Use Firewall in CentOS 7

Source: Internet
Author: User

CentOS 7 introduces a new firewall service, firewalld. The following figure shows the relationship and the differences between firewalld and iptables.

To install it, run:

# yum install firewalld

If you need a graphical interface, also install:

# yum install firewall-config

I. Introduction

The firewalld service introduces the concept of trust levels (zones) for managing the connections and interfaces assigned to it. It supports IPv4, IPv6 and bridge interfaces. Rules are managed with firewall-cmd (command line) or firewall-config (GUI), which dynamically manage the runtime or permanent rules of the kernel netfilter; changes take effect immediately without restarting the service.

Firewalld classifies network connections into different trust levels. The following zones are provided:

  • Drop: drop all incoming packets without any response

  • Block: deny all incoming connections from outside; only connections initiated internally are allowed

  • Public: allow only the specified connections

  • External: same as above, used for masqueraded (NAT) connections; generally used on routers that forward traffic

  • Dmz: allow restricted incoming connections

  • Work: allow restricted connections from trusted computers, similar to a workgroup

  • Home: same as above, similar to a home group

  • Internal: same as above, for all users of the internal network

  • Trusted: trust all connections

II. Usage

# systemctl start firewalld     # start the service
# systemctl enable firewalld    # start at boot
# systemctl stop firewalld      # stop the service
# systemctl disable firewalld   # do not start at boot

Rules are managed with firewall-cmd; the full usage is shown by

$ firewall-cmd --help

1. View rules

View running status

$ firewall-cmd --state

View activated Zone information

$ firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1

View the Zone information of a specified Interface

$ firewall-cmd --get-zone-of-interface=eth0
public

View interfaces at a specified level

$ firewall-cmd --zone=public --list-interfaces
eth0

View all information at a specified level, such as public

$ firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

List the services available to all zones

$ firewall-cmd --get-services

List the services in the permanent configuration, that is, those still available after a restart

$ firewall-cmd --get-services --permanent

2. Manage Rules

# firewall-cmd --panic-on          # panic mode: drop all traffic
# firewall-cmd --panic-off         # leave panic mode
$ firewall-cmd --query-panic       # query panic mode status
# firewall-cmd --reload            # reload rules without restarting the service
# firewall-cmd --complete-reload   # reload rules and restart the service

Add an interface to a zone. For example, add eth0 to public so that the change is permanent:

# firewall-cmd --zone=public --add-interface=eth0 --permanent

Set public as the default zone

# firewall-cmd --set-default-zone=public

A. Managing ports

List the ports allowed in the dmz zone

# firewall-cmd --zone=dmz --list-ports

Allow tcp port 8080 in the dmz zone

# firewall-cmd --zone=dmz --add-port=8080/tcp

Allow a range of udp ports in the public zone, permanently

# firewall-cmd --zone=public --add-port=5059-5060/udp --permanent

B. Managing services

Add the smtp service to the work zone

# firewall-cmd --zone=work --add-service=smtp

Remove the smtp service from the work zone

# firewall-cmd --zone=work --remove-service=smtp

C. Configuring IP masquerading (NAT)

Query whether masquerading is enabled

# firewall-cmd --zone=external --query-masquerade

Enable masquerading

# firewall-cmd --zone=external --add-masquerade

Disable masquerading

# firewall-cmd --zone=external --remove-masquerade

D. Port forwarding

To enable port forwarding, masquerading must first be enabled on the zone:

# firewall-cmd --zone=external --add-masquerade

Forward tcp port 22 to port 3753 on the same host:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Forward tcp port 22 to the same port on another IP address:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100

Forward tcp port 22 to port 2055 on another IP address:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
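As an added example (not part of the original post), a small POSIX shell audit that reads the `--list-all` output shown above and reports services outside an allowlist, raw open ports, port forwards, and masquerading enabled on any zone other than external; the allowlist and the sample capture are constructed for illustration.

```shell
# Added example, not from the original post: audit "firewall-cmd
# --zone=<zone> --list-all" output (the layout shown above) against a
# small allowlist. Input is read from stdin, so a saved capture works.

# Services a zone may expose; anything else is reported (assumption).
ALLOWED_SERVICES="ssh http https dhcpv6-client"

# audit_zone <zone> < list-all-output
# Prints one line per finding; the exit status is the finding count.
audit_zone() {
    zone="$1"; findings=0
    # read splits on whitespace: "  services: ssh http" -> key="services:" val="ssh http"
    while read -r key val; do
        case "${key%:}" in
            services)
                for svc in $val; do
                    case " $ALLOWED_SERVICES " in
                        *" $svc "*) ;;
                        *) echo "$zone: service '$svc' not in allowlist"
                           findings=$((findings + 1)) ;;
                    esac
                done ;;
            ports|forward-ports)  # raw ports and forwards bypass service review
                if [ -n "$val" ]; then
                    echo "$zone: ${key%:} set: $val"
                    findings=$((findings + 1))
                fi ;;
            masquerade)           # NAT belongs on the external zone only
                if [ "$val" = "yes" ] && [ "$zone" != "external" ]; then
                    echo "$zone: masquerade enabled outside the external zone"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    return "$findings"
}

# Constructed sample capture in the --list-all layout (not a real host).
SAMPLE='public (default, active)
  interfaces: eth0
  services: dhcpv6-client http ssh telnet
  ports: 8080/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=3753'

# Live use: firewall-cmd --zone=public --list-all | audit_zone public
audit_sample() { printf '%s\n' "$SAMPLE" | audit_zone public; }
```

Run `audit_sample` to see the four findings from the constructed capture; on a real host pipe the live `--list-all` output into `audit_zone` and treat a non-zero exit status as a failed check.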

The above are the common operations. For more advanced usage, refer to:

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

  • https://fedoraproject.org/wiki/FirewallD
