Centos7 firewalld firewall basic operation

Preface

In CentOS 6 the firewall was iptables, which is static: open ports cannot be added dynamically, they must be written into the configuration file and iptables restarted for the change to take effect. CentOS 7 uses firewalld instead, which is dynamic: open ports can be added with commands, and the changes take effect without restarting the service.

Firewall management

systemctl enable firewalld       #Enable at boot
systemctl start firewalld        #Start the service
systemctl status firewalld or firewall-cmd --state    #Check status
systemctl disable firewalld    #Do not start at boot
systemctl stop firewalld       #Stop the service

Area management

By dividing the network into zones, access-control policies between zones control the traffic that flows between them. For example, the Internet is an untrusted zone, while the internal network is a highly trusted zone. The network security model can be initialized during installation, at first start-up, or when the first network connection is established. It describes the trust level of the whole network environment the host is connected to and defines how new connections are handled. Several predefined zones exist; except for the trusted zone, all zones reject incoming connections by default unless a rule allows them.

Common operations

Note: when --zone=<zone> is not given after a rule, the rule is added to the default zone.
Note: --permanent makes the rule permanent, so it still exists after a reload; without it the rule only lives in the runtime configuration and disappears after a reload.

1. View all zones and their rules
[ root@lianst ~]# firewall-cmd --list-all-zones
work
 target: default
 icmp-block-inversion: no
 interfaces: 
 sources: ... <rest of output omitted>
2. View all zones
[ root@lianst ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
3. View all active zones
[ root@lianst ~]# firewall-cmd --get-active-zones
public
 interfaces: venet0
4. Traffic received from the 200.1.1.0/24 network segment enters the work zone for inspection (--permanent writes the rule to the configuration file)
[ root@lianst ~]# firewall-cmd --permanent --add-source=200.1.1.0/24 --zone=work
5. Reload the firewalld configuration
[ root@lianst ~]# firewall-cmd --reload
success
6. Traffic received on eth0 enters the dmz zone for inspection
[ root@lianst ~]# firewall-cmd --permanent --add-interface=eth0 --zone=dmz
7. Set the trusted zone as the default zone (the trusted zone accepts all incoming connections, so this removes filtering on every interface not assigned to another zone)
[ root@lianst ~]# firewall-cmd --set-default-zone=trusted
8. Allow access to the http service in the work zone
[ root@lianst ~]# firewall-cmd --permanent --add-service=http --zone=work
9. Allow access to TCP port 3260 in the work zone
[ root@lianst ~]# firewall-cmd --permanent --add-port=3260/tcp --zone=work
10. Add a rule to the default zone that forwards connections arriving on port 8080 to port 80
[ root@lianst ~]# firewall-cmd --permanent --add-forward-port=port=8080:proto=tcp:toport=80
11. Allow the ssh service through the firewall (--remove-service=ssh removes it again)
[ root@lianst ~]# firewall-cmd --add-service=ssh
12. Block access from 111.73.157.199
[ root@niaoyun software]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="111.73.157.199" drop'
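The note above about rules without --permanent disappearing on --reload is worth checking before a reload. As an added example (not from the original post), this POSIX shell script compares the runtime and permanent --list-all output of one zone and reports entries that exist only at runtime; the two outputs are constructed samples embedded inline, not captured from firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original post): report zone rules that exist only in the
# runtime configuration and would therefore vanish on `firewall-cmd --reload`. Inputs are
# the text of `firewall-cmd --zone=Z --list-all` and `firewall-cmd --permanent --zone=Z --list-all`.

# Print the value of one field (services, ports, sources, ...) from --list-all output.
zone_field() {          # usage: zone_field FIELD "$LIST_ALL_TEXT"
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print "FIELD item" for every item present at runtime but absent from the permanent config.
runtime_only() {        # usage: runtime_only FIELD "$RUNTIME" "$PERMANENT"
    perm=$(zone_field "$1" "$3")
    for item in $(zone_field "$1" "$2"); do
        case " $perm " in
            *" $item "*) ;;                          # also permanent: survives reload
            *) printf '%s %s\n' "$1" "$item" ;;      # runtime only: lost on reload
        esac
    done
}

# Constructed sample outputs for the work zone (not captured from a real host).
RUNTIME='work
  target: default
  interfaces: eth1
  sources: 200.1.1.0/24
  services: dhcpv6-client ssh http
  ports: 3260/tcp 8443/tcp
  masquerade: no'
PERMANENT='work
  target: default
  interfaces: eth1
  sources: 200.1.1.0/24
  services: dhcpv6-client ssh
  ports: 3260/tcp
  masquerade: no'

# Check the fields the commands above modify; exit status 1 if anything is runtime only.
audit_zone() {
    found=0
    for f in interfaces sources services ports; do
        out=$(runtime_only "$f" "$RUNTIME" "$PERMANENT")
        [ -n "$out" ] && { printf '%s\n' "$out"; found=1; }
    done
    return $found
}

audit_zone || echo "the runtime-only rules above will be lost on firewall-cmd --reload"
```

On a real host, replace the two sample strings with the output of the two firewall-cmd commands named in the header comment.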

Direct mode

firewalld also includes a direct mode, which passes rules straight to iptables. For example, to open TCP port 443 (--permanent is needed here so that the rule survives the reload that follows):

[ root@lianst ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 443 -j ACCEPT
[ root@lianst ~]# firewall-cmd --reload

Other commands

1. View the list of known services
[ root@lianst ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
2. Temporarily allow the samba service for 600 seconds
[ root@lianst ~]# firewall-cmd --add-service=samba --timeout=600
3. Remove an interface from a zone
[ root@lianst ~]# firewall-cmd --zone=trusted --remove-interface=eth0
4. Remove a service from a zone
[ root@lianst ~]# firewall-cmd --zone=public --remove-service=http
