Firewall configuration and usage in RHEL 7

  • 2020-05-15 03:19:26
  • OfStack

RHEL 7 uses firewalld in place of the iptables service. Its operation and configuration differ somewhat from the old way of doing things:

View firewall status: systemctl status firewalld

Start the firewall: systemctl start firewalld

Stop the firewall: systemctl stop firewalld

In firewalld, network interfaces and source addresses are assigned to zones, and each zone carries its own set of rules. The predefined zones are:


Zone                 Description
-------------------  -------------------------------------------------------------------
drop (immutable)     Deny all incoming connections; outgoing ones are accepted.
block (immutable)    Deny all incoming connections, with ICMP host-prohibited messages issued.
trusted (immutable)  Allow all network connections.
public               Public areas; do not trust other computers.
external             For computers with masquerading enabled, protecting a local network.
dmz                  For publicly accessible computers with restricted access.
work                 For trusted work areas.
home                 For trusted home network connections.
internal             For internal networks; restrict incoming connections.

drop
All incoming packets are dropped without any reply. Only outgoing connections are possible.

block
Any incoming connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.

public
For use in public areas. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone)
For computers in your DMZ that are publicly accessible but have only limited access to your internal network. Only selected incoming connections are accepted.

work
For use in work areas. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home
For use at home. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

internal
For use on internal networks. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

trusted
All network connections are accepted.

Some common commands for operating a firewall:

-- display firewall status

[root@localhost zones]# firewall-cmd --state
running


-- list all available zones
[root@localhost zones]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

-- get the currently active zones
[root@localhost zones]# firewall-cmd --get-active-zones
public
interfaces: ens32 veth4103622

-- get the default zone
[root@localhost zones]# firewall-cmd --get-default-zone
public

-- list the services currently known to firewalld
[root@localhost zones]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

-- list the services in the permanent configuration, i.e. those available after the next reload
[root@localhost zones]# firewall-cmd --get-services --permanent
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

-- list the ports open in zone public
[root@localhost zones]# firewall-cmd --zone=public --list-ports

-- list the current settings of zone public
[root@localhost zones]# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
-- open the http service in zone public (runtime only) and, permanently, in zone internal
[root@localhost zones]# firewall-cmd --zone=public --add-service=http
success
[root@localhost zones]# firewall-cmd --permanent --zone=internal --add-service=http
success


-- reload the configuration
[root@localhost zones]# firewall-cmd --reload
success


-- open port 443/tcp in zone internal (runtime only)
[root@localhost zones]# firewall-cmd --zone=internal --add-port=443/tcp
success


-- list all services of zone internal
[root@localhost zones]# firewall-cmd --zone=internal --list-services
dhcpv6-client ipp-client mdns samba-client ssh


Setting up a whitelist and a blacklist with the trusted and drop zones
-- add the 172.28.129.0/24 network to zone trusted (whitelist)
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --add-source=172.28.129.0/24
success


-- list the whitelisted sources of zone trusted
[root@localhost zones]# firewall-cmd --permanent --zone=trusted --list-sources
172.28.129.0/24


-- active zones: trusted is not active yet, because the permanent change has not been reloaded
[root@localhost zones]# firewall-cmd --get-active-zones
public
interfaces: eno16777736


-- reload so the permanent rule takes effect, then check --get-active-zones again
[root@localhost zones]# firewall-cmd --reload
success
[root@localhost zones]# firewall-cmd --get-active-zones
public
interfaces: ens32 veth4103622
trusted
sources: 172.28.129.0/24


-- list all rules for zone drop
[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:


-- add 172.28.13.0/24 to zone drop (blacklist)
[root@localhost zones]# firewall-cmd --permanent --zone=drop --add-source=172.28.13.0/24
success


-- the change must be reloaded before it takes effect
[root@localhost zones]# firewall-cmd --reload
success


[root@localhost zones]# firewall-cmd --zone=drop --list-all
drop
interfaces:
sources: 172.28.13.0/24
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:


[root@localhost zones]# firewall-cmd --reload
success


-- remove 172.28.13.0/24 from zone drop (reload again afterwards)
[root@localhost zones]# firewall-cmd --permanent --zone=drop --remove-source=172.28.13.0/24
success


-- view the rules of all zones
[root@localhost ~]# firewall-cmd --list-all-zones

A few last points:

1. Most of the time what we need is to open a port or to allow access from certain IP addresses. First check which zone is the current default, then add the port or source to that zone; only then does the change affect traffic arriving from outside.

For example, my current default zone is public and I need to open port 80 for external access, so I run:

[root@localhost zones]# firewall-cmd --zone=public --permanent --add-port=80/tcp
success
[root@localhost zones]# firewall-cmd --reload
success

2. Adding --permanent to a command makes the change permanent: it is written to the configuration and survives a restart of the firewall service, but it only becomes active after firewall-cmd --reload (as in the examples above). Without --permanent the change applies to the running configuration immediately and is lost when the service is restarted.
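The procedure in points 1 and 2, and the whitelist/blacklist steps earlier on the page, can be wrapped in a small script so that the port and address arguments are checked before they reach firewall-cmd and every permanent change is followed by a reload. The following is an added example, not code from the original article or from the firewalld project; the FIREWALL_CMD and DRY_RUN variables and the function names are this example's own conventions. With DRY_RUN left at its default of 1 the script only prints the commands it would run, so it can be reviewed on any machine; set DRY_RUN=0 on the RHEL 7 host to apply them.

```shell
#!/bin/sh
# Added example: apply firewalld changes the way the article recommends
# (permanent rule, then reload) with input validation and a dry-run mode.
# FIREWALL_CMD and DRY_RUN are this example's own variables, not firewall-cmd
# options. DRY_RUN defaults to 1 (print only); set DRY_RUN=0 to really apply.

: "${FIREWALL_CMD:=firewall-cmd}"
: "${DRY_RUN:=1}"

# Print the command in dry-run mode, otherwise execute it.
run_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$FIREWALL_CMD" "$*"
    else
        "$FIREWALL_CMD" "$@"
    fi
}

# Accept PORT/PROTO or LOW-HIGH/PROTO, e.g. 80/tcp or 5000-5100/udp.
valid_port_spec() {
    spec=$1
    port=${spec%/*}
    proto=${spec##*/}
    [ "$port" != "$spec" ] || return 1          # no "/PROTO" part at all
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    lo=${port%-*}
    hi=${port#*-}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac   # digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Accept a dotted-quad IPv4 address with an optional /PREFIX (bare address = /32).
valid_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; plen=${1##*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                                  # split the address on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Open a port in ZONE permanently and reload so the running rules match.
# Find ZONE first with: firewall-cmd --get-default-zone
open_port() {
    zone=$1; spec=$2
    valid_port_spec "$spec" || { echo "rejected port spec: $spec" >&2; return 2; }
    run_fw --permanent --zone="$zone" --add-port="$spec" || return 1
    run_fw --reload
}

# Bind a source network to ZONE permanently and reload: zone "trusted" acts as
# a whitelist and zone "drop" as a blacklist, exactly as in the article's session.
add_source() {
    zone=$1; net=$2
    valid_ipv4_cidr "$net" || { echo "rejected network: $net" >&2; return 2; }
    run_fw --permanent --zone="$zone" --add-source="$net" || return 1
    run_fw --reload
}

# Demonstration with the article's values (dry run by default: nothing is changed).
open_port public 80/tcp
add_source trusted 172.28.129.0/24
add_source drop 172.28.13.0/24
```

The validators reject malformed input such as a port without a protocol, a port above 65535 or a network prefix longer than /32 before any command is issued, so a typo cannot silently produce a wider rule than intended.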

3. The commands actually write their results to configuration files, so the corresponding file can also be edited directly.

Taking the public zone as an example, its configuration file is /etc/firewalld/zones/public.xml. After adding port 80 as above, public.xml contains:


[root@localhost zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>Public</short>
 <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
 <service name="dhcpv6-client"/>
 <service name="ssh"/>
 <port protocol="tcp" port="80"/>
</zone>

You can go a step further, study the structure of the configuration file and edit it yourself, but remember to reload the firewall (firewall-cmd --reload) or restart the service afterwards.
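Point 3 makes the zone file the authoritative record of what a zone opens, which is also what a configuration audit should check: what is actually declared in /etc/firewalld/zones/<zone>.xml versus what is supposed to be there. The following is an added example, not code from the original article or from the firewalld project: it reads the two element types shown above (service and port) with sed, compares them with an allowlist, and flags any other element that could admit traffic for manual review. The function names are this example's own, and the sample zone file is a constructed copy of the public.xml above, written to a temporary file so the script runs on any machine.

```shell
#!/bin/sh
# Added example: audit a firewalld zone file (e.g. /etc/firewalld/zones/public.xml)
# against an allowlist of services and ports using only POSIX sed/grep.
# Function names are this example's own. Only the <service name=".."/> and
# <port .../> elements shown in the article are parsed; rich rules,
# forward-ports and masquerade are reported for manual review, not interpreted.

# Print the service names declared in the zone file, one per line.
zone_services() {
    sed -n 's|.*<service name="\([^"]*\)".*|\1|p' "$1"
}

# Print open ports as PORT/PROTO, one per line; both attribute orders are accepted.
zone_ports() {
    sed -n -e 's|.*<port protocol="\([^"]*\)" port="\([^"]*\)".*|\2/\1|p' \
           -e 's|.*<port port="\([^"]*\)" protocol="\([^"]*\)".*|\1/\2|p' "$1"
}

# True if $1 equals one of the remaining arguments.
in_list() {
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# audit_zone_file FILE "svc1 svc2 ..." "port/proto ..."
# Prints each entry not in the allowlists; returns 0 only when there are none.
audit_zone_file() {
    file=$1
    allowed_services=$2
    allowed_ports=$3
    rc=0
    for svc in $(zone_services "$file"); do
        # $allowed_services is deliberately unquoted so it splits into words
        in_list "$svc" $allowed_services || { echo "unexpected service: $svc"; rc=1; }
    done
    for prt in $(zone_ports "$file"); do
        in_list "$prt" $allowed_ports || { echo "unexpected port: $prt"; rc=1; }
    done
    # Anything else that can admit or rewrite traffic is flagged rather than parsed.
    if grep -Eq '<(rule|forward-port|masquerade)' "$file"; then
        echo "zone has rich rules, forward-ports or masquerade: review manually"
        rc=1
    fi
    return $rc
}

# Constructed sample: a copy of the public.xml shown in the article, in a temp file.
write_sample_zone() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
</zone>
EOF
    echo "$f"
}

# Demonstration: the sample matches a baseline of ssh + dhcpv6-client + 80/tcp,
# but not a stricter baseline that does not allow port 80.
sample=$(write_sample_zone)
audit_zone_file "$sample" "ssh dhcpv6-client" "80/tcp" && echo "baseline OK"
audit_zone_file "$sample" "ssh dhcpv6-client" "" || echo "deviations found"
rm -f "$sample"
```

Run it against the real files in /etc/firewalld/zones/ on a schedule or from configuration management; a non-zero exit with the printed entries is the signal that someone opened something, whether with firewall-cmd or by editing the XML by hand.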

