The following is reproduced from https://wangchujiang.com/linux-command/c/firewall-cmd.html
firewall-cmd: the new firewall management software on Linux, similar in purpose to iptables
firewall-cmd is the command-line management tool for firewalld. firewalld is a feature of CentOS 7 and has two major advantages: first, it supports dynamic updates and does not need the service to be restarted; second, it adds the concept of firewall "zones".
Compared with iptables, firewalld has at least two advantages:
Firewalld can dynamically modify a single rule, instead of having to refresh all rules to take effect like iptables.
Firewalld is much more user-friendly than iptables: even without understanding the "five tables and five chains" or the TCP/IP protocol, most functions can be achieved.
Firewalld itself does not do the filtering; like iptables, it relies on the kernel's Netfilter. That is, just as with iptables, firewalld maintains the rules while the kernel's Netfilter actually applies them; firewalld and iptables differ in how rules are structured and used.
-h, --help                    Display help information
-V, --version                 Display version information (this option cannot be combined with other options)
-q, --quiet                   Do not print status messages
--state                       Display the status of firewalld
--reload                      Reload the rules without interrupting connections
--complete-reload             Reload the rules, interrupting all connections
--runtime-to-permanent        Save the current runtime firewall rules as permanent rules
--check-config                Check the correctness of the configuration
--get-log-denied              Show the current setting for logging denied packets
--set-log-denied=<value>      Set logging of denied packets; <value> must be one of 'all', 'unicast', 'broadcast', 'multicast' or 'off'
# Install firewalld
yum install firewalld firewall-config
systemctl start firewalld       # Start
systemctl stop firewalld        # Stop
systemctl enable firewalld      # Enable auto start
systemctl disable firewalld     # Disable auto start
systemctl status firewalld      # Or firewall-cmd --state to view the status

# How to shut down the service
# If you are not yet familiar with firewalld, you can also turn it off and use iptables instead. The commands are as follows:
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl enable iptables
firewall-cmd --version                       # View version
firewall-cmd --help                          # View help

# View settings:
firewall-cmd --state                         # Display status
firewall-cmd --get-active-zones              # View active zones
firewall-cmd --get-zone-of-interface=eth0    # View the zone of the specified interface
firewall-cmd --panic-on                      # Reject all packets
firewall-cmd --panic-off                     # Cancel the reject (panic) state
firewall-cmd --query-panic                   # Check whether panic mode is on
firewall-cmd --reload                        # Update firewall rules
firewall-cmd --complete-reload
# The difference between the two: the first does not drop connections (adding rules dynamically is one of firewalld's features), while the second drops connections, similar to restarting the service.

# Add the interface to a zone. Interfaces are in the public zone by default
firewall-cmd --zone=public --add-interface=eth0
# For permanent effect add --permanent and reload the firewall

# Set the default zone; takes effect immediately without a restart
firewall-cmd --set-default-zone=public

# View all open ports in a zone:
firewall-cmd --zone=dmz --list-ports
# Add a port to the zone:
firewall-cmd --zone=dmz --add-port=8080/tcp
# For permanent effect, the method is the same as above

# Opening a service is similar to opening a port. The service must be defined in a configuration file; there is a services folder under the /etc/firewalld directory. This is not discussed in detail here; please refer to the documentation.
firewall-cmd --zone=work --add-service=smtp
# Remove a service
firewall-cmd --zone=work --remove-service=smtp
# Display the list of supported zones
firewall-cmd --get-zones
# Set home as the default zone
firewall-cmd --set-default-zone=home
# View the currently active zones
firewall-cmd --get-active-zones
# View the zone of the given interface
firewall-cmd --get-zone-of-interface=enp03s
# Show everything configured in the public zone
firewall-cmd --zone=public --list-all
# Temporarily move the network interface (enp0s3) to the internal zone
firewall-cmd --zone=internal --change-interface=enp03s
# Permanently move the network interface enp03s to the internal zone
firewall-cmd --permanent --zone=internal --change-interface=enp03s
# Show the list of services
# The most important services, such as amanda, ftp, samba and tftp, are already provided by firewalld. View them with:
firewall-cmd --get-services
# Allow the SSH service through
firewall-cmd --add-service=ssh
# Stop allowing the SSH service through
firewall-cmd --remove-service=ssh
# Open TCP port 8080
firewall-cmd --add-port=8080/tcp
# Temporarily allow the samba service through for 600 seconds
firewall-cmd --add-service=samba --timeout=600
# Show the currently allowed services
firewall-cmd --list-services
# Add the HTTP service to the internal zone
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload     # Reload the firewall without changing state
# Open port 443/tcp
firewall-cmd --add-port=443/tcp
# Permanently open port 3690/tcp
firewall-cmd --permanent --add-port=3690/tcp
# It seems that permanently opened ports need a reload to take effect, while temporary ones do not; if you reload, the temporarily opened port is lost
# Other options may behave the same way; this has not been tested
firewall-cmd --reload
# Listing the firewall configuration shows the added ports
firewall-cmd --list-all
# firewalld includes a direct mode that lets you do some things directly, such as opening TCP port 9999
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9999 -j ACCEPT
firewall-cmd --reload
Custom service management
(An option marked [P only] cannot be used with any other option except --permanent.)

--new-service=<service name>                                   Create a custom service [P only]
--new-service-from-file=<file name> [--name=<service name>]    Read the configuration from a file to create a new custom service [P only]
--delete-service=<service name>                                Delete an existing service [P only]
--load-service-defaults=<service name>                         Load the default settings of the service [P only]
--info-service=<service name>                                  Display information about the service
--path-service=<service name>                                  Display the path of the file for the service [P only]
--service=<service name> --set-description=<description>       Set the description of the service [P only]
--service=<service name> --get-description                     Display the description of the service [P only]
--service=<service name> --set-short=<description>             Set a short description for the service [P only]
--service=<service name> --get-short                           Display the short description of the service [P only]
--service=<service name> --add-port=<port>[-<port>]/<protocol>           Add a new port (or port range) to the service [P only]
--service=<service name> --remove-port=<port>[-<port>]/<protocol>        Remove a port (or port range) from the service [P only]
--service=<service name> --query-port=<port>[-<port>]/<protocol>         Query whether the port (or port range) has been added to the service [P only]
--service=<service name> --get-ports                           Display all ports added to the service [P only]
--service=<service name> --add-protocol=<protocol>             Add a protocol to the service [P only]
--service=<service name> --remove-protocol=<protocol>          Remove a protocol from the service [P only]
--service=<service name> --query-protocol=<protocol>           Query whether the protocol has been added to the service [P only]
--service=<service name> --get-protocols                       Display all protocols added to the service [P only]
--service=<service name> --add-source-port=<port>[-<port>]/<protocol>    Add a new source port (or port range) to the service [P only]
--service=<service name> --remove-source-port=<port>[-<port>]/<protocol> Remove a source port (or port range) from the service [P only]
--service=<service name> --query-source-port=<port>[-<port>]/<protocol>  Query whether the source port (or port range) has been added to the service [P only]
--service=<service name> --get-source-ports                    Display all source ports of the service [P only]
--service=<service name> --add-module=<module>                 Add a module to the service [P only]
--service=<service name> --remove-module=<module>              Remove a module from the service [P only]
--service=<service name> --query-module=<module>               Query whether the module has been added to the service [P only]
--service=<service name> --get-modules                         Display all modules added to the service [P only]
--service=<service name> --set-destination=<ipv>:<address>[/<mask>]      Set the destination for <ipv> to <address> in the service [P only]
--service=<service name> --remove-destination=<ipv>            Disable the destination for <ipv> in the service [P only]
--service=<service name> --query-destination=<ipv>:<address>[/<mask>]    Return whether the destination for <ipv> is set in the service [P only]
--service=<service name> --get-destinations                    List the destinations in the service [P only]
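As an added example (not from the original page or the firewalld project), the following POSIX shell script builds the XML service definition that firewalld reads from /etc/firewalld/services/ and validates port specs in the <port>[-<port>]/<protocol> form used by the options above. The service name myapp, its description and its ports are constructed sample values; the script assumes the standard firewalld service XML layout (<service>, <short>, <description>, <port protocol= port=/>).

```sh
#!/bin/sh
# Added example, not from the original page. Builds a firewalld custom service
# definition (the XML format read from /etc/firewalld/services/) and validates
# port specs in firewall-cmd's <port>[-<port>]/<protocol> form.
# "myapp" and the ports below are constructed sample values.

# Validate one port spec. Prints "ok" and returns 0 when valid, returns 1 otherwise.
# A spec like "80tcp" (missing the "/protocol" part) is rejected.
valid_port_spec() {
  spec=$1
  case $spec in
    */tcp|*/udp|*/sctp|*/dccp) ;;
    *) return 1 ;;
  esac
  ports=${spec%/*}          # strip "/protocol"
  lo=${ports%-*}            # first port of a range (or the single port)
  hi=${ports#*-}            # last port of a range (or the single port again)
  for p in "$lo" "$hi"; do
    case $p in
      ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ] || return 1
  echo ok
}

# Emit the service XML on stdout. Usage: service_xml <name> <description> <port spec>...
# Validates every spec first and returns 1 without emitting anything if one is bad.
# No XML escaping is done, so keep name and description to plain text.
service_xml() {
  name=$1; desc=$2; shift 2
  for spec in "$@"; do
    valid_port_spec "$spec" >/dev/null || { echo "bad port spec: $spec" >&2; return 1; }
  done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
  for spec in "$@"; do
    printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
  done
  printf '</service>\n'
}

# Write the definition to a file, then load it as a permanent custom service:
#   service_xml myapp "Constructed sample service" 8080/tcp 9000-9010/udp > myapp.xml
#   firewall-cmd --permanent --new-service-from-file=myapp.xml --name=myapp
#   firewall-cmd --reload
service_xml myapp "Constructed sample service" 8080/tcp 9000-9010/udp
```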
Control port / service
There are two ways to control whether a port is open: by port number or by service name. Although opening the HTTP service means opening port 80, it cannot then be closed by port number. That is, a service opened by name must be closed by name, and a port opened by number must be closed by number. Note also that when you specify a port you must specify its protocol, TCP or UDP. Knowing this, you no longer need to turn off the firewall every time; you can let the firewall do its job.
firewall-cmd --add-service=mysql      # Open the MySQL port
firewall-cmd --remove-service=http    # Block the HTTP port
firewall-cmd --list-services          # View open services
firewall-cmd --add-port=3306/tcp      # Open access to 3306 over TCP
firewall-cmd --remove-port=3306/tcp   # Block access to 3306 over TCP
firewall-cmd --add-port=233/udp       # Open access to 233 over UDP
firewall-cmd --list-ports             # View open ports
firewall-cmd --query-masquerade       # Check whether IP masquerading is enabled
firewall-cmd --add-masquerade         # Allow the firewall to masquerade IP addresses
firewall-cmd --remove-masquerade      # Stop the firewall from masquerading IP addresses
Port forwarding redirects traffic arriving at a specified port to a specified address and port. If no forwarding destination address is given, it defaults to the local machine; if an IP is given but no port, the source port is used. If port forwarding does not work after configuration, check the following two things:
For example, when forwarding port 80 to port 8080, first check whether local port 80 and target port 8080 are open and listening.
Second, check whether IP masquerading is allowed; if not, masquerading should be turned on.
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                      # Forward traffic from port 80 to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1               # Forward traffic from port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080   # Forward traffic from port 80 to port 8080 on 192.168.0.1
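The masquerade check from the two troubleshooting steps above, as an added example that is not part of the original page: a POSIX shell function that reads a zone's `firewall-cmd --zone=public --list-all` output and reports when forward-ports are configured but masquerading is off. The list-all text below is a constructed sample in the layout that command prints; on a real host you would capture the live output instead, and the "is the local port listening" check (for example with `ss -ltn`) needs a live host and is not done here.

```sh
#!/bin/sh
# Added example, not from the original page. Checks a zone's list-all output for
# the masquerade problem described above. SAMPLE_LIST_ALL is a constructed dump
# in the layout of `firewall-cmd --zone=public --list-all`, not real output.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  services: ssh
  ports: 
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
  rich rules: '

# Extract one "  key: value" field from list-all output. Usage: field <key> <text>
field() {
  printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# Print one line per problem, or "ok" when the zone has forward-ports and
# masquerading is on. Returns 1 when anything is wrong.
check_forwarding() {
  fwd=$(field forward-ports "$1")
  masq=$(field masquerade "$1")
  status=0
  if [ -z "$fwd" ]; then
    echo "no forward-ports configured in this zone"
    status=1
  fi
  if [ "$masq" != yes ]; then
    echo "masquerade is off: fix with firewall-cmd --add-masquerade"
    status=1
  fi
  [ "$status" -eq 0 ] && echo ok
  return "$status"
}

# The constructed sample has forwarding but no masquerade, so this reports the problem
# (exit status 1 is expected here; "|| true" keeps the script going).
check_forwarding "$SAMPLE_LIST_ALL" || true
```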
When we want to hide a certain port, we can block access to that port on the firewall, open a non-standard port instead, and then configure port forwarding on the firewall to forward that traffic.
Port forwarding can also distribute traffic: a firewall fronts a number of machines running different services and forwards traffic arriving on different ports to different machines.
This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International license.