Fireall-cmd some orders.

Firewall Service Introduction

The Firewall service is the default installed Firewall service for the REDHAT7 and CENTOS7 systems, and the concept of a trust level to manage the connections and interfaces associated with it. It supports IPv4 and IPv6, and supports the network Bridge, using Firewall-cmd (command) or Firewall-config (GUI) to dynamically manage kernel NetFilter temporary or permanent interface rules that take effect immediately without restarting the service.

Firewall can classify different network connections into different trust levels, Zone provides the following levels:

Drop: Discard all incoming packets without giving any response block 
: Deny all externally initiated connections, allow internal-initiated connections public 
: Allow specified access connection 
external: ibid., entry connection to disguise, general for routing forwarding 
DMZ: Allow restricted access connections 
work: Allows trusted computers to be restricted to access connections, similar to workgroup home 
: Ibid., similar to homegroup 
internal: ibid., range for all internet users 
Trusted: Trust all connections
'

　　

Rules for installation and use of firewall

1. Installation of Firewall service

Yum Install Firewalld-y

　　

2. Install firewall graphics Operation interface

Yum Install Firewall-config-y

3. Firewall service startup and shutdown operations
Start the Firewall service

Systemctl Start Firewalld.service

Boot Firewall Service

Systemctl Enable Firewalld.service

Turn off the Firewall service

Systemctl Stop Firewalld.service

Cancel Boot boot Firewall service

Systemctl Disable Firewalld.service

Restart the Firewall service

Systemctl Restart Firewalld.service

　　

4. Firewall service rule management, use Firwwall-cmd command

See how rules are used

Firewall-cmd--help

　　

To view the running status of the Firewall service

Firwwall-cmd--state

　　

Viewing Zone information that has been activated

Firewall-cmd--get-active-zones

View Zone information for the specified interface

Firewall-cmd--get-zone-of-interface=ens160

View ports at a specified level

Firewall-cmd--zone=public--list-all

View information that is allowed for all levels

Firewall-cmd--get-service

View the services that are allowed in all zones levels

Firewall-cmd--get-service--permanent

5. Rule management of firewall services

Firewall-cmd--panic-on # Discard
firewall-cmd--panic-off # Cancel Discard
firewall-cmd--query-panic # view discard status
Firewall-cmd--reload # Update rule, do not restart service
firewall-cmd--complete-reload # Update rule, restart service

　　

Add an interface to a trust level

Firewall-cmd--zone=public--add-interface=ens160--permanent

Set public as the default trust level

Firewall-cmd--set-default-zone=public

　　

6. Firewall Management port

List the allowed entry ports at the DMZ level

Firewall-cmd--ZONE=DMZ--list-ports

　　

Allow TCP port 8080 to DMZ level

Firewall-cmd--zone=dmz--add-port=8080/tcp
firewall-cmd--reload

　　

Allow a range of UDP ports to the public level and take effect permanently

Firewall-cmd--zone=public--add-port=5000-5020/udp--permanent

　　

7. Firewall Management Services

Add SMTP service to work zone

Firewall-cmd--zone=work--ADD-SERVICE=SMTP

　　

Remove the SMTP service in work zone

Firewall-cmd--zone=work--REMOVE-SERVICE=SMTP

　　

8. Firewall Configure IP Address camouflage

View Camouflage

Firewall-cmd--zone=external--query-masquerade

　　

Open disguise

Firewall-cmd--zone=external--add-masquerade

　　

Turn off camouflage

Firewall-cmd--zone=external--remove-masquerade

　　

9. Firewall port Forwarding

To open port forwarding, you need to first

Firewall-cmd--zone=external--add-masquerade

　　

Then forward TCP 22 port to 3753

Firewall-cmd--zone=external--add-forward-port=port=22:proto=tcp:toport=3753

　　

Forward 22-Port data to another IP-192.168.1.100 on the same port

Firewall-cmd--zone=external--add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100

　　

Forward 22-Port data to another IP-192.168.1.100 2055 port

firewall-cmd--zone=external--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100