firewalld Service Introduction
firewalld is the default firewall service on RHEL 7 and CentOS 7. It uses the concept of trust levels (zones) to manage network connections and the interfaces associated with them. It supports IPv4, IPv6 and network bridges, and uses firewall-cmd (command line) or firewall-config (GUI) to dynamically manage kernel netfilter rules, either runtime (temporary) or permanent; runtime changes take effect immediately without restarting the service.
firewalld classifies network connections into different trust levels. The following zones are provided:
drop: Discard all incoming packets without giving any response
block: Deny all externally initiated connections; allow internally initiated connections
public: Allow only the specified incoming connections
external: Same as public, with masquerading for incoming connections; generally used for routing and forwarding
dmz: Allow restricted incoming connections
work: Allow restricted incoming connections from trusted computers; similar to a workgroup
home: Same as work; similar to a homegroup
internal: Same as work; intended for all users on the internal network
trusted: Trust all connections
Installing and using firewalld
1. Install the firewalld service
yum install firewalld -y
2. Install the graphical firewall configuration tool
yum install firewall-config -y
3. Starting and stopping the firewalld service
Start the firewalld service
systemctl start firewalld.service
Enable the firewalld service at boot
systemctl enable firewalld.service
Stop the firewalld service
systemctl stop firewalld.service
Disable the firewalld service at boot
systemctl disable firewalld.service
Restart the firewalld service
systemctl restart firewalld.service
4. Rule management with the firewall-cmd command
Show how the command is used
firewall-cmd --help
View the running state of the firewalld service
firewall-cmd --state
View the zones that are currently active
firewall-cmd --get-active-zones
View the zone a specified interface belongs to
firewall-cmd --get-zone-of-interface=ens160
View everything configured in a specified zone (interfaces, services, ports, forwarding, etc.)
firewall-cmd --zone=public --list-all
List all predefined services that can be allowed in a zone
firewall-cmd --get-services
List the predefined services in the permanent configuration
firewall-cmd --get-services --permanent
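Reading --list-all output by hand works for one zone, but a defender usually wants to check that a zone allows nothing beyond an approved set. The POSIX shell script below is an added example (not part of the original page): it parses the "key: value" lines of --list-all and reports every service or port not on an allowlist. The sample output is constructed for the example and is not captured from a real host; on a real system pipe `firewall-cmd --zone=public --list-all` into audit_zone instead.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output
# (hypothetical host; telnet and the UDP range are there to be flagged).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh http telnet
  ports: 8080/tcp 5000-5020/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of one "  key: value" line from --list-all output on stdin.
# $1 = key, e.g. services or ports
list_all_field() {
    sed -n "s/^  $1: *//p"
}

# Report every service or port in the zone that is not on the allowlist.
# $1 = space-separated allowed services, $2 = allowed ports (e.g. "8080/tcp"),
# stdin = --list-all output. Prints nothing when the zone is compliant.
audit_zone() {
    allowed_services=$1
    allowed_ports=$2
    out=$(cat)
    violations=""
    for s in $(printf '%s\n' "$out" | list_all_field services); do
        case " $allowed_services " in
            *" $s "*) ;;
            *) violations="$violations service:$s" ;;
        esac
    done
    for p in $(printf '%s\n' "$out" | list_all_field ports); do
        case " $allowed_ports " in
            *" $p "*) ;;
            *) violations="$violations port:$p" ;;
        esac
    done
    printf '%s\n' "${violations# }"
}

# Demo on the constructed sample: flags the telnet service and the UDP range.
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone "dhcpv6-client ssh http" "8080/tcp"
```

The allowlists are plain space-separated strings so the script can be dropped into a cron job or a configuration-check pipeline without extra tooling; an empty result means the zone matches the baseline.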
5. Rule management of the firewalld service
firewall-cmd --panic-on # Enable panic mode: drop all incoming and outgoing packets
firewall-cmd --panic-off # Disable panic mode
firewall-cmd --query-panic # Check whether panic mode is enabled
firewall-cmd --reload # Reload rules from the permanent configuration without restarting the service; established connections are kept
firewall-cmd --complete-reload # Complete reload of the firewall, including netfilter modules; existing connections are interrupted
Add an interface to a trust level (zone)
firewall-cmd --zone=public --add-interface=ens160 --permanent
Set public as the default zone
firewall-cmd --set-default-zone=public
6. Managing ports
List the allowed incoming ports in the dmz zone
firewall-cmd --zone=dmz --list-ports
Allow TCP port 8080 in the dmz zone
firewall-cmd --zone=dmz --add-port=8080/tcp
firewall-cmd --reload
Note that --add-port without --permanent changes only the runtime configuration, and --reload replaces the runtime configuration with the permanent one, so a runtime-only port is dropped by the reload. To keep a rule, add it with --permanent and then reload, or add it both with and without --permanent so it applies immediately and also survives a reload.
Allow a range of UDP ports in the public zone, permanently
firewall-cmd --zone=public --add-port=5000-5020/udp --permanent
7. Managing services
Add the smtp service to the work zone
firewall-cmd --zone=work --add-service=smtp
Remove the smtp service from the work zone
firewall-cmd --zone=work --remove-service=smtp
8. Configuring IP masquerading (NAT)
Check whether masquerading is enabled
firewall-cmd --zone=external --query-masquerade
Enable masquerading
firewall-cmd --zone=external --add-masquerade
Disable masquerading
firewall-cmd --zone=external --remove-masquerade
9. Port forwarding
Before configuring port forwarding, first enable masquerading on the zone
firewall-cmd --zone=external --add-masquerade
Then forward incoming TCP port 22 to local port 3753
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
Forward incoming TCP port 22 to the same port on another host, 192.168.1.100
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
Forward incoming TCP port 22 to port 2055 on another host, 192.168.1.100
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
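Sections 6 to 9 each issue runtime-only commands, and the port-forwarding section depends on masquerading having been enabled first. The POSIX shell helper below is an added example (not part of the original page or of firewalld): ensure_rule checks with the matching --query-* flag before adding a rule, and when it does add one it writes both the permanent and the runtime configuration, so the rule is active at once and survives --reload. forward_tcp_port builds the same port=...:proto=tcp:toport=...:toaddr=... specification used above and enables masquerading before the forward. The FWCMD variable, the dry_run_fwcmd backend and both function names are assumptions of this example; with FWCMD unset the script only prints what it would run.

```shell
#!/bin/sh
# Hypothetical helpers around firewall-cmd (example code, not firewalld's own).
# Set FWCMD=firewall-cmd and run as root to apply for real; the default backend
# below only prints the commands and treats every query as "rule absent".
dry_run_fwcmd() {
    echo "dry-run: firewall-cmd $*" >&2
    case "$*" in *--query-*) return 1 ;; esac
}
FWCMD=${FWCMD:-dry_run_fwcmd}

# ensure_rule ZONE KIND [VALUE]
#   KIND is the flag suffix: port, service, forward-port, masquerade (no VALUE).
#   Adds the rule permanently and at runtime only if it is not already active.
ensure_rule() {
    zone=$1 kind=$2 value=$3
    flag="$kind${value:+=$value}"                       # e.g. port=8080/tcp
    if "$FWCMD" --zone="$zone" "--query-$flag" >/dev/null; then
        echo "present $flag in $zone"
        return 0
    fi
    "$FWCMD" --permanent --zone="$zone" "--add-$flag" >/dev/null &&
    "$FWCMD" --zone="$zone" "--add-$flag" >/dev/null &&
    echo "added $flag in $zone"
}

# forward_tcp_port ZONE FROM_PORT [TO_ADDR] [TO_PORT]
#   Enables masquerading on the zone, then forwards incoming TCP FROM_PORT to
#   TO_PORT and/or TO_ADDR using the same spec syntax as firewall-cmd.
forward_tcp_port() {
    fzone=$1 from=$2 toaddr=$3 toport=$4
    spec="port=$from:proto=tcp${toport:+:toport=$toport}${toaddr:+:toaddr=$toaddr}"
    ensure_rule "$fzone" masquerade "" &&
    ensure_rule "$fzone" forward-port "$spec"
}

# Demo (dry run unless FWCMD is set): the last forwarding example from section 9.
ensure_rule dmz port 8080/tcp
ensure_rule work service smtp
forward_tcp_port external 22 192.168.1.100 2055
```

Querying before adding keeps the helper idempotent, so it can run from a configuration-management tool on every pass without producing "ALREADY_ENABLED" warnings or duplicate permanent entries.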