2025-02-25 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to install and manage FirewallD on CentOS.
FirewallD is a very powerful feature in CentOS 7. It provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections and interfaces.
Installation and management
Start the service and enable it at boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To stop and disable it:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
Check the status of the firewall. The output should be running or not running
sudo firewall-cmd --state
To view the status of the FirewallD daemon:
sudo systemctl status firewalld
Enable the service at boot time
systemctl enable firewalld.service
Disable the service at boot time
systemctl disable firewalld.service
View all open ports
firewall-cmd --zone=public --list-ports
Update firewall rules
firewall-cmd --reload
View zone information
firewall-cmd --get-active-zones
View the zone to which the specified interface belongs
firewall-cmd --get-zone-of-interface=eth0
Reload the FirewallD configuration
sudo firewall-cmd --reload
Configuration sets
Add a rule to both the permanent rule set and the runtime rule set
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http
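A rule added to only one of the two rule sets is either lost at the next reload (runtime only) or not enforced until one (permanent only). The following added example, which is not part of the original article, reports that drift for a zone; the function names only_in, fw_drift and fw_drift_zone are hypothetical, and the sample lists are constructed.

```sh
#!/bin/sh
# Added example: report drift between the runtime and permanent rule sets.

# only_in A B: print each word of list A that does not appear in list B.
only_in() {
    for item in $1; do
        case " $(echo $2) " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# fw_drift RUNTIME PERMANENT: both arguments are space-separated lists as
# printed by `firewall-cmd --zone=Z --list-services` (or --list-ports),
# without and with --permanent.
fw_drift() {
    for item in $(only_in "$1" "$2"); do
        echo "runtime-only: $item"      # disappears at the next --reload or reboot
    done
    for item in $(only_in "$2" "$1"); do
        echo "permanent-only: $item"    # not enforced until --reload
    done
}

# fw_drift_zone ZONE: run the comparison against the live daemon (needs root).
fw_drift_zone() {
    for what in services ports; do
        fw_drift "$(firewall-cmd --zone="$1" --list-$what)" \
                 "$(firewall-cmd --permanent --zone="$1" --list-$what)"
    done
}

# Constructed sample: http was added without --permanent, https only with it.
fw_drift "dhcpv6-client http ssh" "dhcpv6-client https ssh"
```

On a live host, run `sudo sh -c '. ./fw_drift.sh; fw_drift_zone public'` (the file name is an assumption) before reloading to see which changes would be dropped.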
Add a rule to the permanent rule set and reload FirewallD
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
Firewall zones
To find the default zone
sudo firewall-cmd --get-default-zone
To change the default zone
sudo firewall-cmd --set-default-zone=internal
To view the zones used by your network interfaces
sudo firewall-cmd --get-active-zones
Sample output
public
  interfaces: eth0
To get the full configuration of a particular zone
sudo firewall-cmd --zone=public --list-all
Sample output
public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client http ssh
  ports: 12345/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
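The --list-all output can be checked mechanically against what a zone is supposed to expose. The following added example, not part of the original article, parses that output and flags any service or port missing from an allowlist; zone_field, audit_zone and sample_public are hypothetical names, and the sample reproduces the output shown above.

```sh
#!/bin/sh
# Added example: audit `firewall-cmd --zone=Z --list-all` output against an
# allowlist of services and ports.

# zone_field FIELD: read --list-all output on stdin, print the value of FIELD.
# The match is anchored, so "ports" does not pick up "forward-ports".
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# audit_zone "ALLOWED SERVICES" "ALLOWED PORTS" < list-all-output
# Prints one line per exposed item not on the allowlist; returns 1 if any.
audit_zone() {
    dump=$(cat)
    bad=0
    for svc in $(printf '%s\n' "$dump" | zone_field services); do
        case " $1 " in
            *" $svc "*) ;;
            *) echo "unexpected service: $svc"; bad=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$dump" | zone_field ports); do
        case " $2 " in
            *" $port "*) ;;
            *) echo "unexpected port: $port"; bad=1 ;;
        esac
    done
    return $bad
}

# Sample input: the public zone output shown in the article.
sample_public() {
cat <<'EOF'
public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client http ssh
  ports: 12345/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
EOF
}

# No ports are allowlisted here, so 12345/tcp is reported.
sample_public | audit_zone "dhcpv6-client http ssh" "" || true
```

On a live host, pipe `sudo firewall-cmd --zone=public --list-all` into audit_zone instead of the sample.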
To get the configuration of all zones
sudo firewall-cmd --list-all-zones
Sample output
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Working with services
To view the services available by default
sudo firewall-cmd --get-services
For example, to enable or disable the HTTP service
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Allow or deny any port / protocol
For example: allow or disable TCP traffic on port 12345
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent
Port forwarding
The following forwards traffic from port 80 to port 12345 on the same server
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
Building a rule set with FirewallD
Set the default zone to dmz and add eth0 to it. Of the default zones provided, dmz (demilitarized zone) is the most suitable for this application, as it only allows SSH and ICMP
sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0
Add permanent HTTP and HTTPS service rules to the dmz zone
sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
Reload FirewallD to make the rules take effect immediately
sudo firewall-cmd --reload
If you run firewall-cmd --zone=dmz --list-all, you will have the following output
dmz (default)
  interfaces: eth0
  sources:
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Advanced configuration
Allow all IPv4 traffic from host 192.168.0.14
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
Reject IPv4 TCP traffic from host 192.168.1.10 to port 22
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
Allow IPv4 TCP traffic from host 10.1.0.3 to port 80 and forward it to port 6532
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade needs to be activated on the zone)
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
List your current rich rules
sudo firewall-cmd --list-rich-rules
iptables direct interface
To view all custom chains or rules added to FirewallD
firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules