CentOS 7: using firewall-cmd to control ports and port forwarding

  • 2020-05-30 21:57:33
  • OfStack

1. firewalld daemon

The firewall-cmd command requires the firewalld daemon to be running. Use systemctl status/start/stop/restart firewalld to control the daemon; firewalld is the service that manages the firewall.

Some configuration changes (especially edits to the configuration files) do not take effect immediately. There are two ways to activate the latest configuration: systemctl restart firewalld, which restarts the firewalld service, and firewall-cmd --reload, which reloads the configuration files and is the recommended one. Reloading the configuration does not break established tcp sessions, whereas restarting the service disconnects them.

2. Control ports/services

You can control which ports are open in two ways: by specifying a port number or by specifying a service name. Although opening the http service means opening port 80, it cannot then be closed by port number; what was opened by service name must be closed by service name, and what was opened by port number must be closed by port number. Also note that when specifying a port you must specify the protocol, tcp or udp. Once you know this, you no longer need to stop the firewall first every time you change something; the firewall can stay in effect.

firewall-cmd --add-service=mysql      #  open the mysql service
firewall-cmd --remove-service=http    #  close the http service
firewall-cmd --list-services          #  list open services
firewall-cmd --add-port=3306/tcp      #  open tcp access to port 3306
firewall-cmd --remove-port=80/tcp     #  close tcp access to port 80
firewall-cmd --add-port=233/udp       #  open udp access to port 233
firewall-cmd --list-ports             #  list open ports

3. IP masquerading

firewalld can masquerade IP addresses (source NAT); the port forwarding in the next section relies on it.

firewall-cmd --query-masquerade    #  check whether IP masquerading is enabled
firewall-cmd --add-masquerade      #  enable IP masquerading in the firewall
firewall-cmd --remove-masquerade   #  disable IP masquerading in the firewall

4. Port forwarding

Port forwarding redirects traffic that arrives at a specified port to a specified port on a specified address. If no address is given, the destination defaults to the local machine; if an address is given but no port, the original port is used.

If port forwarding does not work after it has been configured, check the following two things.

For example, when forwarding port 80 to port 8080: first, check that the local port 80 and the target port 8080 are both open and that something is listening on the target; second, check whether IP masquerading is enabled, and enable it if it is not.

#  forward port 80 traffic to port 8080 on this machine
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
#  forward port 80 traffic to the address given in toaddr (same port)
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=
#  forward port 80 traffic to port 8080 of the address given in toaddr
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=

When we want to hide a service's usual port, we can block that port at the firewall, open a non-standard port instead, and configure port forwarding to pass its traffic on to the service. Port forwarding can also be used for traffic distribution: a firewall in front of several machines running different services forwards traffic arriving on different ports to different machines.
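As an added example (not part of the original article), the script below automates the troubleshooting steps described above for a forward such as 80 to 8080: it confirms that something is listening on the target port, that masquerading is enabled, and that a matching forward rule is actually present. It assumes firewall-cmd and ss are installed; the two parsing helpers take command output as arguments, so they can be exercised on constructed input without firewalld or root.

```shell
# Added example (not from the article): automate the two checks the text gives
# for a forward that does not work, e.g. 80 -> 8080: is something listening on
# the target port, and is masquerading enabled? Also confirms the rule exists.
# Assumes firewall-cmd and ss are installed; the parsers take command output as
# arguments so they can run without firewalld or root.
# forward_rule_matches RULE PORT PROTO TOPORT
# RULE is one line of `firewall-cmd --list-forward-ports`, same key=value
# form as --add-forward-port, e.g. "port=80:proto=tcp:toport=8080:toaddr="
# (IPv4 only: an IPv6 toaddr contains ':' and would need other splitting).
forward_rule_matches() {
    rule=$1; want_port=$2; want_proto=$3; want_toport=$4
    port=; proto=; toport=
    old_ifs=$IFS; IFS=:; set -- $rule; IFS=$old_ifs
    for field in "$@"; do
        case $field in
            port=*)   port=${field#port=} ;;
            proto=*)  proto=${field#proto=} ;;
            toport=*) toport=${field#toport=} ;;
        esac
    done
    [ "$port" = "$want_port" ] && [ "$proto" = "$want_proto" ] &&
        [ "$toport" = "$want_toport" ]
}

# listener_present PORT SS_OUTPUT: succeeds if a socket in SS_OUTPUT (from
# `ss -ltn` or `ss -lun`) is bound to PORT, the text after the last ':' in
# the Local Address column ("0.0.0.0:8080", "[::]:8080" and "*:8080" match).
listener_present() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_forward PORT PROTO TOPORT: the live checks (needs firewall-cmd and ss).
check_forward() {
    status=0
    firewall-cmd --query-masquerade >/dev/null 2>&1 ||
        { echo "masquerade is off: run firewall-cmd --add-masquerade"; status=1; }
    if [ "$2" = udp ]; then sockets=$(ss -lun); else sockets=$(ss -ltn); fi
    listener_present "$3" "$sockets" ||
        { echo "nothing is listening on port $3/$2"; status=1; }
    found=1
    for rule in $(firewall-cmd --list-forward-ports); do
        forward_rule_matches "$rule" "$1" "$2" "$3" && found=0
    done
    [ "$found" -eq 0 ] || { echo "no rule forwards $1/$2 to $3"; status=1; }
    return $status
}
# Usage: sh check_forward.sh 80 tcp 8080
if [ $# -eq 3 ]; then check_forward "$1" "$2" "$3"; fi
```

Run it as root after adding a forward; an exit status of 0 means all three checks passed, otherwise each failing check is printed with the command that fixes it.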
