Use Firewall and centosfirewall in CentOS 7

Source: Internet
Author: User


In CentOS 7 a new service, firewalld, is introduced. The following figure shows the relationship and the differences between firewalld and iptables.

To install it, you only need:

yum install firewalld

If you need a graphical interface, install:

yum install firewall-config

I. Introduction

The firewalld service introduces the concept of trust levels (zones) to manage the connections and interfaces associated with it. It supports IPv4 and IPv6 as well as bridges. Through firewall-cmd (command line) or firewall-config (GUI) it dynamically manages temporary or permanent kernel netfilter rules per interface, and changes take effect immediately without restarting the service.

Zone

Firewalld can assign different network connections to different trust levels. The following zones are provided:

  • Drop: discard all incoming packets without any response
  • Block: deny all external connections and allow internal connections
  • Public: allow only the specified connections
  • External: same as above; used for masqueraded connections and generally for route forwarding
  • Dmz: allow restricted access to connections
  • Work: allow restricted connections to trusted computers, similar to a workgroup
  • Home: same as above, similar to a home group
  • Internal: same as above, for all Internet users
  • Trusted: trust all connections

Filter rules

  • Source: filter by source address
  • Interface: filter by NIC
  • Service: filter by service name
  • Port: filter by port
  • Icmp-block: ICMP packet filtering, configured by ICMP type
  • Masquerade: IP address masquerading
  • Forward-port: port forwarding
  • Rule: custom rules (rich rules)

Filter rules are matched in the following order of priority:

  1. Source
  2. Interface
  3. firewalld.conf (the default zone)

II. Usage

# systemctl start firewalld     # start the service
# systemctl enable firewalld    # start at boot
# systemctl stop firewalld      # stop the service
# systemctl disable firewalld   # do not start at boot

Specific rules are managed with firewall-cmd; its general usage is:

$ firewall-cmd --help
    --zone=NAME          # specify the zone
    --permanent          # permanent modification; takes effect after a reload
    --timeout=seconds    # rule stays in effect for the given time and is then removed automatically; useful for debugging, cannot be combined with --permanent

1. View rules

View running status

$ firewall-cmd --state

View activated Zone information

$ firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1

View the Zone information of a specified Interface

$ firewall-cmd --get-zone-of-interface=eth0
public

View interfaces at a specified level

$ firewall-cmd --zone=public --list-interfaces
eth0

View all information at a specified level, such as public

$ firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

View the services defined for all levels

$ firewall-cmd --get-services

View the services defined for all zones after a restart, that is, the permanently configured ones

$ firewall-cmd --get-services --permanent
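The `--list-all` output above is what an operator usually eyeballs to confirm a zone exposes only what it should. The following added example (not part of the original article) turns that check into a small POSIX sh audit: it parses the `--list-all` text shown on this page and reports services outside an allow-list, raw port openings, masquerading and port forwards. The sample text is constructed here (telnet, 8080/tcp and the forward are planted deviations).

```shell
#!/bin/sh
# Constructed sample in the shape of `firewall-cmd --zone=public --list-all`
# output shown in the article; telnet, 8080/tcp and the forward are planted.
SAMPLE_LIST_ALL='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh telnet
  ports: 8080/tcp
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=3753
  icmp-blocks:
  rich rules:'

# zone_field TEXT KEY: print the value of the "  KEY: value" line, or nothing
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# unexpected_services TEXT ALLOWED: services enabled in the zone but absent
# from the space-separated allow-list ALLOWED
unexpected_services() {
    _found=""
    for _svc in $(zone_field "$1" services); do
        case " $2 " in
            *" $_svc "*) ;;                # on the allow-list
            *) _found="$_found $_svc" ;;   # drift from the intended policy
        esac
    done
    printf '%s' "${_found# }"
}

# audit_zone TEXT ALLOWED: one FINDING line per deviation, exit status 0
audit_zone() {
    _bad=$(unexpected_services "$1" "$2")
    [ -n "$_bad" ] && echo "FINDING services outside allow-list: $_bad"
    _ports=$(zone_field "$1" ports)
    [ -n "$_ports" ] && echo "FINDING raw ports opened instead of named services: $_ports"
    [ "$(zone_field "$1" masquerade)" = "yes" ] && echo "FINDING masquerading enabled"
    _fwd=$(zone_field "$1" forward-ports)
    [ -n "$_fwd" ] && echo "FINDING port forwards present: $_fwd"
    return 0
}

# Offline run on the sample; on a live host replace the first argument with
# "$(firewall-cmd --zone=public --list-all)".
audit_zone "$SAMPLE_LIST_ALL" "ssh http dhcpv6-client"
```

Run it against `--permanent` output as well, since the runtime and permanent configurations can differ until a reload.
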

2. Manage Rules

# firewall-cmd --panic-on         # panic mode: discard all packets
# firewall-cmd --panic-off        # leave panic mode
# firewall-cmd --query-panic      # query panic mode status
# firewall-cmd --reload           # reload the rules without restarting the service
# firewall-cmd --complete-reload  # reload the rules and restart the service

Add an interface to a trust level. For example, add eth0 to the public zone permanently:

# firewall-cmd --zone=public --add-interface=eth0 --permanent

 

Set public as the default zone

# firewall-cmd --set-default-zone=public

A. Managing ports

List the ports allowed in the dmz zone

# firewall-cmd --zone=dmz --list-ports

 

Allow TCP port 8080 in the dmz zone

# firewall-cmd --zone=dmz --add-port=8080/tcp

 

Allow a range of UDP ports in the public zone, permanently (the range is written low-high)

# firewall-cmd --zone=public --add-port=5059-5060/udp --permanent

 

B. NIC interfaces

List all NICs in the public zone

# firewall-cmd --zone=public --list-interfaces

 

Add eth0 to the public zone, permanently

# firewall-cmd --zone=public --permanent --add-interface=eth0

 

eth0 is currently in the public zone; move it to the work zone (it is added to work and removed from public), permanently

# firewall-cmd --zone=work --permanent --change-interface=eth0

 

Remove eth0 from the public zone, permanently

# firewall-cmd --zone=public --permanent --remove-interface=eth0

 

C. Managing services

Add the smtp service to the work zone

# firewall-cmd --zone=work --add-service=smtp

 

Remove the smtp service from the work zone

# firewall-cmd --zone=work --remove-service=smtp

 

D. Configure IP masquerading in the external zone

Query whether masquerading is enabled

# firewall-cmd --zone=external --query-masquerade

 

Enable masquerading

# firewall-cmd --zone=external --add-masquerade

 

Disable masquerading

# firewall-cmd --zone=external --remove-masquerade

 

E. Configure port forwarding in the public zone

Port forwarding requires masquerading to be enabled first:

# firewall-cmd --zone=public --add-masquerade

 

Forward TCP port 22 to local port 3753

# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753

 

Forward traffic arriving on port 22 to the same port on another IP address

# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100

 

Forward traffic arriving on port 22 to port 2055 on another IP address

# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100

 

F. Configuring ICMP in the public zone

List all supported ICMP types

# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded

 

List the ICMP types blocked in the public zone

# firewall-cmd --zone=public --list-icmp-blocks

 

Block echo-request (optionally for a limited time)

# firewall-cmd --zone=public --add-icmp-block=echo-request [--timeout=seconds]

 

Remove the echo-reply block

# firewall-cmd --zone=public --remove-icmp-block=echo-reply

 

G. IP blocking

Reject all traffic from a single source address with a rich rule; because the rule is added with --permanent, it takes effect after --reload

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.222' reject"

 
