The biggest change in CentOS 7 is the firewall. The common firewall rules, port forwarding and masquerading are listed below.
1. Basic Rules of Firewalld
--get-default-zone print the zone currently set as the default zone, which is the public zone by default
[root@centos7 ~]# firewall-cmd --get-default-zone
public
--new-zone=ZONE_NAME create your own custom zone
[root@centos7 ~]# firewall-cmd --permanent --new-zone=testing
success
--set-default-zone set the default zone
[root@centos7 ~]# firewall-cmd --permanent --set-default-zone=testing
--get-zones print a list of all available zones
[root@centos7 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
--list-all-zones show detailed information for every zone; for simplicity, only the output for one zone is shown here
[root@centos7 ~]# firewall-cmd --list-all-zones
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
--get-active-zones list only the zones currently in use, together with the interfaces bound to them
[root@centos7 ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
--get-services list the predefined services available for firewall rules; each service is bound to a set of ports
[root@centos7 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
--list-services list the services allowed in the zone; the default public zone is shown below
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https ssh
--add-service add a service to the specified zone; in this example the Kerberos service is added to the public zone
[root@centos7 ~]# firewall-cmd --add-service=kerberos
success
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https kerberos ssh
--remove-service remove a service from the zone
[root@centos7 ~]# firewall-cmd --remove-service=kerberos
success
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https ssh
--add-source=IP Add an IP address or address range to the zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-source=10.10.10.0/24
success
--list-sources List source addresses that have been applied to the zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-sources
10.10.10.0/24
--remove-source=IP Remove source IP addresses or address ranges that have been added to the zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --remove-source=10.10.10.0/24
success
Multiple IP addresses or ranges can be added as sources for a single zone
--list-ports list the ports allowed in the default zone
[root@centos7 ~]# firewall-cmd --list-ports
9000/tcp
--remove-port remove a port that was added
[root@centos7 ~]# firewall-cmd --remove-port=9000/tcp
success
The example below will create a new "test" zone and apply it to 192.168.1.0/24, then allow the SSH service and TCP port 9000 into the zone
[root@centos7 ~]# firewall-cmd --permanent --new-zone=test
success
[root@centos7 ~]# firewall-cmd --permanent --zone=test --add-source=192.168.1.0/24
success
[root@centos7 ~]# firewall-cmd --permanent --zone=test --add-service=ssh
success
[root@centos7 ~]# firewall-cmd --permanent --add-port=9000/tcp --zone=test
success
[root@centos7 ~]# firewall-cmd --reload
success
List the information for the test zone
[root@centos7 ~]# firewall-cmd --list-all --zone=test
test
  interfaces:
  sources: 192.168.1.0/24
  services: ssh
  ports: 9000/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
These rules are fairly basic; next we dive into rich rules, which provide more flexibility
2. Firewalld Rich Rules
Rich rules provide a greater level of control and more customization options; they can also be used to configure logging, masquerading, port forwarding and rate limiting
Once multiple rules are in place they are processed in a fixed order: port forwarding and masquerading rules are applied first, followed by any logging rules, then any allow rules, and finally any deny rules. A packet is handled by the first rule it matches; if it matches no rule, it is denied by default
--add-rich-rule='RULE' adds the specified rule; here we allow TCP ports 8080 to 8090 from the 10.0.0.0/24 range to reach 192.168.0.10/32
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'
success
--list-rich-rules list all rich rules of the specified zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-rich-rules
rule family="ipv4" source address="10.0.0.0/24" destination address="192.168.0.10/32" port port="8080-8090" protocol="tcp" accept
--remove-rich-rule remove an existing rule
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --remove-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'
success
Here we create a rich rule to deny any access from 192.168.0.10/24
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.0.10/24 reject'
success
Rich rules can also be used to rate limit, here we are limiting incoming SSH connections to 10 per minute
[root@centos7 ~]# firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'
success
Rich rules can also be used to write messages to the log, and logging itself can be rate limited. Here we log SSH connections from 192.168.0.0/24 at a rate of no more than 50 log entries per minute, using log level "info".
[root@centos7 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" limit value="50/m" accept'
success
3. Network address translation
With firewalld, NAT can be done by masquerading or by port forwarding, and both are configured with firewall-cmd. Note that masquerading is only available for IPv4, not IPv6
3.1 Address masquerading with firewalld
--add-masquerade enable masquerading in the zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-masquerade
success
--query-masquerade check whether masquerading is enabled
[root@centos7 ~]# firewall-cmd --permanent --query-masquerade
yes
In this example, any packets sent to the addresses defined in the "testing" zone will be masqueraded
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success
In this example, anything from 192.168.1.0/24 will be masqueraded
3.2 Port forwarding with firewalld
In the example below, the local system forwards all traffic sent to port 22 to 10.0.0.10:2222, so any traffic arriving at this server on TCP port 22 is forwarded to the external system 10.0.0.10 on TCP 2222. In this case the port forwarding rule only applies to the sources specified in the "testing" zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
success
Check whether the forwarding rule is in place
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --query-forward-port=port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
yes
Another way to see whether masquerading is enabled
[root@centos7 ~]# firewall-cmd --permanent --list-all --zone=testing
testing
  interfaces:
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" masquerade
Rich rules allow finer control: we can forward for a specific source address within the testing zone instead of the entire zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.0.0.10'
success
We can also omit the "to-addr" parameter; in that case the port forwarding happens entirely on the local host. We can use "--list-rich-rules" to see the rich rules of the specified zone
[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" masquerade
rule family="ipv4" source address="192.168.1.0/24" forward-port port="22" protocol="tcp" to-port="2222" to-addr="10.0.0.10"
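As an added example that is not part of the tutorial: every --permanent command above ends up in a zone file under /etc/firewalld/zones/, and a file written there directly becomes active after firewall-cmd --reload, which lets the intended "test" zone (sources, ssh, 9000/tcp) and "testing" zone (masquerade, forward-port) be reviewed and versioned before they are applied. The script renders those files and parses the port=:proto=:toport=:toaddr= syntax of --add-forward-port; the element and attribute names are assumed to follow firewalld's zone XML format.

```shell
# Render a firewalld zone file from the same values the firewall-cmd
# examples use. Element/attribute names are assumed to match firewalld's
# zone XML; the sample values at the bottom are the tutorial's.
# port_xml "9000/tcp"  ->  <port port="9000" protocol="tcp"/>
port_xml() {
    printf '  <port port="%s" protocol="%s"/>\n' "${1%/*}" "${1#*/}"
}
# fwd_xml "port=22:proto=tcp:toport=2222:toaddr=10.0.0.10"
# Parses the colon-separated key=value spec used by --add-forward-port.
# toport/toaddr are optional; without toaddr the forward stays on this host.
fwd_xml() {
    port=; proto=; toport=; toaddr=; old_ifs=$IFS; IFS=:
    for kv in $1; do
        case $kv in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            toaddr=*) toaddr=${kv#toaddr=} ;;
            *) IFS=$old_ifs; echo "unknown forward-port item: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$port" ] || [ -z "$proto" ]; then
        echo "forward-port needs port= and proto=" >&2; return 1
    fi
    printf '  <forward-port port="%s" protocol="%s"' "$port" "$proto"
    [ -n "$toport" ] && printf ' to-port="%s"' "$toport"
    [ -n "$toaddr" ] && printf ' to-addr="%s"' "$toaddr"
    printf '/>\n'
}
# zone_xml NAME "SOURCES" "SERVICES" "PORTS" yes|no "FORWARD_SPECS"
# Lists are space separated; the output is the content of
# /etc/firewalld/zones/NAME.xml, activated with: firewall-cmd --reload
zone_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>%s</short>\n' "$1"
    for s in $2; do printf '  <source address="%s"/>\n' "$s"; done
    for s in $3; do printf '  <service name="%s"/>\n' "$s"; done
    for p in $4; do port_xml "$p"; done
    [ "$5" = yes ] && printf '  <masquerade/>\n'
    for f in $6; do fwd_xml "$f" || return 1; done
    printf '</zone>\n'
}
# The tutorial's "test" zone: SSH and TCP 9000 from 192.168.1.0/24
zone_xml test "192.168.1.0/24" ssh "9000/tcp" no ""
# The tutorial's "testing" zone: masquerade plus the port-22 forward
zone_xml testing "" "" "" yes "port=22:proto=tcp:toport=2222:toaddr=10.0.0.10"
```

Redirect the output of a zone_xml call into /etc/firewalld/zones/NAME.xml, reload, and confirm with firewall-cmd --list-all --zone=NAME as shown above.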
PS: This is a translated foreign RHCE tutorial. It took half a day to sort it out. Please correct me if there are any deficiencies.