2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Today I would like to share how to use the Linux firewall-cmd command. The content is detailed and the logic is clear; most people do not know this tool very well, so this article is offered for reference. I hope you get something out of it. Let's take a look.
firewall-cmd is the command-line front end of firewalld, the newer firewall management tool on Linux, similar in purpose to the iptables service.
To be precise, firewall-cmd is the command-line management tool of firewalld, and firewalld is a headline feature of CentOS 7 (RHEL 7). It brings two big benefits: it supports dynamic rule updates without restarting the service, and it introduces the concept of a "zone" to the firewall.
Firewalld has at least two advantages over the iptables service:
Firewalld can add or remove a single rule dynamically, without flushing and reloading the entire rule set the way the iptables service does on every change.
Firewalld is much more user-friendly than iptables: most tasks can be done without understanding netfilter's "five tables and five chains" or the details of TCP/IP.
Firewalld itself is not the firewall. Like iptables, it relies on netfilter in the kernel: both firewalld and iptables only maintain rules, and it is netfilter that actually enforces them. What differs is how the two tools are structured and used (newer firewalld versions, the default on RHEL 8 and later, program netfilter through nftables rather than iptables).
Command format
firewall-cmd [options...]

General options
-h, --help                 show help
-V, --version              show the version (cannot be combined with other options)
-q, --quiet                do not print status messages

Status options
--state                    show the status of firewalld
--reload                   reload the rules without interrupting existing connections
--complete-reload          reload completely; connection-tracking state is lost, so existing connections are interrupted
--runtime-to-permanent     save the current runtime rules as the permanent configuration
--check-config             check the configuration files for errors

Logging options
--get-log-denied           show the current log-denied setting
--set-log-denied=<value>   log denied packets; <value> is one of all, unicast, broadcast, multicast, off

Example

# install firewalld (firewall-config is the optional graphical front end)
yum install firewalld firewall-config
systemctl start firewalld      # start
systemctl stop firewalld       # stop
systemctl enable firewalld     # start automatically at boot
systemctl disable firewalld    # do not start at boot
systemctl status firewalld     # check status, or: firewall-cmd --state

# If you are not yet comfortable with firewalld you can switch it off and use the iptables service instead.
# Run only one of the two; masking firewalld (systemctl mask firewalld) stops it from being started by accident.
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl enable iptables

Configure firewalld
firewall-cmd --version                      # show version
firewall-cmd --help                         # show help

# View settings
firewall-cmd --state                        # show status
firewall-cmd --get-active-zones             # show the active zones and their interfaces
firewall-cmd --get-zone-of-interface=eth0   # show which zone the interface eth0 is in
firewall-cmd --panic-on                     # panic mode: drop all incoming and outgoing packets
firewall-cmd --panic-off                    # leave panic mode
firewall-cmd --query-panic                  # check whether panic mode is on
firewall-cmd --reload                       # reload the rules; existing connections survive (one of firewalld's dynamic-rule features)
firewall-cmd --complete-reload              # full reload; existing connections are interrupted, similar to a service restart

# Add an interface to a zone (interfaces land in the default zone, public, unless assigned otherwise)
firewall-cmd --zone=public --add-interface=eth0
# add --permanent for a persistent change, then --reload

# Set the default zone; takes effect immediately, no restart needed
firewall-cmd --set-default-zone=public

# List all open ports in a zone
firewall-cmd --zone=dmz --list-ports
# Add a port to a zone
firewall-cmd --zone=dmz --add-port=8080/tcp
# add --permanent for a persistent change, as above

# Opening a service is like opening a port, but by name. Services are defined in configuration files:
# the services folder under /etc/firewalld holds local definitions, /usr/lib/firewalld/services the ones
# shipped with firewalld. See the firewalld.service(5) documentation for the file format.
firewall-cmd --zone=work --add-service=smtp        # open the smtp service in zone work
firewall-cmd --zone=work --remove-service=smtp     # remove it again
firewall-cmd --get-zones                           # list the supported zones
firewall-cmd --set-default-zone=home               # set the default zone to home
firewall-cmd --get-active-zones                    # show the active zones
firewall-cmd --get-zone-of-interface=enp03s        # show the zone of interface enp03s
firewall-cmd --zone=public --list-all              # show everything configured in zone public
# Temporarily move interface enp03s to zone internal
firewall-cmd --zone=internal --change-interface=enp03s
# Permanently move interface enp03s to zone internal
firewall-cmd --permanent --zone=internal --change-interface=enp03s
# On a NetworkManager-managed host the zone binding lives in the connection profile (connection.zone),
# so set it with nmcli there and verify with --get-zone-of-interface.

Service management
# List the known services. The most common ones, such as Amanda, FTP, Samba and TFTP, ship with firewalld:
firewall-cmd --get-services
firewall-cmd --add-service=ssh                  # allow the ssh service (in the default zone)
firewall-cmd --remove-service=ssh               # disallow the ssh service
# (--new-service=NAME creates a new service definition; it does not open anything, see custom service management below)
firewall-cmd --add-port=8080/tcp                # open TCP port 8080
firewall-cmd --add-service=samba --timeout=600  # allow samba for 600 seconds, then remove it automatically (runtime only; --timeout cannot be combined with --permanent)
firewall-cmd --list-services                    # show the services currently allowed
# Add the http service to zone internal permanently, then reload; existing connections are not affected
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload

Port management
firewall-cmd --add-port=443/tcp                   # open 443/tcp in the runtime configuration
firewall-cmd --permanent --add-port=3690/tcp      # open 3690/tcp in the permanent configuration
# A --permanent change does not touch the running firewall until you --reload. A change made without
# --permanent is live immediately but exists only in the runtime configuration, so the next --reload
# (or a restart) discards it. This holds for services and every other rule type, not only ports. Either
# run the command twice, with and without --permanent, or make the runtime change and then --runtime-to-permanent.
firewall-cmd --reload
firewall-cmd --list-ports                         # check the open ports; --list-all shows them as well

Direct mode
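The runtime-versus-permanent trap above is easy to automate away. The following shell script is an added example, not code from the original article: it validates a port/protocol spec the way firewalld spells it and then applies the change to both configurations in one call. The FIREWALL_CMD variable is an assumption made for this example (firewall-cmd has no such hook): leave it unset on a real host, or set it to "echo firewall-cmd" to dry-run and only print the commands.

```shell
#!/bin/sh
# Added example (not from the original article): open or close a port in both
# the runtime and the permanent configuration in one step, after validating the
# spec, so the rule is live now and still there after --reload or a reboot.
# FIREWALL_CMD is an assumed hook for this example: leave it unset on a real
# host; set it to "echo firewall-cmd" to dry-run and just print the commands.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_valid_port_spec "<port>[-<port>]/<tcp|udp|sctp|dccp>" -> 0 if well-formed
fw_valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    ports="${spec%/*}"            # "80" or "8000-8100"
    lo="${ports%-*}"              # low end (the whole value when there is no range)
    hi="${ports#*-}"              # high end (the whole value when there is no range)
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] || return 1
    [ "$hi" -ge 1 ] && [ "$hi" -le 65535 ] || return 1
    [ "$lo" -le "$hi" ]
}

# fw_add_port ZONE PORT/PROTO: runtime change first (live now), then the same
# change with --permanent (kept across --reload and reboot). Without the second
# call the next --reload silently closes the port again.
fw_add_port() {
    zone="$1"; spec="$2"
    fw_valid_port_spec "$spec" || { echo "fw_add_port: bad port spec '$spec'" >&2; return 2; }
    $FIREWALL_CMD --zone="$zone" --add-port="$spec" || return
    $FIREWALL_CMD --permanent --zone="$zone" --add-port="$spec"
}

# fw_remove_port ZONE PORT/PROTO: the mirror image, again in both configurations
fw_remove_port() {
    zone="$1"; spec="$2"
    fw_valid_port_spec "$spec" || { echo "fw_remove_port: bad port spec '$spec'" >&2; return 2; }
    $FIREWALL_CMD --zone="$zone" --remove-port="$spec" || return
    $FIREWALL_CMD --permanent --zone="$zone" --remove-port="$spec"
}
```

Usage on a host: source the file and run "fw_add_port public 443/tcp". Running the runtime command first means a typo never reaches the permanent configuration, and because the runtime change is already live, no --reload is needed afterwards.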
# FirewallD has a direct interface for passing raw iptables-style rules that the zone model cannot express,
# for example opening TCP port 9000 with an explicit INPUT rule at priority 0:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
# That rule is live immediately but runtime-only; to keep it, add it with --permanent and reload:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
firewall-cmd --reload
# Direct rules bypass the zones entirely, so nothing in --list-all shows them (use --direct --get-all-rules).
# firewalld 1.0 deprecates the direct interface in favour of policies; prefer zones and policies where they suffice.

Custom service management
Options (an option marked [P only] can be used only together with --permanent):

--new-service=<name>                                          create a new custom service [P only]
--new-service-from-file=<file> [--name=<name>]                create a new custom service from a file [P only]
--delete-service=<name>                                       delete an existing custom service [P only]
--load-service-defaults=<name>                                reset the service to its default settings [P only]
--info-service=<name>                                         show information about the service
--path-service=<name>                                         show the path of the service's configuration file [P only]
--service=<name> --set-description=<text>                     set the description of the service [P only]
--service=<name> --get-description                            show the description of the service [P only]
--service=<name> --set-short=<text>                           set the short description of the service [P only]
--service=<name> --get-short                                  show the short description of the service [P only]
--service=<name> --add-port=<port>[-<port>]/<protocol>        add a port or port range to the service [P only]
--service=<name> --remove-port=<port>[-<port>]/<protocol>     remove a port or port range from the service [P only]
--service=<name> --query-port=<port>[-<port>]/<protocol>      return whether the port or port range is in the service [P only]
--service=<name> --get-ports                                  show all ports of the service [P only]
--service=<name> --add-protocol=<protocol>                    add a protocol to the service [P only]
--service=<name> --remove-protocol=<protocol>                 remove a protocol from the service [P only]
--service=<name> --query-protocol=<protocol>                  return whether the protocol is in the service [P only]
--service=<name> --get-protocols                              show all protocols of the service [P only]
--service=<name> --add-source-port=<port>[-<port>]/<protocol>     add a source port or port range to the service [P only]
--service=<name> --remove-source-port=<port>[-<port>]/<protocol>  remove a source port or port range from the service [P only]
--service=<name> --query-source-port=<port>[-<port>]/<protocol>   return whether the source port or port range is in the service [P only]
--service=<name> --get-source-ports                           show all source ports of the service [P only]
--service=<name> --add-module=<module>                        add a netfilter helper module to the service [P only]
--service=<name> --remove-module=<module>                     remove a module from the service [P only]
--service=<name> --query-module=<module>                      return whether the module is in the service [P only]
--service=<name> --get-modules                                show all modules of the service [P only]
--service=<name> --set-destination=<ipv>:<address>[/<mask>]   set the destination address for <ipv> (ipv4 or ipv6) in the service [P only]
--service=<name> --remove-destination=<ipv>                   disable the destination for <ipv> in the service [P only]
--service=<name> --query-destination=<ipv>:<address>[/<mask>] return whether the destination for <ipv> is set in the service [P only]
--service=<name> --get-destinations                           list the destinations of the service [P only]

Control port / service
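The option table becomes concrete when the steps are strung together. The script below is an added example, not code from the original article: it defines a custom service with the [P only] options, which is why every definition step carries --permanent, and then reloads, binds the service to a zone and reloads again. The FIREWALL_CMD variable is an assumption for this example (not a firewall-cmd feature): unset on a real host, "echo firewall-cmd" to dry-run. Service name, zone and ports in the usage are made up.

```shell
#!/bin/sh
# Added example (not from the original article): create a custom service
# definition and expose it in a zone. Definition steps are permanent-only in
# firewall-cmd, so they do nothing to the running firewall until --reload.
# FIREWALL_CMD is an assumed hook: unset on a real host, "echo firewall-cmd" to dry-run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_define_service ZONE NAME "SHORT" "DESCRIPTION" PORT/PROTO [PORT/PROTO...]
# Prints nothing on success (the dry-run hook prints the commands instead);
# returns 2 on a malformed argument before anything is written.
fw_define_service() {
    zone="$1"; name="$2"; short="$3"; desc="$4"; shift 4
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 2 ;; esac
    [ $# -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 2; }
    for spec; do
        # light check here; firewall-cmd itself rejects anything else
        case "$spec" in
            *[0-9]/tcp|*[0-9]/udp|*[0-9]/sctp|*[0-9]/dccp) ;;
            *) echo "bad port spec: '$spec' (want <port>[-<port>]/<proto>)" >&2; return 2 ;;
        esac
    done
    # 1. definition: every step is [P only], nothing is live yet
    $FIREWALL_CMD --permanent --new-service="$name" || return
    $FIREWALL_CMD --permanent --service="$name" --set-short="$short" || return
    $FIREWALL_CMD --permanent --service="$name" --set-description="$desc" || return
    for spec; do
        $FIREWALL_CMD --permanent --service="$name" --add-port="$spec" || return
    done
    # 2. reload so the running daemon learns the service exists
    $FIREWALL_CMD --reload || return
    # 3. bind it to the zone permanently and reload once more to make that live
    $FIREWALL_CMD --permanent --zone="$zone" --add-service="$name" || return
    $FIREWALL_CMD --reload
}

# Example usage (dry-run; names and ports are made up for this example):
#   FIREWALL_CMD="echo firewall-cmd" fw_define_service internal app-api "App API" "Internal API" 8443/tcp 9000-9010/udp
```

The first --reload is the step people forget: until it runs, "--add-service=app-api" fails with an invalid-service error because the daemon has not read the new definition. The same result can be had by dropping an equivalent XML file into the services folder under /etc/firewalld and reloading; firewall-cmd --permanent --path-service=NAME shows where the command sequence above wrote it.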
A port can be opened in two ways: by port number or by service name. Although opening the http service opens port 80, firewalld records a rule in the form it was added, so an entry opened by service name must be closed by service name and an entry opened by port number must be closed by port number; "--remove-port=80/tcp" leaves an "http" service entry untouched. Also, when you specify a port, always give the protocol as well, tcp or udp. Once you know this you no longer have to switch the firewall off whenever something is blocked; you can make the firewall genuinely effective.

firewall-cmd --add-service=mysql      # open the mysql service (port 3306/tcp) in the default zone
firewall-cmd --remove-service=http    # close the http service
firewall-cmd --list-services          # show the open services
firewall-cmd --add-port=3306/tcp      # open access to port 3306 over tcp
firewall-cmd --remove-port=3306/tcp   # close access to port 3306 over tcp
firewall-cmd --add-port=233/udp       # open access to port 233 over udp
firewall-cmd --list-ports             # show the open ports

Masquerading (source NAT)
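Because an entry can only be closed in the form it was opened, it pays to look at --list-all before choosing --remove-service or --remove-port. The following script is an added example, not code from the original article: it parses the zone listing and prints the matching removal command, or refuses when the entry is not open under that form. SAMPLE_LIST_ALL is constructed to resemble "firewall-cmd --zone=public --list-all" output and was not captured from a real host; on a real host feed the function the live output instead.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether an entry is
# open in a zone as a service or as a port and print the matching --remove-*
# command. firewalld closes an entry only in the form it was opened, so
# "--remove-port=80/tcp" leaves an "http" service entry untouched.
# SAMPLE_LIST_ALL is constructed to look like "firewall-cmd --zone=public
# --list-all" output; it was not captured from a real host.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp 3306/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# fw_zone_name LISTING -> the zone name on the first line ("public (active)" -> public)
fw_zone_name() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# fw_list_field LISTING FIELD -> the values of the "  FIELD: ..." line, space separated
fw_list_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# fw_remove_cmd LISTING ENTRY -> prints the command that closes ENTRY (a service
# name or a port/proto spec); returns 1 when ENTRY is not open under that form
fw_remove_cmd() {
    listing="$1"; entry="$2"
    zone=$(fw_zone_name "$listing")
    for s in $(fw_list_field "$listing" services); do
        if [ "$s" = "$entry" ]; then
            printf 'firewall-cmd --zone=%s --remove-service=%s\n' "$zone" "$entry"
            return 0
        fi
    done
    for p in $(fw_list_field "$listing" ports); do
        if [ "$p" = "$entry" ]; then
            printf 'firewall-cmd --zone=%s --remove-port=%s\n' "$zone" "$entry"
            return 0
        fi
    done
    case "$entry" in
        */*) echo "$entry is not open by port number in zone $zone; if a service covers it," \
                  "close that service instead (firewall-cmd --info-service=NAME lists its ports)" >&2 ;;
        *)   echo "service $entry is not open in zone $zone" >&2 ;;
    esac
    return 1
}

# Example usage on a real host:
#   fw_remove_cmd "$(firewall-cmd --zone=public --list-all)" http
```

The printed command closes the runtime entry only; repeat it with --permanent (or follow it with --runtime-to-permanent) if the entry is also in the permanent configuration, which "firewall-cmd --permanent --zone=public --list-all" shows.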
firewall-cmd --query-masquerade    # check whether masquerading is enabled
firewall-cmd --add-masquerade      # enable masquerading: forwarded traffic leaves with this host's address as source
firewall-cmd --remove-masquerade   # disable masquerading

Port forwarding
Port forwarding redirects traffic that arrives on a given port to a given port on a given address. If no address (toaddr) is given, the destination is the local machine; if an address is given but no port (toport), the original port is kept. If forwarding does not work after it has been configured, check two things:
First, taking a forward of port 80 to port 8080 as the example, check that something is actually listening on the target port 8080 (on this host, or on the target host when toaddr is set), for instance with ss -ltn. Forwarding only rewrites the destination; it cannot stand in for a service that is not there.
Second, when forwarding to another address, check that masquerading is enabled in the zone: firewalld requires it for forwarding to another host (a purely local toport forward does not need it). Enable it if it is not.
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                      # forward port 80 to local port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1               # forward port 80 to port 80 on 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080   # forward port 80 to port 8080 on 192.168.0.1
When you want to hide a service's real port, block that port on the firewall, open an unusual port instead, and forward traffic from the unusual port to the real one. This hides the port but is not access control; if the service must not be reachable by everyone, restrict the sources as well (a rich rule with a source address does that).
Port forwarding can also distribute traffic: one firewall host fronts several machines running different services and forwards different ports to different machines.
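The forward-port spec has several optional parts, and the masquerade requirement depends on which of them are present. The script below is an added example, not code from the original article: it assembles the --add-forward-port argument from its parts, refuses the combinations firewalld rejects, prints --add-masquerade first when the target is another host, and, for a local forward, performs the article's first troubleshooting check by looking at ss output. The zone and addresses in the usage are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original article): assemble a --add-forward-port
# argument from its parts, reject the combinations firewalld would refuse, and
# emit --add-masquerade first whenever the traffic is sent to another host,
# since firewalld needs masquerading for that case but not for a local toport.

# fw_forward_spec PORT PROTO TOPORT TOADDR -> "port=..:proto=..[:toport=..][:toaddr=..]"
# Pass "" for an unused TOPORT or TOADDR; at least one of the two is required.
fw_forward_spec() {
    port="$1"; proto="$2"; toport="$3"; toaddr="$4"
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad proto '$proto'" >&2; return 2 ;; esac
    case "$port" in ''|*[!0-9-]*) echo "bad port '$port'" >&2; return 2 ;; esac
    case "$toport" in *[!0-9-]*) echo "bad toport '$toport'" >&2; return 2 ;; esac
    [ -n "$toport" ] || [ -n "$toaddr" ] || { echo "need toport and/or toaddr" >&2; return 2; }
    spec="port=$port:proto=$proto"
    [ -n "$toport" ] && spec="$spec:toport=$toport"
    [ -n "$toaddr" ] && spec="$spec:toaddr=$toaddr"
    printf '%s\n' "$spec"
}

# fw_warn_if_not_listening PROTO TOPORT: the article's first troubleshooting
# check, as a warning only. Skipped for port ranges and where ss is unavailable.
fw_warn_if_not_listening() {
    case "$2" in *[!0-9]*) return 0 ;; esac
    command -v ss >/dev/null 2>&1 || return 0
    flag=t
    [ "$1" = udp ] && flag=u
    # column 4 of "ss -ln" is the local address:port of each listening socket
    ss -ln"$flag" 2>/dev/null | awk '{ print $4 }' | grep -q ":$2\$" && return 0
    echo "warning: nothing is listening locally on $2/$1; traffic forwarded there will be dropped" >&2
}

# fw_forward_cmds ZONE PORT PROTO TOPORT TOADDR -> the runtime commands to run, in order
fw_forward_cmds() {
    zone="$1"; shift
    spec=$(fw_forward_spec "$@") || return
    if [ -n "$4" ]; then
        # forwarding to another host: its replies must come back through this box
        printf 'firewall-cmd --zone=%s --add-masquerade\n' "$zone"
    else
        fw_warn_if_not_listening "$2" "$3"
    fi
    printf 'firewall-cmd --zone=%s --add-forward-port=%s\n' "$zone" "$spec"
}

# Example usage (made-up zone and address):
#   fw_forward_cmds public 80 tcp 8080 192.168.0.1
```

The commands it prints are runtime-only; repeat them with --permanent, or run --runtime-to-permanent once the forward is confirmed working, so that the next --reload does not drop it.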
That is all for "How to use the Linux firewall-cmd command". Thank you for reading.
© 2024 shulou.com SLNews company. All rights reserved.