firewall-cmd
Supplementary notes
- Firewalld can modify a single rule dynamically; unlike iptables, the whole rule set does not have to be reloaded after a rule is changed.
- Firewalld is much more user-friendly than iptables: most tasks can be done even without understanding the "five tables and five chains" or the TCP/IP protocol.
firewall-cmd [option ...]
option
-h, --help                  # Display help information
-V, --version               # Display version information (this option cannot be combined with other options)
-q, --quiet                 # Do not print status messages
--state                     # Display firewalld status
--reload                    # Reload rules without interrupting existing connections
--complete-reload           # Reload rules, dropping all existing connections
--runtime-to-permanent      # Save the current runtime rules as permanent rules
--check-config              # Check the configuration for errors
--get-log-denied            # Show the current setting for logging rejected packets
--set-log-denied=<value>    # Log rejected packets; value must be one of 'all', 'unicast', 'broadcast', 'multicast' or 'off'
example
# Install firewalld
yum install firewalld firewall-config
systemctl start firewalld      # Start
systemctl stop firewalld       # Stop
systemctl enable firewalld     # Enable autostart
systemctl disable firewalld    # Disable autostart
systemctl status firewalld     # Or firewall-cmd --state to view the status

# How to stop the service
# If firewalld is unfamiliar, it can also be stopped and replaced with iptables. The commands are:
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl enable iptables

firewall-cmd --version         # View version
firewall-cmd --help            # View help
# View settings:
firewall-cmd --state                         # Display status
firewall-cmd --get-active-zones              # View active zones and their interfaces
firewall-cmd --get-zone-of-interface=eth0    # View the zone of the specified interface
firewall-cmd --panic-on                      # Reject all packets (panic mode)
firewall-cmd --panic-off                     # Leave panic mode
firewall-cmd --query-panic                   # Check whether panic mode is on
firewall-cmd --reload                        # Reload firewall rules
firewall-cmd --complete-reload
# The difference between the two: --reload keeps existing connections (dynamic rule updates are one of firewalld's features); --complete-reload drops all connections, similar to restarting the service.
# Add an interface to a zone. By default all interfaces are in the public zone
firewall-cmd --zone=public --add-interface=eth0    # For a permanent change add --permanent and then reload the firewall

# Set the default zone; takes effect immediately, no restart needed
firewall-cmd --set-default-zone=public
# View all open ports:
firewall-cmd --zone=dmz --list-ports
# Add a port to a zone:
firewall-cmd --zone=dmz --add-port=8080/tcp        # To make it permanent, proceed as above (--permanent plus reload)
# Open a service, which is similar to opening its port. The service must be defined in a configuration file: there is a services folder under /etc/firewalld; not detailed here, see the documentation
firewall-cmd --zone=work --add-service=smtp
# Remove a service
firewall-cmd --zone=work --remove-service=smtp
# Display the list of supported zones
firewall-cmd --get-zones
# Set home as the default zone
firewall-cmd --set-default-zone=home
# View active zones
firewall-cmd --get-active-zones
# View the zone of an interface
firewall-cmd --get-zone-of-interface=enp0s3
# Show everything configured in the public zone
firewall-cmd --zone=public --list-all
# Temporarily move the network interface enp0s3 to the internal zone
firewall-cmd --zone=internal --change-interface=enp0s3
# Permanently move the network interface enp0s3 to the internal zone
firewall-cmd --permanent --zone=internal --change-interface=enp0s3
# Show the service list. The most common services, such as Amanda, FTP, Samba and TFTP, are already provided by firewalld; view them with:
firewall-cmd --get-services
# Allow SSH through
firewall-cmd --add-service=ssh
# Block SSH
firewall-cmd --remove-service=ssh
# Open TCP port 8080
firewall-cmd --add-port=8080/tcp
# Allow the Samba service through temporarily, for 600 seconds
firewall-cmd --add-service=samba --timeout=600
# Show current services
firewall-cmd --list-services
# Add the HTTP service to the internal zone
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload    # Reload the firewall without losing connection state
# Open port 443/TCP
firewall-cmd --add-port=443/tcp
# Permanently open port 3690/TCP
firewall-cmd --permanent --add-port=3690/tcp
# A permanently opened port needs a reload to take effect; a temporarily opened one does not. Note that a reload discards temporarily opened ports.
# Other services probably behave the same way. This is not tested
firewall-cmd --reload
# View the firewall; the added ports are shown as well
firewall-cmd --list-all
# firewalld also has a direct mode, which can be used for tasks such as opening TCP port 9999
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9999 -j ACCEPT    # --permanent, so the rule survives the reload below (a runtime-only rule would be dropped by it)
firewall-cmd --reload
Service options (an option marked [P only] can be combined only with --permanent):
--new-service=<service name>                                   Create a new custom service [P only]
--new-service-from-file=<file name> [--name=<service name>]    Create a new custom service from a file [P only]
--delete-service=<service name>                                Delete an existing service [P only]
--load-service-defaults=<service name>                         Load the service's default settings [P only]
--info-service=<service name>                                  Display information about the service
--path-service=<service name>                                  Display the path of the service's file [P only]
--service=<service name> --set-description=<description>       Set the description of the service [P only]
--service=<service name> --get-description                     Display the description of the service [P only]
--service=<service name> --set-short=<description>             Set a short description for the service [P only]
--service=<service name> --get-short                           Display the short description of the service [P only]
--service=<service name> --add-port=<port>[-<port>]/<protocol>             Add a port (or port range) to the service [P only]
--service=<service name> --remove-port=<port>[-<port>]/<protocol>          Remove a port (or port range) from the service [P only]
--service=<service name> --query-port=<port>[-<port>]/<protocol>           Query whether the port (or port range) is in the service [P only]
--service=<service name> --get-ports                           Display all ports of the service [P only]
--service=<service name> --add-protocol=<protocol>             Add a protocol to the service [P only]
--service=<service name> --remove-protocol=<protocol>          Remove a protocol from the service [P only]
--service=<service name> --query-protocol=<protocol>           Query whether the protocol is in the service [P only]
--service=<service name> --get-protocols                       Display all protocols of the service [P only]
--service=<service name> --add-source-port=<port>[-<port>]/<protocol>      Add a source port (or port range) to the service [P only]
--service=<service name> --remove-source-port=<port>[-<port>]/<protocol>   Remove a source port (or port range) from the service [P only]
--service=<service name> --query-source-port=<port>[-<port>]/<protocol>    Query whether the source port (or port range) is in the service [P only]
--service=<service name> --get-source-ports                    Display all source ports of the service [P only]
--service=<service name> --add-module=<module>                 Add a module to the service [P only]
--service=<service name> --remove-module=<module>              Remove a module from the service [P only]
--service=<service name> --query-module=<module>               Query whether the module is in the service [P only]
--service=<service name> --get-modules                         Display all modules of the service [P only]
--service=<service name> --set-destination=<ipv>:<address>[/<mask>]        Set the destination for ipv to address in the service [P only]
--service=<service name> --remove-destination=<ipv>            Remove the destination for ipv from the service [P only]
--service=<service name> --query-destination=<ipv>:<address>[/<mask>]      Return whether the destination for ipv is set in the service [P only]
--service=<service name> --get-destinations                    List the destinations of the service [P only]
firewall-cmd --add-service=mysql       # Open the MySQL port
firewall-cmd --remove-service=http     # Block the HTTP port
firewall-cmd --list-services           # View open services
firewall-cmd --add-port=3306/tcp       # Open access to 3306 via TCP
firewall-cmd --remove-port=3306/tcp    # Close access to 3306 via TCP
firewall-cmd --add-port=233/udp        # Open access to 233 via UDP
firewall-cmd --list-ports              # View open ports
firewall-cmd --query-masquerade     # Check whether IP masquerading is enabled
firewall-cmd --add-masquerade       # Enable IP masquerading
firewall-cmd --remove-masquerade    # Disable IP masquerading
- For example, to forward port 80 to port 8080, first check that the local port 80 and the target port 8080 are open and listening.
- Then check whether IP masquerading is enabled; if not, enable it.
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                       # Forward traffic on port 80 to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1                # Forward traffic on port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080    # Forward traffic on port 80 to port 8080 of 192.168.0.1
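The forwarding procedure above (check the listener, enable masquerading if needed, add the rule) as one POSIX sh function. This is an added example, not part of the original notes; the FW variable, the is_listening and forward_port function names, and the use of ss for the listener check are assumptions, and the rule is added with --permanent so that it survives the reload that follows.

```shell
#!/bin/sh
# Added example, not from the original notes: the port-forwarding procedure
# above (check the listener, enable masquerade if needed, add the rule) as
# one function. FW names the firewall-cmd binary; it is a variable only so
# the function can be exercised against a stub without root or firewalld.
FW="${FW:-firewall-cmd}"

# is_listening PORT PROTO: succeeds if a local socket listens on PORT/PROTO
is_listening() {
    case "$2" in
        tcp) ss -Hlnt 2>/dev/null | awk '{print $4}' | grep -q ":$1\$" ;;
        udp) ss -Hlnu 2>/dev/null | awk '{print $4}' | grep -q ":$1\$" ;;
        *)   return 2 ;;
    esac
}

# forward_port PORT PROTO TOPORT [TOADDR]
# Adds a permanent forward-port rule and reloads, so the rule survives the
# reload (a runtime-only rule would be dropped by --reload, see above).
forward_port() {
    port="$1"; proto="$2"; toport="$3"; toaddr="${4:-}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
    # Local forward: warn if nothing is listening on the target port yet
    if [ -z "$toaddr" ] && ! is_listening "$toport" "$proto"; then
        echo "warning: nothing listening on ${toport}/${proto}" >&2
    fi
    rule="port=${port}:proto=${proto}"
    [ -n "$toaddr" ] && rule="${rule}:toaddr=${toaddr}"
    rule="${rule}:toport=${toport}"
    # Forwarding needs masquerade; enable it only if it is not already on
    if ! "$FW" --query-masquerade >/dev/null 2>&1; then
        "$FW" --permanent --add-masquerade || return 1
    fi
    "$FW" --permanent --add-forward-port="$rule" || return 1
    "$FW" --reload
}

# Usage (as root): forward_port 80 tcp 8080 192.168.0.1
```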
- To hide a port, block access to it on the firewall, open an unusual port instead, and configure port forwarding on the firewall to forward traffic from the unusual port to the hidden one.
- Port forwarding can also be used to distribute traffic: a firewall fronts many machines running different services and forwards traffic arriving on different ports to different machines.