Firewall opens/deletes ports, etc

August 14, 2021 2481 point heat 5 people like it 2 comments

Normally

Release the port, and you can do this

#Port release (general)
firewall-cmd --zone=public --add-port=45056/tcp --permanent
firewall-cmd --zone=public --add-port=45056/udp --permanent
#Delete Port
firewall-cmd --zone=public --remove-port=45056/tcp --permanent
firewall-cmd --zone=public --remove-port=45056/udp--permanent

#Reload the firewall configuration file

firewall-cmd --reload

 

Advanced operation:

The following is reproduced from https://wangchujiang.com/linux-command/c/firewall-cmd.html

firewall-cmd

New firewall software on Linux, similar to iptables

Supplementary notes

Firewall cmd is the character interface management tool of firewalld. firewalld is a feature of centos7, which has two major advantages: it supports dynamic updates without restarting services; The second is to add the "zone" concept of firewall.

Compared with iptables, firewalld has at least two advantages:

  1. Firewalld can dynamically modify a single rule, but it does not need to be refreshed after the rule is modified, as in iptables.
  2. Firewalld is much more user-friendly than iptables in use. Even if you don't understand the "five tables and five chains" and the TCP/IP protocol, you can achieve most functions.

Firewalld does not have the function of firewall itself, but, like iptables, needs to be implemented through the netfilter of the kernel. That is to say, like iptables, firewalld is used to maintain rules. The real use of rules is the netfilter of the kernel, but the structure and usage of firewalld and iptables are different.

Command format

 firewall-cmd [ option .. . ]

option

General options

 -h, --help #Display help information; -V, --version #Display version information (This option cannot be combined with other options); -q, --quiet #Do not print status messages;

Status Options

 --state #Display firewalld status; --reload #Reload without interrupting services; --complete-reload #Reload after disconnecting all connections; --runtime-to-permanent #Permanently save the rules of the current firewall; --check-config #Check the correctness of the configuration;

log option

 --get-log-denied #Get the log of record rejection; --set-log-denied = < value >  #Set the log to record rejected logs, which can only be one of 'all', 'unicast', 'broadcast', 'multicast', and 'off';

example

 #Install firewalld yum install firewalld firewall-config systemctl start  firewalld #Start systemctl stop firewalld #Stop systemctl enable firewalld #Enable Autostart systemctl disable firewalld #Disable Autostart systemctl status firewalld #Or firewall cmd -- state to view the status

 #How to close the service
 #You can also close the currently unfamiliar FirewallD firewall and use iptables. The command is as follows: systemctl stop firewalld systemctl disable firewalld yum install iptables-services systemctl start iptables systemctl enable iptables

Configure firewalld

 firewall-cmd --version #View version firewall-cmd --help #View Help

 #View settings: firewall-cmd --state #Display Status firewall-cmd --get-active-zones #View area information firewall-cmd --get-zone-of-interface = eth0 #View the region of the specified interface firewall-cmd --panic-on #Reject All Packages firewall-cmd --panic-off #Cancel Reject Status firewall-cmd --query-panic #Check whether to reject firewall-cmd --reload #Update firewall rules firewall-cmd --complete-reload #The difference between the two is that the first is that there is no need to disconnect. It is one of the firewalld features that dynamically adds rules. The second is that the connection needs to be disconnected, similar to restarting the service


 #Add interfaces to the region. The default interfaces are all in public firewall-cmd --zone = public --add-interface = eth0 #Permanently effective plus permanent and reload firewall
 
 #Set the default interface area to take effect immediately without restarting firewall-cmd --set-default-zone = public #To view all open ports: firewall-cmd --zone = dmz --list-ports #Add a port to the zone: firewall-cmd --zone = dmz --add-port = eight thousand and eighty /tcp #The method for permanent effectiveness is the same as above
 
