The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions.
This post summarizes how to configure basic firewall and SELinux usage on the two most popular Linux distributions: CentOS and Ubuntu.
1. CentOS 7
Iptables (not installed by default on CentOS 7)
- yum install policycoreutils iptables-services -y
- systemctl stop firewalld.service
- systemctl disable firewalld.service
- service iptables restart
- systemctl stop firewalld //Turn off the firewall
- systemctl start firewalld //Turn on the firewall
- systemctl status firewalld //Check firewall status
- systemctl stop firewalld.service # stop firewalld
- systemctl disable firewalld.service # keep firewalld from starting at boot
- firewall-cmd --state # show the firewall state (prints "not running" when stopped, "running" when started)
Check the Status of Firewalld
Open the XRDP port, TCP 3389.
$ sudo firewall-cmd --add-port=3389/tcp --permanent
$ sudo firewall-cmd --reload
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
sudo setenforce 0 # switch the running system to permissive mode; does not persist across a reboot
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
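Because setenforce only changes the running mode while /etc/selinux/config decides the mode at the next boot, the two can silently disagree. The script below is an added example (not from the original post) that parses constructed sestatus and config samples in the shapes shown above and reports such drift; the function names and sample texts are assumptions.

```shell
#!/bin/sh
# Added example: compare the active SELinux mode (sestatus) with the mode
# configured for the next boot (/etc/selinux/config). Sample inputs are
# constructed to mirror the output and config shown in the post.

# Constructed sestatus output: host was switched to permissive at runtime.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# Constructed /etc/selinux/config: boot-time mode is still enforcing.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# current_mode SESTATUS_TEXT -> enforcing | permissive | disabled | unknown
# A disabled host prints no "Current mode:" line, so the status line is used.
current_mode() {
    printf '%s\n' "$1" | awk -F': *' '
        /^SELinux status:/ && $2 == "disabled" { print "disabled"; found = 1 }
        /^Current mode:/ { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# config_mode CONFIG_TEXT -> value of the (uncommented) SELINUX= line
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p'
}

# selinux_drift SESTATUS_TEXT CONFIG_TEXT -> "ok" or "drift: now X, boot Y"
selinux_drift() {
    now=$(current_mode "$1")
    boot=$(config_mode "$2")
    if [ "$now" = "$boot" ]; then
        echo "ok"
    else
        echo "drift: now $now, boot $boot"
    fi
}

# Stand-alone run over the constructed samples. On a real host pass
# "$(sestatus)" and "$(cat /etc/selinux/config)" instead.
selinux_drift "$SAMPLE_SESTATUS" "$SAMPLE_CONFIG"
```

A "drift" result after `setenforce 0` is the expected reminder that the change is temporary; a drift in the other direction (enforcing now, permissive or disabled at boot) is the case worth alerting on.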
-I INPUT -p tcp --dport -j ACCEPT
service iptables save
service iptables restart
firewall-cmd --zone=public --add-port=/tcp —
2. Ubuntu 18.04
Ubuntu includes its own firewall, known as ufw – short for “uncomplicated firewall.” Ufw is an easier-to-use frontend for the standard Linux iptables commands. You can even control ufw from a graphical interface.
Ubuntu’s firewall is designed as an easy way to perform basic firewall tasks without learning iptables. It doesn’t offer all the power of the standard iptables commands, but it’s less complex.
sudo ufw enable
sudo ufw allow 22 (Allows both TCP and UDP traffic – not ideal if UDP isn’t necessary.)
sudo ufw allow 22/tcp (Allows only TCP traffic on this port.)
sudo ufw allow ssh (Checks the /etc/services file on your system for the port that SSH requires and allows it. Many common services are listed in this file.)
sudo ufw reject out ssh
sudo ufw status
sudo ufw delete reject out ssh
sudo ufw deny proto tcp from 18.104.22.168 to any port 22
sudo ufw reset