CentOS 7 firewall (firewalld) commands explained
The firewall in CentOS 7 is very capable, but it has changed considerably from earlier releases: the static iptables front end has been replaced by firewalld. This article walks through the firewalld concepts and the firewall-cmd commands used to manage it.
FirewallD provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections and interfaces. It supports IPv4 and IPv6 rules and Ethernet bridges, and keeps runtime and permanent configuration separate. It also offers an interface through which services and applications can add firewall rules directly. The older system-config-firewall/lokkit model was static: every change required a complete firewall restart, which meant unloading the kernel netfilter modules and loading the modules the new configuration needed. Unloading the modules destroys the stateful firewall and breaks established connections.
The firewall daemon, by contrast, manages the firewall dynamically and applies changes without restarting the whole firewall, so the kernel firewall modules do not have to be reloaded. The trade-off is that every firewall change must go through the daemon, so that the daemon's view of the rules stays consistent with what is loaded in the kernel. The daemon cannot parse rules that are added behind its back with the ip*tables and ebtables command-line tools.
The daemon publishes the currently active firewall settings over D-Bus and accepts changes over D-Bus, authorized through PolicyKit.
The daemon
Applications, daemons and users can enable a firewall feature through a D-Bus request. A feature is one of the predefined firewall functions: a service, a port/protocol combination, port/packet forwarding, masquerading, ICMP blocking, or a custom rule. A feature can be enabled for a limited time and disabled again.
Through the so-called direct interface, other services such as libvirt can add their own rules by passing iptables arguments and parameters.
The netfilter connection-tracking helpers for amanda, ftp, samba and tftp are also handled by the daemon, provided they are part of a predefined service. Attaching helpers is not part of the current interface. Some helper modules can only be unloaded once all connections they track are closed, so connection-tracking state matters and has to be taken into account.
Static firewall (system-config-firewall/lokkit)
The static firewall model using system-config-firewall and lokkit remains available and will continue to be shipped, but it cannot be used together with the daemon. The user or administrator decides which solution to use.
A selector appears when the software is installed, started for the first time, or when a network connection is first established, and lets you choose the firewall solution. The other solution stays installed and can be enabled later by switching modes.
The firewall daemon is independent of system-config-firewall, but the two cannot be used at the same time.
Using static iptables and ip6tables rules
If you want to use your own static iptables and ip6tables rules, install iptables-services, disable firewalld, and enable the iptables and ip6tables services:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
The static rule files are /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Note: the iptables and iptables-services packages do not ship rules for the predefined services; they exist for compatibility and for users who want to write their own rules. You can install and use system-config-firewall to generate rules for those services, but firewalld must be stopped before system-config-firewall is used.
After creating the rules, stop firewalld and start the iptables and ip6tables services. Masking firewalld only prevents it from being started again (by you or by another unit); it does not stop a running instance, and the two must not manage the same kernel tables at once:
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
What is a zone?
A network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection belongs to exactly one zone, while a zone can be used by many connections.
Predefined services
A service is a combination of port and/or protocol entries. Optionally it also lists netfilter helper modules and IPv4/IPv6 destination addresses.
Ports and protocols
A TCP or UDP entry can be a single port or a port range.
ICMP blocking
Selected Internet Control Message Protocol (ICMP) message types can be blocked. These messages are information requests, replies to such requests, or error reports.
Masquerading
Private network addresses are hidden behind and mapped to a public IP address. This is a form of network address translation (NAT).
Port forwarding
A port can be mapped to another port and/or to another host.
Which zones are available?
The zones provided by firewalld, ordered from least to most trusted:
drop
Any incoming packet is dropped without a reply. Only outgoing network connections are possible.
block
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or icmp6-adm-prohibited for IPv6. Only network connections initiated from this system are possible.
public
For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
dmz
For computers in a demilitarized zone that are publicly accessible but have limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
Which zone should I choose?
A public Wi-Fi connection, for example, should be treated as mostly untrusted, while a wired home network can be trusted considerably more. Choose the zone that best matches the network you are connecting to.
How do I configure or add a zone?
Zones can be configured or added with any of the firewalld configuration tools: the graphical firewall-config, the command-line firewall-cmd, or the D-Bus interface. Alternatively, create or copy a zone file in one of the configuration directories: /usr/lib/firewalld/zones holds the default and fallback configuration, and /etc/firewalld/zones holds user-created and customized files.
How do I set or change the zone of a network connection?
The zone is stored in the ZONE= option of the connection's ifcfg file. If the option is missing or empty, firewalld uses its configured default zone.
If the connection is managed by NetworkManager, you can also change the zone with nm-connection-editor.
Network connections managed by NetworkManager
The firewall cannot configure connections by the name NetworkManager displays; it works with network interfaces only. Before a connection is brought up, NetworkManager therefore tells firewalld which interface belongs to the connection described in the configuration file. If the file sets no zone, the interface is put into firewalld's default zone. If a connection uses more than one interface, all of them are reported to firewalld. Interface renames are likewise handled by NetworkManager and passed on to firewalld.
From that point on the connection is associated with the zone.
When an interface is disconnected, NetworkManager tells firewalld to remove the interface from the zone.
When firewalld is started or restarted by systemd or an init script, it asks NetworkManager to add the network connections to their zones again.
Networks managed by network scripts
Connections managed by the network scripts have a limitation: no daemon tells firewalld to add a connection to a zone; this happens only in the ifcfg-post script. Consequently, a rename of the connection is not propagated to firewalld, and restarting firewalld while a connection is active loses the association. This has deliberately not been fixed yet; the simplest fix would be to put all unconfigured connections into the default zone.
The zone determines which firewall features apply to the connections in it.
Using firewalld
Firewall features can be enabled or disabled with the graphical tool firewall-config or the command-line client firewall-cmd.
Using firewall-cmd
The command-line tool firewall-cmd supports all firewall features. For state and query options it only returns an exit status and prints nothing.
General usage
Get the state of firewalld
firewall-cmd --state
This reports the state of firewalld through its exit status only, with no output. To get a readable result:
firewall-cmd --state && echo "Running" || echo "Not running"
Since Fedora 19 the state output is more intuitive than before:
# rpm -qf $(which firewall-cmd)
firewalld-0.3.3-2.fc19.noarch
# firewall-cmd --state
not running
Reload the firewall without losing state information:
firewall-cmd --reload
A reload re-applies the permanent configuration, so runtime-only changes are discarded. With --complete-reload, state information (connection tracking) is lost as well. Use that option only to troubleshoot firewall problems, for example when the state information and rules look correct but no connection can be established.
Get the list of supported zones
firewall-cmd --get-zones
Prints a space-separated list.
Get the list of supported services
firewall-cmd --get-services
Prints a space-separated list.
Get the list of supported ICMP types
firewall-cmd --get-icmptypes
Prints a space-separated list.
List everything enabled in all zones
firewall-cmd --list-all-zones
The output has this format for each zone:
<zone>
  interfaces: <interface1> ..
  services: <service1> ..
  ports: <port1> ..
  forward-ports: <forward port1> ..
  icmp-blocks: <icmp type1> ..
List everything enabled in zone <zone>. If the zone is omitted, the default zone is shown.
firewall-cmd [--zone=<zone>] --list-all
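The listing above is the natural input for a quick configuration audit. The following POSIX shell script is an added example, not part of the original article or of firewalld: it reads firewall-cmd --list-all-zones output from standard input and flags what a reviewer usually wants to see first, namely an active zone whose target is ACCEPT (the trusted zone), masquerading, forward-ports, and any service in the public zone that is not on an allowlist. The embedded sample output is constructed to follow the layout shown above plus the target: line that later firewalld releases print; it was not captured from a real host.

```shell
#!/bin/sh
# Audit of `firewall-cmd --list-all-zones` output (added example, not part of firewalld).
# On a real host:  firewall-cmd --list-all-zones | sh fw_audit.sh
#             or:  . ./fw_audit.sh; firewall-cmd --list-all-zones | fw_audit_zones "ssh dhcpv6-client https"

# Constructed sample output (not captured from a real system). The layout follows
# the format shown in this article plus the "target:" line newer releases print.
SAMPLE_LIST_ALL_ZONES='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http telnet
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:

trusted (active)
  target: ACCEPT
  interfaces: eth1
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=
  icmp-blocks:

home
  target: default
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:'

# fw_audit_zones [allowlist]: read --list-all-zones output on stdin and print one
# "WARN <zone>: ..." line per finding. $1 is the space-separated list of services
# tolerated in the public zone (default: ssh dhcpv6-client).
fw_audit_zones() {
  awk -v allow="${1:-ssh dhcpv6-client}" '
    # Emit findings for the zone parsed so far.
    function flush() {
      if (zone == "") return
      if (active && target == "ACCEPT")
        printf "WARN %s: active zone with target ACCEPT on interfaces %s\n", zone, ifaces
      if (masq == "yes")
        printf "WARN %s: masquerade enabled\n", zone
      if (fwd != "")
        printf "WARN %s: forward-ports %s\n", zone, fwd
      if (zone == "public") {
        m = split(svcs, s, " ")
        for (j = 1; j <= m; j++)
          if (!(s[j] in ok))
            printf "WARN public: service %s not in allowlist\n", s[j]
      }
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[^ \t]/ {                     # unindented line = zone header, e.g. "public (active)"
      flush()
      zone = $1; active = (index($0, "(active)") > 0)
      target = ""; ifaces = ""; masq = ""; fwd = ""; svcs = ""
      next
    }
    /^[ \t]+[a-z-]+:/ {             # indented "key: value" line
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^[ \t]+[a-z-]+:[ \t]*/, "", val)
      if (key == "target") target = val
      else if (key == "interfaces") ifaces = val
      else if (key == "masquerade") masq = val
      else if (key == "forward-ports") fwd = val
      else if (key == "services") svcs = val
    }
    END { flush() }
  '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LIST_ALL_ZONES" | fw_audit_zones "ssh dhcpv6-client http"
```

Run against the sample, the audit reports the telnet service in public and, for the trusted zone, the ACCEPT target on eth1, masquerading, and the forward-port entry; the inactive home zone produces nothing. Keys the script does not know (sources, rich rules) are ignored, so it also works on the longer listing printed by the firewalld shipped with CentOS 7.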
Get the default zone
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=<zone>
Interfaces that use the default zone because no zone was configured for them are moved to the new default zone: new connections on them are handled by the new zone, while currently active connections are not affected.
Get the active zones
firewall-cmd --get-active-zones
Prints the zones that have interfaces assigned, with the interfaces in each zone, in this format:
<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..
Get the zone of an interface
firewall-cmd --get-zone-of-interface=<interface>
Prints the name of the zone the interface belongs to.
Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Adds the interface to the zone if it does not already belong to one. If the zone is omitted, the default zone is used. A runtime-only assignment is lost on reload; to make it persistent, set the ZONE= option in the interface's ifcfg file.
Change the zone of an interface
firewall-cmd [--zone=<zone>] --change-interface=<interface>
Like --add-interface, but if the interface is already in another zone it is moved to the new zone.
Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query whether an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Reports through the exit status whether the interface belongs to the zone; no output.
List the services enabled in a zone
firewall-cmd [--zone=<zone>] --list-services
Enable panic mode, which blocks all network traffic, in an emergency
firewall-cmd --panic-on
Panic mode drops all incoming and outgoing packets, so existing sessions stall, including the SSH session you issue the command from. Use it from the console.
Disable panic mode
firewall-cmd --panic-off
Panic mode changed in version 0.3.0: in firewalld releases before 0.3.0 the options were --enable-panic and --disable-panic.
Query panic mode
firewall-cmd --query-panic
Reports the panic state through the exit status only, with no output. To print it:
firewall-cmd --query-panic && echo "On" || echo "Off"
Working with the runtime zone configuration
Changes made to a zone in runtime mode are not permanent. They are lost after a reload or restart.
Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
Enables the service in the zone. If no zone is given, the default zone is used. With a timeout, the service is enabled only for the given number of seconds. If the service is already enabled, no warning is printed.
For example, enable the ipp-client service in the home zone for 60 seconds:
firewall-cmd --zone=home --add-service=ipp-client --timeout=60
For example, enable the http service in the default zone:
firewall-cmd --add-service=http
Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
Disables the service in the zone. If no zone is given, the default zone is used.
For example, disable the http service in the home zone:
firewall-cmd --zone=home --remove-service=http
If the service was not enabled, no warning is printed.
Query whether a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>
Exit status 0 if the service is enabled, non-zero otherwise; no output (newer firewalld releases also print yes or no).
Enable a port/protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
Enables the port/protocol combination. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp.
Disable a port/protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query whether a port/protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
Exit status 0 if enabled, non-zero otherwise; no output.
Enable IP masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
Enables masquerading for the zone: private network addresses are hidden behind and mapped to a public IP address. This is a form of address translation and is mostly used on routers. Because of kernel limitations, masquerading is only available for IPv4.
Disable IP masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
Query the masquerading state of a zone
firewall-cmd [--zone=<zone>] --query-masquerade
Exit status 0 if enabled, non-zero otherwise; no output.
Enable ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Blocks the selected Internet Control Message Protocol (ICMP) type. ICMP messages can be information requests, replies to such requests, or error messages.
Disable ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
Query ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
Exit status 0 if the block is enabled, non-zero otherwise; no output.
For example, block echo replies in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
Enable port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
A port can be mapped to the same port on another host, or to a different port on the same or another host. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp. The target port can be a single port <port> or a range <port>-<port>. The target address must be an IPv4 address. Because of kernel limitations, port forwarding is only available for IPv4. Forwarding to another host (toaddr) also requires masquerading to be enabled in the zone.
Disable port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
Query port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
Exit status 0 if enabled, non-zero otherwise; no output.
For example, forward ssh in the home zone to 127.0.0.2:
firewall-cmd --zone=home --add-forward-port=22:proto=tcp:toaddr=127.0.0.2
Working with the permanent zone configuration
Permanent options do not directly affect the running firewall; they take effect on the next reload or restart of the service. To change both the runtime and the permanent configuration, run the command twice, with and without --permanent (or run the --permanent command and then firewall-cmd --reload, which applies the permanent configuration and discards runtime-only changes). The --permanent option must be the first argument.
Get the services supported by the permanent configuration
firewall-cmd --permanent --get-services
Get the ICMP types supported by the permanent configuration
firewall-cmd --permanent --get-icmptypes
Get the zones supported by the permanent configuration
firewall-cmd --permanent --get-zones
Enable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
Permanently enables the service in the zone. If no zone is given, the default zone is used.
Disable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
Query whether a service is enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
Exit status 0 if the service is enabled, non-zero otherwise; no output.
For example, permanently enable the ipp-client service in the home zone:
firewall-cmd --permanent --zone=home --add-service=ipp-client
Permanently enable a port/protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
Permanently disable a port/protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query whether a port/protocol combination is permanently enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
Exit status 0 if enabled, non-zero otherwise; no output.
For example, permanently enable the https port (443/tcp) in the home zone:
firewall-cmd --permanent --zone=home --add-port=443/tcp
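Two things routinely go wrong with --add-port: a malformed <port>[-<port>]/<protocol> argument, and forgetting that a --permanent change is not live until the next reload while a runtime change does not survive one. The script below is an added example, not code from the article or from firewalld: it validates the port specification against the syntax described in this article and then applies it to both the running and the permanent configuration. FW_CMD is an assumption of the example: it names the command to run and defaults to echo, so the script is a dry run that only prints the two firewall-cmd invocations; set FW_CMD=firewall-cmd and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the article or the firewalld project): validate a
# <port>[-<port>]/<tcp|udp> specification, then apply it to BOTH the running
# firewall and the permanent configuration.
# FW_CMD is an assumption of this example: it defaults to "echo" (dry run);
# set FW_CMD=firewall-cmd and run as root to change the firewall for real.
FW_CMD="${FW_CMD:-echo}"

# fw_valid_portspec SPEC -> exit 0 if SPEC is well-formed, 1 otherwise.
fw_valid_portspec() {
  spec=$1
  ports=${spec%/*}
  proto=${spec##*/}
  [ "$ports" != "$spec" ] || return 1            # no "/<protocol>" part at all
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  lo=${ports%%-*}
  hi=${ports##*-}
  # exactly "<port>" or "<port>-<port>", nothing else
  [ "$ports" = "$lo" ] || [ "$ports" = "$lo-$hi" ] || return 1
  case "$lo" in ""|*[!0-9]*) return 1 ;; esac   # digits only, non-empty
  case "$hi" in ""|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_open_port ZONE SPEC: open SPEC in ZONE now and persistently. The permanent
# command runs first so that a failure there leaves the runtime state untouched.
# Returns 2 for a rejected spec, 1 if firewall-cmd fails, 0 on success.
fw_open_port() {
  zone=$1
  spec=$2
  if ! fw_valid_portspec "$spec"; then
    echo "fw_open_port: rejecting malformed port spec '$spec'" >&2
    return 2
  fi
  "$FW_CMD" --permanent --zone="$zone" --add-port="$spec" || return 1
  "$FW_CMD" --zone="$zone" --add-port="$spec"
}

# Stand-alone demo (prints the commands unless FW_CMD=firewall-cmd is set).
fw_open_port home 443/tcp
fw_open_port home 8100-8000/tcp || echo "(rejected as expected)"
```

The validator rejects a missing protocol, anything other than tcp or udp, ports outside 1-65535, and inverted ranges, so a typo never reaches firewall-cmd. The same two-step pattern (permanent first, then runtime) applies to --add-service, --add-masquerade and the other per-zone options in this section.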
Permanently enable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
Enables masquerading for the zone: private network addresses are hidden behind and mapped to a public IP address. This is a form of address translation and is mostly used on routers. Because of kernel limitations, masquerading is only available for IPv4.
Permanently disable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
Query the permanent masquerading state of a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
Exit status 0 if enabled, non-zero otherwise; no output.
Permanently enable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
Blocks the selected Internet Control Message Protocol (ICMP) type. ICMP messages can be information requests, replies to such requests, or error messages.
Permanently disable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
Query the permanent ICMP blocking state in a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
Exit status 0 if the block is enabled, non-zero otherwise; no output.
For example, permanently block echo replies in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
Permanently enable port forwarding or mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
A port can be mapped to the same port on another host, or to a different port on the same or another host. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp. The target port can be a single port <port> or a range <port>-<port>. The target address must be an IPv4 address. Because of kernel limitations, port forwarding is only available for IPv4. Forwarding to another host (toaddr) also requires masquerading to be enabled in the zone.
Permanently disable port forwarding or mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
Query the permanent port forwarding or mapping state of a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}
Exit status 0 if enabled, non-zero otherwise; no output.
For example, permanently forward ssh in the home zone to 127.0.0.2:
firewall-cmd --permanent --zone=home --add-forward-port=22:proto=tcp:toaddr=127.0.0.2
Direct options
The direct options are mainly intended for services and applications to add their own rules. The rules are not saved and must be added again after a reload or restart. The <args> are passed through unchanged and use the same syntax as iptables, ip6tables and ebtables. Direct rules bypass the zone model entirely, so they need the same care as hand-written iptables rules.
The --direct option must be the first argument.
Pass a command through to the firewall. <args> can be any iptables, ip6tables or ebtables command-line arguments:
firewall-cmd --direct --passthrough {ipv4|ipv6|eb} <args>
Add a new chain <chain> to table <table>:
firewall-cmd --direct --add-chain {ipv4|ipv6|eb} <table> <chain>
Remove chain <chain> from table <table>:
firewall-cmd --direct --remove-chain {ipv4|ipv6|eb} <table> <chain>
Query whether chain <chain> exists in table <table>. Exit status 0 if it exists, 1 otherwise; no output:
firewall-cmd --direct --query-chain {ipv4|ipv6|eb} <table> <chain>
Get the chains in table <table>, as a space-separated list:
firewall-cmd --direct --get-chains {ipv4|ipv6|eb} <table>
Add a rule with the arguments <args> to chain <chain> in table <table>, with priority <priority>:
firewall-cmd --direct --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>
Remove the rule with the arguments <args> from chain <chain> in table <table>:
firewall-cmd --direct --remove-rule {ipv4|ipv6|eb} <table> <chain> <args>
Query whether the rule with the arguments <args> exists in chain <chain> of table <table>. Exit status 0 if it exists, 1 otherwise; no output:
firewall-cmd --direct --query-rule {ipv4|ipv6|eb} <table> <chain> <args>
Get all rules added to chain <chain> in table <table>, one per line:
firewall-cmd --direct --get-rules {ipv4|ipv6|eb} <table> <chain>
Current firewalld features
D-Bus interface
The D-Bus interface provides information about the firewall state and makes it possible to enable, disable and query firewall settings.
Zones
A network or firewall zone defines the trust level of a connection. firewalld ships several predefined zones. The zone configuration options and the general file layout are described in the firewalld.zone(5) manual page.
Services
A service can be a list of local ports and destinations, plus additional information such as a firewall helper module that is loaded automatically when the service is enabled. Using predefined services makes it easier to enable and disable access to a service. The service configuration options and the general file layout are described in the firewalld.service(5) manual page.
ICMP types
The Internet Control Message Protocol (ICMP) is used to exchange information and error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. The ICMP type configuration options and the general file layout are described in the firewalld.icmptype(5) manual page.
Direct interface
The direct interface is mainly used by services or applications to add specific firewall rules. These rules are not permanent and have to be applied again after every start, restart and reload, which firewalld signals over D-Bus.
Runtime configuration
The runtime configuration is the currently active configuration and is not permanent: a reload resets it to the permanent configuration, and it is lost when the service or the system is stopped or restarted.
Permanent configuration
The permanent configuration is stored in configuration files and is loaded and applied whenever the machine or the service is restarted or reloaded.
Tray applet
The tray applet firewall-applet shows the firewall state and problems to the user. It can also be used to configure the settings a user is allowed to change.
Graphical configuration tool
The main configuration tool for the firewall daemon is firewall-config. It supports all features of the firewall except the direct interface, which is used by services and applications to add rules. Administrators can also use it to change system or user policies.
Command-line client
firewall-cmd provides most of the graphical tool's configuration features on the command line.
ebtables support
ebtables support is needed at the kernel netfilter level to satisfy all the requirements of the libvirt daemon and to avoid access problems between ip*tables and ebtables. Because these commands access the same structures, they cannot be used at the same time.
Default/fallback configuration in /usr/lib/firewalld
This directory contains the default and fallback ICMP type, service and zone configuration provided by firewalld. The files shipped by the firewalld package must not be modified; any changes are reset with the next update of the package. Additional ICMP types, services and zones can be provided by other packages or created as files.
System configuration in /etc/firewalld
The system or user configuration stored here is created by the system administrator, either through the configuration interfaces or by hand. These files override the default configuration files.
To change a predefined ICMP type, zone or service by hand, copy its file from the default configuration directory to the corresponding system configuration directory and then edit it as needed.
If you remove a zone, service or ICMP type that also has a default/fallback configuration, the corresponding file in /etc/firewalld is renamed to <file>.old and the fallback configuration becomes active.
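The article refers to zone files in /etc/firewalld/zones without showing one. The script below is an added example, not from the article or from firewalld: it writes a custom zone file in the format documented in firewalld.zone(5), with only the listed services and ports accepted and everything else rejected (the zone target is left at its default). The zone name dmz-web, the service and port selection, and the writable directory argument are assumptions of the example; on a real host the directory is /etc/firewalld/zones. The script checks the zone name (firewalld limits names to 17 characters so that the iptables chain names derived from them fit) but does not re-validate port syntax.

```shell
#!/bin/sh
# Added example (not from the article or the firewalld project): generate a custom
# zone file in the layout firewalld reads from /etc/firewalld/zones.
# Assumptions: the zone name "dmz-web", the service/port choice, and the DIR argument.

# fw_write_zone NAME DIR SERVICES PORTS
#   NAME     zone name: letters, digits, '_' and '-' only, at most 17 characters
#            (the limit firewalld applies so the derived iptables chain names fit)
#   DIR      target directory (use /etc/firewalld/zones on a real host)
#   SERVICES space-separated predefined services, e.g. "ssh https"
#   PORTS    space-separated <port>[-<port>]/<tcp|udp> entries, may be empty
# Writes DIR/NAME.xml and prints its path. Anything not listed is rejected
# because the zone target is left at the default.
fw_write_zone() {
  name=$1 dir=$2 services=$3 ports=$4
  case "$name" in
    ""|*[!A-Za-z0-9_-]*) echo "invalid zone name: '$name'" >&2; return 1 ;;
  esac
  [ "${#name}" -le 17 ] || { echo "zone name too long (max 17): $name" >&2; return 1; }
  # Values are interpolated into XML unescaped, so refuse anything but plain tokens.
  case "$services $ports" in
    *[!A-Za-z0-9_./\ -]*) echo "unexpected character in services/ports" >&2; return 1 ;;
  esac
  out="$dir/$name.xml"
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<zone>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>Custom zone: only the listed services and ports are accepted.</description>\n'
    for s in $services; do
      printf '  <service name="%s"/>\n' "$s"
    done
    for p in $ports; do
      printf '  <port port="%s" protocol="%s"/>\n' "${p%/*}" "${p##*/}"
    done
    printf '</zone>\n'
  } > "$out" || return 1
  printf '%s\n' "$out"
}

# Stand-alone demo into a temporary directory. On a real host write to
# /etc/firewalld/zones, run `firewall-cmd --reload`, then bind an interface with
# `firewall-cmd --permanent --zone=dmz-web --change-interface=eth0` (and again
# without --permanent, or reload once more).
demo_dir=$(mktemp -d)
fw_write_zone dmz-web "$demo_dir" "ssh https" "8443/tcp"
cat "$demo_dir/dmz-web.xml"
```

Because the file lands in /etc/firewalld rather than /usr/lib/firewalld, a later firewalld package update will not overwrite it, and removing the zone with firewall-cmd renames it to dmz-web.xml.old as described above rather than deleting it.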
Features under development
Rich language
The rich language feature provides a way to configure complex IPv4 and IPv6 firewall rules through a high-level language, without knowing iptables syntax.
Fedora 19 ships the second milestone of the rich language feature, with D-Bus and command-line support. The third milestone adds support in the graphical tool firewall-config.
For more information about this feature, see the firewalld Rich Language documentation.
Lockdown
The lockdown feature adds a simple way to lock down the firewalld configuration against changes by local applications or services. It is a lightweight application policy.
Fedora 19 ships the second milestone of the lockdown feature, with D-Bus and command-line support. The third milestone adds support in the graphical tool firewall-config.
For more information, see the firewalld Lockdown documentation.
Permanent direct rules
This feature is in an early state. It provides saving of direct rules and direct chains. Passthrough rules are not part of this feature.