Install
yum install firewalld
If you need a graphical interface, install it as well:
yum install firewall-config
Introduction
firewalld, the firewall daemon
The firewalld service introduces the concept of trust levels (zones) to manage the connections and interfaces bound to it. It supports IPv4 and IPv6 as well as bridges, and uses firewall-cmd (command line) or firewall-config (GUI) to dynamically manage runtime (temporary) or permanent interface rules in the kernel netfilter; changes take effect immediately without restarting the service.
firewalld classifies network connections into different trust levels; the zones provide the following levels:
| Level | Meaning |
|---|---|
| drop | Drop all incoming packets without giving any response |
| block | Reject all externally originated connections; allow connections originated from inside |
| public | Allow only specified incoming connections |
| external | Same as above, for masqueraded incoming connections; generally used for routing and forwarding |
| dmz | Allow restricted incoming connections |
| work | Allow restricted access from trusted computers, similar to a workgroup |
| home | Same as above, similar to a home group |
| internal | Same as above, scoped to users of the internal network |
| trusted | Trust all connections |
Usage
Start and stop:
Start the service
systemctl start firewalld
Start the service automatically at boot
systemctl enable firewalld
Stop the service
systemctl stop firewalld
Do not start the service at boot
systemctl disable firewalld
View the rules
View help
firewall-cmd --help
View running status
firewall-cmd --state
View activated Zone information
firewall-cmd --get-active-zones
View the Zone information of the specified interface
firewall-cmd --get-zone-of-interface=eth0
View interfaces at a specified level
firewall-cmd --zone=public --list-interfaces
View all information for a specified zone, such as public
firewall-cmd --zone=public --list-all
List all services known to firewalld (the definitions usable with --add-service)
firewall-cmd --get-services
List the services defined in the permanent configuration, i.e. those still available after a reload
firewall-cmd --get-services --permanent
Managing rules
Enable panic mode (drop all incoming and outgoing packets)
firewall-cmd --panic-on
Disable panic mode
firewall-cmd --panic-off
Check whether panic mode is on
firewall-cmd --query-panic
Reload the rules without interrupting the service (the permanent configuration becomes the runtime configuration)
firewall-cmd --reload
Complete reload, which also resets state and terminates active connections
firewall-cmd --complete-reload
Add an interface to a zone permanently, for example eth0 to public; --permanent only writes the persistent configuration, so run firewall-cmd --reload (or repeat the command without --permanent) to apply it to the running firewall
firewall-cmd --zone=public --add-interface=eth0 --permanent
Set public as the default zone
firewall-cmd --set-default-zone=public
Managing ports
List the ports allowed in the dmz zone
firewall-cmd --zone=dmz --list-ports
Allow tcp port 8080 in the dmz zone
firewall-cmd --zone=dmz --add-port=8080/tcp
Permanently allow a range of udp ports in the public zone (the range must be written low-high)
firewall-cmd --zone=public --add-port=5060-5069/udp --permanent
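As an added helper (not from the original page or the firewalld project), this POSIX sh script validates a port specification before handing it to firewall-cmd, rejecting the inverted range or unknown protocol that firewalld would refuse, and applies the rule with --permanent followed by --reload so the runtime and persistent configurations stay in sync. FIREWALL_CMD is a hypothetical override variable so the script can be dry-run without firewalld installed.

```shell
#!/bin/sh
# Added helper; FIREWALL_CMD is an assumed override (e.g. FIREWALL_CMD=echo for a dry run).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_port_spec_ok PORT[-PORT]/PROTO
# Returns 0 when the spec is one firewalld accepts: ports within 1-65535,
# range start <= end, protocol tcp/udp/sctp/dccp. Prints the reason on failure.
fw_port_spec_ok() {
    spec=$1
    ports=${spec%/*}
    proto=${spec#*/}
    # No "/" at all: ${spec%/*} leaves the string unchanged
    [ "$ports" != "$spec" ] || { echo "missing /proto in '$spec'" >&2; return 1; }
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "unknown protocol '$proto'" >&2; return 1 ;;
    esac
    lo=${ports%-*}   # single port: lo == hi
    hi=${ports#*-}
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) echo "non-numeric port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port $p out of range" >&2; return 1; }
    done
    # Catches the inverted range that a typo such as 5060-5059 produces
    [ "$lo" -le "$hi" ] || { echo "inverted range '$ports'" >&2; return 1; }
    return 0
}

# fw_open_port ZONE PORT[-PORT]/PROTO
# Validates the spec, writes the rule to the permanent configuration, then
# reloads so the running firewall matches what is on disk.
fw_open_port() {
    zone=$1
    spec=$2
    fw_port_spec_ok "$spec" || return 1
    "$FIREWALL_CMD" --zone="$zone" --add-port="$spec" --permanent || return 1
    "$FIREWALL_CMD" --reload
}
```

Usage: `fw_open_port dmz 8080/tcp`; a bad spec such as `5060-5059/udp` is reported and nothing is sent to firewall-cmd.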
Managing services
Add smtp service to work zone
firewall-cmd --zone=work --add-service=smtp
Remove the smtp service in the work zone
firewall-cmd --zone=work --remove-service=smtp
Configure IP address masquerading (source NAT)
Check whether masquerading is enabled
firewall-cmd --zone=external --query-masquerade
Enable masquerading
firewall-cmd --zone=external --add-masquerade
Disable masquerading
firewall-cmd --zone=external --remove-masquerade
Port forwarding
Forwarding to another host requires masquerading to be enabled first
firewall-cmd --zone=external --add-masquerade
Then forward tcp port 22 to port 3753 on the same host
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
Forward port 22 to the same port on another IP address
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
Forward port 22 to port 2055 on another IP address
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100