We need to assign the interface to a zone. A zone defines the level of trust, or of denial, applied to that interface for incoming connections. A zone can contain services & ports.

Here we describe each zone available in Firewalld.

  • Drop Zone: Any incoming packets are dropped if we use the drop zone. This is the same as what we used to do with iptables -j DROP. If we use the drop rule, there is no reply at all; only outgoing network connections will be available.
  • Block Zone: The block zone will reject incoming network connections with icmp-host-prohibited. Only connections established from within the server will be allowed.
  • Public Zone: To accept selected connections we can define rules in the public zone. This will only allow the specific ports opened on our server; other connections will be dropped.
  • External Zone: This zone acts as a router option with masquerading enabled; other connections are dropped and not accepted, and only the specified connections will be allowed.
  • DMZ Zone: If we need to allow access to some services for the public, you can define that in the DMZ zone. This zone, too, has the property that only selected incoming connections are accepted.
  • Work Zone: In this zone we can define only internal networks, i.e. private network traffic is allowed.
  • Home Zone: This zone is intended for home networks; we can use it to trust the other computers on the network not to harm your computer, as in every zone. This too allows only the selected incoming connections.
  • Internal Zone: This is similar to the work zone, with selected allowed connections.
  • Trusted Zone: If we set the trusted zone, all traffic is accepted.

Now that you have a better idea about zones, let's find out the available zones and the default zone, and list all zones using the following commands.

# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --list-all-zones

Note: The output of the command above will not fit on a single page, as it lists every zone: block, dmz, drop, external, home, internal, public, trusted, and work. If a zone has any rich rules, enabled services, or ports, they will be listed together with that zone's information.
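Reading that long listing by eye is error-prone, so the following script, an added example that is not part of the original article, extracts only the zones firewalld marks as active (bound to an interface or a source) from the output of `firewall-cmd --list-all-zones`, and reports their target, services, ports, and number of rich rules, flagging any active zone whose target is ACCEPT. The sample output embedded in `sample_list_all_zones` is constructed in the layout firewall-cmd prints; on a real host pipe the live command into `active_zones_report` instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit `firewall-cmd
# --list-all-zones` output and summarise every active zone.
# Live usage: firewall-cmd --list-all-zones | active_zones_report

# Constructed sample in the layout firewall-cmd prints. firewalld indents
# rich rules with a tab; the parser below accepts tabs or spaces.
sample_list_all_zones() {
  cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 1935/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="http" accept

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services:
  ports:
  rich rules:

drop
  target: DROP
  interfaces:
  sources:
  services: ssh
  ports:
  rich rules:
EOF
}

# active_zones_report: read --list-all-zones output on stdin, print one
# summary line per active zone. Inactive zones (no interface, no source)
# do not filter any traffic, so they are skipped.
active_zones_report() {
  awk '
    function emit() {
      printf "zone=%s target=%s services=%s ports=%s rich_rules=%d%s\n",
        zone, target, (svc == "" ? "-" : svc), (prt == "" ? "-" : prt), rich,
        (target == "ACCEPT" ? " WARNING:accept-all" : "")
    }
    /^[^ \t]/ {                           # zone header, e.g. "public (active)"
      if (active) emit()
      zone = $1; active = ($0 ~ /\(active\)/)
      target = ""; svc = ""; prt = ""; rich = 0
      next
    }
    !active { next }
    /^  target:/   { target = $2 }
    /^  services:/ { sub(/^  services: */, ""); gsub(/ /, ","); svc = $0 }
    /^  ports:/    { sub(/^  ports: */, "");    gsub(/ /, ","); prt = $0 }
    /^[ \t]+rule / { rich++ }             # one indented line per rich rule
    END { if (active) emit() }
  '
}

# sample_report: run the audit over the constructed sample
sample_report() {
  sample_list_all_zones | active_zones_report
}

sample_report
```

The drop zone is not reported even though it lists ssh: nothing is bound to it, so that entry has no effect. The trusted zone, by contrast, is active for 10.0.0.0/8 with target ACCEPT, which is exactly the kind of configuration worth a second look.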

Step 3: Setting the Default Firewalld Zone

4. If you would like to set the default zone to internal, external, drop, work, or any other zone, you can use the command below. Here we are using the internal zone as the default.

# firewall-cmd --set-default-zone=internal

5. After setting the zone, verify the default zone using the command below.

# firewall-cmd --get-default-zone

6. Here our interface is enp0s3. If we need to check which zone that interface is bound to, we can use the command below.

# firewall-cmd --get-zone-of-interface=enp0s3

7. Another interesting feature of firewalld is 'icmptype', one of the ICMP types supported by firewalld. To get the list of supported ICMP types we can use the command below.

# firewall-cmd --get-icmptypes

Step 4: Creating Your Own Service in Firewalld

8. A service is a set of rules with ports and options that Firewalld uses. Enabled services are loaded automatically when the Firewalld service is running.

By default, many services are available; to get the list of all available services, use the following command.

# firewall-cmd --get-services

9. To see the definitions of all the default services, go to the following directory, where the service files are kept.

# cd /usr/lib/firewalld/services/

10. To create your own service, you need to define it in the following location. For example, here I want to add a service for RTMP port 1935; first, make a copy of any one of the existing services.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Then go to the location where our service file was copied and rename the file 'ssh.xml' to 'rtmp.xml', as shown in the picture below.

# cd /etc/firewalld/services/
# mv ssh.xml rtmp.xml
# ls -l rtmp.xml

11. Next, open the file and edit the title, description, protocol, and port number to the values we need for the RTMP service, as shown in the picture below.

12. To make these changes take effect, restart the firewalld service, or reload the configuration.

# firewall-cmd --reload

13. To confirm whether the service was added or not, run the command below to get the list of available services.

# firewall-cmd --get-services
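Steps 10 to 13 create the service file by copying and hand-editing ssh.xml. The following script, an added example rather than the article's own code, writes the same kind of file directly in the layout used under /usr/lib/firewalld/services, validates the name, port, and protocol first, refuses to overwrite an existing definition, and offers a check that reads the declared port back. The directory is a parameter so the demo at the bottom can run in a scratch directory without root; on a real host pass /etc/firewalld/services and then reload.

```shell
#!/bin/sh
# Added example (not from the original article): generate a firewalld
# service definition instead of hand-editing a copied file.

# xml_escape TEXT: make free text safe inside an XML element
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_service_file DIR NAME PORT PROTO [DESCRIPTION]
# Writes DIR/NAME.xml with the short, description and port elements that
# the shipped service files use, and prints the path written.
write_service_file() {
  dir=$1; name=$2; port=$3; proto=$4
  desc=${5:-"Custom service $name on $proto port $port"}

  # The name becomes a file name and a firewall-cmd argument: allow only
  # the characters used by the shipped services, so "../x" cannot escape DIR.
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  case $proto in
    tcp|udp|sctp|dccp) ;;            # the protocols firewalld accepts in <port>
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac

  file="$dir/$name.xml"
  [ -e "$file" ] && { echo "refusing to overwrite $file" >&2; return 1; }

  cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$(xml_escape "$desc")</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
  printf '%s\n' "$file"
}

# service_port DIR NAME: print the PORT/PROTO declared in DIR/NAME.xml
service_port() {
  sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1/$2.xml"
}

# Stand-alone demo in a scratch directory (no root needed).
demo_dir=$(mktemp -d)
write_service_file "$demo_dir" rtmp 1935 tcp "Real Time Messaging Protocol"
service_port "$demo_dir" rtmp
rm -rf "$demo_dir"
```

After writing the file into /etc/firewalld/services, run firewall-cmd --reload and confirm with firewall-cmd --get-services that rtmp now appears; a file in that directory overrides a shipped service of the same name, which is why the function refuses to clobber anything already there.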

Step 5: Assigning Services to Firewalld Zones

14. Here we will see how to manage the firewall using the firewall-cmd command. To know the current state of the firewall and all active zones, type the following commands.

# firewall-cmd --state
# firewall-cmd --get-active-zones

15. Interface enp0s3 belongs to the public zone, the default zone, which is defined in the /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list all services enabled in this default zone of the interface:

# firewall-cmd --list-services

Step 6: Adding Services to Firewalld Zones

16. In the examples above we saw how to create our own service by creating the rtmp service; here we will see how to add the rtmp service to the zone.

# firewall-cmd --add-service=rtmp

17. To remove the added service, type:

# firewall-cmd --zone=public --remove-service=rtmp

The step above is only temporary (runtime configuration). To make it permanent we need to run the command below with the --permanent option.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

18. Define rules for a source network range and open any port you need. For example, if you would like to open the network range '192.168.0.0/24' and port '1935', use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

Make sure to reload the firewalld service after adding or removing any service or port.

# firewall-cmd --reload
# firewall-cmd --list-all

Step 7: Adding Rich Rules in Firewalld for a Network Range

19. If I want to allow services such as http, https, vnc-server, and PostgreSQL, I use the following commands. First add the rule, then make it permanent, then reload the rules and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

Now the network range 192.168.0.0/24 can use the above services on my server. The --permanent option can be given on every rule, but the approach here is to define the runtime rule, check that the clients can connect, and only then make it permanent.

20. After adding the above rules, don't forget to reload the firewall rules and list them using:

# firewall-cmd --reload
# firewall-cmd --list-all
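Steps 19 and 20 repeat the same pair of commands for each service. The script below, an added example and not the article's own code, wraps that procedure in a function: it checks that the source really is an IPv4 CIDR before building a rule, skips rules that are already present (so re-running it is harmless), adds each rule to the runtime and the permanent configuration, and reloads at the end. With DRY_RUN=1 it prints the firewall-cmd invocations instead of executing them, which is how the demo at the bottom runs without root or a live firewalld.

```shell
#!/bin/sh
# Added example (not from the original article): allow a list of services
# from one source range with firewalld rich rules, runtime then permanent.
# DRY_RUN=1 prints the firewall-cmd commands instead of running them.

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rich_rule FAMILY SOURCE SERVICE: build the rule string firewall-cmd expects
rich_rule() {
  printf 'rule family="%s" source address="%s" service name="%s" accept' "$1" "$2" "$3"
}

# valid_cidr4 A.B.C.D/N: succeed only for a well-formed IPv4 prefix
valid_cidr4() {
  case $1 in
    *[!0-9./]*|*/) return 1 ;;
  esac
  ip=${1%/*}; bits=${1#*/}
  [ "$1" = "$ip" ] && return 1               # no "/N" at all
  [ "$bits" -le 32 ] 2>/dev/null || return 1 # also rejects "a/b/c"
  n=0; old_ifs=$IFS; IFS=.
  for o in $ip; do                           # every octet present and <= 255
    [ -n "$o" ] && [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# allow_services_from SOURCE ZONE SERVICE...: add an accept rich rule per
# service, to the runtime and the permanent configuration, then reload.
allow_services_from() {
  src=$1; zone=$2; shift 2
  valid_cidr4 "$src" || { echo "not an IPv4 CIDR: $src" >&2; return 1; }
  for svc in "$@"; do
    rule=$(rich_rule ipv4 "$src" "$svc")
    # --query-rich-rule exits 0 when the rule is already active: skip it.
    if [ "${DRY_RUN:-0}" != 1 ] && firewall-cmd --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
      echo "already present: $svc" >&2
      continue
    fi
    run firewall-cmd --zone="$zone" --add-rich-rule="$rule" || return 1
    run firewall-cmd --zone="$zone" --permanent --add-rich-rule="$rule" || return 1
  done
  run firewall-cmd --reload
}

# Stand-alone demo: print what would be run for the article's four services
DRY_RUN=1 allow_services_from 192.168.0.0/24 public http https vnc-server postgresql
```

Run it without DRY_RUN on the host to apply the rules, then check with firewall-cmd --list-all that the four rich rules appear exactly once each; a second run only reports "already present".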

To learn more about Firewalld:

# man firewalld

That's it. We have seen how to set up a netfilter firewall using Firewalld on RHEL-based distributions such as Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE.

Netfilter is the firewall framework on every Linux distribution. In every earlier RHEL and CentOS release we used iptables, but in newer versions they have introduced Firewalld. Firewalld is easier to understand and use. I am happy to have written this article.