Detailed explanation of firewall rule settings and whitelist setup commands

  • 2021-07-10 21:12:16
  • OfStack

1. Set firewall rules

Example 1: Expose port 8080 to the outside


firewall-cmd --permanent --add-port=8080/tcp

Example 2: Make port 3306 of the mysql service reachable only from servers on the 192.168.1.1/24 network segment


# Add the rule (single quotes keep the inner double quotes intact for firewall-cmd)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept'

# Reload so the permanent rule takes effect
firewall-cmd --reload

Example 3: Port forwarding, which forwards access to port 3306 on the local machine to port 3306 of the 192.168.1.1 server


# Enable IP masquerading (NAT), required before forwarding
firewall-cmd --permanent --add-masquerade
# Configure the port forward
firewall-cmd --permanent --add-forward-port=port=3306:proto=tcp:toaddr=192.168.1.2:toport=13306

Note: If masquerading is not enabled, port forwarding will fail. Also make sure that port 3306 on the source server and port 13306 on the destination server are open.

2. firewall Command

1. Start, stop and restart firewalld

1. Stop


systemctl stop firewalld.service 

2. Start


systemctl start firewalld.service 

3. Restart


systemctl restart firewalld.service

4. View status:


systemctl status firewalld 

5. Disable the firewall at boot


systemctl disable firewalld

6. Enable the firewall at boot:


systemctl enable firewalld.service

2. View firewall rules and status

1. View the firewall status (prints not running when the firewall is stopped and running when it is started)


firewall-cmd --state    

2. View firewall rules (only the policies in /etc/firewalld/zones/public.xml are shown)


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

0

3. View all firewall policies (that is, display all policies under /etc/firewalld/zones/)


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

1

4. Reload the configuration file


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

2

3. Configure firewall-cmd


 View version:  firewall-cmd --version

 View help:  firewall-cmd --help

 Display status:  firewall-cmd --state

 View all open ports:  firewall-cmd --zone=public --list-ports

 Reload firewall rules:  firewall-cmd --reload

 View active zones:  firewall-cmd --get-active-zones

 View the zone to which the specified interface belongs:  firewall-cmd --get-zone-of-interface=eth0

 Reject all packets (panic mode):  firewall-cmd --panic-on

 Leave panic mode:  firewall-cmd --panic-off

 Query whether panic mode is on:  firewall-cmd --query-panic

4. How do you open a port

1. Add (--permanent writes the rule to the saved configuration so it survives a restart; without this parameter the rule is runtime-only and is lost after a restart)


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

4

2. Reload (after modifying a permanent rule, reload to make it effective)


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

5

3. Check


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

6

4. Delete


# Add rule 
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept"

#reload Bring into effect 
firewall-cmd --reload

7

Because the corresponding rules for ssh.xml are predefined in /usr/lib/firewalld/services.
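The following is an added example, not code from the original article: POSIX shell functions that wrap the procedures shown above (Example 2's subnet-restricted port, Example 3's masquerade plus port forward, and the add / reload / check / delete cycle of this section) behind input validation, so a mistyped port, protocol or subnet is refused instead of being written into the permanent configuration. The function names (run_fw, fw_allow_from, fw_revoke_from, fw_forward_port) and the FW_DRY_RUN switch are this example's own; firewall-cmd is assumed to exist only on the real CentOS/RHEL host, and the IP values below are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article. Wraps the firewall-cmd
# procedures described in the article behind input validation.
# FW_DRY_RUN=1 (the default, and what runs here) prints each firewall-cmd
# invocation instead of executing it; firewall-cmd itself is assumed to be
# present only on the real host, where FW_DRY_RUN=0 is used.

FW_DRY_RUN="${FW_DRY_RUN:-1}"

# run_fw: execute firewall-cmd with the given arguments, or print the command
# line in dry-run mode so the generated rules can be reviewed first.
run_fw() {
  if [ "$FW_DRY_RUN" = "1" ]; then
    printf 'firewall-cmd'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    firewall-cmd "$@"
  fi
}

# valid_port: digits only, in the range 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_proto: port rules here take tcp or udp.
valid_proto() {
  case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# valid_ipv4: exactly four numeric octets, each 0..255, parsed with
# parameter expansion only (no IFS splitting, no globbing of untrusted input).
valid_ipv4() {
  rest="$1."
  count=0
  while [ -n "$rest" ]; do
    octet="${rest%%.*}"
    rest="${rest#*.}"
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
  done
  [ "$count" -eq 4 ]
}

# valid_cidr: an IPv4 address followed by /0..32.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  valid_ipv4 "${1%/*}" || return 1
  prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ]
}

# rich_rule PORT PROTO CIDR: the rich-rule text used by the article, built in
# one place so add, query and remove all operate on an identical string.
rich_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' "$3" "$2" "$1"
}

# fw_allow_from PORT PROTO CIDR: permanent add, reload, then query to confirm
# the rule is actually active (the "check" step of the procedure).
fw_allow_from() {
  valid_port "$1"  || { echo "refusing bad port: $1" >&2; return 2; }
  valid_proto "$2" || { echo "refusing bad protocol: $2" >&2; return 2; }
  valid_cidr "$3"  || { echo "refusing bad subnet: $3" >&2; return 2; }
  rule=$(rich_rule "$1" "$2" "$3")
  run_fw --permanent --add-rich-rule="$rule"
  run_fw --reload
  run_fw --query-rich-rule="$rule"
}

# fw_revoke_from PORT PROTO CIDR: the "delete" step, undoing fw_allow_from.
fw_revoke_from() {
  rule=$(rich_rule "$1" "$2" "$3")
  run_fw --permanent --remove-rich-rule="$rule"
  run_fw --reload
}

# fw_forward_port LPORT PROTO TOADDR TOPORT: masquerading must be enabled for
# the forward to work, as the article's note says, so both rules are emitted.
fw_forward_port() {
  valid_port "$1" && valid_port "$4" || { echo "refusing bad port" >&2; return 2; }
  valid_proto "$2" || { echo "refusing bad protocol: $2" >&2; return 2; }
  valid_ipv4 "$3"  || { echo "refusing bad address: $3" >&2; return 2; }
  run_fw --permanent --add-masquerade
  run_fw --permanent --add-forward-port="port=$1:proto=$2:toaddr=$3:toport=$4"
  run_fw --reload
}

# Dry-run demonstration with constructed values (prints the command lines).
fw_allow_from 3306 tcp 192.168.1.0/24
fw_forward_port 3306 tcp 192.168.1.2 13306
fw_revoke_from 3306 tcp 192.168.1.0/24
```

Run it once with the default dry run to review the exact rich rule and forward rule that will be written, then run with FW_DRY_RUN=0 on the host; the query step after the reload is what tells you the rule really landed in the active configuration rather than only in the permanent file.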

5. systemctl is the main service management tool on CentOS 7; it combines the functions of service and chkconfig in one tool.


 Start a service: systemctl start firewalld.service
 Stop a service: systemctl stop firewalld.service
 Restart a service: systemctl restart firewalld.service
 Display the status of a service: systemctl status firewalld.service
 Enable a service at boot: systemctl enable firewalld.service
 Disable a service at boot: systemctl disable firewalld.service
 Check whether a service is enabled at boot: systemctl is-enabled firewalld.service
 List enabled services: systemctl list-unit-files | grep enabled
 List services that failed to start: systemctl --failed
