2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces how to use FirewallD in Linux, including the situations people commonly run into when operating it in practice.
FirewallD is the firewall management tool shipped with CentOS 7. It provides dynamic firewall management and supports network/firewall zones, which define the trust level of network connections and interfaces.
Install and manage FirewallD
CentOS 7 and Fedora 20+ already include FirewallD, but it is not activated by default. It can be controlled like any other systemd unit.
1. Start the service and enable it at system boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To stop and disable:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
2. Check the firewall status. The output is either running or not running:
sudo firewall-cmd --state
3. To view the status of the FirewallD daemon:
sudo systemctl status firewalld
Example output:
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago
 Main PID: 11954 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
4. Reload the FirewallD configuration:
sudo firewall-cmd --reload
Configure FirewallD
FirewallD stores its configuration in XML files. Unless you need a very special configuration, you should not edit these files directly; use firewall-cmd instead.
The configuration files live in two directories. /usr/lib/firewalld holds the default configuration, such as the default zones and built-in services; avoid modifying these, because they are overwritten every time the firewalld package is updated. System-specific configuration belongs in /etc/firewalld; files there override the defaults.
Configuration sets
FirewallD uses two configuration sets: runtime and persistent. Changes to the runtime set are lost when the system or FirewallD restarts, and changes to the persistent set are not applied to the running system until FirewallD is reloaded.
By default, firewall-cmd operates on the runtime configuration; with the --permanent flag it writes to the persistent configuration instead. To add a persistent rule and activate it, use one of the following two methods.
Add rules to both the persistent rule set and the runtime rule set.
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http
Add the rule to the persistent rule set and reload FirewallD.
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
The reload command discards the entire runtime configuration and applies the persistent configuration. Because firewalld manages rule sets dynamically, a reload does not break existing connections and sessions.
Firewall zones
A zone is a pre-built set of rules for the various trust levels that a given location or scenario (e.g., home, public, trusted, etc.) may have. Different zones allow different network services and inbound traffic types, while denying any other traffic. When FirewallD is enabled for the first time, public will be the default zone.
Zones can also be used for different network interfaces. For example, to separate the internal network and Internet interfaces, you can allow DHCP on the internal zone, but only HTTP and SSH on the external zone. Any interfaces that are not explicitly set to a specific zone are added to the default zone.
To find the default zone:
sudo firewall-cmd --get-default-zone
To change the default zone:
sudo firewall-cmd --set-default-zone=internal
To view the zones used by your network interface:
sudo firewall-cmd --get-active-zones
Example output:
public
  interfaces: eth0
To get the full configuration of a particular zone:
sudo firewall-cmd --zone=public --list-all
Example output:
public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client http ssh
  ports: 12345/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
To get the configuration for all zones:
sudo firewall-cmd --list-all-zones
Example output:
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Working with services
FirewallD can allow the traffic that belongs to a particular network service based on predefined rules. You can also create your own custom service definitions and add them to any zone. The configuration files for the default supported services are located in /usr/lib/firewalld/services, and user-created service files go in /etc/firewalld/services.
To view the default available services:
sudo firewall-cmd --get-services
For example, to enable or disable the HTTP service:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Allow or deny arbitrary ports/protocols
For example, to allow or deny TCP traffic on port 12345:
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent
Here's how to forward traffic from port 80 to port 12345 on the same server.
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
To forward a port to another server:
1. Activate masquerading in the desired zone:
sudo firewall-cmd --zone=public --add-masquerade
2. Add the forwarding rule. This example forwards traffic arriving on port 80 to port 8080 on a remote server with IP address 123.456.78.9:
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9
To delete a rule, replace --add with --remove. For example:
sudo firewall-cmd --zone=public --remove-masquerade
Build rule sets with FirewallD
For example, here's how to configure basic rules for your server using FirewallD (if you're running a web server).
Set the default zone for eth0 to dmz. Of the default zones provided, dmz (demilitarized zone) is best suited for this purpose because it only allows SSH and ICMP.
sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0
Add HTTP and HTTPS permanent service rules to the dmz zone:
sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
Reload FirewallD for the rule to take effect immediately:
sudo firewall-cmd --reload
If you run firewall-cmd --zone=dmz --list-all, you get the following output:
dmz (default)
  interfaces: eth0
  sources:
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
This tells us that dmz is the default zone and is applied to the eth0 interface for all networks, source addresses, and ports. Incoming HTTP (port 80), HTTPS (port 443), and SSH (port 22) traffic is allowed, and since there is no IP-version restriction, this applies to both IPv4 and IPv6. IP masquerading and port forwarding are not enabled. There are no ICMP blocks, so ICMP traffic is fully allowed. There are no rich rules, and all outbound traffic is allowed.
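As an added example (not code from the original article), the following Python audit parses the --list-all output shown above, checks the dmz zone against the web-server baseline (ssh, http and https only), and also flags drift between the runtime and --permanent sets described in the configuration-sets section; the sample listings are constructed, and the baseline and the audited field names are assumptions.

```python
# Constructed sample listings (not from a real host), shaped like the page's dmz
# example: the runtime set has a port and a rich rule added without --permanent.
RUNTIME = """dmz (default, active)
  interfaces: eth0
  services: http https ssh
  ports: 12345/tcp
  masquerade: no
  forward-ports:
  rich rules:
\trule family="ipv4" source address="192.168.0.14" accept
"""
PERMANENT = """dmz (default)
  interfaces: eth0
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  rich rules:
"""
AUDITED = ("services", "ports", "forward-ports", "masquerade", "rich rules")

def parse_listing(text):
    """Parse one --list-all listing into {'zone': name, field: set(tokens)}."""
    lines = text.strip("\n").splitlines()
    cfg = {"zone": lines[0].split()[0]}
    for raw in lines[1:]:
        line = raw.strip()
        if line.startswith("rule "):  # continuation line under 'rich rules:'
            cfg.setdefault("rich rules", set()).add(line)
            continue
        key, _, value = line.partition(":")
        cfg[key] = set(value.split())
    return cfg

def audit_zone(cfg, expected_services, allow_masquerade=False):
    """List the ways a zone exposes more than the baseline permits."""
    findings = []
    extra = cfg.get("services", set()) - set(expected_services)
    if extra:
        findings.append("unexpected services: " + " ".join(sorted(extra)))
    for field in ("ports", "forward-ports", "rich rules"):
        if cfg.get(field):
            findings.append(field + " present: " + " | ".join(sorted(cfg[field])))
    if cfg.get("masquerade") != {"no"} and not allow_masquerade:
        findings.append("masquerade enabled")
    return findings

def drift(runtime, permanent):
    """Audited fields whose runtime and persistent values differ (lost on reload)."""
    return [f for f in AUDITED if runtime.get(f, set()) != permanent.get(f, set())]
```

Feed it the output of firewall-cmd --zone=dmz --list-all and of the same command with --permanent; anything reported by drift() will disappear at the next reload, and anything reported by audit_zone() is exposure beyond what the baseline intended.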
Advanced configuration
Services and ports are adequate for basic configurations but may be too restrictive for advanced scenarios. Rich rules and the direct interface let you add fully customized firewall rules to any zone for any port, protocol, address, and action.
Rich rules
The rich rule syntax is extensive and is fully documented in the firewalld.richlanguage(5) man page (man firewalld.richlanguage in a terminal). Use the firewall-cmd options --add-rich-rule, --list-rich-rules and --remove-rich-rule to manage them.
Here are some common examples:
Allow all IPv4 traffic from host 192.168.0.14:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
Deny IPv4 TCP traffic from host 192.168.1.10 to port 22:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
Allow IPv4 TCP traffic from host 10.1.0.3 to port 80 and forward it to port 6532:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
Forward IPv4 TCP traffic arriving on port 80 to port 8080 on host 172.31.4.2 (masquerading must be enabled on the zone):
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
List your current rich rules:
sudo firewall-cmd --list-rich-rules
iptables direct interface
For the most advanced uses, or for iptables experts, FirewallD provides a direct interface that lets you pass raw iptables commands to it. Direct interface rules are not persistent unless --permanent is used.
To view all custom chains or rules added to FirewallD:
firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules