Linux - firewall, SELinux rules

1, firewalld firewall rules

What a firewall does: allow or block traffic to particular services and ports.

1. Basic operation of firewalld

# 1. View firewall status
systemctl status firewalld

# 2. Turn off firewall
systemctl stop firewalld

# 3. Turn on the firewall
systemctl start firewalld

2. Direct rules of firewalld

# 1. View the services and ports the firewall currently allows
firewall-cmd --list-all

# 2. Allow a service in the firewall and make it permanent
# <service-name> is the firewalld service name from the table below, e.g. ftp
firewall-cmd --permanent --add-service=<service-name>

# 3. Allow a port in the firewall and make it permanent
firewall-cmd --permanent --add-port=8088/tcp

# 4. Refresh (reload) firewall configuration
firewall-cmd --reload

Correspondence between network service and firewalld service name:

Service    firewalld service name
vsftpd     ftp
NFS        nfs
SAMBA      Windows clients: cifs; Linux clients: smb, nmb
APACHE     http, https

3. Rich rules of firewalld

# 1. Add a rich rule (take 172.25.1.0/24 network segment and ftp service as an example)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ftp accept'

# 2. Delete a rich rule
firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ftp accept'

# 3. Reject all traffic from a network segment (block the whole segment)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 reject'

# 4. Reject a network segment for one specific service only
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 service name=ssh reject'

# 5. Accept a port for a network segment:
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 port port=80 protocol=tcp accept'

# 6. Add port forwarding (the destination port must already be allowed, as in rule 5)
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.1.0/24 forward-port port=8080 protocol=tcp to-port=80'

tcp: two-way, every packet is answered, similar to making a phone call
udp: one-way, no reply is expected, similar to sending a fax
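The rich rules above are built from a fixed pattern (family, source address, optional service, action), so they are easy to generate for an allow-list of segments. The following helper is an added example, not part of the original post: build_rich_rule and apply_rich_rules are hypothetical names, the rule strings follow the firewall-cmd syntax shown above, and with DRY_RUN=1 (the default) the commands are printed for review instead of executed.

```shell
#!/bin/sh
# Added example: compose firewalld rich rules for one service, accepting an
# allow-list of source segments and rejecting the segments listed as blocked.

# build_rich_rule SEGMENT SERVICE ACTION  (SERVICE may be empty for a whole-segment rule)
build_rich_rule() {
    seg=$1; svc=$2; act=$3
    case $act in accept|reject|drop) ;; *) echo "bad action: $act" >&2; return 1 ;; esac
    # Refuse anything that is not a plain IPv4 address or CIDR, so no stray text
    # ends up inside the quoted rule handed to firewall-cmd.
    printf '%s\n' "$seg" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || {
        echo "bad source address: $seg" >&2; return 1; }
    if [ -n "$svc" ]; then
        printf 'rule family=ipv4 source address=%s service name=%s %s\n' "$seg" "$svc" "$act"
    else
        printf 'rule family=ipv4 source address=%s %s\n' "$seg" "$act"
    fi
}

# run_cmd: print the command when DRY_RUN=1 (default), otherwise execute it.
run_cmd() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# apply_rich_rules SERVICE "ALLOWED SEGMENTS" "BLOCKED SEGMENTS"
# Adds one permanent accept rule per allowed segment, one permanent reject rule
# per blocked segment, then reloads so the permanent rules become active.
apply_rich_rules() {
    svc=$1; allowed=$2; blocked=$3
    for seg in $allowed; do
        rule=$(build_rich_rule "$seg" "$svc" accept) || return 1
        run_cmd firewall-cmd --permanent --add-rich-rule="$rule"
    done
    for seg in $blocked; do
        rule=$(build_rich_rule "$seg" "$svc" reject) || return 1
        run_cmd firewall-cmd --permanent --add-rich-rule="$rule"
    done
    run_cmd firewall-cmd --reload
}

# Constructed example: allow ssh from 10.0.0.0/8, reject it from 172.25.1.0/24.
# DRY_RUN=1 apply_rich_rules ssh "10.0.0.0/8" "172.25.1.0/24"
```

Set DRY_RUN=0 only after reviewing the printed plan, and check the result with firewall-cmd --list-all.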

2, SELinux security access rules

SELinux is a further access-control layer of the Linux operating system: a set of security rules that decide which process may access which files, directories and ports. The protected objects are the service (process), the files (directories) belonging to the service, and the ports the service uses.

SELinux can be regarded as a permission system running in parallel with the standard permission system. When SELinux is enabled, a process's access to a file, even when the process runs as root, is limited not only by the user's permissions on the file but also by whether the process's SELinux context is allowed to access the file's context type. A process run by root may therefore still be unable to access a file.

1. The three modes (states) of SELinux

Name        Mode                        Effect
enforcing   enforcing mode              Denies illegal access and logs it
permissive  permissive (warning) mode   Temporarily allows illegal access, but logs it
disabled    disabled                    Allows illegal access without logging

How to switch the SELinux state:

# Get the current SELinux state
[root@localhost ~]# getenforce

# Temporary switch (lost on reboot):
[root@localhost ~]# setenforce 0	#Temporarily relax the SELinux policy: enforcing -> permissive
[root@localhost ~]# setenforce 1	#Temporarily enforce the SELinux policy: permissive -> enforcing

# Permanent switch (takes effect after reboot):
[root@localhost ~]# vim /etc/selinux/config
SELINUX=enforcing    # one of enforcing / permissive / disabled
[root@localhost ~]# reboot

2. SELinux context

In a Linux system every file, process and port carries a SELinux context. The context is the label that the security policy uses to decide whether a process may access a file, directory or port.

1. SELinux context type

[root@localhost /]# ll -Z
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       bin -> usr/bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0      boot
drwxr-xr-x. root root system_u:object_r:device_t:s0    dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
...

Column 4 (user:role:type:sensitivity)

User        -> system user (system_u); unconfined user, covering root and ordinary users (unconfined_u)
Role        -> system role (system_r); unconfined role (unconfined_r); object role (object_r)
Type        -> ends in _t. The three types belonging to a service must correspond one to one: the files and ports of a service must carry the context type that the service process itself expects
Sensitivity -> s0 is the security level; the values include 0, 1 and 2, and the higher the value, the higher the sensitivity
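Because a context is just four colon-separated fields, a listing can be audited for files whose type no longer matches the service that owns the directory (the mismatch that appears after a mv, see the notes at the end). The following audit is an added example, not from the original post: ctx_field and audit_types are hypothetical helper names, the sample listing is constructed, and the line format is the one ll -Z prints above.

```shell
#!/bin/sh
# Added example: split a SELinux context into user/role/type/level and flag
# files in an 'll -Z' listing whose type differs from what the service expects.

# ctx_field CONTEXT FIELD   -> FIELD is one of user | role | type | level
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;   # level itself may contain ':' (s0-s0:c0.c1023)
        *)     return 1 ;;
    esac
}

# audit_types EXPECTED_TYPE < listing
# Reads 'll -Z' style lines (mode user group context name) and prints
# "name<TAB>actual_type" for every file whose type is not EXPECTED_TYPE.
# Returns 1 when at least one mismatch was found, 0 when the directory is clean.
audit_types() {
    want=$1; bad=0
    while read -r mode owner group ctx name rest; do
        [ -n "$ctx" ] || continue
        t=$(ctx_field "$ctx" type)
        if [ "$t" != "$want" ]; then
            printf '%s\t%s\n' "$name" "$t"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample of a web root: moved.html was mv'ed in from /root and kept
# its admin_home_t label; old.html kept a user_tmp_t label from /tmp.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 moved.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 old.html'

# Example run; on a real host the fix is: restorecon -RFv /var/www/html
# printf '%s\n' "$SAMPLE" | audit_types httpd_sys_content_t
```

On a live system feed it with ll -Z of the directory in question and the type that semanage fcontext -l lists for that path.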

2. How to view context types

# View the context of the file
# Method 1: ll -Z filename
[root@localhost etc]# ll -Z samba/

# Method 2: semanage fcontext -l | grep filename
# filename must be the absolute path, and not every file has an entry in the policy
[root@localhost etc]# semanage fcontext -l | grep /etc/ssh

# View the context of a process
# ps -auxZ | grep process-name
[root@localhost ~]# ps -auxZ | grep sshd

# View the port contexts defined in the policy
# semanage port -l | grep port-number
[root@localhost ~]# semanage port -l | grep 22

# View the context of listening ports
[root@localhost ~]# netstat -pantZ

3. How to modify a context type

Modify the context type of a file

# Temporary modification:
# chcon -t <context type> filename
# The change does not survive a relabel: if SELinux is set to disabled and the system rebooted, then set back to enforcing and rebooted again, the file is restored to its original default type -> not recommended
[root@localhost ~]# chcon -t httpd_sys_content_t /opt/testfile
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# reboot
[root@localhost ~]# sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config
[root@localhost ~]# reboot
[root@localhost ~]# ll -dZ /opt/testfile

# Permanent modification:
# semanage fcontext -a -t <context type> '/path(/.*)?'	#Note: the path here must be absolute
# restorecon -RFv /path	        #Forces a recursive relabel to the policy's context type and shows each change
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t '/opt/test(/.*)?'
[root@localhost ~]# restorecon -RFv /opt/test/

Modify the context type of a port (add a SELinux port context)

# semanage port -a -t <port context type> -p tcp|udp <port number>
[root@localhost ~]# semanage port -a -t ssh_port_t -p tcp 22022
[root@localhost ~]# semanage port -l | grep ssh

3. SELinux Booleans

When SELinux is enabled, the policy ships with many per-service feature switches, most of which are off by default; a sebool is such a switch.

getsebool -a (| grep <Boolean>)	#View the current value
setsebool <Boolean name> on|off	#Set on or off (add -P to make it permanent)
semanage boolean -l (| grep <Boolean>)	#Shows the current and permanent value (the pair in parentheses) plus a short description of the Boolean

Note:
1. A file inherits the SELinux type of its parent directory by default;
2. When a file is cp'ed into a new directory it automatically takes on the context type of that directory, but mv does not relabel it and the original context type is kept;
3. If the configuration file of a service is moved to a different location, the file's SELinux context type must be changed to match the service again, otherwise the service cannot access the configuration file.


Posted on Wed, 01 Dec 2021 08:31:03 -0500 by shana