firewalld is the firewall management tool introduced in CentOS 7. It provides a dynamically managed firewall; underneath, packet filtering is still done by netfilter.
1. Zones
Each network interface is assigned to a zone. There are nine default zones: block, dmz, drop, external, home, internal, public, trusted and work.
2. Services
The /usr/lib/firewalld/services directory holds the service definition files, one per network service, for example ssh.
Each file records the tcp/udp ports the service uses. The latest firewalld ships more than 70 predefined services for us to use.
To change a service's configuration, copy its file from /usr/lib/firewalld/services to /etc/firewalld/services and edit the copy there.
3. Commonly used firewalld commands
Install
yum install firewalld
Start
systemctl start firewalld
Stop
systemctl stop firewalld
Show the version
firewall-cmd --version
Show the state
firewall-cmd --state
Reload the configuration
firewall-cmd --reload
List the services firewalld knows about
firewall-cmd --get-services
List the services enabled in the current (default) zone
firewall-cmd --list-services
Show the active zones and the interfaces bound to them
firewall-cmd --get-active-zones
Show which zone an interface belongs to
firewall-cmd --get-zone-of-interface=ens33
Show the default zone
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=public
List all zones
firewall-cmd --get-zones
Reject all packets (panic mode on)
firewall-cmd --panic-on
Panic mode off
firewall-cmd --panic-off
Query whether panic mode is on
firewall-cmd --query-panic
Add an interface to a zone
firewall-cmd --zone=public --add-interface=eth0
Remove an interface from a zone
firewall-cmd --zone=public --remove-interface=eth0
Change the zone an interface belongs to
firewall-cmd --zone=dmz --change-interface=eth0
Query whether a zone contains an interface
firewall-cmd --zone=public --query-interface=eth0
4. Opening ports (most common)
List all open ports in a zone
firewall-cmd --zone=public --list-ports
Add a port to a zone
firewall-cmd --zone=public --add-port=8080/tcp
Remove a port from a zone
firewall-cmd --zone=public --remove-port=8080/tcp
To make a change permanent, add --permanent and then reload the firewall.
Note that with --permanent the change is written to the zone's configuration file, e.g. /etc/firewalld/zones/public.xml, and does not affect the running firewall until the reload; without --permanent it applies to the running firewall only and is lost on restart.
5. How to open a service
Opening a service works like opening a port, except that the service must have a definition file: one of the defaults in /usr/lib/firewalld/services or a custom one under /etc/firewalld/services.
List the services enabled in a zone
firewall-cmd --zone=public --list-services
Add the ssh service to the public zone
firewall-cmd --zone=public --add-service=ssh
Remove the service
firewall-cmd --zone=public --remove-service=ssh
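The following script is an added example and not part of the original post. It covers the custom service file from section 2 (a copy placed under /etc/firewalld/services), the zone file that --permanent writes (section 4), and the service lookup this section relies on: it writes a service definition with input checks and reads ports and services back out of either kind of XML file. The service name "myapp", its ports 8080/tcp and 8443/tcp, the sample public.xml contents and the FIREWALLD_ETC variable are assumptions made up for illustration; FIREWALLD_ETC defaults to /etc/firewalld but can point at a scratch directory so the script runs as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original post: write a custom firewalld service
# file the way section 2 describes, and read ports/services back out of the
# zone and service XML files firewalld keeps under /etc/firewalld.
# Assumptions: "myapp" and its ports are illustrative; FIREWALLD_ETC may be
# pointed at a scratch directory instead of the real /etc/firewalld.
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"

# check_port_spec PORT/PROTO -> 0 if PORT is 1..65535 and PROTO is tcp or udp
check_port_spec() {
    port=${1%/*}; proto=${1#*/}
    case $proto in tcp|udp) ;; *) echo "bad protocol: $1" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
}

# write_service NAME PORT/PROTO [PORT/PROTO ...]
# Writes $FIREWALLD_ETC/services/NAME.xml in the format firewalld uses.
# The name is restricted to [A-Za-z0-9_-] so it cannot escape the directory or
# inject markup, and every port is validated before anything is written.
write_service() {
    name=$1; shift
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "no ports given for $name" >&2; return 1; }
    for spec in "$@"; do check_port_spec "$spec" || return 1; done
    dir="$FIREWALLD_ETC/services"
    mkdir -p "$dir" || return 1
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$name"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out.tmp" && mv "$out.tmp" "$out"   # atomic replace: a reload never sees a half-written file
}

# list_ports FILE -> one PORT/PROTO per <port .../> element, whichever order
# the two attributes appear in
list_ports() {
    grep '<port ' "$1" | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        if [ -n "$port" ] && [ -n "$proto" ]; then printf '%s/%s\n' "$port" "$proto"; fi
    done
}

# list_services FILE -> names of the <service name="..."/> entries in a zone file
list_services() { sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"; }

# sample_zone_file PATH: a constructed stand-in for what
# /etc/firewalld/zones/public.xml looks like after
#   firewall-cmd --permanent --zone=public --add-port=8080/tcp
# (written here for the demo; not copied from a real host)
sample_zone_file() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
</zone>
EOF
}

# Run "sh firewalld_files.sh demo" to exercise everything in a scratch directory.
if [ "${1:-}" = demo ]; then
    FIREWALLD_ETC=$(mktemp -d)
    write_service myapp 8080/tcp 8443/tcp
    echo "services/myapp.xml ports:"; list_ports "$FIREWALLD_ETC/services/myapp.xml"
    sample_zone_file "$FIREWALLD_ETC/public.xml"
    echo "public.xml services:"; list_services "$FIREWALLD_ETC/public.xml"
    echo "public.xml ports:";    list_ports "$FIREWALLD_ETC/public.xml"
    rm -r "$FIREWALLD_ETC"
fi
```

After a real write_service under /etc/firewalld/services, firewall-cmd --reload makes the new service name available to --add-service; list_ports on the zone file is a quick way to confirm what a --permanent change actually recorded before reloading.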
6. How to set up port forwarding
To use port forwarding, first enable masquerading on the firewall:
firewall-cmd --add-masquerade --permanent
Example: we want connections to port 3306 on this machine (192.168.1.222) forwarded to port 3306 on host 192.168.1.111.
1. First, open port 3306 on this machine
firewall-cmd --permanent --zone=public --add-port=3306/tcp
2. Forward requests arriving at local port 3306 to port 3306 on host 192.168.1.111
firewall-cmd --permanent --zone=public --add-forward-port=port=3306:proto=tcp:toaddr=192.168.1.111:toport=3306
All three commands use --permanent, so run firewall-cmd --reload for them to take effect. After that, connecting to port 3306 on the .222 host actually reaches port 3306 on the .111 host.
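The three steps above as one script, added here as an example and not taken from the original post. It validates the port, protocol and destination address before touching the firewall, skips steps whose permanent configuration is already in place so it can be re-run safely, reloads because every change is --permanent, and finally queries the runtime configuration to confirm the forward rule is live. The addresses 192.168.1.222 and 192.168.1.111 and port 3306 are the post's; the ZONE and DRY_RUN variables, and the helper names, are this example's own assumptions. With DRY_RUN=1 it prints the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the port-forwarding procedure of
# section 6 as an idempotent script with input validation and verification.
# Assumptions: ZONE defaults to public (as in the post's commands); set
# DRY_RUN=1 to print the firewall-cmd calls instead of executing them.
ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-}"

# run CMD ARGS...: execute the command, or just echo it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# present QUERY-ARGS...: true if the permanent config already has the item.
# In DRY_RUN nothing is assumed present, so every add step is printed.
present() {
    [ -z "$DRY_RUN" ] || return 1
    firewall-cmd --permanent --zone="$ZONE" "$@" >/dev/null 2>&1
}

# valid_port N -> 0 if N is an integer 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D -> 0 if exactly four decimal octets, each 0..255
valid_ipv4() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# forward_spec PORT PROTO TOADDR TOPORT -> the --add-forward-port argument
forward_spec() {
    printf 'port=%s:proto=%s:toaddr=%s:toport=%s\n' "$1" "$2" "$3" "$4"
}

# setup_forward PORT PROTO TOADDR TOPORT
# Returns the status of the final runtime query: 0 means the rule is active.
setup_forward() {
    port=$1; proto=$2; toaddr=$3; toport=$4
    case $proto in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    valid_port "$port"   || { echo "bad local port: $port" >&2; return 1; }
    valid_port "$toport" || { echo "bad destination port: $toport" >&2; return 1; }
    valid_ipv4 "$toaddr" || { echo "bad destination address: $toaddr" >&2; return 1; }
    spec=$(forward_spec "$port" "$proto" "$toaddr" "$toport")

    # Step 0: masquerading, step 1: open the listening port, step 2: the forward.
    present --query-masquerade ||
        run firewall-cmd --permanent --zone="$ZONE" --add-masquerade
    present --query-port="$port/$proto" ||
        run firewall-cmd --permanent --zone="$ZONE" --add-port="$port/$proto"
    present --query-forward-port="$spec" ||
        run firewall-cmd --permanent --zone="$ZONE" --add-forward-port="$spec"

    # --permanent changes are not live until the firewall is reloaded.
    run firewall-cmd --reload

    # Verify against the runtime (no --permanent) configuration.
    run firewall-cmd --zone="$ZONE" --query-forward-port="$spec"
}

# Usage: DRY_RUN=1 sh forward.sh 3306 tcp 192.168.1.111 3306
if [ $# -eq 4 ]; then
    setup_forward "$@"
fi
```

Without DRY_RUN the script must run as root on the 192.168.1.222 host; the exit status of the final --query-forward-port tells you whether the rule is actually active after the reload, which a bare --add-forward-port --permanent does not.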