CentOS 7 Firewall (firewalld): Detailed Usage

The biggest change in CentOS 7 is the firewall. The common firewalld rules, port forwarding and masquerading are listed below.

1. Basic Rules of Firewalld

--get-default-zone print the zone currently set as the default zone (public unless it has been changed)

[root@centos7 ~]# firewall-cmd --get-default-zone
public

--new-zone=ZONE_NAME create your own custom zone

[root@centos7 ~]# firewall-cmd --permanent --new-zone=testing
success

--set-default-zone set the default zone

[root@centos7 ~]# firewall-cmd --permanent --set-default-zone=testing

--get-zones print a list of all available zones

[root@centos7 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

--list-all-zones show detailed information for every zone; for brevity, only one zone's output is shown here

[root@centos7 ~]# firewall-cmd --list-all-zones
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

--get-active-zones list only the active zones, i.e. those bound to an interface or a source

[root@centos7 ~]# firewall-cmd --get-active-zones
public
  interfaces: eth0

--get-services list the predefined services available for firewall rules; each service maps to a set of ports

[root@centos7 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

--list-services list the services allowed in the zone; the default public zone is shown below

[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https ssh

--add-service add an additional service to the specified zone; in this example the Kerberos service is added to the public zone

[root@centos7 ~]# firewall-cmd --add-service=kerberos
success
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https kerberos ssh

--remove-service remove a service from the zone

[root@centos7 ~]# firewall-cmd --remove-service=kerberos
success
[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client dns http https ssh

--add-source=IP add an IP address or address range as a source of the zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-source=10.10.10.0/24
success

--list-sources list the source addresses that have been applied to the zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-sources
10.10.10.0/24

--remove-source=IP remove a source IP address or address range that was added to the zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --remove-source=10.10.10.0/24
success

Multiple IP addresses or ranges can be added as sources for a single zone.

The --list-ports and --remove-port examples below assume that TCP port 9000 has already been opened in the default zone with --add-port=9000/tcp (the same option is used in the zone example further down).

--list-ports list the ports allowed in the default zone

[root@centos7 ~]# firewall-cmd --list-ports
9000/tcp

--remove-port remove a previously added port

[root@centos7 ~]# firewall-cmd --remove-port=9000/tcp
success

The example below creates a new "test" zone, applies it to 192.168.1.0/24, then allows the SSH service and TCP port 9000 into the zone. Because these commands use --permanent, they only take effect after --reload.

[root@centos7 ~]# firewall-cmd --permanent --new-zone=test
success
[root@centos7 ~]# firewall-cmd --permanent --zone=test --add-source=192.168.1.0/24
success
[root@centos7 ~]# firewall-cmd --permanent --zone=test --add-service=ssh
success
[root@centos7 ~]# firewall-cmd --permanent --add-port=9000/tcp --zone=test
success
[root@centos7 ~]# firewall-cmd --reload
success

List the test zone's information

[root@centos7 ~]# firewall-cmd --list-all --zone=test
test
  interfaces:
  sources: 192.168.1.0/24
  services: ssh
  ports: 9000/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
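Changes made without --permanent are live immediately but lost at the next --reload, while --permanent changes are saved but not enforced until --reload. The following script is an added example, not part of the original tutorial: it compares the runtime and permanent view of a zone so that both kinds of drift show up. The function and variable names are my own; the constructed sample output mimics the `firewall-cmd --list-all` format shown above.

```shell
#!/bin/sh
# Added example: report drift between the runtime and permanent configuration
# of a firewalld zone. Works on the space-separated fields of
# `firewall-cmd --list-all` output (services, ports, sources, interfaces);
# rich rules contain spaces and are not handled here.

# field_values TEXT FIELD -> the values after "FIELD:" in TEXT
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# only_in "A B C" "B C" -> items of the first list missing from the second
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# zone_drift_text RUNTIME_TEXT PERMANENT_TEXT FIELD -> one line per drifted item:
#   runtime-only <item>    active now, lost at the next --reload
#   permanent-only <item>  saved, not enforced until --reload
# Prints nothing and returns 0 when the field matches; returns 1 on drift.
zone_drift_text() {
    rt=$(field_values "$1" "$3")
    pm=$(field_values "$2" "$3")
    drift=0
    for item in $(only_in "$rt" "$pm"); do
        printf 'runtime-only %s\n' "$item"; drift=1
    done
    for item in $(only_in "$pm" "$rt"); do
        printf 'permanent-only %s\n' "$item"; drift=1
    done
    return $drift
}

# zone_drift ZONE FIELD -> the same report taken from the live firewalld (run as root)
zone_drift() {
    zone_drift_text "$(firewall-cmd --list-all --zone="$1")" "$(firewall-cmd --permanent --list-all --zone="$1")" "$2"
}

# Constructed sample: kerberos was added at runtime only (as in the --add-service
# example above) and 9000/tcp was added with --permanent but not yet reloaded.
RUNTIME_SAMPLE='public (active)
  interfaces: eth0
  services: dhcpv6-client dns http https kerberos ssh
  ports:'
PERMANENT_SAMPLE='public
  interfaces: eth0
  services: dhcpv6-client dns http https ssh
  ports: 9000/tcp'
```

Running `zone_drift public services` on a real host after the --add-service=kerberos step above would report "runtime-only kerberos".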

These rules are fairly basic; next we dive into rich rules, which provide more flexibility.

2. Firewalld Rich Rules

Rich rules give a greater level of control and more customization options; they can also be used to configure logging, masquerading, port forwarding and rate limiting.

Once multiple rules are in place they are processed in a fixed order: port forwarding and masquerading rules first, then any logging rules, then any allow rules, and finally any deny rules. A packet is handled by the first rule that matches it; if no rule matches, it is denied by default.

--add-rich-rule='RULE' add the specified rule; here we allow TCP ports 8080 to 8090 from the 10.0.0.0/24 range to reach 192.168.0.10/32

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'
success

--list-rich-rules list all rich rules of the specified zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-rich-rules
rule family="ipv4" source address="10.0.0.0/24" destination address="192.168.0.10/32" port port="8080-8090" protocol="tcp" accept

--remove-rich-rule remove an existing rich rule

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --remove-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'
success

Here we create a rich rule that denies (rejects) any access from 192.168.0.10/24

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.0.10/24 reject'
success

Rich rules can also rate limit; here incoming SSH connections are limited to 10 per minute

[root@centos7 ~]# firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'
success

Rich rules can also write messages to the system log, and the logging itself can be rate limited. Here we log SSH connections from 192.168.0.0/24 at no more than 50 log entries per minute, with the log messages written at level "info".

[root@centos7 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" limit value="50/m" accept'
success
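The evaluation order described at the start of this section decides which rule a packet reaches first, and a single rich rule that both logs and accepts takes part in two stages. The script below is an added example, not part of the original tutorial: it expands a list of rich rules (in the text form printed by --list-rich-rules) into the stages firewalld evaluates them in. The function names are my own; the sample zone is constructed from this tutorial's own rules placed together in one zone.

```shell
#!/bin/sh
# Added example: expand a zone's rich rules into evaluation stages
#   1 forward-port / masquerade, 2 log, 3 accept, 4 reject / drop
# so the first rule a packet can reach is visible. Input is one rule per line
# as printed by `firewall-cmd --list-rich-rules`.

# rule_stages RULE -> one "<stage> <action>" line per stage the rule takes part in
rule_stages() {
    case "$1" in *forward-port*) echo "1 forward-port" ;; esac
    case "$1" in *masquerade*)   echo "1 masquerade" ;; esac
    case "$1" in *" log"*)       echo "2 log" ;; esac
    case "$1" in *" accept"*)    echo "3 accept" ;; esac
    case "$1" in *" reject"*)    echo "4 reject" ;; esac
    case "$1" in *" drop"*)      echo "4 drop" ;; esac
}

# order_rich_rules < RULES -> "<stage> <action>: <rule>" lines in evaluation
# order; rules in the same stage keep the order in which they were listed.
order_rich_rules() {
    n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        n=$((n + 1))
        rule_stages "$rule" | while read -r stage action; do
            printf '%s %s %s: %s\n' "$stage" "$n" "$action" "$rule"
        done
    done | sort -k1,1n -k2,2n | cut -d' ' -f1,3-
}

# Constructed sample zone holding the rules from this section. An SSH packet
# from 192.168.0.5 matches both the reject rule and the log+accept rule; the
# accept stage comes before the reject stage, so it is logged and accepted.
SAMPLE_RULES='rule family="ipv4" source address="192.168.0.10/24" reject
rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" limit value="50/m" accept
rule family="ipv4" source address="10.0.0.0/24" destination address="192.168.0.10/32" port port="8080-8090" protocol="tcp" accept
rule family="ipv4" source address="192.168.1.0/24" masquerade'

# Usage: printf '%s\n' "$SAMPLE_RULES" | order_rich_rules
# or, on a live host: firewall-cmd --zone=testing --list-rich-rules | order_rich_rules
```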

3. Network address translation

With firewalld, NAT can be done either by masquerading or by port forwarding, and both are configured with firewall-cmd. Note that masquerading only works with IPv4, not IPv6.

3.1 Address masquerading with firewalld

--add-masquerade enable masquerading in the zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-masquerade
success

--query-masquerade query whether masquerading is enabled (without --zone, the default zone is queried)

[root@centos7 ~]# firewall-cmd --permanent --query-masquerade
yes

Masquerading can also be applied with a rich rule to a specific source range in the zone "testing", rather than to the whole zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
success

With this rule, anything from 192.168.1.0/24 will be masqueraded

3.2 Port forwarding with firewalld

In the example below, the local system forwards all traffic arriving on port 22 to 10.0.0.10:2222: any traffic sent to this server on TCP port 22 is forwarded to the external system 10.0.0.10 on TCP port 2222. The forwarding rule applies only to sources in the "testing" zone used in the command.

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
success

Query whether the forwarding rule is in place

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --query-forward-port=port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
yes

Another way to see whether masquerading and port forwarding are enabled is --list-all

[root@centos7 ~]# firewall-cmd --permanent --list-all --zone=testing
testing
  interfaces:
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=10.0.0.10
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" masquerade

Rich rules allow more detailed control: we can restrict the forwarding to a specific source address range within the testing zone instead of the entire zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.0.0.10'
success

The "to-addr" parameter can be omitted; in that case the port is forwarded on the local host itself. We can use "--list-rich-rules" to see the rich rules of the specified zone

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" masquerade
rule family="ipv4" source address="192.168.1.0/24" forward-port port="22" protocol="tcp" to-port="2222" to-addr="10.0.0.10"
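A forward-port whose toaddr= points at another host only works when masquerading is enabled in the same zone (otherwise the replies from 10.0.0.10 are not translated back through this server), which is why the --list-all output above shows both settings together. The script below is an added example, not part of the original tutorial: it parses `firewall-cmd --list-all --zone=ZONE` output and flags forward-ports to another host in a zone where masquerade is off. The function names are my own; the two zone dumps are constructed in the CentOS 7 format, where all entries share the single forward-ports: line.

```shell
#!/bin/sh
# Added example: sanity-check a zone's forward-ports against its masquerade
# setting. Any entry carrying toaddr= is treated as forwarding to another host.

# field_values TEXT FIELD -> the values after "FIELD:" in TEXT
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# check_forward_ports TEXT -> one "ok"/"WARNING" line per forward-port entry;
# returns 1 if any entry forwards to another host while masquerade is off.
check_forward_ports() {
    masq=$(field_values "$1" masquerade)
    status=0
    for fp in $(field_values "$1" forward-ports); do
        case "$fp" in
            *toaddr=*)
                if [ "$masq" = "yes" ]; then
                    printf 'ok: %s (masquerade on)\n' "$fp"
                else
                    printf 'WARNING: %s forwards to another host but masquerade is off\n' "$fp"
                    status=1
                fi ;;
            *) printf 'ok: %s (local redirect)\n' "$fp" ;;
        esac
    done
    return $status
}

# check_zone ZONE -> the same check against the live firewalld (run as root)
check_zone() {
    check_forward_ports "$(firewall-cmd --list-all --zone="$1")"
}

# Constructed samples: the zone as configured above, and the same forward
# with masquerading left off plus a purely local redirect of 8080 to 80.
ZONE_OK='testing
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=10.0.0.10'
ZONE_BAD='testing
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=10.0.0.10 port=8080:proto=tcp:toport=80'
```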

PS: This is a translation of a foreign RHCE tutorial. It took half a day to sort out. Please correct me if there are any deficiencies.
