On CentOS 7 the default firewall front end changed from iptables to firewalld, which is managed differently. The following is a detailed description of the common firewall-cmd operations. Unless --permanent is given, a change applies only to the running configuration and is lost on reload or reboot; a --permanent change is written under /etc/firewalld and becomes active after firewall-cmd --reload.
First, port management
List the ports allowed into the dmz zone
# firewall-cmd --zone=dmz --list-ports
Allow tcp port 8080 into the dmz zone (runtime only)
# firewall-cmd --zone=dmz --add-port=8080/tcp
Permanently allow a udp port range into the public zone (write the range low-high; firewall-cmd rejects a range whose first port is higher than the last, such as 5060-5059)
# firewall-cmd --zone=public --add-port=5060-5069/udp --permanent
Second, network interface cards
List all interfaces bound to the public zone
# firewall-cmd --zone=public --list-interfaces
Bind eth0 to the public zone, permanently
# firewall-cmd --zone=public --permanent --add-interface=eth0
If eth0 is already in the public zone, move it to the work zone: --change-interface removes it from public and adds it to work in one step (an interface can belong to only one zone, so --add-interface alone would not do this). For an interface managed by NetworkManager the permanent binding is stored as ZONE= in its connection profile, which firewall-cmd updates for you.
# firewall-cmd --zone=work --permanent --change-interface=eth0
Remove eth0 from the public zone, permanently
# firewall-cmd --zone=public --permanent --remove-interface=eth0
Third, service management
Add the smtp service to the work zone
# firewall-cmd --zone=work --add-service=smtp
Remove the smtp service from the work zone
# firewall-cmd --zone=work --remove-service=smtp
Fourth, IP masquerading (SNAT) in the external zone
Query whether masquerading is enabled
# firewall-cmd --zone=external --query-masquerade
Enable masquerading (IPv4 only; firewalld turns on IPv4 forwarding for you, so the host becomes a NAT router for the traffic it forwards)
# firewall-cmd --zone=external --add-masquerade
Disable masquerading
# firewall-cmd --zone=external --remove-masquerade
Fifth, port forwarding configuration in the public zone
Forwarding to another address requires masquerading in the zone, so enable it first (redirecting to a different port on the same host does not need it)
# firewall-cmd --zone=public --add-masquerade
Then forward tcp port 22 to port 3753 on the same host
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
Forward tcp port 22 to the same port 22 on another IP (omitting toport keeps the port)
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
Forward tcp port 22 to port 2055 on another IP
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
Note that all three rules redirect port 22 away from the local sshd: once applied, your own SSH connections to this host on port 22 land on the forwarding target. Try such a rule without --permanent first (a runtime rule disappears on --reload or reboot), and keep an alternative way in before making it permanent.
Sixth, icmp configuration in the public zone
List all supported icmp types (the set depends on the firewalld version)
# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
List the icmp types blocked in the public zone
# firewall-cmd --zone=public --list-icmp-blocks
Block echo-request (incoming ping), optionally only for a number of seconds; --timeout is a runtime option and cannot be combined with --permanent
# firewall-cmd --zone=public --add-icmp-block=echo-request [--timeout=seconds]
Unblock echo-reply
# firewall-cmd --zone=public --remove-icmp-block=echo-reply
Seventh, banning IPs (this is what we use most)
Ban a single IP
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.222' reject"
Ban an IP range
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.0/24' reject"
Allow one port for a single IP
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.1.2 port port=80 protocol=tcp accept"
These are the rules we use most: banning an IP, and allowing (accept) or refusing (reject) a port for a given IP. A rich rule given without --zone is added to the default zone; use --zone=... to target another one.
Of course, IPs can also be banned with an ipset. ipsets are global objects in firewalld, not bound to a zone, so --zone is not needed when creating or filling them; the zone only matters for the rich rule that references the set.
Ban a single IP (a hash:ip set)
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip
# firewall-cmd --permanent --ipset=blacklist --add-entry=222.222.222.222
Ban an IP range (a hash:net set). A hash:net set also accepts single addresses, so one hash:net set can hold both hosts and ranges; creating a second set with a name that already exists fails with NAME_CONFLICT, so pick another name or use one set for everything
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:net
# firewall-cmd --permanent --ipset=blacklist --add-entry=222.222.222.0/24
Import an ipset definition from a file
# firewall-cmd --permanent --new-ipset-from-file=/path/blacklist.xml
Then ban everything in the blacklist (drop discards silently; reject would answer each blocked packet with an ICMP error, which tells the sender that a filter exists)
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset=blacklist drop'
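As an added example (my code, not part of the original post), the following script builds the blacklist described above from a plain-text file instead of one --add-entry call per address: it validates every line, keeps hosts and ranges in a single hash:net set, creates the set only if it does not already exist, loads the entries with --add-entries-from-file, adds the drop rule and reloads. The file path /etc/firewalld/blacklist.txt in the usage line and the variable names FWCMD, IPSET_NAME and ZONE are assumptions for this example, not firewalld conventions.

```shell
#!/bin/sh
# Load an IPv4 blacklist into firewalld from a text file (one address or
# CIDR range per line, "#" comments allowed) and drop all traffic from it.
# One hash:net set serves both single hosts (/32) and ranges, so no second
# hash:ip set is needed. ipsets are global in firewalld, so --zone is only
# used for the rich rule. Set FWCMD=echo for a dry run.
FWCMD="${FWCMD:-firewall-cmd}"        # assumption: override for testing
IPSET_NAME="${IPSET_NAME:-blacklist}"
ZONE="${ZONE:-public}"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_or_cidr() {
    local entry=$1 addr prefix octet oldifs
    addr=${entry%%/*}
    prefix=${entry#*/}
    if [ "$prefix" = "$entry" ]; then prefix=32; fi   # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs    # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Copy the usable entries of $1 to $2, reporting every rejected line on
# stderr. Returns 1 if any line was rejected, so a typo never silently
# shrinks the list that reaches the firewall.
clean_blacklist_file() {
    local src=$1 dst=$2 line bad=0
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')       # and whitespace
        [ -n "$line" ] || continue
        if is_ipv4_or_cidr "$line"; then
            printf '%s\n' "$line" >> "$dst"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$src"
    return "$bad"
}

# Create the set if missing, bulk-load the entries, add the drop rule, reload.
apply_blacklist() {
    local src=$1 tmp
    tmp=$(mktemp)
    if ! clean_blacklist_file "$src" "$tmp"; then
        rm -f "$tmp"
        echo "refusing to apply $src: fix the rejected entries first" >&2
        return 1
    fi
    # --new-ipset fails with NAME_CONFLICT if the set already exists.
    if ! "$FWCMD" --permanent --get-ipsets | grep -qxF "$IPSET_NAME"; then
        "$FWCMD" --permanent --new-ipset="$IPSET_NAME" --type=hash:net
    fi
    "$FWCMD" --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$tmp"
    # drop rather than reject: a banned host gets no ICMP error to probe with.
    "$FWCMD" --permanent --zone="$ZONE" \
        --add-rich-rule="rule source ipset=$IPSET_NAME drop"
    "$FWCMD" --reload
    rm -f "$tmp"
}

# Usage: sh blacklist.sh --apply /etc/firewalld/blacklist.txt
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_blacklist "$2"
fi
```

Adding the drop rule a second time is harmless in practice but firewall-cmd reports the duplicate, and re-adding entries that are already in the set may be reported as well; run with FWCMD=echo first to see the exact commands the script would issue.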
Eighth, restricting a port to an IP or range
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.1.2 port port=80 protocol=tcp accept"
Allow only 192.168.1.2 to reach port 80 (to deny it instead, replace accept with reject; to delete a rule, change --add-rich-rule to --remove-rich-rule). The accept rule only restricts access if port 80 is not also opened zone-wide with --add-port or --add-service; otherwise every source stays allowed.
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.1.0/24 port port=80 protocol=tcp accept"
Allow only the 192.168.1.0/24 range to reach port 80 (the same accept/reject and --remove-rich-rule notes apply)
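The rules above make 192.168.1.2 (or the range) the only client of port 80 only when port 80 is not also open for the whole zone. As an added example (my code, not from the original post), this script checks the permanent configuration of a zone for such a zone-wide opening, both as a raw port and as a service name, removes it, and then adds the source-restricted accept rule. The function names and the FWCMD variable are assumptions for this example.

```shell
#!/bin/sh
# Restrict a port in a firewalld zone to one source address or network.
# A rich-rule "accept" for a source excludes nobody by itself: if the port
# is also opened zone-wide with --add-port or --add-service, every source
# stays allowed. So close such an opening before adding the rich rule.
# FWCMD can be pointed at a stub (e.g. echo) for a dry run.
FWCMD="${FWCMD:-firewall-cmd}"        # assumption: override for testing

# Print the zone-wide openings for port/proto in the permanent config:
# "port" if opened directly, "service" if opened through the named service
# (e.g. http for 80/tcp), "port service" for both, "" for none.
zone_wide_opening() {
    local zone=$1 port=$2 proto=$3 service=${4:-} found="" p s
    for p in $("$FWCMD" --permanent --zone="$zone" --list-ports); do
        if [ "$p" = "$port/$proto" ]; then found="${found:+$found }port"; fi
    done
    if [ -n "$service" ]; then
        for s in $("$FWCMD" --permanent --zone="$zone" --list-services); do
            if [ "$s" = "$service" ]; then found="${found:+$found }service"; fi
        done
    fi
    printf '%s\n' "$found"
}

# Close the zone-wide opening (if any), then allow only $source on the port.
# Prints what was closed: "port", "service", "port service" or "none".
# The address is not validated here; firewall-cmd rejects a malformed one.
# Changes are permanent and become active after firewall-cmd --reload.
restrict_port_to_source() {
    local zone=$1 port=$2 proto=$3 source=$4 service=${5:-} opening
    opening=$(zone_wide_opening "$zone" "$port" "$proto" "$service")
    case " $opening " in
        *" port "*) "$FWCMD" --permanent --zone="$zone" --remove-port="$port/$proto" ;;
    esac
    case " $opening " in
        *" service "*) "$FWCMD" --permanent --zone="$zone" --remove-service="$service" ;;
    esac
    "$FWCMD" --permanent --zone="$zone" \
        --add-rich-rule="rule family=ipv4 source address=$source port port=$port protocol=$proto accept"
    printf '%s\n' "${opening:-none}"
}

# Usage: sh restrict-port.sh public 80 tcp 192.168.1.2 http && firewall-cmd --reload
if [ $# -ge 4 ]; then
    restrict_port_to_source "$@"
fi
```

The service check only matches the name you pass (http for port 80), because mapping every service in the zone back to its ports would need one --info-service call per service; pass the service name that corresponds to the port you are locking down.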
Ninth, a dual-NIC host with one card free of firewall restrictions
# firewall-cmd --permanent --zone=public --add-interface=eth1
The public-facing card goes into the public zone (the default zone), where only explicitly opened ports and services are reachable
# firewall-cmd --permanent --zone=trusted --add-interface=eth2
The trusted zone accepts all connections, so eth2 is completely unfiltered; bind only a genuinely trusted internal network to it
Tenth, reload to take effect
# firewall-cmd --reload
--reload activates the permanent configuration and discards any runtime-only changes made without --permanent.
View the resulting rich rules
# firewall-cmd --list-rich-rules