CentOS 7: using firewall-cmd to control ports and port forwarding
- 2020-05-30 21:57:33
- OfStack
1. firewalld daemon
The firewall-cmd command requires the firewalld daemon to be running. Use systemctl status/start/stop/restart firewalld to control the daemon; the firewalld process provides the firewall service.
Some configuration changes (especially edits to the configuration files) do not take effect immediately. There are two ways to activate the latest configuration:
systemctl restart firewalld
and
firewall-cmd --reload
The first restarts the firewalld service; the second, which is the recommended one, reloads the configuration files. Reloading the configuration does not break established tcp sessions, while restarting the service disconnects them.
2. Control ports/services
Ports can be opened in two ways: by port number or by service name. Although opening the http service means opening port 80, that opening cannot then be closed by port number; whatever was opened by service name must be closed by service name, and whatever was opened by port number must be closed by port number. Also note that when specifying a port you must specify the protocol as well, tcp or udp. Once you know this you no longer need to disable the firewall first every time; it can stay in effect and do its job.
firewall-cmd --add-service=mysql # open the mysql service port
firewall-cmd --remove-service=http # close the http service port
firewall-cmd --list-services # view open services
firewall-cmd --add-port=3306/tcp # open tcp port 3306
firewall-cmd --remove-port=80/tcp # close tcp port 80
firewall-cmd --add-port=233/udp # open udp port 233
firewall-cmd --list-ports # view open ports
3. IP masquerading
firewalld can masquerade IP addresses (NAT); this is required for the port forwarding below.
firewall-cmd --query-masquerade # check whether IP masquerading is enabled
firewall-cmd --add-masquerade # enable IP masquerading
firewall-cmd --remove-masquerade # disable IP masquerading
4. Port forwarding
Port forwarding forwards traffic that arrives at a specified port to a specified port on a specified address. If no ip is given, the forwarding destination defaults to the local host; if an ip is given but no port, the source port is used.
If port forwarding does not work after it has been configured, check the following two points:
# forward port 80 traffic to port 8080 on this host
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# forward port 80 traffic to 192.168.0.1 (same port)
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# forward port 80 traffic to port 8080 on 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
When we want to hide a port, we can block that port at the firewall, open a non-standard port instead, and configure firewall port forwarding to forward the traffic.
Port forwarding can also be used for traffic distribution: a firewall host fronts a number of machines running different services and forwards traffic arriving on different ports to different machines.
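As an added example (not from the original article), here is a POSIX shell helper that builds the forward-port specification from section 4, enforces the tcp/udp requirement from section 2, writes the rule to the permanent configuration so that the `--reload` recommended in section 1 does not discard it, enables masquerading only when traffic leaves the host, and then verifies the live rule with `--query-forward-port`. The `FIREWALL_CMD` override variable is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumption: firewall-cmd is on PATH; set FIREWALL_CMD to another
# command (e.g. "true") to dry-run the sequence without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_forward_rule PORT PROTO [TOADDR] [TOPORT]
# Prints the value for --add-forward-port, or fails on malformed input.
fw_forward_rule() {
    port=$1; proto=$2; toaddr=$3; toport=$4
    # firewalld requires the protocol alongside the port (tcp or udp)
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    # without a destination address or port there is nothing to forward to
    [ -n "$toaddr$toport" ] || { echo "need toaddr and/or toport" >&2; return 1; }
    rule="port=$port:proto=$proto"
    [ -n "$toaddr" ] && rule="$rule:toaddr=$toaddr"
    [ -n "$toport" ] && rule="$rule:toport=$toport"
    printf '%s\n' "$rule"
}

# fw_forward_apply PORT PROTO [TOADDR] [TOPORT]
# Runtime-only rules like those in the article are lost on `--reload`, so the
# rule is written to the permanent configuration first, then activated by a
# reload, then checked against the runtime rule set that is actually enforced.
fw_forward_apply() {
    rule=$(fw_forward_rule "$@") || return 1
    # forwarding to another host only works with masquerading (section 3)
    if [ -n "$3" ]; then
        "$FIREWALL_CMD" --permanent --add-masquerade >/dev/null || return 1
    fi
    "$FIREWALL_CMD" --permanent --add-forward-port="$rule" >/dev/null || return 1
    "$FIREWALL_CMD" --reload >/dev/null || return 1
    # exit status 0 only if the rule is present in the running firewall
    "$FIREWALL_CMD" --query-forward-port="$rule"
}
```

Run `fw_forward_apply 80 tcp 192.168.0.1 8080` on the firewall host to reproduce the third command of section 4 permanently; a non-zero exit means the rule is not active and the permanent and runtime configurations should be compared.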
Conclusion