The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.
This post summarizes basic firewall and SELinux configuration on two of the most popular Linux distributions: CentOS and Ubuntu.
1. CentOS 7
Firewall
CentOS 7 ships FirewallD as its default firewall front end:
- FirewallD uses zones and services instead of chains and rules.
- It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.
Note
FirewallD is a wrapper for iptables that allows easier management of iptables rules; it is not an iptables replacement. While iptables commands are still available alongside FirewallD, it is recommended to use only FirewallD commands when FirewallD is in use.
FirewallD
Iptables (not installed by default on CentOS 7; to switch from FirewallD to the classic iptables service):
- yum install policycoreutils iptables-services -y
- systemctl stop firewalld.service
- systemctl disable firewalld.service
- service iptables restart
- systemctl stop firewalld.service # stop the firewall
- systemctl start firewalld.service # start the firewall
- systemctl status firewalld.service # check the firewall status
- systemctl disable firewalld.service # prevent firewalld from starting at boot
- firewall-cmd --state # show the firewall state (prints "not running" when stopped, "running" when started)
To stop firewalld and also prevent it from being started again, even indirectly by another unit, mask it:
sudo systemctl mask --now firewalld
Disable Firewalld
systemctl disable firewalld
Stop Firewalld
systemctl stop firewalld
Check the Status of Firewalld
systemctl status firewalld
Open the XRDP tcp port 3389:
$ sudo firewall-cmd --add-port=3389/tcp --permanent
$ sudo firewall-cmd --reload
SELinux
Check the Status of SELinux
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Disable SELinux
To switch the running SELinux mode from enforcing to permissive (the targeted policy stays loaded, but denials are only logged instead of blocked), use the following command: sudo setenforce 0
This change lasts only until the next reboot. To disable SELinux permanently, set SELINUX=disabled in /etc/selinux/config and reboot:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Open tcp port 3000 on each release:
#CentOS 6
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
service iptables save
service iptables restart
#CentOS 7
firewall-cmd --zone=public --add-port=3000/tcp --permanent
firewall-cmd --reload
2. Ubuntu 18.04
Firewall
Ubuntu includes its own firewall, known as ufw, short for "uncomplicated firewall." Ufw is an easier-to-use front end for the standard Linux iptables commands. You can even control ufw from a graphical interface.
Ubuntu’s firewall is designed as an easy way to perform basic firewall tasks without learning iptables. It doesn’t offer all the power of the standard iptables commands, but it’s less complex.
sudo ufw enable
sudo ufw allow 22 (Allows both TCP and UDP traffic on this port; not ideal if UDP isn't necessary.)
sudo ufw allow 22/tcp (Allows only TCP traffic on this port.)
sudo ufw allow ssh (Checks the /etc/services file on your system for the port that SSH requires and allows it. Many common services are listed in this file.)
sudo ufw reject out ssh
sudo ufw status
sudo ufw delete reject out ssh
sudo ufw deny proto tcp from 12.34.56.78 to any port 22
sudo ufw reset
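The states that the CentOS and Ubuntu commands above put a host into (SELinux mode, firewall running) can be audited offline from captured output. The script below is an added example, not code from the original post; it assumes the text of sestatus and of firewall-cmd --state or ufw status is passed in as strings, and its function names and sample inputs are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline audit of the
# settings the post shows. It takes sestatus output and the output of
# "firewall-cmd --state" (or "ufw status") as text, so it can be run over
# captured output from many hosts. Function names are this example's own.

# Print the value of a "Key: value" line from sestatus-style text on stdin.
field() { awk -F': *' -v k="$1" '$1 == k { print $2; exit }'; }

# selinux_findings SESTATUS_TEXT -> one finding per line, nothing when OK.
selinux_findings() {
  cur=$(printf '%s\n' "$1" | field "Current mode")
  cfg=$(printf '%s\n' "$1" | field "Mode from config file")
  # sestatus prints only "SELinux status: disabled" when SELinux is off.
  [ -n "$cur" ] || cur=disabled
  [ "$cur" = enforcing ] ||
    echo "selinux: running in '$cur' mode, policy is not enforced"
  # setenforce changes only the running mode; a reboot reverts to the file.
  [ -z "$cfg" ] || [ "$cur" = "$cfg" ] ||
    echo "selinux: runtime mode '$cur' differs from config mode '$cfg' (not persistent)"
}

# firewall_findings STATE_TEXT -> finding unless firewalld or ufw is active.
firewall_findings() {
  case "$1" in
    running | *"Status: active"*) ;;   # firewall-cmd --state | ufw status
    *) echo "firewall: no active firewalld or ufw (got: $1)" ;;
  esac
}

# audit SESTATUS_TEXT FIREWALL_STATE_TEXT -> prints findings; 0 if none, else 1.
audit() {
  out=$(selinux_findings "$1"; firewall_findings "$2")
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample inputs; the first mirrors the sestatus output shown above.
SESTATUS_OK='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'
SESTATUS_DRIFT='SELinux status:                 enabled
Current mode:                   permissive
Mode from config file:          enforcing'

audit "$SESTATUS_OK" running || echo "unexpected findings on hardened host"
audit "$SESTATUS_DRIFT" "not running" || echo "3 findings expected above"
```

The drift check is the practical one: a host where someone ran setenforce 0 shows permissive at runtime but enforcing in the config file, which the audit reports separately from a host that is permissive by configuration.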
SELinux
3. References
- RHEL 7 Security Guide: Introduction to FirewallD
- Fedora Wiki: FirewallD
- Introduction to FirewallD on CentOS
- How to Configure Ubuntu’s Built-In Firewall