 #Open a service, which is similar to visualizing the port. The service needs to be added in the configuration file. There is a services folder in the/etc/firewalld directory, which is not detailed. For details, refer to the documentation firewall-cmd --zone = work --add-service = smtp #Remove Service firewall-cmd --zone = work --remove-service = smtp #Displays a list of supported regions firewall-cmd --get-zones #Set as Home Area firewall-cmd --set-default-zone = home #View Current Area firewall-cmd --get-active-zones #Set the interface of the current region firewall-cmd --get-zone-of-interface = enp03s #Show all public areas (public) firewall-cmd --zone = public --list-all #Temporarily modify the network interface (enp0s3) to internal firewall-cmd --zone = internal --change-interface = enp03s #Permanently modify the network interface enp03s as an internal area firewall-cmd --permanent --zone = internal --change-interface = enp03s

Service management

 #Show service list The most important services such as Amanda, FTP, Samba and TFTP have been provided by FirewallD. You can use the following command to view them: firewall-cmd --get-services #Allow SSH services to pass through firewall-cmd --new-service = ssh #Prohibit SSH services from passing firewall-cmd --delete-service = ssh #Open TCP port 8080 firewall-cmd --enable ports = eight thousand and eighty /tcp #Allow Samba service to pass 600 seconds temporarily firewall-cmd --enable service = samba --timeout = six hundred

 #Show current service firewall-cmd --list-services #Add HTTP service to internal area firewall-cmd --permanent --zone = internal --add-service = http firewall-cmd --reload #Reload the firewall without changing the state

Port management

 #Open 443/TCP port firewall-cmd --add-port = four hundred and forty-three /tcp #Permanently open the 3690/TCP port firewall-cmd --permanent --add-port = three thousand six hundred and ninety /tcp #It seems that the port needs to be reloaded for permanent opening, but not for temporary opening. If reload is used, the port temporarily opened will become invalid
 #Other services may also be like this. This is not tested firewall-cmd --reload #View the firewall. You can also see the added ports firewall-cmd --list-all

Direct mode

 #FirewallD includes a direct mode, which can be used to complete some tasks, such as opening port 9999 of TCP protocol firewall-cmd --direct -add-rule ipv4 filter INPUT zero -p tcp --dport nine thousand -j ACCEPT firewall-cmd --reload

Custom Service Management

option

 (with [ P only ] It means that this option cannot be used with other options except (-- permanent)!) --new-service = < service name > Create a new custom service [ P only ] --new-service-from-file = < file name >  [ --name = < service name > ] Read the configuration from the file to create a new custom service [ P only ] --delete-service = < service name > Delete an existing service [ P only ] --load-service-defaults = < service name > Load icmptype default settings [ P only ] --info-service = < service name > Display information about the service --path-service = < service name > Display the relevant path of the service's file [ P only ] --service = < service name > --set-description = < describe > Set description information for the service [ P only ] --service = < service name > --get-description Display the description of the service [ P only ] --service = < service name > --set-short = < describe > Set a short description for the service [ P only ] --service = < service name > --get-short Displays a short description of the service [ P only ] --service = < service name > --add-port = < Port number > [ - < Port number > ] / < protocol > Add a new port to the service ( Port segment )  [ P only ] --service = < service name > --remove-port = < Port number > [ - < Port number > ] / < protocol > Remove a port from the service ( Port segment )  [ P only ] --service = < service name > --query-port = < Port number > [ - < Port number > ] / < protocol > Query whether the service has added a port ( Port segment )  [ P only ] --service = < service name > --get-ports Display all ports added by the service [ P only ] --service = < service name > --add-protocol = < protocol > Add a protocol for the service [ P only ] --service = < service name > --remove-protocol = < protocol > Remove a protocol from the service [ P only ] --service = < service name > --query-protocol = < protocol > Query whether the service has added a protocol [ P only ] --service = < service name > --get-protocols Show all protocols added by this service [ P only ] --service = < service name > --add-source-port = < Port number > [ - < Port number > ] / < protocol > Add a new source port ( Port segment ) To this service [ P only ] --service = < service name > --remove-source-port = < Port number > [ - < Port number > ] / < protocol > Remove the source port from the service ( Port segment )  [ P only ] --service = < service name > --query-source-port = < Port number > [ - < Port number > ] / < protocol > Query whether the service has added a source port ( Port segment )  [ P only ] --service = < service name > --get-source-ports Display all source ports of the service [ P only ] --service = < service name > --add-module = < module > Add a module for the service [ P only ] --service = < service name > --remove-module = < module > Remove a module for the service [ P only ] --service = < service name > --query-module = < module > Query whether the service has added a module [ P only ] --service = < service name > --get-modules Display all modules added by the service [ P only ] --service = < service name > --set-destination = < ipv > : < address > [ / < mask > ] Set destination for ipv to address in  service  [ P only ] --service = < service name > --remove-destination = < ipv > Disable destination for ipv i service  [ P only ] --service = < service name > --query-destination = < ipv > : < address > [ / < mask > ] Return whether destination ipv is set  for  service  [ P only ] --service = < service name > --get-destinations List destinations in  service  [ P only ]

