2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In this article the editor shares how to configure and use the firewall in RHEL 7. Most people do not know much about it, so it is shared here for your reference; I hope you gain a lot from reading it. Let's learn about it together.
RHEL 7 uses firewalld in place of the original iptables service, and the commands for operating it are somewhat different:
View firewall status: systemctl status firewalld
Start the firewall: systemctl start firewalld
Stop the firewall: systemctl stop firewalld
Everything in firewalld is associated with one or more zones; each zone is described below:
Zone        Description
drop        (immutable) Deny all incoming connections; outgoing ones are accepted.
block       (immutable) Deny all incoming connections, with ICMP host-prohibited messages issued.
trusted     (immutable) Allow all network connections.
public      For public areas; do not trust other computers.
external    For computers with masquerading enabled, protecting a local network.
dmz         For publicly accessible computers with restricted access to the internal network.
work        For trusted work areas.
home        For trusted home network connections.
internal    For internal networks; restrict incoming connections.
drop
Any incoming network packet is discarded with no reply. Only outgoing network connections are possible.
block
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public
For use in public areas. You cannot trust that the other computers on the network will not harm your computer; only selected incoming connections are accepted.
external
For use on external networks, in particular with masquerading enabled on a router. You cannot trust that the other computers on the network will not harm your computer; only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly accessible but have limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You can mostly trust that the other computers on the network will not harm your computer. Only selected incoming connections are accepted.
home
For home networks. You can mostly trust that the other computers on the network will not harm your computer. Only selected incoming connections are accepted.
internal
For internal networks. You can mostly trust that the other computers on the network will not threaten your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
Some commonly used firewall-cmd commands:
-- show the firewall state
[root@localhost zones]# firewall-cmd --state
running
-- list the zones that currently exist
[root@localhost zones]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
-- get the currently active zones
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: ens32 veth4103622
-- get the default zone
[root@localhost zones]# firewall-cmd --get-default-zone
public
-- list the services currently supported
[root@localhost zones]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
-- list the services that will be available after the next reload
[root@localhost zones]# firewall-cmd --get-services --permanent
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
-- list the ports opened in zone public
[root@localhost zones]# firewall-cmd --zone=public --list-ports
-- list the current settings of zone public
[root@localhost zones]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
-- open the http service in zone public
[root@localhost zones]# firewall-cmd --zone=public --add-service=http
success
[root@localhost zones]# firewall-cmd --permanent --zone=internal --add-service=http
success
-- reload the configuration
[root@localhost zones]# firewall-cmd --reload
success
-- open port 443/tcp in zone internal
[root@localhost zones]# firewall-cmd --zone=internal --add-port=443/tcp
success
-- list all services of zone internal
[root@localhost zones]# firewall-cmd --zone=internal --list-services
dhcpv6-client ipp-client mdns samba-client ssh
Setting up a blacklist / whitelist
-- add the 172.28.129.0/24 segment to zone trusted
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --add-source=172.28.129.0/24
success
-- whitelist (sources) of zone trusted
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --list-sources
172.28.129.0/24
-- active zones
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: eno16777736
-- after adding the source to zone trusted, reload and then check --get-active-zones again
[root@localhost zones]# firewall-cmd --reload
success
[root@localhost zones]# firewall-cmd --get-active-zones
public
  interfaces: ens32 veth4103622
trusted
  sources: 172.28.129.0/24
-- list all rules of zone drop
[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
-- add 172.28.13.0/24 to zone drop
[root@localhost zones]# firewall-cmd --permanent --zone=drop --add-source=172.28.13.0/24
success
-- a reload is needed after adding
[root@localhost zones]# firewall-cmd --reload
success
[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
  interfaces:
  sources: 172.28.13.0/24
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@localhost zones]# firewall-cmd --reload
success
-- remove 172.28.13.0/24 from zone drop
[root@localhost zones]# firewall-cmd --permanent --zone=drop --remove-source=172.28.13.0/24
success
-- view the rules of all zones
[root@localhost]# firewall-cmd --list-all-zones
Finally, a few more points:
1. In many cases we need to open a port or allow access from a certain IP. First check which zone is the current default zone, then add the port or source to that zone; only then does the change take effect for external traffic.
For example, if my default zone is public and I need to open port 80 for external access, I execute the following commands:
[root@localhost zones]# firewall-cmd --zone=public --permanent --add-port=80/tcp
success
[root@localhost zones]# firewall-cmd --reload
success
2. Adding --permanent to a command makes the change permanent, i.e. it survives a restart of the firewall service. Otherwise the change is only valid until the service is restarted.
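The procedure in points 1 and 2, as an added example script that is not part of the original article: it looks up the default zone, adds a port both permanently and at runtime, and then verifies both views with --query-port. Because firewall-cmd cannot be run here, the block includes a small simulator (an assumption for demonstration only, not firewalld code) that models just the runtime/permanent split the article describes: --permanent changes and plain changes go to separate lists, and --reload makes the runtime list a copy of the permanent one. The function name open_port and the variable FIREWALL_CMD are this example's own; set FIREWALL_CMD=firewall-cmd to run the same function against a real RHEL 7 host.

```shell
#!/bin/sh
# Added example (not from the original article): open a port in the
# default zone both permanently and at runtime, then verify it.
#
# FIREWALL_CMD defaults to the simulator below so the script runs
# offline; set FIREWALL_CMD=firewall-cmd to drive a real RHEL 7 host.
FIREWALL_CMD="${FIREWALL_CMD:-sim_firewall_cmd}"

# --- simulator (an assumption for demonstration only) ------------------
# Models the article's point 2: --permanent changes go to one list, plain
# changes to the runtime list, and --reload replaces the runtime list with
# the permanent one, discarding runtime-only rules.
SIM_DEFAULT_ZONE="public"
SIM_RUNTIME_PORTS=""
SIM_PERMANENT_PORTS=""

sim_firewall_cmd() {
  sim_perm=0; sim_zone=""; sim_add=""; sim_query=""
  for sim_arg in "$@"; do
    case "$sim_arg" in
      --permanent)        sim_perm=1 ;;
      --zone=*)           sim_zone="${sim_arg#--zone=}" ;;
      --add-port=*)       sim_add="${sim_arg#--add-port=}" ;;
      --query-port=*)     sim_query="${sim_arg#--query-port=}" ;;
      --get-default-zone) echo "$SIM_DEFAULT_ZONE"; return 0 ;;
      --reload)           SIM_RUNTIME_PORTS="$SIM_PERMANENT_PORTS"; echo success; return 0 ;;
      *)                  echo "simulator: unsupported option $sim_arg" >&2; return 2 ;;
    esac
  done
  if [ -n "$sim_add" ]; then
    if [ "$sim_perm" -eq 1 ]; then
      SIM_PERMANENT_PORTS="$SIM_PERMANENT_PORTS $sim_zone:$sim_add"
    else
      SIM_RUNTIME_PORTS="$SIM_RUNTIME_PORTS $sim_zone:$sim_add"
    fi
    echo success; return 0
  fi
  if [ -n "$sim_query" ]; then
    if [ "$sim_perm" -eq 1 ]; then
      sim_set="$SIM_PERMANENT_PORTS"
    else
      sim_set="$SIM_RUNTIME_PORTS"
    fi
    # Like firewall-cmd: print yes/no and exit 0/1.
    case " $sim_set " in
      *" $sim_zone:$sim_query "*) echo yes; return 0 ;;
      *)                          echo no;  return 1 ;;
    esac
  fi
  echo "simulator: nothing to do" >&2; return 2
}

# --- the actual procedure ----------------------------------------------
# open_port PORT [ZONE]: PORT is e.g. 80/tcp; ZONE defaults to the default
# zone, as point 1 recommends. The permanent add survives a restart of
# firewalld; the plain add takes effect now without a --reload.
# Returns 0 only when both the runtime and permanent views show the port.
open_port() {
  op_port="$1"
  op_zone="${2:-$("$FIREWALL_CMD" --get-default-zone)}"
  "$FIREWALL_CMD" --permanent --zone="$op_zone" --add-port="$op_port" >/dev/null
  "$FIREWALL_CMD" --zone="$op_zone" --add-port="$op_port" >/dev/null
  "$FIREWALL_CMD" --zone="$op_zone" --query-port="$op_port" >/dev/null &&
    "$FIREWALL_CMD" --permanent --zone="$op_zone" --query-port="$op_port" >/dev/null
}

# Demonstration run against the simulator.
if open_port 80/tcp; then
  echo "80/tcp is open in zone $("$FIREWALL_CMD" --get-default-zone) (runtime and permanent)"
fi
```

The design point is that open_port issues the add twice, once with --permanent and once without, instead of following the permanent add with --reload: a reload also discards every runtime-only rule on the host, such as the 443/tcp that the article added to zone internal without --permanent.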
3. The results of the commands we execute are in fact written to configuration files, so we can also edit those files directly.
Take the public zone as an example: its configuration file is /etc/firewalld/zones/public.xml. After adding port 80 as above, the content of public.xml is as follows:
[root@localhost zones]# cat public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
You can learn more about the structure of the configuration file and edit it yourself, but remember to reload or restart the firewall service afterwards.
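An added example, not from the original article, of reading a zone file directly as point 3 describes. The XML embedded in the block is a constructed sample in the format firewalld writes under /etc/firewalld/zones/ (the article's public zone with the ssh and dhcpv6-client services and port 80/tcp); the helper names zone_services, zone_ports, zone_allows_service, zone_allows_port and zone_summary are this example's own. Pass a real path such as /etc/firewalld/zones/public.xml to audit a host's permanent configuration without calling firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original article): read a firewalld zone
# file such as /etc/firewalld/zones/public.xml and report what it opens,
# without calling firewall-cmd. The XML below is a constructed sample of
# the format firewalld writes, matching the article's public zone after
# port 80/tcp was added; real files live under /etc/firewalld/zones/.
SAMPLE_ZONE_XML='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port port="80" protocol="tcp"/>
</zone>'

# One line per <service name="..."/> element.
zone_services() {
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# One line per <port .../> element, as port/protocol, whatever the
# attribute order in the file.
zone_ports() {
  grep -o '<port [^>]*>' "$1" | while read -r port_elem; do
    port_num=$(printf '%s' "$port_elem" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
    port_proto=$(printf '%s' "$port_elem" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
    printf '%s/%s\n' "$port_num" "$port_proto"
  done
}

# Exit 0 when the zone file opens the given service (e.g. ssh) or
# port/protocol (e.g. 80/tcp); exit 1 otherwise.
zone_allows_service() { zone_services "$1" | grep -qx "$2"; }
zone_allows_port()    { zone_ports "$1"    | grep -qx "$2"; }

# Human-readable summary in the spirit of `firewall-cmd --list-all`.
zone_summary() {
  printf 'services: %s\n' "$(zone_services "$1" | tr '\n' ' ')"
  printf 'ports: %s\n'    "$(zone_ports "$1"    | tr '\n' ' ')"
}

# Write the constructed sample to a temporary file and audit it.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE_XML" > "$SAMPLE_FILE"
zone_summary "$SAMPLE_FILE"
if zone_allows_port "$SAMPLE_FILE" 80/tcp; then
  echo "80/tcp is opened by $SAMPLE_FILE"
fi
```

Because the zone files are the permanent configuration, a check like zone_allows_port reports what will be in force after the next reload or restart, not necessarily what is active right now; compare its result with the runtime view from firewall-cmd --list-all when the two are expected to differ.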
The above covers how to configure and use the firewall in RHEL 7. Thank you for reading! I hope this content helps you; if you want to learn more, you are welcome to follow the industry information channel.