Firewall rules of CentOS 7

Introduction to firewall

What do we mean by a firewall? A firewall is a protective barrier made up of software and hardware, built at the boundary between an internal and an external network, or between a private and a public network. Its purpose is to protect servers and networks and to reduce the chance of a successful attack. It is a combination of computer hardware and software that establishes a security gateway between the Internet and the intranet.

Classification of firewall

Firewalls are divided into software and hardware firewalls:

  1. Software firewall: runs on a particular computer and relies on the operating system already installed on that computer. This computer is usually the gateway of the whole network. Commonly known as a "personal firewall". Like any other software product, a software firewall has to be installed and configured on the computer before it can be used.
  2. Hardware firewall: a traditional hardware firewall generally has at least three ports, connected to the intranet, the extranet and the DMZ. Some newer hardware firewalls add more ports: a common four-port firewall usually uses the fourth port as the configuration and management port, and many firewalls can be expanded with further ports.

Differences between CentOS 6 and CentOS 7 firewalls

  1. CentOS 6 ships with iptables; CentOS 7 ships with firewalld.
  2. iptables filters individual packets and works at the network layer. firewalld is configured in terms of which services and port numbers are allowed, so it is a higher-level firewall.
  3. The configuration file of firewalld is /etc/sysconfig/firewalld, and the configuration file of iptables is /etc/sysconfig/iptables.

Common commands and functions of iptables

Query firewall status

service iptables status

Turn off the firewall

service iptables stop

Turn on the firewall

service iptables start

Permanently turn off the firewall

chkconfig iptables off

Permanently turn on the firewall (start it at boot)

chkconfig iptables on

Query the current iptables rules

iptables -L --line-numbers

Open a port number (the rule lines below are in the format of /etc/sysconfig/iptables; on the command line, prefix them with iptables)

-A INPUT -p tcp --dport 3306 -j ACCEPT

Close a port

-A INPUT -p tcp --dport 22 -j DROP

Common commands and functions of firewalld

Turn on the firewall

[root@localhost ~]# systemctl start firewalld.service

Turn off the firewall

[root@localhost ~]# systemctl stop firewalld.service

View firewall status

[root@localhost ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Turn on the firewall and start it automatically

[root@localhost ~]# systemctl enable --now firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.

Permanently turn off the firewall

[root@localhost ~]# systemctl disable --now firewalld.service 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

View firewall version

[root@localhost ~]# firewall-cmd --version 
0.8.0

View the port numbers opened in the firewall

// Either of the following two commands works
[root@localhost ~]# firewall-cmd --list-ports 
3306/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-ports 
3306/tcp

Check whether the firewall has opened a port number

[root@localhost ~]# firewall-cmd --get-zones  // list the zones
block dmz drop external home internal public trusted work

[root@localhost ~]# firewall-cmd --zone=public --query-port=3306/tcp  // --zone selects the zone (public is the default; the nine zones are the ones listed above); --query-port checks whether port 3306 over tcp is allowed
yes  // yes means the port is open; no means it is not open

Introduction to the nine zones

Zone name                   Default configuration
block                       Deny all incoming network connections
dmz (demilitarized zone)    Only ssh service connections are accepted
drop                        Any received network packet is discarded without any reply
external                    Outgoing IPv4 connections are masqueraded and forwarded through this zone; only ssh service connections are accepted
home                        For home networks; only ssh, mdns, IPP client, samba client and DHCPv6 client service connections are accepted
internal                    For internal networks; only ssh, mdns, IPP client, samba client and DHCPv6 client service connections are accepted
public                      For public places; only ssh and DHCPv6 client service connections are accepted. This is the default zone of firewalld
trusted                     All network connections are accepted
work                        For work areas; only ssh, IPP client and DHCPv6 client service connections are accepted

View the default zone

[root@localhost ~]# firewall-cmd --get-default-zone 
public  //default zone

Change the default zone

[root@localhost ~]# firewall-cmd --set-default-zone=work  // change the default zone to work

List all zone configurations

[root@localhost ~]# firewall-cmd --list-all-zones 
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

List active zones

[root@localhost ~]# firewall-cmd --get-active-zones 
public
  interfaces: ens160

// Interfaces are the names of the physical and virtual network adapters in the system. Every active interface is assigned to a zone, either the default zone or one chosen by the user; an interface cannot belong to more than one zone.

View the configuration of a zone

[root@localhost ~]# firewall-cmd --zone=public --list-all 
public (active)  // the zone is active, i.e. an interface is bound to it
  target: default  // the zone's target, i.e. what happens to traffic that no rule in the zone matches
  icmp-block-inversion: no
  interfaces: ens160  // interfaces bound to this zone
  sources:   // source addresses bound to this zone; empty here
  services: cockpit dhcpv6-client ssh  // services allowed through this zone; the predefined services can be listed with firewall-cmd --get-services
  ports: 3306/tcp  // destination ports allowed through this zone
  protocols:   // a protocol value can be a protocol number or a protocol name
  masquerade: no  // whether IP masquerading is enabled in this zone; if enabled, IP forwarding is allowed and the machine can act as a router
  forward-ports:   // ports that are forwarded
  source-ports:   // source ports allowed through this zone
  icmp-blocks:   // blacklist of blocked icmp types
  rich rules:   // advanced rules that are processed with priority within the zone
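A defender usually wants to compare a zone dump like the one above against what is supposed to be open. The following script is an added example, not code from the original page: it parses the fields of a firewall-cmd --list-all dump (the sample is the public zone shown above, embedded as a constructed string) and reports any service or port that is not on an allow-list, plus masquerading.

```shell
#!/bin/sh
# Added example (not from the original page): audit a zone dump produced by
# "firewall-cmd --zone=<zone> --list-all" against an allow-list of services
# and ports, and flag masquerading. Field names follow the output shown above.

# Constructed sample: the "public (active)" zone dump from this page.
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field DUMP FIELD: print the value of the "  FIELD: value" line (may be empty).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_unexpected DUMP "allowed services" "allowed ports":
# print every service or port present in the zone but absent from the allow-lists,
# and report masquerading; return 1 if anything was flagged, 0 if the zone is clean.
zone_unexpected() {
    dump=$1; ok_services=" $2 "; ok_ports=" $3 "; flagged=0
    for s in $(zone_field "$dump" services); do
        case "$ok_services" in *" $s "*) ;; *) echo "service $s"; flagged=1 ;; esac
    done
    for p in $(zone_field "$dump" ports); do
        case "$ok_ports" in *" $p "*) ;; *) echo "port $p"; flagged=1 ;; esac
    done
    # masquerading turns the host into a NAT router; flag it whenever it is on
    if [ "$(zone_field "$dump" masquerade)" = yes ]; then
        echo "masquerade on"; flagged=1
    fi
    return $flagged
}

# Usage on the sample with an allow-list that omits cockpit and 3306/tcp:
# prints "service cockpit" and "port 3306/tcp" and returns 1.
zone_unexpected "$SAMPLE_ZONE" "ssh dhcpv6-client" "" || echo "zone deviates from allow-list"
```

On a live host, pass the real dump instead of the sample: zone_unexpected "$(firewall-cmd --zone=public --list-all)" "ssh" "".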

Open the specified port number

[root@localhost ~]# firewall-cmd --add-port=3306/tcp --permanent  // give the port number/protocol to add; --permanent makes the rule survive a restart, without it the rule is lost when firewalld restarts

// After adding a permanent rule, reload so that it takes effect immediately
[root@localhost ~]# firewall-cmd --reload

Check whether the ftp service is allowed

[root@localhost ~]# firewall-cmd --query-service ftp
no

Permanently open ftp service

[root@localhost ~]# firewall-cmd --add-service=ftp --permanent

Permanently remove ftp service

[root@localhost ~]# firewall-cmd --remove-service=ftp --permanent

Reject all packets (panic mode)

[root@localhost ~]# firewall-cmd --panic-on

Cancel the reject state (turn panic mode off)

[root@localhost ~]# firewall-cmd --panic-off 

Check whether panic mode is on

[root@localhost ~]# firewall-cmd --query-panic

Delete the 3306 firewall rule that was added

[root@localhost ~]# firewall-cmd --remove-port=3306/tcp --permanent 
success

[root@localhost ~]# firewall-cmd --reload 
success

[root@localhost ~]# firewall-cmd --query-port=3306/tcp
no  //Deleted successfully
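The add and delete sequences above share one pattern: change the permanent configuration, reload, then confirm with --query-port. The following script is an added example, not code from the original page; it wraps that sequence in a function that validates the port/protocol argument and returns non-zero unless the verified state matches the request. FWCMD is an assumed variable so that the firewall-cmd binary can be swapped for a stub in a dry run.

```shell
#!/bin/sh
# Added example (not from the original page): apply a port rule the way the
# page's sequence does (--permanent, then --reload, then --query-port) and
# verify the final state. FWCMD is an assumed variable so that firewall-cmd
# can be replaced by a stub for dry runs.
FWCMD=${FWCMD:-firewall-cmd}

# valid_port_spec PORT/PROTO: 0 when it is "1-65535/tcp" or "1-65535/udp", else 1.
valid_port_spec() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%/*}; proto=${1#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# set_port add|remove PORT/PROTO [ZONE]: write the permanent configuration,
# reload so the runtime matches it, then confirm with --query-port.
# Returns 0 only when the verified state matches the requested action.
set_port() {
    action=$1; spec=$2; zone=${3:-public}
    case "$action" in add|remove) ;; *) echo "action must be add or remove" >&2; return 2 ;; esac
    valid_port_spec "$spec" || { echo "bad port spec: $spec (want e.g. 3306/tcp)" >&2; return 2; }
    "$FWCMD" --permanent --zone="$zone" "--$action-port=$spec" >/dev/null || return 1
    # --reload replaces the runtime rules with the permanent ones
    "$FWCMD" --reload >/dev/null || return 1
    if "$FWCMD" --zone="$zone" --query-port="$spec" >/dev/null; then state=open; else state=closed; fi
    case "$action:$state" in
        add:open|remove:closed) echo "$spec is $state in zone $zone" ;;
        *) echo "verification failed: $spec is $state after $action" >&2; return 1 ;;
    esac
}

# Command-line usage: ./set_port.sh add 3306/tcp [zone]
if [ $# -ge 2 ]; then set_port "$@"; fi
```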

View the zone to which the specified interface belongs

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens160 
public

Forward port 6666 of this server to port 8888 of another server

[root@localhost ~]# firewall-cmd --add-forward-port=port=6666:proto=tcp:toaddr=<IP address of the other server>:toport=8888  // if the communication uses udp, change tcp to udp. Forwarding to another host also requires masquerading to be enabled in the zone.

[root@localhost ~]# firewall-cmd --reload  // reload the firewall rules to take effect. Note that --reload restores the permanent configuration, so a forward rule added without --permanent is discarded by it; add --permanent to the command above to keep the rule.

Tags: network

Posted by abax on Sun, 01 May 2022 21:29:36 +0300