Control port/service

You can control the opening of ports in two ways, one is to specify the port number and the other is to specify the service name. Although opening http service means opening port 80, it cannot be closed through the port number, that is, if it is opened by specifying the service name, it must be closed through specifying the service name; If it is opened by specifying the port number, it will be closed by specifying the port number. Another thing to note is that when specifying the port, you must specify the protocol, tcp or udp. After you know this, you don't need to turn off the firewall every time, so that the firewall can really take effect.

 firewall-cmd --add-service = mysql #Open MySQL port firewall-cmd --remove-service = http #Block http port firewall-cmd --list-services #View open services firewall-cmd --add-port = three thousand three hundred and six /tcp #Open access to 3306 via tcp firewall-cmd --remove-port = 80tcp #Prevent access to 3306 via tcp firewall-cmd --add-port = two hundred and thirty-three /udp #Open access via udp 233 firewall-cmd --list-ports #View open ports

Masquerade IP

 firewall-cmd --query-masquerade #Check whether IP masquerade is allowed firewall-cmd --add-masquerade #Allow firewall to masquerade IP firewall-cmd --remove-masquerade #Forbid firewall from masquerading IP

Port forwarding

Port forwarding can forward traffic to the specified port of the specified address when the specified address accesses the specified port. If the IP address is not specified, the forwarding destination will be the local machine by default. If the IP address is specified but the port is not specified, the source port will be used by default. If the port forwarding cannot be used after configuration, you can check the following two problems:

  1. For example, if I forward port 80 to port 8080, first check whether the local port 80 and the target port 8080 are open for listening
  2. Secondly, check whether the masquerade IP is allowed. If not, enable the masquerade IP
 firewall-cmd --add-forward-port = port = eighty :proto = tcp:toport = eight thousand and eighty    #Forward the traffic of port 80 to 8080 firewall-cmd --add-forward-port = port = eighty :proto = tcp:toaddr = one hundred and ninety-two point one six eight .0.1 #Forward the traffic on port 80 to 192.168.0.1 firewall-cmd --add-forward-port = port = eighty :proto = tcp:toaddr = one hundred and ninety-two point one six eight .0.1:toport = eight thousand and eighty  #Forward the traffic of port 80 to port 8080 of 192.168.0.1
  1. When we want to hide a port, we can block the access to that port on the firewall, and then open an irregular port, and then configure the port forwarding of the firewall to forward the traffic.
  2. Port forwarding can also be used to distribute traffic. A firewall drags many machines running different services, and then uses the firewall to forward traffic from different ports to different machines.

 

Gcod

If life is just like the first sight, what is the sad autumn wind painting fan

Article comments

  • Yang Jingwen

    I hated the trouble of configuring Firewall. I silently changed to using the pagoda. I clicked the mouse to fix it :lol:

    August 22, 2021
  • one hundred and twenty-one

    Well written

    August 20, 2021