How to configure firewalld rules in Linux

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this article the editor shares how to configure firewalld rules in Linux. I hope you will get something out of reading it; let's discuss it together.

Firewalls are critical for controlling network traffic to and from Linux servers. A firewall defines a set of rules that control which incoming traffic the host accepts.

What is FirewallD?

firewalld is a firewall daemon. It provides a dynamically managed firewall on top of Netfilter, the very powerful packet-filtering system provided by the Linux kernel.

FirewallD uses the concepts of zones and services, while iptables uses chains and rules. Compared with iptables, FirewallD provides a much more flexible way to manage the firewall.

Each zone can be configured to accept or deny certain services or ports according to your requirements, and it can be associated with one or more network interfaces. The default zone is the public zone.

Firewalld zones

The following command lists the zones provided by FirewallD:

[root@server1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

block: for IPv4, any incoming connection is rejected with an icmp-host-prohibited message; for IPv6 it is icmp6-adm-prohibited.
dmz: applied to computers in your DMZ, which are publicly accessible but have restricted access to the internal network. Only selected incoming connections are accepted.
drop: any incoming connection is dropped without any notification. Only outgoing connections are allowed.
external: used for external networks with NAT masquerading enabled when the system acts as a router. Only selected incoming connections are accepted.
home: used in home networks. Only selected incoming connections are accepted.
internal: used on internal networks, where other systems on the network are generally trusted. Only selected incoming connections are accepted.
public: used in public areas; only selected incoming connections are accepted.
trusted: accepts all network connections.
work: used in the work area, where most other computers on the same network are trusted. Only selected incoming connections are accepted.

Firewalld services

Firewalld service configurations are predefined services. To list the available service modules, run:

[root@server1 ~]# firewall-cmd --get-services

Temporary and permanent settings for Firewalld

Firewalld uses two separate configurations, temporary settings and permanent settings:

Temporary (runtime) settings: runtime settings do not survive a system restart, and they are not automatically saved to the permanent settings.
Permanent settings: permanent settings are stored in the configuration files; they are loaded each time the system restarts and become the new runtime settings.

Enable and disable Firewalld

Firewalld is installed by default on CentOS 7/8. Use the following commands to enable or disable firewalld:

# start the firewall
[root@server1 ~]# systemctl start firewalld
# stop the firewall
[root@server1 ~]# systemctl stop firewalld
# start at boot
[root@server1 ~]# systemctl enable firewalld
# do not start at boot
[root@server1 ~]# systemctl disable firewalld

View the status of firewalld:

[root@server1 ~]# systemctl status firewalld
or
[root@server1 ~]# firewall-cmd --state
running

Zone management

Firewalld provides a different level of security for each zone, and the public zone is the default zone. The following command shows the default zone:

[root@server1 ~]# firewall-cmd --get-default-zone
public

The following command shows the configuration of the default zone:

[root@server1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ntp ssh
  ports: 2222/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

By combining the options --zone and --change-interface, you can easily move an interface to another zone. For example, to assign the ens33 interface to the home zone, run:

[root@server1 ~]# firewall-cmd --zone=home --change-interface=ens33
success
[root@server1 ~]# firewall-cmd --zone=home --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

To view all active zones, run:

[root@server1 ~]# firewall-cmd --get-active-zones
home
  interfaces: ens33
public
  interfaces: ens160
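Because the trusted zone accepts every connection, a quick check that no interface has been bound to it is worth scripting. The following is an added example, not code from the original article: it parses text in the format of firewall-cmd --get-active-zones into interface/zone pairs and flags interfaces in the trusted zone. SAMPLE is a constructed input (the article's ens33/ens160 output plus a deliberately misbound interface); FWCMD and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit firewalld active zones (not from the original article).
# FWCMD is an assumption; it defaults to firewall-cmd and is only used when
# the script is run with the argument "live".
FWCMD="${FWCMD:-firewall-cmd}"

# Constructed sample of --get-active-zones output, including a bad binding.
SAMPLE='home
  interfaces: ens33
public
  interfaces: ens160
trusted
  interfaces: eth9'

# interface_zones : stdin = --get-active-zones output, stdout = "IFACE ZONE" per line
interface_zones() {
    awk '/^[^ ]/ { zone = $1; next }
         /^ +interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }'
}

# zone_of_interface IFACE : prints the zone a given interface is bound to (stdin as above)
zone_of_interface() {
    interface_zones | awk -v i="$1" '$1 == i { print $2 }'
}

# check_trusted : reads --get-active-zones output on stdin; warns and returns 1
# if any interface sits in the trusted zone, returns 0 otherwise
check_trusted() {
    bad="$(interface_zones | awk '$2 == "trusted" { print $1 }')"
    [ -z "$bad" ] && return 0
    printf 'WARNING: interface(s) bound to the trusted zone: %s\n' \
        "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
    return 1
}

# Live usage on a real host:  sh audit_zones.sh live
if [ "${1:-}" = "live" ]; then
    "$FWCMD" --get-active-zones | check_trusted
fi
```

Run it with the argument live to audit the running firewall; without arguments it only defines the functions, which makes it easy to feed saved output through check_trusted from a cron job or a configuration-management check.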

To change the default zone, use --set-default-zone. For example, to make home the default zone, run:

[root@server1 ~]# firewall-cmd --set-default-zone=home

To find the zone associated with the ens160 interface, run:

[root@server1 ~]# firewall-cmd --get-zone-of-interface=ens160
public

To create a new zone, use --new-zone. For example, to create a new zone named test permanently, run:

[root@server1 ~]# firewall-cmd --permanent --new-zone=test
success
[root@server1 ~]# firewall-cmd --reload
success

Open and close ports

Opening a port allows users outside the system to reach it, which represents a security risk. Therefore, open the ports a service requires only when necessary.

To list the open ports in the current zone, run:

[root@server1 ~]# firewall-cmd --list-ports
2222/tcp

The following example permanently adds a port to the list:

[root@server1 ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@server1 ~]# firewall-cmd --reload
success

Similarly, to remove a port, run:

[root@server1 ~]# firewall-cmd --remove-port=8080/tcp
success

After each addition or removal, confirm the result with:

[root@server1 ~]# firewall-cmd --list-ports

To open a port in a specific zone, for example port 80 in the home zone:

[root@server1 ~]# firewall-cmd --permanent --zone=home --add-port=80/tcp
success
[root@server1 ~]# firewall-cmd --reload
success

Similarly, to remove a port from the open ports of a specific zone, run:

[root@server1 ~]# firewall-cmd --zone=home --remove-port=80/tcp
success

Add and remove service types

A Firewalld service configuration is a predefined service that is loaded automatically when the service is enabled. Using predefined services makes it easier to enable and disable access to a service.

The predefined service definitions are located in the /usr/lib/firewalld/services directory.

With a Firewalld service you do not need to remember any port numbers; all of the service's ports are opened at once.

For example, to allow the samba service you would otherwise have to open the following set of ports: 139/tcp and 445/tcp, plus 137/udp and 138/udp.

After adding the samba service, all of these ports are opened at the same time, because the port information is contained in the samba service definition. The predefined samba service definition in Firewalld can be viewed with:

[root@server1 ~]# cat /usr/lib/firewalld/services/samba.xml

The following adds the samba service to the home zone:

[root@server1 ~]# firewall-cmd --permanent --zone=home --add-service=samba
success
[root@server1 ~]# firewall-cmd --reload
success

To get more information about the samba service, run:

[root@server1 ~]# firewall-cmd --info-service=samba
samba
  ports: 137/udp 138/udp 139/tcp 445/tcp
  protocols:
  source-ports:
  modules: netbios-ns
  destination:
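The port list printed by --info-service comes straight from the port elements of the service's XML definition. The following is an added example, not code from the original article: a small script that extracts that port list from a service definition, so a custom definition can be inspected before it is placed under /etc/firewalld/services and enabled. SERVICE_DIR follows the article's path; SAMPLE_XML is a constructed sample modelled on the samba service's four ports, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read the port list out of a firewalld service definition
# (not from the original article). SERVICE_DIR is an assumption matching the
# directory named in the article.
SERVICE_DIR="${SERVICE_DIR:-/usr/lib/firewalld/services}"

# Constructed sample definition in the firewalld service XML format.
SAMPLE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba (constructed sample)</short>
  <description>Windows file and printer sharing.</description>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>'

# ports_from_xml : service XML on stdin -> "PORT/PROTO PORT/PROTO ..." on one line.
# Attribute order does not matter and port ranges such as 6000-6010 are kept.
ports_from_xml() {
    awk '/<port / {
            p = ""; pr = ""
            if (match($0, /port="[0-9-]+"/))    p  = substr($0, RSTART + 6,  RLENGTH - 7)
            if (match($0, /protocol="[a-z]+"/)) pr = substr($0, RSTART + 10, RLENGTH - 11)
            if (p != "" && pr != "") out = out (out == "" ? "" : " ") p "/" pr
         }
         END { print out }'
}

# service_ports NAME : ports of an installed definition, e.g. service_ports samba
service_ports() {
    [ -r "$SERVICE_DIR/$1.xml" ] || { echo "no definition for service '$1'" >&2; return 1; }
    ports_from_xml < "$SERVICE_DIR/$1.xml"
}

# sample_ports : ports of the embedded sample (what service_ports samba would print)
sample_ports() {
    printf '%s\n' "$SAMPLE_XML" | ports_from_xml
}

# service_has_port NAME PORT/PROTO : 0 if the installed definition opens that port
service_has_port() {
    for p in $(service_ports "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}
```

service_has_port is the check to run before enabling a third-party definition: it tells you whether the file really opens only the port you expect, rather than trusting the file name.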

To add more than one service at a time, list them in braces. For example, to add the http and https services, run:

[root@server1 ~]# firewall-cmd --permanent --zone=home --add-service={http,https}
success
[root@server1 ~]# firewall-cmd --reload
success

Setting up port forwarding

Port forwarding redirects incoming traffic from one port to another port on the same machine, or to a port on another machine.

Note: IP masquerading must be enabled for port forwarding. Use the command below to enable masquerading in the external zone:

[root@server1 ~]# firewall-cmd --permanent --zone=external --add-masquerade

To check whether IP masquerading is enabled for the zone, run:

[root@server1 ~]# firewall-cmd --zone=external --query-masquerade
yes

The output yes indicates that masquerading is enabled.

To redirect a port to another port on the same system, for example to redirect all packets arriving on port 80 to port 8080:

[root@server1 ~]# firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
success

To forward traffic to another server, for example to redirect all packets on port 80 to port 8080 on the server with IP 10.0.0.75:

[root@server1 ~]# firewall-cmd --permanent --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.0.0.75
success
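The port commands above and the forward-port commands here all follow the same pattern: change the permanent configuration, then --reload. A --reload also throws away every runtime-only change, and a --remove-port issued without --permanent (as in the earlier removal example) only touches the runtime configuration, so the port comes back at the next reload. The following is an added example, not code from the original article: a wrapper that validates the port specification and applies each change to both the permanent and the runtime configuration, so no reload is needed. FWCMD, validate_port, apply_both, fw_port and fw_forward are this example's own names; FWCMD defaults to firewall-cmd and can be set to echo for a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: apply port / forward-port changes to both permanent and runtime
# firewalld configuration (not from the original article). FWCMD is an assumption.
FWCMD="${FWCMD:-firewall-cmd}"

# validate_port PORT/PROTO -> 0 if PORT is 1-65535 and PROTO is tcp or udp
validate_port() {
    port="${1%/*}"
    proto="${1#*/}"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# apply_both ZONE OPTION : run the change with --permanent, then again without it
apply_both() {
    "$FWCMD" --permanent --zone="$1" "$2" || return 1
    "$FWCMD" --zone="$1" "$2"
}

# fw_port add|remove ZONE PORT/PROTO : open or close a port in a zone
fw_port() {
    case "$1" in add|remove) ;; *) echo "fw_port: action must be add or remove" >&2; return 2 ;; esac
    validate_port "$3" || { echo "fw_port: bad port spec '$3'" >&2; return 2; }
    apply_both "$2" "--$1-port=$3"
}

# fw_forward ZONE PORT/PROTO TOPORT [TOADDR] : forward a port locally or to another host.
# Masquerading must already be enabled in the zone (the article shows
# --add-masquerade); this helper does not switch it on for you.
fw_forward() {
    validate_port "$2" || { echo "fw_forward: bad port spec '$2'" >&2; return 2; }
    validate_port "$3/${2#*/}" || { echo "fw_forward: bad target port '$3'" >&2; return 2; }
    spec="port=${2%/*}:proto=${2#*/}:toport=$3"
    [ -z "${4:-}" ] || spec="$spec:toaddr=$4"
    apply_both "$1" "--add-forward-port=$spec"
}

# Usage when run directly, e.g.:
#   sh fw.sh port add home 8080/tcp
#   sh fw.sh forward external 80/tcp 8080 10.0.0.75
case "${1:-}" in
    port)    fw_port "$2" "$3" "$4" ;;
    forward) fw_forward "$2" "$3" "$4" "${5:-}" ;;
esac
```

Running with FWCMD=echo prints the two firewall-cmd invocations each helper would issue, which is a convenient way to review a change before applying it on the host.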

To allow traffic from a specific source address, and so accept connections to the server only from a specific subnet, add that subnet as a source of the zone. For example:

[root@server1 ~]# firewall-cmd --permanent --zone=home --add-source=192.168.1.0/24
success

Rich rule settings

Rich rules let you create more complex firewall rules with a readable syntax, although the syntax is hard to remember. See the manual page man firewalld.richlanguage for examples.

The general structure of a rich rule is as follows:

rule [source] [destination] service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port [log] [audit] [accept|reject|drop|mark]

To allow all access from the 192.168.0.0/24 network, run:

[root@server1 ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
success

To allow connections from 192.168.0.0/24 to the ssh service, and log them with the prefix ssh, run:

[root@server1 ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" accept'
success

To deny traffic from 192.168.10.0/24 to the ssh service (port 22/tcp), run:

[root@server1 ~]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port port="22" protocol="tcp" reject'
success
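Rich rules are free-form strings, so a mistyped address or action is only caught (if at all) when firewall-cmd parses it. The following is an added example, not code from the original article: a helper that assembles the three rule shapes shown above (plain accept, service with logging, port reject) from validated pieces and produces exactly the strings firewall-cmd --list-rich-rules prints back. valid_cidr4, rich_rule, apply_rich_rule and FWCMD are this example's own names; FWCMD defaults to firewall-cmd and can be set to echo for a dry run.

```shell
#!/bin/sh
# Added example: build validated firewalld rich rules (not from the original
# article). FWCMD is an assumption; it defaults to firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# valid_cidr4 A.B.C.D[/N] : 0 if four octets 0-255 and an optional prefix 0-32
valid_cidr4() {
    case "$1" in
        */*) addr="${1%/*}"; prefix="${1#*/}" ;;
        *)   addr="$1";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -f; set -- $addr; set +f      # split on dots, no globbing
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rich_rule SOURCE ACTION [MATCH] [LOGPREFIX]
#   ACTION : accept | reject | drop
#   MATCH  : service=NAME | port=PORT/PROTO | omitted (whole source)
#   LOGPREFIX, if given, adds log prefix="..." level="info"
rich_rule() {
    src="$1"; action="$2"; match="${3:-}"; logprefix="${4:-}"
    valid_cidr4 "$src" || { echo "rich_rule: invalid IPv4 source '$src'" >&2; return 2; }
    case "$action" in accept|reject|drop) ;; *) echo "rich_rule: invalid action '$action'" >&2; return 2 ;; esac
    rule="rule family=\"ipv4\" source address=\"$src\""
    case "$match" in
        '') ;;
        service=*) rule="$rule service name=\"${match#service=}\"" ;;
        port=*)
            spec="${match#port=}"
            rule="$rule port port=\"${spec%/*}\" protocol=\"${spec#*/}\"" ;;
        *) echo "rich_rule: invalid match '$match'" >&2; return 2 ;;
    esac
    [ -z "$logprefix" ] || rule="$rule log prefix=\"$logprefix\" level=\"info\""
    printf '%s\n' "$rule $action"
}

# apply_rich_rule ZONE SOURCE ACTION [MATCH] [LOGPREFIX] : add the rule to the
# permanent and the runtime configuration, so no --reload is needed
apply_rich_rule() {
    zone="$1"; shift
    rule="$(rich_rule "$@")" || return $?
    "$FWCMD" --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    "$FWCMD" --zone="$zone" --add-rich-rule="$rule"
}
```

Because rich_rule emits the canonical form, the same string can later be handed to --remove-rich-rule, which must match the stored rule exactly.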

To delete a rich rule, use the --remove-rich-rule option. First list the rich rules with --list-rich-rules, then remove them:

[root@server1 ~]# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.0.0/24" accept
rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" accept
rule family="ipv4" source address="192.168.10.0/24" port port="22" protocol="tcp" reject
[root@server1 ~]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
success
[root@server1 ~]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" accept'
success
[root@server1 ~]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.10.0/24" port port="22" protocol="tcp" reject'
success

Firewalld's Direct rules

Direct rules resemble iptables commands and are useful for users who are already familiar with iptables. Alternatively, you can edit the rules in the /etc/firewalld/direct.xml file and reload the firewall to activate them. Direct rules are mainly used by services or applications that need to add specific firewall rules.

The following Direct rule opens port 8081 on the server (the listing below also shows an existing rule for port 8080):

[root@server1 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 8081 -j ACCEPT
success
[root@server1 ~]# firewall-cmd --reload
success

To list the Direct rules, run:

[root@server1 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 8081 -j ACCEPT

Delete a Direct rule with the following commands:

[root@server1 ~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 8081 -j ACCEPT
[root@server1 ~]# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 8080 -j ACCEPT
success
[root@server1 ~]# firewall-cmd --reload
success

To empty a chain of a table, use the following syntax; an example follows:

firewall-cmd --direct --remove-rules ipv4 [table] [chain]
[root@server1 ~]# firewall-cmd --permanent --direct --remove-rules ipv4 filter INPUT
success
[root@server1 ~]# firewall-cmd --reload
success
[root@server1 ~]# firewall-cmd --direct --get-all-rules

After reading this article, I believe you have some understanding of "how to configure firewalld rules in Linux". If you want to know more about it, follow the industry information channel. Thank you for reading!
