1. Basic use of firewalld
Start: systemctl start firewalld
View status: systemctl status firewalld
Stop: systemctl stop firewalld
Disable at boot: systemctl disable firewalld
2. systemctl is the main service-management tool in CentOS 7; it takes over the functions of the earlier service and chkconfig commands.
Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Show the status of a service: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service is enabled at boot: systemctl is-enabled firewalld.service
List the services that are enabled at boot: systemctl list-unit-files | grep enabled
List the services that failed to start: systemctl --failed
3. Configuring with firewall-cmd
View version: firewall-cmd --version
View help: firewall-cmd --help
Show state: firewall-cmd --state
View all open ports in the public zone: firewall-cmd --zone=public --list-ports
Reload the firewall rules: firewall-cmd --reload
View the active zones and the interfaces bound to them: firewall-cmd --get-active-zones
View the zone of a given interface: firewall-cmd --get-zone-of-interface=eth0
Drop all incoming and outgoing packets (panic mode; this also cuts off your own SSH session): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
So how do you open a port?
Add:
firewall-cmd --zone=public --add-port=80/tcp --permanent    (--permanent writes the rule to the saved configuration so it survives a restart; it does not reach the running firewall until you reload)
Reload:
firewall-cmd --reload
Check:
firewall-cmd --zone=public --query-port=80/tcp
Remove:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
Open the FTP service temporarily (runtime configuration only)
# firewall-cmd --add-service=ftp
Open the FTP service permanently
# firewall-cmd --add-service=ftp --permanent
Close it permanently
# firewall-cmd --remove-service=ftp --permanent
success
Make the permanent setting take effect
# firewall-cmd --reload    (systemctl restart firewalld also works, but reload keeps existing connection state)
Check whether the setting is in effect by looking at the generated iptables rules
# iptables -L -n
The rule firewalld generates for FTP appears as:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW
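The add/reload/check/remove sequence above for ports and the runtime-versus-permanent sequence for the ftp service are the same two-step dance every time, and it is easy to forget one half of it. The script below is an added example (not code from the original page): it wraps firewall-cmd so that a port or service is added to both the runtime and the permanent configuration in one call, so no --reload is needed and no runtime-only rule is thrown away by one, and it validates the zone, service name and port spec before they reach the command line, which matters when the values come from user input or a provisioning tool. The FIREWALL_CMD override and the function names are assumptions of this example; set FIREWALL_CMD=echo to dry-run without root.

```shell
#!/bin/bash
# fw-allow.sh: open or close a port/service in a firewalld zone, applying the
# change to BOTH the runtime and the permanent configuration, so that no
# --reload is needed (a --reload would discard runtime-only rules added earlier).
# Added example; not from the original page. FIREWALL_CMD is an assumption of
# this script: set FIREWALL_CMD=echo to see the commands without running them.
set -u

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Zone and service names: letters, digits, '-' and '_' only (nothing a shell
# or firewall-cmd could misread as a separate argument).
fw_valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Port spec: "80/tcp" or "8000-8100/udp"; ports 1..65535, low <= high.
fw_valid_portspec() {
    local spec="$1" ports proto lo hi
    case "$spec" in
        */tcp|*/udp) proto="${spec##*/}"; ports="${spec%/*}" ;;
        *) return 1 ;;
    esac
    case "$ports" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;    # digits and at most one dash
    esac
    lo="${ports%-*}"; hi="${ports#*-}"
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Run one firewall-cmd change against the runtime config, then the permanent one.
_fw_apply() {    # _fw_apply <zone> <--add-port=...|--remove-service=...>
    "$FIREWALL_CMD" --zone="$1" "$2" || return 1
    "$FIREWALL_CMD" --permanent --zone="$1" "$2"
}

_fw_change() {   # _fw_change add|remove <zone> port|service <value>
    local action="$1" zone="${2-}" kind="${3-}" value="${4-}"
    fw_valid_name "$zone" || { echo "invalid zone name: $zone" >&2; return 2; }
    case "$kind" in
        port)    fw_valid_portspec "$value" || { echo "invalid port spec: $value" >&2; return 2; } ;;
        service) fw_valid_name "$value"     || { echo "invalid service name: $value" >&2; return 2; } ;;
        *)       echo "kind must be port or service" >&2; return 2 ;;
    esac
    _fw_apply "$zone" "--${action}-${kind}=${value}" || return 1
    # Verify the runtime state instead of trusting the exit code of the change.
    if [ "$action" = add ]; then
        "$FIREWALL_CMD" --zone="$zone" "--query-${kind}=${value}"
    else
        ! "$FIREWALL_CMD" --zone="$zone" "--query-${kind}=${value}"
    fi
}

# fw_allow <zone> port|service <value>   e.g. fw_allow public port 8080/tcp
# fw_deny  <zone> port|service <value>   e.g. fw_deny  public service ftp
fw_allow() { _fw_change add "$@"; }
fw_deny()  { _fw_change remove "$@"; }

# Command-line entry point: fw-allow.sh allow|deny <zone> port|service <value>
case "${1-}" in
    allow) shift; fw_allow "$@" ;;
    deny)  shift; fw_deny "$@" ;;
esac
```

Because the change is made twice, once without and once with --permanent, the running firewall and the saved configuration stay identical and the reload pitfall described later on this page cannot bite; the final --query call confirms what the running firewall actually does rather than what the command claimed.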
Check the firewall state
# firewall-cmd --state
running
# systemctl stop firewalld
# firewall-cmd --state
not running
(start firewalld again before running the commands below; firewall-cmd cannot talk to a stopped daemon)
# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Service names known to firewalld
# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
Query whether a service is currently allowed
# firewall-cmd --query-service=ftp
yes
# firewall-cmd --query-service=ssh
yes
# firewall-cmd --query-service=samba
no
# firewall-cmd --query-service=http
no
Add a port of your own
# firewall-cmd --add-port=3128/tcp
# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports: 3128/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
To start the firewalld service:
systemctl enable firewalld.service    # enable at boot
systemctl start firewalld.service     # start the service now
To view the firewall status:
systemctl status firewalld
1. Zone management
1.1. Introduction to network zones
Dividing the network into zones and defining an access-control policy between them controls what traffic may flow between the programs on each side. For example, the Internet is an untrusted zone while the internal network is a highly trusted one. The network security model can be initialized during installation, at first boot, or when a network connection is first established. The model describes the trust level of the network environment the host is connected to and defines how new connections are handled. firewalld ships the following predefined zones:
Block zone (block): any incoming connection is rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message; only connections initiated from this system are possible.
Work zone (work): for work networks where you mostly trust the other computers; only selected incoming connections are accepted.
Home zone (home): for home networks where you mostly trust the other computers; only selected incoming connections are accepted.
Public zone (public): for public networks where you do not trust the other computers; only selected incoming connections are accepted.
DMZ zone (dmz): for computers in a demilitarized zone, a buffer network placed between the internal network and the outside that is publicly reachable but has limited access to the internal network; only selected incoming connections are accepted.
Trusted zone (trusted): all network connections are accepted.
Drop zone (drop): any incoming packet is dropped without a reply; only outgoing connections are possible.
Internal zone (internal): for internal networks where you mostly trust the other computers; only selected incoming connections are accepted.
External zone (external): for external networks, typically on a router with masquerading enabled, where you do not trust the other computers; only selected incoming connections are accepted.
Note: the default zone of firewalld is public.
1.2. Show the list of supported zones
firewall-cmd --get-zones
1.3. Set the default zone to home
firewall-cmd --set-default-zone=home
1.4. View the currently active zones
firewall-cmd --get-active-zones
1.5. View the zone an interface belongs to
firewall-cmd --get-zone-of-interface=enp0s3
1.6. Show everything configured in the public zone
firewall-cmd --zone=public --list-all
1.7. Temporarily move the network interface (enp0s3) into the internal zone
firewall-cmd --zone=internal --change-interface=enp0s3
1.8. Permanently move the network interface enp0s3 into the internal zone
firewall-cmd --permanent --zone=internal --change-interface=enp0s3
2. Service management
2.1. Show the list of services
The most common services, such as amanda, ftp, samba and tftp, are already defined by firewalld and can be listed with:
firewall-cmd --get-services
2.2. Allow the ssh service through
firewall-cmd --add-service=ssh
2.3. Stop allowing the ssh service through (established sessions stay up, but new SSH connections are refused, so make sure you have another way in)
firewall-cmd --remove-service=ssh
2.4. Open TCP port 8080
firewall-cmd --add-port=8080/tcp
2.5. Temporarily allow the samba service through for 600 seconds (--timeout only works on the runtime configuration, not with --permanent)
firewall-cmd --add-service=samba --timeout=600
2.6. Show the currently allowed services
firewall-cmd --list-services
2.7. Add the http service to the internal zone
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload    # reload the firewall rules; existing connection state is kept
3. Port management
3.1. Open a port
# open 443/tcp (runtime configuration only)
firewall-cmd --add-port=443/tcp
# open 3690/tcp permanently
firewall-cmd --permanent --add-port=3690/tcp
# a port opened with --permanent is only written to the saved configuration and needs a reload to become active;
# a port opened without --permanent is active immediately but disappears on reload, because reload replaces the
# runtime configuration with the saved one. The same applies to services and every other --permanent option.
# Newer firewalld versions also offer firewall-cmd --runtime-to-permanent, which saves the current runtime configuration as the permanent one.
firewall-cmd --reload
# inspect the zone; the added ports are listed under ports:
firewall-cmd --list-all
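Once several zones are in play, the question that matters is not "what did I type" but "which zones are actually bound to an interface or source, and what do they expose". The script below is an added example (not from the original page, nor part of firewalld): it parses the text that firewall-cmd --list-all-zones prints (a single --list-all listing, as shown earlier on this page, parses the same way), and reports, for zones that are bound to at least one interface or source, any cleartext service (ftp, telnet, tftp), any explicitly opened port, and any zone that accepts all traffic (the trusted zone, or any zone whose target is ACCEPT). The sample listing embedded in SAMPLE_ZONES is constructed for the example in firewalld's output format; the function and variable names are assumptions of this example.

```shell
#!/bin/bash
# fw-audit.sh: audit 'firewall-cmd --list-all-zones' output for risky exposure.
# Added example, not from the original page. Usage on a live system:
#   firewall-cmd --list-all-zones | fw_audit
set -u

# Services that carry credentials in cleartext; flagged in any bound zone.
CLEARTEXT_SERVICES="ftp telnet tftp"

# Constructed sample in firewalld's --list-all-zones text format (not real output).
SAMPLE_ZONES='public (default, active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ftp ssh
  ports: 3128/tcp
  masquerade: no

internal
  target: default
  interfaces:
  sources:
  services: telnet ssh
  ports:

trusted
  target: ACCEPT
  interfaces: eth1
  sources:
  services:
  ports:
'

# Reads a zone listing on stdin. Prints one sorted line per finding,
# "<zone> <kind> <value>", and returns 1 if anything was found, 0 if clean.
fw_audit() {
    local findings
    findings=$(awk -v cleartext="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(cleartext, arr, " "); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
        /^[^ \t]/ { zone = $1; next }                      # unindented line: new zone block
        /^[ \t]+interfaces:/ || /^[ \t]+sources:/ {
            if (NF > 1) bound[zone] = 1; next }            # zone is actually in use
        /^[ \t]+target:/   { if ($2 == "ACCEPT") acceptall[zone] = 1; next }
        /^[ \t]+services:/ { for (i = 2; i <= NF; i++) svc[zone, $i] = 1; next }
        /^[ \t]+ports:/    { for (i = 2; i <= NF; i++) port[zone, $i] = 1; next }
        END {
            for (k in svc)  { split(k, p, SUBSEP); if (bound[p[1]] && bad[p[2]]) print p[1], "cleartext-service", p[2] }
            for (k in port) { split(k, p, SUBSEP); if (bound[p[1]]) print p[1], "open-port", p[2] }
            for (z in bound) if (acceptall[z] || z == "trusted") print z, "accepts-all-traffic", "target=ACCEPT"
        }' | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run: audit the embedded sample (use the pipe above on a real host).
printf '%s' "$SAMPLE_ZONES" | fw_audit
```

Note that the internal zone carries telnet but is reported clean: a zone with no interface and no source bound to it has no effect on traffic, which is also why an unused zone is the wrong place to look when something is unexpectedly reachable.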
4. Direct mode
firewalld also has a direct mode that passes rules straight through to iptables, for cases the zone model does not cover, for example opening TCP port 9000:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
firewall-cmd --reload
Without --permanent the direct rule goes into the runtime configuration only, and the --reload that follows would remove it again.
5. Turning firewalld off
If you are not yet comfortable with firewalld, you can also stop it and go back to the classic iptables service. Do not leave both enabled at the same time; each would overwrite the other's rules.
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl enable iptables