Firewall (firewalld): open a port / delete a port, etc.

August 14, 2021

Normally

Just open the port. That's all:

#Open a port (general case)
firewall-cmd --zone=public --add-port=45056/tcp --permanent
firewall-cmd --zone=public --add-port=45056/udp --permanent
#Delete a port
firewall-cmd --zone=public --remove-port=45056/tcp --permanent
firewall-cmd --zone=public --remove-port=45056/udp --permanent

#Reload the firewall configuration so the permanent rules take effect

firewall-cmd --reload
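A small helper script, added here as an example (it is not from the original post and is not firewalld's own code): it checks the port/protocol spelling before calling firewall-cmd, so slips like `45056/udp--permanent` or `80tcp` are rejected instead of quietly producing the wrong rule, and it applies each rule to both the runtime and the permanent configuration, so no --reload is needed and no runtime-only rule is lost. The function names `fw_port` and `valid_port_spec` and the `FW_CMD` variable are my own; when firewall-cmd is not installed, `FW_CMD` falls back to `echo`, so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original post or of firewalld.
# fw_port add|remove PORT/PROTO [ZONE]
#   - validates PORT/PROTO (single port or range, tcp/udp/sctp/dccp)
#   - applies the rule to the runtime config (immediate) AND to the
#     permanent config (survives reload/reboot), so no --reload is needed
# FW_CMD is a hypothetical knob: it defaults to firewall-cmd when installed,
# otherwise to echo, which prints the commands instead of running them.

if command -v firewall-cmd >/dev/null 2>&1; then
    FW_CMD=${FW_CMD:-firewall-cmd}
else
    FW_CMD=${FW_CMD:-echo}
fi

# valid_port_spec 45056/tcp      -> returns 0
# valid_port_spec 8000-8100/udp  -> returns 0 (port range)
# valid_port_spec 80tcp          -> returns 1 (missing "/")
valid_port_spec() {
    spec=$1
    ports=${spec%/*}
    proto=${spec##*/}
    [ "$ports" != "$spec" ] || return 1        # no "/" at all, e.g. 80tcp
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;                         # e.g. "udp--permanent"
    esac
    lo=${ports%%-*}
    hi=${ports##*-}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# fw_port add|remove PORT/PROTO [ZONE]   (ZONE defaults to public)
fw_port() {
    action=$1
    spec=$2
    zone=${3:-public}
    case "$action" in
        add|remove) ;;
        *) echo "usage: fw_port add|remove PORT/PROTO [ZONE]" >&2; return 2 ;;
    esac
    if ! valid_port_spec "$spec"; then
        echo "fw_port: invalid port spec '$spec' (expected e.g. 45056/tcp)" >&2
        return 2
    fi
    # Runtime rule first (takes effect immediately), then the same rule in
    # the permanent config (survives --reload and reboot).
    "$FW_CMD" --zone="$zone" "--$action-port=$spec" &&
        "$FW_CMD" --zone="$zone" --permanent "--$action-port=$spec"
}

# Command-line use:  sh fw_port.sh add 45056/tcp public
if [ $# -gt 0 ]; then
    fw_port "$@"
fi
```

Applying the rule twice (runtime and permanent) avoids the trap noted later on this page: a runtime-only rule disappears on --reload, while a permanent-only rule does nothing until you reload.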

 

Advanced operation:

The following is reproduced from https://wangchujiang.com/linux-command/c/firewall-cmd.html

firewall-cmd

The command-line front end of firewalld, the newer firewall management tool on Linux; it plays a role similar to iptables.

Supplementary notes

firewall-cmd is the command-line management tool for firewalld, the firewall that ships with CentOS 7. It has two major advantages: it supports dynamic updates, so rules can be changed without restarting the service, and it introduces the concept of firewall "zones".

Compared with iptables, firewalld has at least two advantages:

  1. Firewalld can modify a single rule dynamically, instead of having to reload all rules for a change to take effect, as iptables does.
  2. Firewalld is much more user-friendly than iptables. Even without understanding the "five tables and five chains" or the TCP/IP protocol, most tasks can be done.

Firewalld itself does not filter packets; like iptables, it relies on the kernel's Netfilter. That is, both firewalld and iptables are only tools for maintaining rules, and the component that actually applies the rules is Netfilter in the kernel. What differs between firewalld and iptables is the structure of the rules and the way they are used.

Command format

 firewall-cmd [options...]

option

General options

 -h, --help      #Display help information
 -V, --version   #Display version information (this option cannot be combined with other options)
 -q, --quiet     #Do not print status messages

Status options

 --state                 #Display the status of firewalld
 --reload                #Reload the rules without interrupting connections
 --complete-reload       #Full reload; interrupts all connections
 --runtime-to-permanent  #Save the current runtime rules to the permanent configuration
 --check-config          #Check the configuration files for errors

log option

 --get-log-denied          #Show the current setting for logging denied packets
 --set-log-denied=<value>  #Set logging of denied packets; value must be one of 'all', 'unicast', 'broadcast', 'multicast' or 'off'

example

 #Install firewalld
 yum install firewalld firewall-config
 systemctl start firewalld    #Start
 systemctl stop firewalld     #Stop
 systemctl enable firewalld   #Enable auto start at boot
 systemctl disable firewalld  #Disable auto start at boot
 systemctl status firewalld   #View the status (or: firewall-cmd --state)

 #How to shut down the service
 #If you are not yet familiar with firewalld, you can also stop it and use iptables instead. The commands are as follows:
 systemctl stop firewalld
 systemctl disable firewalld
 yum install iptables-services
 systemctl start iptables
 systemctl enable iptables

Configure firewalld

 firewall-cmd --version  #View version
 firewall-cmd --help     #View help

 #View settings:
 firewall-cmd --state                       #Display status
 firewall-cmd --get-active-zones            #View the active zones and their interfaces
 firewall-cmd --get-zone-of-interface=eth0  #View the zone of the specified interface
 firewall-cmd --panic-on                    #Panic mode: reject all packets
 firewall-cmd --panic-off                   #Leave panic mode
 firewall-cmd --query-panic                 #Check whether panic mode is on
 firewall-cmd --reload                      #Reload the firewall rules
 firewall-cmd --complete-reload
 #The difference between the two: --reload keeps existing connections (firewalld's dynamic rule update), while --complete-reload drops all connections, similar to restarting the service


 #Add an interface to a zone. By default, interfaces are in the public zone
 firewall-cmd --zone=public --add-interface=eth0
 #For a permanent effect, add --permanent and then reload the firewall
 
 #Set the default zone; takes effect immediately without a restart
 firewall-cmd --set-default-zone=public
 #View all open ports in a zone:
 firewall-cmd --zone=dmz --list-ports
 #Add a port to a zone:
 firewall-cmd --zone=dmz --add-port=8080/tcp
 #For a permanent effect, the method is the same as above (--permanent, then --reload)
 
 #Opening a service is similar to opening a port. A service must be defined in a configuration file in the services folder under /etc/firewalld; this is not discussed in detail here, please refer to the documentation
 firewall-cmd --zone=work --add-service=smtp
 #Remove a service
 firewall-cmd --zone=work --remove-service=smtp
 #Display the list of supported zones
 firewall-cmd --get-zones
 #Set home as the default zone
 firewall-cmd --set-default-zone=home
 #View the active zones
 firewall-cmd --get-active-zones
 #View the zone of an interface
 firewall-cmd --get-zone-of-interface=enp03s
 #Show everything configured in the public zone
 firewall-cmd --zone=public --list-all
 #Temporarily move the network interface (enp03s) to the internal zone
 firewall-cmd --zone=internal --change-interface=enp03s
 #Permanently move the network interface enp03s to the internal zone
 firewall-cmd --permanent --zone=internal --change-interface=enp03s

Service management

 #Show the list of services. The most common services, such as Amanda, FTP, Samba and TFTP, are already provided by firewalld; view them with:
 firewall-cmd --get-services
 #Allow the SSH service through the firewall
 firewall-cmd --add-service=ssh
 #Block the SSH service (remove it from the zone)
 firewall-cmd --remove-service=ssh
 #Open TCP port 8080
 firewall-cmd --add-port=8080/tcp
 #Temporarily allow the Samba service for 600 seconds
 firewall-cmd --add-service=samba --timeout=600

 #Show the services allowed in the current (default) zone
 firewall-cmd --list-services
 #Permanently add the HTTP service to the internal zone
 firewall-cmd --permanent --zone=internal --add-service=http
 #Reload the firewall without dropping connections
 firewall-cmd --reload

Port management

 #Open port 443/TCP (runtime only)
 firewall-cmd --add-port=443/tcp
 #Permanently open port 3690/TCP
 firewall-cmd --permanent --add-port=3690/tcp
 #A permanent rule needs a reload before it takes effect; a runtime rule takes effect immediately but is discarded by a reload
 #Other services may behave the same way; this has not been tested
 firewall-cmd --reload
 #Listing the zone shows the added ports as well
 firewall-cmd --list-all

Direct mode

 #firewalld includes a direct mode that lets you pass iptables-style rules, for example to open TCP port 9999
 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9999 -j ACCEPT
 #Note: like any other runtime rule, a direct rule added without --permanent is discarded by --reload
 firewall-cmd --reload

Custom service management

option

 (Options marked [P only] can be used only together with --permanent; they cannot be combined with other options.)
 --new-service=<service name>                                       Create a custom service [P only]
 --new-service-from-file=<file name> [--name=<service name>]        Create a new custom service from a file [P only]
 --delete-service=<service name>                                    Delete an existing service [P only]
 --load-service-defaults=<service name>                             Load the default settings of the service [P only]
 --info-service=<service name>                                      Display information about the service
 --path-service=<service name>                                      Display the path of the service's definition file [P only]
 --service=<service name> --set-description=<description>           Set the description of the service [P only]
 --service=<service name> --get-description                         Display the description of the service [P only]
 --service=<service name> --set-short=<description>                 Set a short description for the service [P only]
 --service=<service name> --get-short                               Display the short description of the service [P only]
 --service=<service name> --add-port=<port>[-<port>]/<protocol>     Add a port (or port range) to the service [P only]
 --service=<service name> --remove-port=<port>[-<port>]/<protocol>  Remove a port (or port range) from the service [P only]
 --service=<service name> --query-port=<port>[-<port>]/<protocol>   Query whether the service contains the port (or port range) [P only]
 --service=<service name> --get-ports                               Display all ports of the service [P only]
 --service=<service name> --add-protocol=<protocol>                 Add a protocol to the service [P only]
 --service=<service name> --remove-protocol=<protocol>              Remove a protocol from the service [P only]
 --service=<service name> --query-protocol=<protocol>               Query whether the service contains the protocol [P only]
 --service=<service name> --get-protocols                           Display all protocols of the service [P only]
 --service=<service name> --add-source-port=<port>[-<port>]/<protocol>     Add a source port (or range) to the service [P only]
 --service=<service name> --remove-source-port=<port>[-<port>]/<protocol>  Remove a source port (or range) from the service [P only]
 --service=<service name> --query-source-port=<port>[-<port>]/<protocol>   Query whether the service contains the source port (or range) [P only]
 --service=<service name> --get-source-ports                        Display all source ports of the service [P only]
 --service=<service name> --add-module=<module>                     Add a module to the service [P only]
 --service=<service name> --remove-module=<module>                  Remove a module from the service [P only]
 --service=<service name> --query-module=<module>                   Query whether the module is added to the service [P only]
 --service=<service name> --get-modules                             Display all modules of the service [P only]
 --service=<service name> --set-destination=<ipv>:<address>[/<mask>]    Set the destination for ipv to address in the service [P only]
 --service=<service name> --remove-destination=<ipv>                Disable the destination for ipv in the service [P only]
 --service=<service name> --query-destination=<ipv>:<address>[/<mask>]  Return whether the destination for ipv is set in the service [P only]
 --service=<service name> --get-destinations                        List the destinations in the service [P only]
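The options above edit a service definition, which firewalld keeps as a small XML file under /etc/firewalld/services (the same layout that --new-service-from-file reads, and the services folder mentioned earlier on this page). As an added example, not from the original post and not firewalld's own code, here is a script that writes such a file for a custom service. The names `write_service_xml`, `service_xml`, `xml_escape` and the `FW_SERVICES_DIR` variable are my own; pointing `FW_SERVICES_DIR` at a scratch directory lets you inspect the result without touching /etc.

```shell
#!/bin/sh
# Added example, not part of the original post or of firewalld.
# Writes a firewalld service definition (the XML layout used by the files
# under /etc/firewalld/services) for a custom service.
#
#   write_service_xml NAME "SHORT DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
#
# FW_SERVICES_DIR is a hypothetical knob; point it at a scratch directory
# to preview the file instead of writing into /etc/firewalld/services.
FW_SERVICES_DIR=${FW_SERVICES_DIR:-/etc/firewalld/services}

# Escape the characters that are special in XML text: the description is
# free text, so it must not be able to break the structure of the file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print the service XML to stdout; fails on a malformed PORT/PROTO.
service_xml() {
    name=$1
    short=$2
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>Custom service %s (generated file)</description>\n' "$(xml_escape "$name")"
    for spec in "$@"; do
        proto=${spec##*/}
        port=${spec%/*}
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "service_xml: bad port spec '$spec'" >&2; return 2 ;;
        esac
        case "$port" in
            ''|*[!0-9-]*) echo "service_xml: bad port spec '$spec'" >&2; return 2 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# Write NAME.xml into FW_SERVICES_DIR (atomically, via a temp file) and
# print the firewall-cmd calls that make firewalld pick it up.
write_service_xml() {
    name=$1
    # The service name becomes a file name: allow only a safe character set.
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "write_service_xml: bad service name '$name'" >&2; return 2 ;;
    esac
    file="$FW_SERVICES_DIR/$name.xml"
    tmp="$file.tmp"
    service_xml "$@" > "$tmp" || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$file"
    echo "wrote $file"
    echo "activate with: firewall-cmd --reload && firewall-cmd --permanent --zone=public --add-service=$name && firewall-cmd --reload"
}
```

firewalld only reads new files from /etc/firewalld/services on a reload, which is why the printed activation line reloads before adding the service to a zone and again afterwards.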

Control port / service

There are two ways to open a port: by port number, or by service name. Opening the http service opens port 80, but it cannot then be closed by port number. In other words, a service opened by name must be closed by name, and a port opened by number must be closed by number. Another thing to note: when you specify a port, you must also specify its protocol, TCP or UDP. Once you know this, you no longer need to turn off the firewall every time; you can let the firewall do its work.

 firewall-cmd --add-service=mysql     #Open the MySQL port
 firewall-cmd --remove-service=http   #Block the HTTP port
 firewall-cmd --list-services         #View open services
 firewall-cmd --add-port=3306/tcp     #Open access to 3306 over TCP
 firewall-cmd --remove-port=3306/tcp  #Block access to 3306 over TCP
 firewall-cmd --add-port=233/udp      #Open access to 233 over UDP
 firewall-cmd --list-ports            #View open ports

IP masquerading

 firewall-cmd --query-masquerade   #Check whether IP masquerading (NAT) is enabled
 firewall-cmd --add-masquerade     #Enable IP masquerading
 firewall-cmd --remove-masquerade  #Disable IP masquerading

Port forwarding

Port forwarding redirects traffic arriving at a specified port to a specified port at a specified address. If no destination address is given, it defaults to the local machine; if an address is given but no port, the original port is used. If forwarding does not work after configuration, check the following two points:

  1. For example, when forwarding port 80 to port 8080: first check whether local port 80 and the target port 8080 are open and listening.
  2. Then check whether IP masquerading is enabled; if not, turn masquerading on.

 firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                     #Forward traffic from port 80 to port 8080
 firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1              #Forward traffic from port 80 to 192.168.0.1
 firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080  #Forward traffic from port 80 to port 8080 of 192.168.0.1

Two typical uses of port forwarding:

  1. To hide a certain port, block access to it on the firewall, open an unusual port instead, and configure port forwarding on the firewall to forward the traffic.
  2. Port forwarding can also distribute traffic: one firewall fronts a number of machines running different services, and forwards traffic from different ports to different machines.
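To check the two points above without reading the zone dump by eye, here is an added example (mine, not from the original post and not firewalld's own code): a shell function that parses the text printed by `firewall-cmd --zone=<zone> --list-all`, lists which services and ports the zone exposes, and flags any forward-port rule that sends traffic to another host while masquerade is off. The function name `fw_audit` and the sample zone dump `SAMPLE_LIST_ALL` are my own; the sample is constructed text in the layout that command prints (older firewalld prints all forward rules on one line, newer versions one per indented line; both are handled).

```shell
#!/bin/sh
# Added example, not part of the original post or of firewalld.
# fw_audit reads `firewall-cmd --zone=ZONE --list-all` output on stdin and
# prints what the zone exposes, plus a warning for every forward-port rule
# that targets another host (toaddr=...) while masquerade is not enabled,
# which is the second check in the list above.
#   real use:  firewall-cmd --zone=public --list-all | fw_audit
fw_audit() {
    awk '
        /^[ \t]*services:/   { sub(/^[ \t]*services:[ \t]*/, ""); services = $0 }
        /^[ \t]*ports:/      { sub(/^[ \t]*ports:[ \t]*/, "");    ports = $0 }
        /^[ \t]*masquerade:/ { masq = $2 }
        # forward-ports: either all rules on this one line (older firewalld) ...
        /^[ \t]*forward-ports:/ { sub(/^[ \t]*forward-ports:[ \t]*/, ""); fwd = $0 }
        # ... or one rule per indented continuation line (newer firewalld)
        /^[ \t]+port=/       { fwd = fwd " " $1 }
        END {
            print "exposed services: " services
            print "exposed ports: " ports
            print "masquerade: " masq
            n = split(fwd, rule, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (rule[i] == "") continue
                # a non-empty toaddr= means the target is another host
                if (rule[i] ~ /toaddr=[^:]/ && masq != "yes")
                    print "WARN: " rule[i] " forwards to another host but masquerade is " masq
                else
                    print "ok: " rule[i]
            }
        }'
}

# Constructed sample of what `firewall-cmd --zone=public --list-all` prints
# (not captured from a real system).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 45056/tcp 45056/udp
  protocols:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8080:toaddr= port=80:proto=tcp:toport=8080:toaddr=192.168.0.1
  source-ports:
  icmp-blocks:
  rich rules:
'

# Run the audit over the constructed sample and return its report.
fw_audit_demo() {
    printf '%s' "$SAMPLE_LIST_ALL" | fw_audit
}

fw_audit_demo
```

On the sample, the rule that forwards to 192.168.0.1 is reported as WARN because masquerade is "no", while the local forward to port 8080 is reported as ok; the first lines of the report double as a quick inventory of what the zone exposes.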

 

Gcod

If life is just like the first sight, what is the sad autumn wind painting fan

Comments

  • Yang Jingwen

    I'm afraid configuring the firewall is troublesome. I quietly switched to the Baota panel and just click the mouse :lol:

    August 22, 2021
  • 121

    It's great

    August 20, 2021