CentOS 7 uses firewalld as its default firewall management tool in place of the old iptables service. Underneath, the kernel still filters packets with iptables/netfilter; firewalld is the management layer that drives it.
Reference documents:
https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
http://www.myhome.net.tw/2015_02/p10.htm
[Figure: Firewall_stack.png]
Starting and stopping the firewall
# systemctl start firewalld
# systemctl enable firewalld
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl status firewalld
1. firewalld directories
/usr/lib/firewalld holds the preset data shipped with the package, i.e. the original default configuration. It contains many XML files (zones, services, icmptypes and so on).
/etc/firewalld holds the configuration currently in use. Anything not defined here falls back to the default definitions under /usr/lib/firewalld.
2. firewalld commands
firewalld can be managed through a GUI: on a CentOS system with a desktop environment, open Applications -> Sundry -> Firewall to manage and configure it.
You can also manage it from the command line with firewall-cmd. The man pages describe the firewalld commands and how to use them:
# man firewalld.conf
# man firewall-cmd
# man firewalld.zone
# man firewalld.service
# man firewalld.icmptype
# man firewalld.direct
The common commands are as follows.
1. Adding the HTTP and HTTPS services
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload    (reloads the rules without interrupting existing connections)
Here --permanent (permanent) writes the change to the saved configuration under /etc/firewalld rather than only to the running firewall, so it survives a reload or reboot; it takes effect once the rules are reloaded.
2. Changing the SSH port from 22 to 23456
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
# vi /etc/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="23456"/>
</service>
# firewall-cmd --complete-reload    (reloads the rules and drops existing connections, unlike --reload)
# vi /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 23456
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# systemctl restart sshd
# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
   Active: active (running) since Mon 2015-08-31 17:47:22 CST; 25s ago
 Main PID: 12302 (sshd)
   CGroup: /system.slice/sshd.service
           └─12302 /usr/sbin/sshd -D

Aug 31 17:47:22 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on 0.0.0.0 port 23456.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on :: port 23456.
Aug 31 17:47:23 localhost.localdomain python[12304]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 23456.
                                                     ***** Plugin bind_ports (92.2 confidence) suggests ************************
...
Hint: Some lines were ellipsized, use -l to show in full.
#
Note the last log lines: SELinux is blocking sshd from binding the new port, because only port 22 carries the ssh_port_t label. As the comment in sshd_config itself says, the port label must be added as well (semanage port -a -t ssh_port_t -p tcp 23456) and sshd restarted; otherwise the firewall opens 23456 but sshd cannot listen on it.
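The port change above has to be made in three places that can silently disagree (the firewalld service XML, the sshd_config Port line, and the SELinux ssh_port_t label whose absence produced the denial in the log). The following script is an added example, not code from the original post: it reads the port from both files, compares them, and, only if semanage is installed, checks the SELinux label; it assumes the service XML uses the attribute order protocol="tcp" port="N" as ssh.xml does, and the sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the SSH port is declared
# consistently in the three places the procedure above touches (firewalld service XML,
# sshd_config "Port", SELinux ssh_port_t label). Paths are parameters for testing.

# sshd_port FILE: print the first uncommented Port value (sshd defaults to 22)
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# service_port FILE: print the tcp port from a firewalld service definition
# (assumes the attribute order protocol="tcp" port="N", as in ssh.xml above)
service_port() {
    sed -n 's/.*<port[^>]*protocol="tcp"[^>]*port="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# ports_agree SSHD_CONFIG SERVICE_XML: 0 when both name the same port, else 1
ports_agree() {
    a=$(sshd_port "$1"); b=$(service_port "$2")
    [ "$a" = "$b" ] && return 0
    echo "mismatch: sshd_config Port=$a but the firewalld service opens ${b:-nothing}" >&2
    return 1
}

# selinux_port_ok PORT: 0 if PORT carries ssh_port_t, 1 if not, 2 if semanage is absent
selinux_port_ok() {
    command -v semanage >/dev/null 2>&1 || return 2
    semanage port -l 2>/dev/null | awk -v p="$1" \
        '$1 == "ssh_port_t" { for (i = 3; i <= NF; i++) { sub(",", "", $i); if ($i == p) ok = 1 } } END { exit !ok }'
}

# check_ssh_port SSHD_CONFIG SERVICE_XML: 0 only when files and SELinux label all agree
check_ssh_port() {
    ports_agree "$1" "$2" || return 1
    rc=0; selinux_port_ok "$(sshd_port "$1")" || rc=$?
    [ "$rc" -eq 1 ] && { echo "SELinux: run semanage port -a -t ssh_port_t -p tcp $(sshd_port "$1")" >&2; return 1; }
    return 0
}
# make_demo_files DIR SSHD_PORT XML_PORT: write constructed sample files (not real configs)
make_demo_files() {
    printf '#Port 22\nPort %s\n#AddressFamily any\n' "$2" > "$1/sshd_config"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>SSH</short>\n  <port protocol="tcp" port="%s"/>\n</service>\n' "$3" > "$1/ssh.xml"
}
# Stand-alone demo on constructed files: needs no root, firewalld or SELinux
demo=$(mktemp -d)
make_demo_files "$demo" 23456 23456 && check_ssh_port "$demo/sshd_config" "$demo/ssh.xml" && echo "ports agree"
make_demo_files "$demo" 23456 22 && check_ssh_port "$demo/sshd_config" "$demo/ssh.xml" || echo "fix the service XML"
rm -rf "$demo"
```

On a real host, run check_ssh_port /etc/ssh/sshd_config /etc/firewalld/services/ssh.xml after editing and before restarting sshd, so a mismatch or a missing SELinux label is caught before the daemon is bounced.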
This article is from the "Watch the world on the shoulders of giants" blog; please keep this source when reposting: http://lixiaotao.blog.51cto.com/985722/1690193
Firewall under CentOS 7