2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how CentOS 7 uses firewall-cmd to open and close the firewall and ports. Many people run into this in practice, so the sections below walk through the commands for each situation.
I. CentOS 7 strengthens the firewall: it no longer uses the original iptables and enables firewalld instead
1. Basic use of firewalld
Start: systemctl start firewalld
Check status: systemctl status firewalld
Stop: systemctl stop firewalld
Disable: systemctl disable firewalld
Enable a service at boot time: systemctl enable firewalld.service
Disable a service at boot time: systemctl disable firewalld.service
Check whether the service is enabled at boot: systemctl is-enabled firewalld.service
View the list of enabled services: systemctl list-unit-files | grep enabled
View the list of services that failed to start: systemctl --failed
2. Configure firewall-cmd
View version: firewall-cmd --version
View help: firewall-cmd --help
Display status: firewall-cmd --state
View all open ports: firewall-cmd --zone=public --list-ports
Update firewall rules: firewall-cmd --reload
View zone information: firewall-cmd --get-active-zones
View the zone to which the specified interface belongs: firewall-cmd --get-zone-of-interface=eth0
Reject all packets: firewall-cmd --panic-on
Cancel the reject state: firewall-cmd --panic-off
Check whether packets are being rejected: firewall-cmd --query-panic
3. So how do you open a port?
Add
firewall-cmd --zone=public --add-port=80/tcp --permanent # --zone: scope; --add-port: port/protocol; --permanent: takes effect permanently
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload # reload, update firewall rules
firewall-cmd --zone=public --query-port=80/tcp # view
firewall-cmd --zone=public --remove-port=80/tcp --permanent # delete
firewall-cmd --list-services
firewall-cmd --get-services
firewall-cmd --add-service=
firewall-cmd --remove-service=
The /etc/firewalld/zones/public.xml file is modified each time a port or service is changed with --permanent, so you can also edit the file directly and then reload.
The command is in fact modifying this file, and the change must be reloaded to take effect.
firewall-cmd --zone=public --query-port=80/tcp
firewall-cmd --zone=public --query-port=8080/tcp
firewall-cmd --zone=public --query-port=3306/tcp
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --zone=public --query-port=3306/tcp
firewall-cmd --zone=public --query-port=8080/tcp
firewall-cmd --reload # will not take effect until it is reloaded
firewall-cmd --zone=public --query-port=3306/tcp
firewall-cmd --zone=public --query-port=8080/tcp
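Added example (not part of the original article): a port added with --permanent is saved but not active until --reload, and a port added without it is active but not saved. The sh functions below compare the two port lists for a zone and report both cases; port_drift, check_zone and the sample lists are names and values constructed for this example.

```shell
#!/bin/sh
# Added example: compare firewalld's runtime and permanent port lists.
# Both lists are space-separated, as printed by `firewall-cmd --list-ports`.

# port_drift RUNTIME_LIST PERMANENT_LIST
# Prints one line per port that exists in only one of the two configurations.
port_drift() {
    pd_runtime=" $1 "
    pd_permanent=" $2 "
    for pd_p in $2; do
        case "$pd_runtime" in
            *" $pd_p "*) ;;
            *) echo "pending-reload $pd_p" ;;  # saved with --permanent, not active yet
        esac
    done
    for pd_p in $1; do
        case "$pd_permanent" in
            *" $pd_p "*) ;;
            *) echo "runtime-only $pd_p" ;;    # active now, lost on reload or reboot
        esac
    done
}

# check_zone ZONE: run the comparison against the live firewall.
check_zone() {
    cz_zone="${1:-public}"
    port_drift "$(firewall-cmd --zone="$cz_zone" --list-ports)" \
               "$(firewall-cmd --permanent --zone="$cz_zone" --list-ports)"
}

# Constructed sample: 8080/tcp and 3306/tcp were added with --permanent
# and the firewall has not been reloaded yet.
SAMPLE_RUNTIME="80/tcp"
SAMPLE_PERMANENT="80/tcp 8080/tcp 3306/tcp"

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    check_zone public
else
    port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

A "runtime-only" line is worth reviewing as well: it is a port that is reachable now but was never written to the zone file, so it will not show up in a review of public.xml.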
4. Parameter interpretation
--add-service # add a service
--zone # scope
--add-port=80/tcp # add a port, format: port/protocol
--permanent # takes effect permanently; without this parameter, the rule is lost after a restart
5. Detailed use
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept' # allow a source address to access a service
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept' # delete the configuration
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.1/2 port port=80 protocol=tcp accept' # allow a source address to access a port (as written, /2 matches 192.0.0.0 through 255.255.255.255; use /32 for a single host)
firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=192.168.0.1/2 port port=80 protocol=tcp accept' # delete the configuration
firewall-cmd --query-masquerade # check whether IP masquerading is allowed
firewall-cmd --add-masquerade # allow the firewall to masquerade IP
firewall-cmd --remove-masquerade # forbid the firewall from masquerading IP
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 # forward traffic from port 80 to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 # forward traffic from port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # forward traffic from port 80 to port 8080 of 192.168.0.1
II. Versions below CentOS 7
1. Open ports 80, 22 and 8080
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
2. Save
/etc/rc.d/init.d/iptables save
3. View open ports
/ etc/init.d/iptables status
4. Turn off the firewall
1) Takes effect permanently and is not restored after a restart
Enable: chkconfig iptables on
Turn off: chkconfig iptables off
2) Takes effect immediately and reverts after a restart
Enable: service iptables start
Turn off: service iptables stop
This concludes the introduction to "how to use firewall-cmd to open and close firewalls and ports in CentOS 7".