How to configure and use firewalls in RHEL 7

Source: Internet
Author: User
Tags: bind ldap postgresql ssh bacula

RHEL 7 uses firewalld instead of the old iptables service, so the way it is operated and configured differs somewhat from before:

View firewall status: systemctl status firewalld

Start firewall: systemctl start firewalld

Stop firewall: systemctl stop firewalld

Everything in the firewall is associated with one or more zones, which are described in the following sections:

Zone                 Description
-----------------------------------------------------
drop (immutable)     Deny all incoming connections; outgoing ones are accepted.
block (immutable)    Deny all incoming connections, with ICMP host prohibited messages issued.
trusted (immutable)  Allow all network connections.
public               For use in public areas.
external             For computers with masquerading enabled, protecting a local network.
dmz                  For computers publicly accessible with restricted access.
work                 For trusted work areas.
home                 For trusted home network connections.
internal             For internal networks; restrict incoming connections.

drop (discard)
Any incoming network packet is discarded and no reply is sent. Only outgoing network connections are possible.

block (restrict)
Any incoming network connection is rejected with an IPv4 icmp-host-prohibited message or an IPv6 icmp6-adm-prohibited message.

public
For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external
For use on external networks with masquerading enabled, especially on routers. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone)
For computers in your demilitarized zone: they are publicly accessible but have limited access to your internal network. Only selected incoming connections are accepted.

work
For use in work areas. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home
For use in home networks. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal
For internal networks. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

trusted
All network connections are accepted.

Some common commands for manipulating firewalls:

--Show firewall status

[root@localhost zones]# firewall-cmd --state
running


--List all currently defined zones
[root@localhost zones]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

--Get the currently active zones
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: ens32 veth4103622

--Get the default zone
[root@localhost zones]# firewall-cmd --get-default-zone
public

--List the services firewalld currently knows about
[root@localhost zones]# firewall-cmd --get-services
rh-satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

--List the services in the permanent configuration (what will be available after the next reload)
[root@localhost zones]# firewall-cmd --get-services --permanent
rh-satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd mysql nfs ntp ms-wbt openvpn pmcd pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

--List the ports opened in zone public
[root@localhost zones]# firewall-cmd --zone=public --list-ports

--List the current settings of zone public
[root@localhost zones]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno16777736
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
--Open the http service in zone public (runtime only), then in zone internal (permanent)
[root@localhost zones]# firewall-cmd --zone=public --add-service=http
success
[root@localhost zones]# firewall-cmd --permanent --zone=internal --add-service=http
success


--Reload the configuration
[root@localhost zones]# firewall-cmd --reload
success


--Open port 443/tcp in zone internal
[root@localhost zones]# firewall-cmd --zone=internal --add-port=443/tcp
success


--List all services of zone internal
[root@localhost zones]# firewall-cmd --zone=internal --list-services
dhcpv6-client ipp-client mdns samba-client ssh


Setting up a blacklist / whitelist
--Add the 172.28.129.0/24 network segment to zone trusted
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --add-source=172.28.129.0/24
success


--List the whitelisted sources of zone trusted
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --list-sources
172.28.129.0/24


--Active zones
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: eno16777736


--Reload after adding the source to zone trusted, then check --get-active-zones again
[root@localhost zones]# firewall-cmd --reload
success
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: ens32 veth4103622
trusted
  sources: 172.28.129.0/24


--List all rules of zone drop
[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 


--Add 172.28.13.0/24 to zone drop
[root@localhost zones]# firewall-cmd --permanent --zone=drop --add-source=172.28.13.0/24
success


--A reload is needed after adding a permanent entry
[root@localhost zones]# firewall-cmd --reload
success


[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
  interfaces: 
  sources: 172.28.13.0/24
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 


[root@localhost zones]# firewall-cmd --reload
success


--Remove 172.28.13.0/24 from zone drop
[root@localhost zones]# firewall-cmd --permanent --zone=drop --remove-source=172.28.13.0/24
success


--View the rules of all zones
[root@localhost ~]# firewall-cmd --list-all-zones
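To make the zone model behind the source bindings above concrete, here is an added example (my own code, not part of the original post) that reproduces offline how firewalld decides which zone, and therefore which policy, applies to a new connection from a given IPv4 address. The source bindings (trusted: 172.28.129.0/24, drop: 172.28.13.0/24) and the per-zone service lists are constructed to mirror the post's session; the model assumes only source-bound zones and the default zone, and ignores interface bindings.

```shell
#!/bin/sh
# Added example, not from the original post: an offline model of firewalld's
# zone selection for incoming connections. All zone contents below are
# constructed sample data, not read from a live host. Assumption: only
# source-bound zones and the default zone are modelled (no interface bindings).

DEFAULT_ZONE=public

# Source-to-zone bindings, as created with --add-source in the post (constructed).
ZONE_SOURCES="trusted 172.28.129.0/24
drop 172.28.13.0/24"

# Services each zone allows (constructed to mirror the post's --list-all output).
zone_services() {
  case "$1" in
    public)   echo "dhcpv6-client ssh http" ;;
    internal) echo "dhcpv6-client ipp-client mdns samba-client ssh http" ;;
    *)        echo "" ;;
  esac
}

# Convert a dotted-quad IPv4 address to an integer using POSIX arithmetic only.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside the prefix.
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_for_source IP -> the zone whose source binding matches, otherwise the
# default zone (where firewalld puts traffic matching no source/interface binding).
zone_for_source() {
  match=$(printf '%s\n' "$ZONE_SOURCES" | while read -r zone cidr; do
    [ -n "$zone" ] || continue
    if in_cidr "$1" "$cidr"; then
      echo "$zone"
      break
    fi
  done)
  echo "${match:-$DEFAULT_ZONE}"
}

# verdict IP SERVICE -> what happens to a new connection from IP to SERVICE,
# following the zone descriptions given earlier in the post.
verdict() {
  zone=$(zone_for_source "$1")
  case "$zone" in
    drop)    echo "$zone: DROP (no reply)" ;;
    block)   echo "$zone: REJECT (icmp-host-prohibited)" ;;
    trusted) echo "$zone: ACCEPT (all connections)" ;;
    *)
      case " $(zone_services "$zone") " in
        *" $2 "*) echo "$zone: ACCEPT ($2 is an allowed service)" ;;
        *)        echo "$zone: REJECT ($2 is not allowed)" ;;
      esac ;;
  esac
}

# Demonstration with constructed client addresses.
for probe in "172.28.129.5 telnet" "172.28.13.9 ssh" "10.0.0.1 http" "10.0.0.1 telnet"; do
  set -- $probe
  printf '%-16s %-8s -> %s\n' "$1" "$2" "$(verdict "$1" "$2")"
done
```

The point the model makes visible is that a source binding wins over the default zone: a host in 172.28.129.0/24 reaches every service once the trusted binding is active, and a host in 172.28.13.0/24 gets no reply at all, regardless of what zone public allows. Remember that the post adds both bindings with --permanent, so they only enter the running configuration after firewall-cmd --reload, which the --get-active-zones output above confirms; conversely, anything added without --permanent is discarded by a reload.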

Finally, a few more notes:

1. Often we need to open a port or allow access from an IP address. First check which zone is the current default zone, then add the port or source to that zone; only then will the change have any effect on external traffic.

For example, my current default zone is public, and I need to open port 80 for external access, so I run the following commands:

[root@localhost zones]# firewall-cmd --zone=public --permanent --add-port=80/tcp
success
[root@localhost zones]# firewall-cmd --reload
success

2. Adding --permanent to a command makes the entry permanent: it remains in force after the firewalld service is restarted. Without it, the change is only valid until the service is restarted.

3. The commands we run are actually reflected in specific configuration files, so we can also edit the corresponding configuration file directly.

Take the public zone as an example: its configuration file is /etc/firewalld/zones/public.xml. Since we just added port 80, the contents of public.xml are:

[root@localhost zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
</zone>

This gives you a better understanding of the structure of the configuration file. If you edit it directly, remember to run firewall-cmd --reload or restart the firewalld service afterwards, otherwise the change is not applied.
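Because the zone files have the regular one-element-per-line layout shown above, they are easy to review from a shell. The following is an added example (my own code, not from the original post) that extracts the services, ports and sources from zone files and flags two things a reviewer typically wants to see: cleartext legacy services (telnet, ftp, tftp) and opened port ranges. The two zone files it writes to a temporary directory are constructed sample data modelled on public.xml above, not copied from a real host; the "one element per line" assumption holds for files written by firewalld but may not for hand-edited ones.

```shell
#!/bin/sh
# Added example, not from the original post: audit firewalld zone files of the
# form shown above using only sed/tr. Assumption: one XML element per line, as
# firewalld writes /etc/firewalld/zones/*.xml. The zone files below are
# constructed sample data written to a temporary directory, not a real host's.

AUDIT_DIR=$(mktemp -d)

# Constructed copy of the public.xml shown in the post after adding port 80.
cat > "$AUDIT_DIR/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
</zone>
EOF

# Constructed zone with a cleartext legacy service and a wide port range,
# so that the audit has something to flag.
cat > "$AUDIT_DIR/internal.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <service name="ssh"/>
  <service name="telnet"/>
  <source address="172.28.129.0/24"/>
  <port protocol="tcp" port="1024-65535"/>
</zone>
EOF

# zone_services FILE -> space-separated names of the services enabled in the zone.
zone_services() {
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# zone_ports FILE -> space-separated PORT/PROTO entries opened in the zone.
zone_ports() {
  sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# zone_sources FILE -> space-separated source bindings of the zone.
zone_sources() {
  sed -n 's/.*<source address="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Services worth flagging because they carry credentials in cleartext.
CLEARTEXT_SERVICES="telnet ftp tftp"

# risky_services FILE -> enabled services that are in CLEARTEXT_SERVICES.
risky_services() {
  for svc in $(zone_services "$1"); do
    case " $CLEARTEXT_SERVICES " in
      *" $svc "*) echo "$svc" ;;
    esac
  done | tr '\n' ' ' | sed 's/ $//'
}

# wide_ports FILE -> port entries that open a range (contain a dash).
wide_ports() {
  for p in $(zone_ports "$1"); do
    case "$p" in *-*) echo "$p" ;; esac
  done | tr '\n' ' ' | sed 's/ $//'
}

# audit_zone FILE -> a one-line summary of the zone followed by any findings.
audit_zone() {
  name=$(basename "$1" .xml)
  echo "zone $name: services=[$(zone_services "$1")] ports=[$(zone_ports "$1")] sources=[$(zone_sources "$1")]"
  r=$(risky_services "$1"); [ -z "$r" ] || echo "  FINDING: cleartext service(s) enabled: $r"
  w=$(wide_ports "$1");     [ -z "$w" ] || echo "  FINDING: port range opened: $w"
}

for f in "$AUDIT_DIR"/*.xml; do audit_zone "$f"; done
```

Pointing the loop at /etc/firewalld/zones instead of the temporary directory audits the permanent configuration of a real host; compare its output with firewall-cmd --list-all-zones to spot runtime changes that were made without --permanent and will vanish on the next reload.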

That is all of the RHEL 7 firewall configuration and usage content; I hope it is useful, and please keep supporting the community.
