Linux firewall related commands and usage

1. Introduction to Linux firewall

On Fedora, CentOS, Red Hat and similar distributions, the firewall software installed by default is firewalld, which is configured and controlled through the firewall-cmd command. This article focuses on firewalld.

  • A dynamic firewall management tool built around network zones, which define the trust level of network connections and interfaces
  • Supports IPv4 and IPv6 firewall settings and Ethernet bridges
  • Offers an interface through which services or applications can add firewall rules directly
  • Has two configuration modes:
      • Runtime configuration (temporary)
      • Permanent configuration

The relationship between firewalld and iptables

netfilter

The packet-filtering subsystem inside the Linux kernel; it is the "kernel space" part of the Linux firewall.

firewalld / iptables

User-space tools for managing firewall rules (firewalld is the default on CentOS 7); they are the "user space" part of the Linux firewall. Both of them end up programming netfilter.


                     firewalld                                      iptables
Configuration file   /usr/lib/firewalld, /etc/firewalld             /etc/sysconfig/iptables
Rule changes         No need to refresh all policies; current       All policies are refreshed; current
                     connections are kept                           connections are lost
Firewall type        Dynamic firewall                               Static firewall

2. Starting, checking and stopping firewalld

# Start firewalld
systemctl start firewalld
# Check the service status
systemctl status firewalld
# Check whether the firewall is running
firewall-cmd --state
# Stop firewalld
systemctl stop firewalld
# Disable firewalld (do not start it at boot)
systemctl disable firewalld
# Reload the firewall; usually needed after changing the firewalld configuration
firewall-cmd --reload
# Restart firewalld
systemctl restart firewalld

3. firewall-cmd related commands

# Show the version
firewall-cmd --version
# Show the help
firewall-cmd --help
# Show the state
firewall-cmd --state
# List all opened ports (in the public zone)
firewall-cmd --zone=public --list-ports
# Reload the firewall rules
firewall-cmd --reload
# Show the active zones and the interfaces bound to them
firewall-cmd --get-active-zones
# Show which zone a given interface belongs to
firewall-cmd --get-zone-of-interface=eth0
# Panic mode on: reject all packets (all incoming and outgoing traffic is blocked)
firewall-cmd --panic-on
# Panic mode off
firewall-cmd --panic-off
# Check whether panic mode is on
firewall-cmd --query-panic

4. Opening ports with firewalld

# Check whether a port is open
firewall-cmd --query-port=8080/tcp
# Add a permanent rule that opens port 8080 (TCP); any IP can reach this port
firewall-cmd --permanent --add-port=8080/tcp
# Remove the rule added by the previous command
firewall-cmd --permanent --remove-port=8080/tcp
# Add a permanent rule that opens a whole range of ports (TCP): every port from 9001 to 9100
firewall-cmd --permanent --add-port=9001-9100/tcp

# After adding or removing rules, reload the firewall for the configuration to take effect
firewall-cmd --reload

5. Allowlisting source IPs with firewalld

# Add a permanent rule that allows access from the single source IP 192.168.1.1
firewall-cmd --permanent --add-source=192.168.1.1
# Add a permanent rule that allows access from the source range 192.168.1.0/24
# 192.168.1.0/24 covers the IPs 192.168.1.1-192.168.1.255; /24 means 24 network bits and 8 host bits
firewall-cmd --permanent --add-source=192.168.1.0/24
# Without --zone these commands apply to the default zone (public); the source is bound to that zone
# and gets whatever that zone allows
# Remove the rule above
firewall-cmd --permanent --remove-source=192.168.1.1


6. Rich rules

# Allow a specific IP to reach port 8080 on this host
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" accept'
# Allow a specific IP range to reach ports 8080-8090 on this host
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="8080-8090" accept'
# Deny a specific IP access to port 8080 on this host
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject'
# Remove the first rule (for almost every rule, removal is the same command with add changed to remove)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" accept'


Command explanation:
accept: allow the connection
reject: refuse the connection and send a rejection reply to the source
drop: discard the packet silently, with no reply
--add-rich-rule: add a rich rule
--remove-rich-rule: remove a rich rule
--permanent: write the rule to the permanent configuration; it only takes effect after a reload
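The port, source and rich-rule commands above take the address and the port straight from the operator. The following added example (mine, not from the original post or from the firewalld project) wraps them in a small POSIX shell script that validates the source address, the port or port range and the action before building the rich rule string, and that writes the rule to both the permanent and the runtime configuration so that no --reload is needed. The helper names (valid_single_port, valid_port, valid_cidr, rich_rule, apply_rich_rule) and the DRY_RUN and ZONE variables are assumptions of this example; by default it only prints the firewall-cmd commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: validate the inputs and build the
# rich rule string before handing it to firewall-cmd. The helper names and the
# DRY_RUN / ZONE variables are this example's own.

# A single port must be a number in 1..65535.
valid_single_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A port is either a single port or a low-high range with low < high.
valid_port() {
    case "$1" in
        *-*)
            lo="${1%%-*}"; hi="${1#*-}"
            valid_single_port "$lo" && valid_single_port "$hi" && [ "$lo" -lt "$hi" ]
            ;;
        *)  valid_single_port "$1" ;;
    esac
}

# An IPv4 host (a.b.c.d) or network (a.b.c.d/n): four octets in 0..255, prefix in 0..32.
valid_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi   # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
}

# Print the rich rule for: source (host or CIDR), tcp port or range, action.
rich_rule() {
    valid_cidr "$1" || { echo "rich_rule: bad source address: $1" >&2; return 1; }
    valid_port "$2" || { echo "rich_rule: bad port: $2" >&2; return 1; }
    case "$3" in
        accept|reject|drop) ;;
        *) echo "rich_rule: action must be accept, reject or drop: $3" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" %s\n' "$1" "$2" "$3"
}

# Apply the rule to both the permanent and the runtime configuration of $ZONE
# (default: public). With DRY_RUN=1 (the default here) the commands are only printed.
apply_rich_rule() {
    rule=$(rich_rule "$@") || return 1
    zone="${ZONE:-public}"
    if [ "${DRY_RUN:-1}" = 1 ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'"
        echo "firewall-cmd --zone=$zone --add-rich-rule='$rule'"
        return 0
    fi
    # Writing both configurations avoids a --reload, which would also discard
    # any runtime-only rules added earlier; the last command confirms the permanent entry.
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" &&
    firewall-cmd --zone="$zone" --add-rich-rule="$rule" &&
    firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule"
}

# Usage: allow one host to reach 8080/tcp, deny a /24 the range 8080-8090/tcp,
# and show that an invalid address is refused before anything reaches firewall-cmd.
apply_rich_rule 192.168.1.1 8080 accept
apply_rich_rule 192.168.1.0/24 8080-8090 reject
apply_rich_rule 192.168.1.256 8080 accept || echo "invalid input refused as expected"
```

Set DRY_RUN=0 on a host that has firewall-cmd to actually apply the rules. Writing the rule to both configurations matters because firewall-cmd --reload replaces the runtime configuration with the permanent one, so a rule that was only added at runtime disappears; firewall-cmd --runtime-to-permanent goes the other way and saves the current runtime rules into the permanent configuration.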

7. Firewall zones

# List all available zones
firewall-cmd --get-zones

1. Drop: any incoming packet is dropped without a reply, like the iptables -j DROP target used before.
2. Block: incoming connections are rejected with an icmp-host-prohibited message; only connections initiated from this system are allowed through.
3. Public: only selected incoming connections are accepted; by default ssh and dhcpv6-client. This is the default zone.
4. External: the equivalent of a router's "enable masquerading" option; only selected incoming connections are accepted, namely ssh, and everything else is dropped.
5. dmz: for hosts in a demilitarized zone that should expose only some services to the outside; like external, it only accepts ssh by default.
6. Work: for internal work networks, where only private-network communication is expected; only selected incoming connections are accepted, namely ssh, ipp-client and dhcpv6-client.
7. Home: dedicated to home networks; it also accepts only selected incoming connections, namely ssh, ipp-client, mdns, samba-client and dhcpv6-client.
8. Internal: similar to the work zone; like home, it only accepts the selected connections.
9. Trusted: all network connections are accepted. Remember: trusted is the most permissive zone, so even with no service configured everything is allowed, because trusted accepts all connections.
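The zone descriptions above give the expected service set for each zone, which makes a zone's configuration something that can be checked against a baseline. The following added example (mine, not from the original post or from the firewalld project) parses the output of firewall-cmd --zone=<zone> --list-all and reports services, opened ports and a target setting that go beyond the baseline the post states for public (ssh and dhcpv6-client). The sample output, the baseline table and the helper names (zone_field, extra_items, audit_zone) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit one zone against an expected
# baseline. Reads the output of "firewall-cmd --zone=<zone> --list-all" from stdin.
# The helper names and the sample output below are this example's own construction.

# Constructed sample of "firewall-cmd --zone=public --list-all" output: the public
# zone with one extra service (http) and two port openings added.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp 9001-9100/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" accept'

# Print the value of one field ("services", "ports", "target", ...) from --list-all output on stdin.
zone_field() {
    sed -n "s/^  $1: *//p"
}

# Print the items of $2 (space separated) that are not in the baseline $1.
extra_items() {
    out=""
    for item in $2; do
        found=0
        for base in $1; do
            if [ "$item" = "$base" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then out="$out $item"; fi
    done
    printf '%s\n' "${out# }"
}

# Audit zone $1 from --list-all output on stdin. Prints one FINDING line per
# deviation and returns the number of findings (0 = matches the baseline).
audit_zone() {
    input=$(cat)
    # Baseline per the post: the public zone allows only ssh and dhcpv6-client by default.
    # Other zones get an empty baseline here, so every service is reported.
    case "$1" in
        public) baseline="ssh dhcpv6-client" ;;
        *)      baseline="" ;;
    esac
    target=$(printf '%s\n' "$input" | zone_field target)
    services=$(printf '%s\n' "$input" | zone_field services)
    ports=$(printf '%s\n' "$input" | zone_field ports)
    rich=$(printf '%s\n' "$input" | grep -c '^[[:space:]]*rule ' || true)
    findings=0
    if [ "$target" = "ACCEPT" ]; then
        echo "FINDING: zone $1 target is ACCEPT; everything not explicitly matched is let in"
        findings=$((findings + 1))
    fi
    extra=$(extra_items "$baseline" "$services")
    if [ -n "$extra" ]; then
        echo "FINDING: services beyond the $1 baseline: $extra"
        findings=$((findings + 1))
    fi
    if [ -n "$ports" ]; then
        echo "FINDING: ports opened to every source: $ports"
        findings=$((findings + 1))
    fi
    if [ "$rich" -gt 0 ]; then
        echo "NOTE: $rich rich rule(s) present; review each source/port pair"
    fi
    return "$findings"
}

# Usage: audit the constructed sample. On a live host pipe the real output instead:
#   firewall-cmd --zone=public --list-all | audit_zone public
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone public || echo "findings: $?"
```

The exit status doubles as the finding count, so the function can gate a deployment step or feed a monitoring check; the baseline table is deliberately tiny here and would normally be kept beside the host's intended configuration.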


Source: blog.csdn.net/tian830937/article/details/132657710