Detailed explanation of firewalld rule setting and whitelist commands
- 2021-07-10 21:12:16
- OfStack
1. Set firewall rules
Example 1: Expose port 8080 to the outside
firewall-cmd --permanent --add-port=8080/tcp
Example 2: Make port 3306 of the mysql service reachable only from servers on the 192.168.1.1/24 network segment
# Add rule (the rich rule is single-quoted so the double quotes inside it reach firewall-cmd intact)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept'
# Reload so the permanent rule takes effect
firewall-cmd --reload
Example 3: Port forwarding, which forwards traffic arriving on local port 3306 to port 13306 on the 192.168.1.2 server (as in the command below)
# Enable masquerading (IP masquerade)
firewall-cmd --permanent --add-masquerade
# Configure port forwarding
firewall-cmd --permanent --add-forward-port=port=3306:proto=tcp:toaddr=192.168.1.2:toport=13306
Note: If masquerading is not enabled, port forwarding will fail. Also make sure that port 3306 on the source server and port 13306 on the destination server are open. Both commands use --permanent, so run firewall-cmd --reload afterwards to activate them.
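A check worth running after Example 2, added here as an example that is not part of the original article: a rich rule with a source address only restricts a port if that same port is not also opened with --add-port (the "ports:" line of a zone accepts it from any source). The script parses a constructed stand-in for the output of firewall-cmd --zone=public --list-all and reports rich-rule whitelists that such a ports: entry makes ineffective.

```shell
#!/bin/sh
# Added example (not from the original article). SAMPLE_ZONE is a constructed
# stand-in for `firewall-cmd --zone=public --list-all`, not captured output.
# Here 3306/tcp is "whitelisted" to 192.168.1.1/24 by a rich rule, but it is
# also listed under ports:, so the zone already accepts it from everywhere.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp 3306/tcp
  protocols:
  masquerade: yes
  forward-ports: port=3306:proto=tcp:toport=13306:toaddr=192.168.1.2
  rich rules:
    rule family="ipv4" source address="192.168.1.1/24" port port="3306" protocol="tcp" accept
    rule family="ipv4" source address="10.0.0.0/8" port port="5432" protocol="tcp" accept'

# zone_ports DUMP: ports opened to every source in the zone (the "ports:" line),
# one port/proto per line.
zone_ports() {
    printf '%s\n' "$1" | sed -n 's/^ *ports: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# rich_whitelisted_ports DUMP: ports accepted by a rich rule that carries a
# source address restriction (firewalld prints them as port port="N" protocol="P").
rich_whitelisted_ports() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*rule .*source address=.*port port="\([0-9]*\)" protocol="\([a-z]*\)".*accept$/\1\/\2/p'
}

# ineffective_whitelists DUMP: rich-rule ports that are ALSO in "ports:", so the
# source restriction does nothing. Prints one port/proto per line.
ineffective_whitelists() {
    open=" $(zone_ports "$1" | tr '\n' ' ') "
    for p in $(rich_whitelisted_ports "$1"); do
        case "$open" in
            *" $p "*) printf '%s\n' "$p" ;;
        esac
    done
}

ineffective_whitelists "$SAMPLE_ZONE"
```

On a real host, feed it `firewall-cmd --zone=public --list-all` output instead of SAMPLE_ZONE; any port it prints should be removed with --remove-port so that only the rich rule remains.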
2. firewalld commands
1. Start, stop and restart firewalld
1. Stop
systemctl stop firewalld.service
2. Start
systemctl start firewalld.service
3. Restart
systemctl restart firewalld.service
4. View status
systemctl status firewalld
5. Disable starting the firewall at boot
systemctl disable firewalld
6. Enable starting the firewall at boot
systemctl enable firewalld.service
2. View firewall rules and status
1. View the firewall status (prints "not running" when it is off and "running" when it is on)
firewall-cmd --state
2. View firewall rules (shows only the policies of the public zone, i.e. /etc/firewalld/zones/public.xml)
firewall-cmd --zone=public --list-all
3. View all firewall policies (i.e. every zone under /etc/firewalld/zones/)
firewall-cmd --list-all-zones
4. Reload the configuration file
firewall-cmd --reload
3. firewall-cmd configuration commands
View version: firewall-cmd --version
View help: firewall-cmd --help
Display status: firewall-cmd --state
View all open ports: firewall-cmd --zone=public --list-ports
Reload firewall rules: firewall-cmd --reload
View active zones: firewall-cmd --get-active-zones
View the zone a given interface belongs to: firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
4. How to open a port
1. Add (--permanent makes the rule persistent; without it the rule is lost when firewalld restarts)
# port 8080/tcp reused from Example 1
firewall-cmd --zone=public --permanent --add-port=8080/tcp
2. Reload (required for a changed permanent rule to take effect)
firewall-cmd --reload
3. Check
firewall-cmd --zone=public --query-port=8080/tcp
4. Delete
firewall-cmd --zone=public --permanent --remove-port=8080/tcp
Note: a predefined service such as ssh can be referenced by name because its rules are already defined in /usr/lib/firewalld/services (ssh.xml).
5. systemctl is the main service management tool of CentOS 7; it combines the functions of service and chkconfig.
Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Display the status of a service: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service is enabled at boot: systemctl is-enabled firewalld.service
List enabled services: systemctl list-unit-files|grep enabled
List services that failed to start: systemctl --failed