Install
yum install firewalldIf you need a graphical interface, then install it
yum install firewall-configintroduce
The Firewall Guardian
firewalldservice introduces a concept of trust levels to manage the connections and interfaces associated with it. It supportsipv4 与 ipv6and supports bridges, usingfirewall-cmd (command)orfirewall-config (gui)to dynamicallykernel netfiltermanage temporary or permanent interface rules, and take effect in real time without restarting the service.
Firewall can classify different network connections into different trust levels, Zone provides the following levels:
| level name | meaning |
|---|---|
| drop | Drop all incoming packets without giving any response |
| block | Deny all externally-originated connections, allow internal-originated connections |
| public | Allow specified incoming connections |
| external | Same as above, for masqueraded incoming connections, generally used for routing and forwarding |
| dmz | Allow restricted incoming connections |
| work | Allows restricted access to trusted computers, similar to a workgroup |
| home | Same as above, similar to homegroup |
| internal | Same as above, scoped to all internet users |
| trusted | Trust all connections |
Instructions:
Start shutdown:
systemctl start firewalld: start up,
systemctl enable firewalld: start up at startup
systemctl stop firewalld: disable
systemctl disable firewalld: cancel start up
View the rules
View help
firewall-cmd --helpView running status
firewall-cmd --stateView activated Zone information
firewall-cmd --get-active-zonesView the Zone information of the specified interface
firewall-cmd --get-zone-of-interface=eth0View interfaces at a specified level
firewall-cmd --zone=public --list-interfacesView all information at a specified level, such as public
firewall-cmd --zone=public --list-allView information allowed at all levels
firewall-cmd --get-serviceView the services that are allowed in all Zones levels after restarting, that is, services that are permanently released
firewall-cmd --get-service --permanentmanagement rules
firewall-cmd --panic-on: : Discard
firewall-cmd --panic-offCancel discard
firewall-cmd --query-panic: View discard status
firewall-cmd --reload: Update rules, do not restart services
firewall-cmd --complete-reload: Update rules, restart services
Add an interface to a trust level, such as adding eth0 to public, and it will take effect permanently
firewall-cmd --zone=public --add-interface=eth0 --permanentSet public as the default trust level
firewall-cmd --set-default-zone=publicmanagement port
List allowed ingress ports at dmz level
firewall-cmd --zome=dmz --list-portsallow tcp port 8080 to dmz level
firewall-cmd --zone=dmz --add-port=8080/tcpAllow a range of udp ports to the public level and take effect permanently
firewall-cmd --zome=public --add-port=5060-5059/udp --permanentManaged Services
Add smtp service to work zone
firewall-cmd --zone=work --add-service=smtpRemove the smtp service in the work zone
firewall-cmd --zone=work --remove-service=smtpConfigure ip address masquerading
Check
firewall-cmd --zone=external --query-masqueradeopen camouflage
firewall-cmd --zone=external --add-masqueradeturn off camouflage
firewall-cmd --zone=external --remove-masqueradeport forwarding
To turn on port forwarding, you need to first
firewall-cmd --zone=external --add-masqueradeThen forward tcp 22 port to 3753
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753Forward 22 port data to the same port on another ip
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100Forward 22 port data to another ip's 2055 port
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100