Linux - firewall, SELinux rules
1, Firewall (firewalld) rules
Function of the firewall: allow or block specific services and ports.
1. Basic firewall operations
```
# 1. View the firewall status
systemctl status firewalld
# 2. Turn off the firewall
systemctl stop firewalld
# 3. Turn on the firewall
systemctl start firewalld
```
2. Direct firewall rules
```
# 1. View the services and ports the firewall allows
firewall-cmd --list-all
# 2. Allow a service through the firewall, permanently
firewall-cmd --permanent --add-service=<protocol name>
# 3. Allow a port through the firewall, permanently
firewall-cmd --permanent --add-port=8088/tcp
# 4. Reload the firewall configuration
firewall-cmd --reload
```
Correspondence between network services and protocol names:
Service name | Protocol name |
---|---|
vsftpd | ftp |
NFS | nfs |
SAMBA | Windows: cifs; Linux: smb, nmb |
APACHE | http / https |
3. Rich rules for firewall
```
# 1. Add a rich rule (the 172.25.1.0/24 network segment and the ftp service as an example)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ftp accept'
# 2. Delete a rich rule
firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ftp accept'
# 3. Reject all traffic from a network segment
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 reject'
# 4. Reject a specific service for a network segment
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ssh reject'
# 5. Allow a port for a network segment
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 port port=80 protocol=tcp accept'
# 6. Add port forwarding (the port must be opened before it can be forwarded)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 forward-port port=8080 protocol=tcp to-port=80'
```
tcp: two-way, every message is answered, like making a phone call
udp: one-way, nothing comes back, like sending a fax
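Rich rules are easier to audit when each is reduced to source, action and target. The following is an added example, not part of the original notes: a POSIX sh parser for the rule shapes used above. The rules are constructed from those shapes, and 172.25.1.0/24 is the illustrative network the notes already use.

```shell
#!/bin/sh
# Added example (not from the original notes): split firewalld rich rules into
# source, action and target so a rule set can be audited line by line. The rules
# are constructed from the shapes shown above; 172.25.1.0/24 is the notes' example net.
RICH_RULES='rule family=ipv4 source address=172.25.1.0/24 service name=ftp accept
rule family=ipv4 source address=172.25.1.0/24 service name=ssh reject
rule family=ipv4 source address=172.25.1.0/24 port port=80 protocol=tcp accept
rule family=ipv4 source address=172.25.1.0/24 forward-port port=8080 protocol=tcp to-port=80'

# Value of the key=value token named $2 in rule $1 (empty if absent).
rule_value() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

# Terminal action of a rule; forward-port rules carry no action word.
rule_action() {
    case "$1" in
        *" accept")        echo accept ;;
        *" reject")        echo reject ;;
        *" drop")          echo drop ;;
        *"forward-port "*) echo forward ;;
        *)                 echo unknown ;;
    esac
}

# One-line summary of a rule: "<source> <action> <target>".
summarize_rule() {
    src=$(rule_value "$1" address);    act=$(rule_action "$1")
    svc=$(rule_value "$1" name);       port=$(rule_value "$1" port)
    proto=$(rule_value "$1" protocol); to=$(rule_value "$1" to-port)
    if [ -n "$svc" ]; then
        printf '%s %s service %s\n' "$src" "$act" "$svc"
    elif [ -n "$to" ]; then
        printf '%s %s port %s/%s -> %s\n' "$src" "$act" "$port" "$proto" "$to"
    elif [ -n "$port" ]; then
        printf '%s %s port %s/%s\n' "$src" "$act" "$port" "$proto"
    else
        printf '%s %s all traffic\n' "$src" "$act"
    fi
}

# Summarise every rule on stdin (e.g. the "rich rules:" lines of firewall-cmd --list-all).
summarize_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] && summarize_rule "$rule"
    done
}

printf '%s\n' "$RICH_RULES" | summarize_rules
```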
2, SELinux security access rules
SELinux is another access-control system of the Linux operating system: a set of security rules that determine which process may access which files, directories and ports. The protected objects are the service (process), the files (directories) that belong to the service, and the ports the service uses.
SELinux can be regarded as a permission system parallel to the standard permission system. When SELinux is enabled, a process's access to a file is limited not only by the permissions of the user it runs as, but also by whether the process's SELinux context type is allowed to access the file's SELinux context type. As a result, even a process run by the root user may be unable to access a file.
1. The three SELinux modes (states)
Name | Mode | Effect |
---|---|---|
enforcing | Enforcing mode | Denies access that violates policy and logs it |
permissive | Permissive mode (warning mode) | Temporarily allows access that violates policy, but logs it |
disabled | Disabled mode | Allows all access and logs nothing |
How to switch the SELinux mode:
```
# Get the SELinux status
[root@localhost ~]# getenforce
# Temporary switch:
[root@localhost ~]# setenforce 0    # temporarily disable policy enforcement: enforcing -> permissive
[root@localhost ~]# setenforce 1    # temporarily enable policy enforcement: permissive -> enforcing
# Permanent switch:
[root@localhost ~]# vim /etc/selinux/config
SELINUX=enforcing/permissive/disabled
[root@localhost ~]# reboot
```
2. SELinux context
In a Linux system every file, process and port has an SELinux context. The context is the label the security policy uses to decide whether a process may access a file, directory or port.
1. SELinux context type
```
[root@localhost /]# ll -Z
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0 boot
drwxr-xr-x. root root system_u:object_r:device_t:s0 dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0 etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
...
```
Column 4 (user:role:type:sensitivity):
User -> system user (system_u); unconfined user, which covers root and ordinary users (unconfined_u)
Role -> system role (system_r); unconfined role (unconfined_r); object role (object_r)
Type -> ends in _t. The three types belonging to one service must correspond one to one: the files and ports that belong to a service must carry an SELinux context type consistent with the type of the service itself.
Sensitivity -> s0 is the security level; the levels are 0, 1 and 2, and the higher the value, the higher the sensitivity.
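The four context fields, and the rule that a service's files must carry the type the service expects, as an added POSIX sh example that is not part of the original notes. The `ll -Z` lines, paths and labels below are constructed for illustration in the column layout shown above; httpd_sys_content_t is taken as the type Apache content should carry.

```shell
#!/bin/sh
# Added example (not from the original notes): split an SELinux context into
# user:role:type:sensitivity and flag files whose type does not match the
# type the service expects, the consistency the notes require.
# The `ll -Z` lines below are constructed; paths and labels are illustrative.
SAMPLE_LL_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/moved.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
-rw-r--r--. root root system_u:object_r:default_t:s0 /var/www/html/upload.html'

# Field $2 of context $1: 1=user, 2=role, 3=type, 4=sensitivity (with any categories).
context_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# Context (column 4) and file name (column 5) of one `ll -Z` line.
context_of_line() { printf '%s\n' "$1" | awk '{print $4}'; }
name_of_line()    { printf '%s\n' "$1" | awk '{print $5}'; }

# Succeed when the line's type field equals the expected type $2.
type_matches() {
    [ "$(context_field "$(context_of_line "$1")" 3)" = "$2" ]
}

# Read `ll -Z` lines on stdin; print "<file> <actual type>" for each file
# whose type is not $1 (the type the service's files should carry).
mismatched_files() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        type_matches "$line" "$1" && continue
        printf '%s %s\n' "$(name_of_line "$line")" \
            "$(context_field "$(context_of_line "$line")" 3)"
    done
}

# Number of mismatches for expected type $1 (stdin as above).
count_mismatches() { mismatched_files "$1" | awk 'END { print NR }'; }

# Audit the constructed sample against the Apache content type; on a real
# host, feed the output of `ll -Z` for the directory in question instead.
printf '%s\n' "$SAMPLE_LL_Z" | mismatched_files httpd_sys_content_t
```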
2. How to view context types
```
# View the context of a file
# Method 1: ll -Z filename
[root@localhost etc]# ll -Z samba/
# Method 2: semanage fcontext -l | grep filename
# (filename must be an absolute path, and not every file has an entry)
[root@localhost etc]# semanage fcontext -l | grep /etc/ssh
# View the context of a process
# ps -auxZ | grep process
[root@localhost ~]# ps -auxZ | grep sshd
# View all port contexts
# semanage port -l | grep <port number>
[root@localhost ~]# semanage port -l | grep 22
# View the context of open ports
[root@localhost ~]# netstat -pantZ
```
3. How to modify a context type
Modify the context type of a file
```
# Temporary modification:
# chcon -t <context type> <filename>
# If SELinux is set to disabled and the system rebooted, then set back to enforcing and
# rebooted, the modification is lost and the original default type is restored -> not recommended
[root@localhost ~]# chcon -t httpd_sys_content_t /opt/testfile
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# reboot
[root@localhost ~]# sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config
[root@localhost ~]# reboot
[root@localhost ~]# ll -dZ /opt/testfile
# Permanent modification:
# semanage fcontext -a -t <context type> '/filename(/.*)?'   # filename must be an absolute path
# restorecon -RFv /filename   # forces a recursive refresh of the context type and shows each change
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/test(/.*)?'
[root@localhost ~]# restorecon -RFv /opt/test/
```
Modify the context type of a port (add an SELinux port type)
```
# semanage port -a -t <port context type> -p tcp|udp <port number>
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 22022
[root@localhost ~]# semanage port -l | grep ssh
```
3. SELinux Booleans
When SELinux is enabled, the system defines many switches for optional service features, and they are off by default. These switches are the SELinux Booleans (sebool).
```
getsebool -a (| grep <boolean>)            # view
setsebool <boolean name> on/off            # set on or off
semanage boolean -l (| grep <boolean>)     # check whether the Boolean is permanently on (the right-hand value in the parentheses) and show a short description
```
Note:
1. A file inherits the SELinux type of its parent folder by default;
2. When a file is copied (cp) into a new folder it inherits the SELinux context type of the new folder, but a moved (mv) file does not: it keeps its original context type;
3. If the location of a service's configuration file is changed, the SELinux context type of the file must be changed so that it matches the service again; otherwise the service cannot access the configuration file.