CentOS 7 series: common firewall command operations

Posted by planethax on Thu, 10 Mar 2022 15:56:19 +0100

firewalld

Introduction to firewalld

firewalld is a daemon that configures and monitors the system firewall rules. It uses iptables, ip6tables and ebtables as its back end, so you work with zones and services instead of editing those rule sets directly.

firewalld features

  • Dynamic firewall: rules can be changed at runtime without flushing and rebuilding the whole rule set
  • Applications can ask firewalld over the D-Bus message system to open network ports, so firewall rules can be managed dynamically
  • Firewall rules are stored in XML files, which makes the configuration persistent

firewalld installation

CentOS 7 normally ships with the firewalld service installed and enabled by default. If it is missing, install, start and enable it with the following commands:

# yum -y install firewalld
# systemctl start firewalld
# systemctl enable firewalld

Description of the predefined firewalld zones

  trusted
      Allow all incoming traffic
  public
      Reject incoming traffic unless it is related to outgoing traffic or matches a predefined service such as ssh. This is the default zone for new network interfaces
  work
      Reject incoming traffic unless it is related to outgoing traffic or matches a predefined service such as ssh
  home
      Reject incoming traffic unless it is related to outgoing traffic or matches a predefined service such as ssh or samba-client
  internal
      Initially the same as the home zone
  external
      Reject incoming traffic unless it is related to outgoing traffic or matches the predefined ssh service. IPv4 traffic forwarded out through this zone is masqueraded so that it appears to come from the IPv4 address of the outgoing network interface rather than from the source IP of the originating host
  dmz
      Reject incoming traffic unless it is related to outgoing traffic or matches the predefined ssh service
  block
      Reject all incoming traffic (the sender receives an ICMP error) unless it is related to outgoing traffic
  drop
      Silently drop all incoming traffic (no reply is sent) unless it is related to outgoing traffic

firewalld configuration methods

  • Use the graphical tool firewall-config
  • Use the command line tool firewall-cmd
  • Edit the configuration files in the /etc/firewalld/ directory directly

firewall-cmd commands

  1. Check whether the firewalld service is running
# systemctl status firewalld | grep 'Active:'
# firewall-cmd --state
  2. Get predefined information

The predefined information known to firewall-cmd includes the available zones, the available service names and the available ICMP types that can be blocked.

Description of the firewall-cmd options that display predefined information

  --get-zones
      Display the predefined zones
  --get-services
      Display the predefined services
  --get-icmptypes
      Display the predefined ICMP types (usable with --add-icmp-block)

To define your own zones, services and ICMP types, create the corresponding XML files in the /etc/firewalld/{zones,services,icmptypes} directories.

Use the firewall-cmd command to display predefined information

  • Display the predefined zones
# firewall-cmd --get-zones
  • Display the predefined services
# firewall-cmd --get-services
  • Display the predefined ICMP types
# firewall-cmd --get-icmptypes | fmt -5
  3. Zone management

Use the firewall-cmd command to query and manage zones, bind network interfaces to a given zone, and so on.

Description of the firewall-cmd zone management options

  --get-default-zone
      Display the default zone for network connections and interfaces
  --set-default-zone=<zone>
      Set the default zone for network connections and interfaces
  --get-active-zones
      Display all active zones (those with at least one interface or source bound to them)
  --get-zone-of-interface=<interface>
      Display the zone the given interface is bound to
  --zone=<zone> --add-interface=<interface>
      Bind a network interface to the given zone
  --zone=<zone> --change-interface=<interface>
      Move a network interface to the given zone
  --zone=<zone> --remove-interface=<interface>
      Unbind a network interface from the given zone
  --list-all-zones
      Display all zones and their rules
  [--zone=<zone>] --list-all
      Display all rules of the given zone. If --zone=<zone> is omitted, the command operates on the default zone
  • Display the default zone
# firewall-cmd --get-default-zone
  • Display all rules of the default zone
# firewall-cmd --list-all
  • Display the zone that the network interface ens33 is bound to
# firewall-cmd --get-zone-of-interface=ens33
  • Move the network interface ens33 to the internal zone and verify the change
# firewall-cmd --zone=internal --change-interface=ens33
# firewall-cmd --zone=internal --list-interfaces
# firewall-cmd --get-zone-of-interface=ens33
  • Display all active zones
# firewall-cmd --get-active-zones
  4. Manage services in a zone
  • For each zone you can configure which services are allowed in
  • Predefined services (those listed by firewall-cmd --get-services) can be configured by service name or by port number
  • Services that are not predefined can only be configured by port number

Description of the firewall-cmd options for managing services in a zone

  [--zone=<zone>] --list-services
      Display all services allowed in the given zone
  [--zone=<zone>] --add-service=<service>
      Allow a service in the given zone
  [--zone=<zone>] --remove-service=<service>
      Remove a service that was allowed in the given zone
  [--zone=<zone>] --list-ports
      Display all ports allowed in the given zone
  [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>
      Allow a port or port range (with its protocol) in the given zone
  [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>
      Remove a port or port range (with its protocol) that was allowed in the given zone
  [--zone=<zone>] --list-icmp-blocks
      Display all ICMP types blocked in the given zone
  [--zone=<zone>] --add-icmp-block=<icmptype>
      Block an ICMP type in the given zone
  [--zone=<zone>] --remove-icmp-block=<icmptype>
      Remove an ICMP type that was blocked in the given zone

Omitting --zone=<zone> means the command operates on the default zone.

  • Allow a service or port in the default zone
# firewall-cmd --list-services
# firewall-cmd --add-service=http
  • Allow a service or port in the internal zone
# firewall-cmd --zone=internal --add-service=mysql
# firewall-cmd --zone=internal --remove-service=samba-client
# firewall-cmd --zone=internal --list-services
# firewall-cmd --zone=internal --add-port=8080/tcp
# firewall-cmd --zone=internal --list-ports
  • Block an ICMP type in the default zone
# firewall-cmd --add-icmp-block=source-quench
# firewall-cmd --list-icmp-blocks
  5. IP masquerading and port forwarding
  • firewalld supports SNAT and DNAT configurations.
  • IP masquerading (a form of SNAT) and port forwarding (a form of DNAT) can be configured easily with firewall-cmd

Description of the firewall-cmd options for IP masquerading and port forwarding in a zone

  [--zone=<zone>] --list-forward-ports
      Display the IPv4 port forwarding rules set in the given zone
  [--zone=<zone>] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
      Add an IPv4 port forwarding rule to the given zone
  [--zone=<zone>] --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
      Remove an IPv4 port forwarding rule from the given zone
  [--zone=<zone>] --query-masquerade
      Check whether IPv4 masquerading is enabled in the given zone
  [--zone=<zone>] --add-masquerade
      Enable IPv4 masquerading in the given zone
  [--zone=<zone>] --remove-masquerade
      Disable IPv4 masquerading in the given zone

Use the firewall-cmd command to set up IP masquerading and port forwarding

  • Enable IP masquerading in the default zone
# firewall-cmd --add-masquerade
# firewall-cmd --query-masquerade
  • Set up port forwarding in the default zone (forwarding to another host additionally requires masquerading to be enabled in the zone, as done above)
    • Redirect access to port 80 of the public zone to local port 3128
# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=3128
    • Redirect access to port 21 of the public zone to port 21 of 192.0.2.155
# firewall-cmd --add-forward-port=port=21:proto=tcp:toaddr=192.0.2.155
    • Redirect access to port 22155 of the public zone to port 22 of 192.0.2.155
# firewall-cmd --add-forward-port=port=22155:proto=tcp:toport=22:toaddr=192.0.2.155
    • Redirect access to port 22166 of the public zone to port 22 of 192.0.2.166
# firewall-cmd --add-forward-port=port=22166:proto=tcp:toport=22:toaddr=192.0.2.166
    • Display the forwarded ports of the default zone
# firewall-cmd --list-forward-ports
    • Remove port forwarding rules set in the default zone
# firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=3128
# firewall-cmd --remove-forward-port=port=22166:proto=tcp:toport=22:toaddr=192.0.2.166
# firewall-cmd --list-forward-ports
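The following script is an added example and is not code from the original post. It serves two passages: the "edit the configuration files in /etc/firewalld/ directly" method listed under the configuration methods, and the --add-forward-port spec grammar in the table above. It generates a zone file in the XML format firewalld stores under /etc/firewalld/zones/ (service, port, forward-port and masquerade elements), after parsing each forward-port spec with that grammar. Everything not stated on the page is an assumption: output goes to $ZONE_DIR (by default a fresh temporary directory, so nothing under /etc/firewalld is touched), and a forward to another host is refused unless masquerading is enabled, which is what firewall-cmd(1) requires for remote destinations.

```shell
#!/bin/sh
# Added example (not from the original post): generate a persistent zone file in
# the XML format firewalld keeps under /etc/firewalld/zones/, from the service,
# port and forward-port settings used by the firewall-cmd commands above.
# Assumptions not taken from the page: output goes to $ZONE_DIR (default: a new
# temporary directory), and a forward to another host is refused unless
# masquerading is on, as firewall-cmd(1) requires for remote destinations.

ZONE_DIR="${ZONE_DIR:-$(mktemp -d)}"

# valid_port "80" or "3000-3010": a decimal port or ascending range within 1-65535
valid_port() {
    case $1 in ''|*[!0-9-]*|-*|*-|*-*-*) return 1;; esac
    lo=${1%%-*}; hi=${1##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# valid_proto: the protocols firewalld accepts in port and forward-port entries
valid_proto() { case $1 in tcp|udp|sctp|dccp) return 0;; *) return 1;; esac; }

# valid_ipv4 "192.0.2.155" or "192.0.2.0/24": dotted quad with optional prefix length
valid_ipv4() {
    addr=${1%%/*}; mask=${1#*/}
    if [ "$mask" = "$1" ]; then mask=32; fi
    case $mask in ''|*[!0-9]*) return 1;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# parse_forward_port SPEC, where SPEC follows the --add-forward-port grammar:
#   port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
# Prints "PORT PROTO TOPORT TOADDR" ("-" for an absent field); returns 1 on error.
parse_forward_port() {
    spec=$1; port=; proto=; toport=; toaddr=
    oldifs=$IFS; IFS=:
    for kv in $spec; do
        case ${kv%%=*} in
            port)   port=${kv#*=};;
            proto)  proto=${kv#*=};;
            toport) toport=${kv#*=};;
            toaddr) toaddr=${kv#*=};;
            *) IFS=$oldifs; echo "unknown field in '$spec'" >&2; return 1;;
        esac
    done
    IFS=$oldifs
    valid_port "$port"   || { echo "bad port '$port' in '$spec'" >&2; return 1; }
    valid_proto "$proto" || { echo "bad proto '$proto' in '$spec'" >&2; return 1; }
    if [ -n "$toport" ] && ! valid_port "$toport"; then echo "bad toport '$toport'" >&2; return 1; fi
    if [ -n "$toaddr" ] && ! valid_ipv4 "$toaddr"; then echo "bad toaddr '$toaddr'" >&2; return 1; fi
    if [ -z "$toport$toaddr" ]; then echo "'$spec' needs toport and/or toaddr" >&2; return 1; fi
    printf '%s %s %s %s\n' "$port" "$proto" "${toport:--}" "${toaddr:--}"
}

# write_zone NAME "SERVICES" "PORTS" "FORWARDS" MASQ
#   SERVICES  space-separated service names, e.g. "ssh mysql"
#   PORTS     space-separated port/protocol entries, e.g. "8080/tcp"
#   FORWARDS  space-separated --add-forward-port specs
#   MASQ      yes or no, as --query-masquerade reports it
# Prints the path of the generated file; firewall-cmd --reload activates it.
write_zone() {
    name=$1; services=$2; ports=$3; forwards=$4; masq=$5; body=
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad zone name '$name'" >&2; return 1;; esac
    for s in $services; do
        case $s in *[!A-Za-z0-9_-]*) echo "bad service name '$s'" >&2; return 1;; esac
        body="$body  <service name=\"$s\"/>\n"
    done
    for p in $ports; do
        if ! valid_port "${p%/*}" || ! valid_proto "${p#*/}"; then
            echo "bad port entry '$p'" >&2; return 1
        fi
        body="$body  <port protocol=\"${p#*/}\" port=\"${p%/*}\"/>\n"
    done
    for f in $forwards; do
        parsed=$(parse_forward_port "$f") || return 1
        set -- $parsed          # PORT PROTO TOPORT TOADDR
        if [ "$4" != "-" ] && [ "$masq" != yes ]; then
            echo "forward to $4 needs masquerade enabled in zone '$name'" >&2; return 1
        fi
        attrs="port=\"$1\" protocol=\"$2\""
        if [ "$3" != "-" ]; then attrs="$attrs to-port=\"$3\""; fi
        if [ "$4" != "-" ]; then attrs="$attrs to-addr=\"$4\""; fi
        body="$body  <forward-port $attrs/>\n"
    done
    if [ "$masq" = yes ]; then body="$body  <masquerade/>\n"; fi
    out="$ZONE_DIR/$name.xml"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n  <short>%s</short>\n%b</zone>\n' \
        "$name" "$body" > "$out"
    printf '%s\n' "$out"
}

# Stand-alone demo ("sh zone.sh demo"): writes internal.xml into $ZONE_DIR
if [ "${1:-}" = demo ]; then
    write_zone internal "ssh mysql" "8080/tcp" "port=22155:proto=tcp:toport=22:toaddr=192.0.2.155" yes
fi
```

Run it as `ZONE_DIR=/tmp/zones sh zone.sh demo` to inspect the result before copying a file into /etc/firewalld/zones/ and reloading; the validation mirrors what firewall-cmd rejects, so a malformed port range or an unmasqueraded forward to another host fails here instead of after the reload.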
  6. Two configuration modes
    firewall-cmd has two configuration modes:
  • Runtime mode: the firewall configuration currently loaded in memory.
  • Permanent mode: the configuration that is applied when firewalld is restarted or its rules are reloaded.

Description of the firewall-cmd options related to the configuration mode

  --reload
      Reload the firewall rules while keeping state information, that is, apply the permanent configuration to the runtime configuration
  --permanent
      A command with this option sets a permanent rule. Such rules do not take effect until firewalld is restarted or its rules are reloaded; a command without this option sets a runtime rule only, which is lost on restart or reload
  --runtime-to-permanent
      Write the current runtime configuration to the rule configuration files, making it the permanent configuration

If you want a rule in both the runtime and the permanent configuration, there are three ways to do it:

  • Method 1: set the runtime rule and the permanent rule independently
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --zone=public --add-service=https --permanent
  • Method 2: set the permanent rule, then reload the configuration so that it also becomes the runtime rule
# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --reload
  • Method 3: set the runtime rule, then write it to the configuration files so that it also becomes permanent
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --runtime-to-permanent
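Whichever of the three methods is used, the failure mode is the same: a rule that exists in only one of the two views. The script below is an added example, not code from the original post or from the firewalld project. It compares `--list-all` with `--permanent --list-all` for a zone and prints the difference, so a runtime-only rule (lost at the next reload) or a permanent-only rule (not yet enforced) shows up as a diff. The only assumption beyond the page is that the binary is taken from $FIREWALL_CMD (default firewall-cmd), so the check can be exercised against a stand-in on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original post): report drift between a zone's
# runtime and permanent configuration. A rule added without --permanent vanishes
# on --reload or restart, and a rule added only with --permanent is not enforced
# until then, so the two views should normally agree.
# Assumption not taken from the page: the binary is read from $FIREWALL_CMD
# (default firewall-cmd) so the check can run against a stand-in for testing.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Drop the header line (zone name plus an "(active)" marker that only the
# runtime view carries) and trailing whitespace, so only the rule fields compare.
normalize_listing() {
    sed -e '1d' -e 's/[[:space:]]*$//'
}

# zone_drift ZONE
# Prints a unified diff, runtime (-) versus permanent (+), for the given zone.
# Returns 0 when both views match, 1 when they differ, 2 when firewall-cmd failed.
zone_drift() {
    zone=$1
    runtime=$("$FIREWALL_CMD" --zone="$zone" --list-all) || return 2
    permanent=$("$FIREWALL_CMD" --permanent --zone="$zone" --list-all) || return 2
    work=$(mktemp -d)
    printf '%s\n' "$runtime"   | normalize_listing > "$work/runtime"
    printf '%s\n' "$permanent" | normalize_listing > "$work/permanent"
    if diff -u "$work/runtime" "$work/permanent" > "$work/diff"; then
        rm -rf "$work"
        return 0
    fi
    cat "$work/diff"
    rm -rf "$work"
    return 1
}

# check_all_zones: run zone_drift over every zone that --get-zones reports;
# prints one line per drifted zone and returns 0 only if none drifted.
check_all_zones() {
    status=0
    for z in $("$FIREWALL_CMD" --get-zones); do
        if ! zone_drift "$z" > /dev/null; then
            echo "drift in zone $z (runtime differs from permanent)"
            status=1
        fi
    done
    return $status
}

# Stand-alone usage on a host with firewalld: CHECK_ZONE=public sh drift.sh
if [ -n "${CHECK_ZONE:-}" ]; then
    zone_drift "$CHECK_ZONE" && echo "$CHECK_ZONE: runtime and permanent configuration match"
fi
```

A non-zero exit from `check_all_zones` is a reasonable thing to alert on from a cron job or a configuration-management run, since it means either an unsaved change or a staged change that nobody has reloaded. Interface bindings made through the network manager rather than with --permanent can appear only in the runtime view; if that is noise on your hosts, drop the `interfaces:` line in `normalize_listing` as well.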
  7. Advanced configuration
    firewall-cmd also supports two advanced configuration methods:
  • Rich rules
    The --add-rich-rule='rule ...' option specifies complex rules written in the rich rule syntax.
    • Allow access to the local MySQL service from the 192.166.0.0/24 network
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.166.0.0/24" service name="mysql" accept'
    • Display the rich rules
# firewall-cmd --list-rich-rules
    • Remove the rich rule defined above
# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.166.0.0/24" service name="mysql" accept'
  • Direct interface
    The --direct option of firewall-cmd lets you use the native iptables, ip6tables and ebtables rule syntax directly. firewalld passes such rules through without checking them and they are evaluated ahead of the zone rules, so use them only for what zones and rich rules cannot express.
    • Insert a rule at the top (priority 0) of the IN_public_allow chain in the filter table to allow access to local port 666
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT
    • Display the rules of the IN_public_allow chain in the filter table
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
    • Remove the rule defined above from the IN_public_allow chain in the filter table
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 666 -j ACCEPT

Rules configured with firewall-cmd --permanent --direct are written to a separate configuration file, /etc/firewalld/direct.xml.

  8. Panic mode
    If the server comes under a serious network attack, panic mode can be enabled. Once it is on, all inbound and outbound packets, including those of established connections, are dropped
# firewall-cmd --panic-on

Because this also drops your own SSH session, enable panic mode only from the console or another out-of-band channel.

Turn off panic mode

# firewall-cmd --panic-off

Check whether panic mode is currently on

# firewall-cmd --query-panic

This concludes the common firewall-cmd operations. Thank you very much for reading this post; comments and corrections are welcome.

Topics: Linux Operation & Maintenance CentOS