Firewall rules of CentOS 7
Introduction to firewalls
A firewall is a protective barrier, built from software and/or hardware, that sits at the boundary between an internal and an external network, or between a private and a public network. It inspects the traffic crossing that boundary and lets through only what the policy allows, which protects the servers and the network behind it and shrinks the attack surface exposed to the outside. For the host firewalls discussed on this page (iptables and firewalld) the boundary is the server's own network interface: the kernel packet filter decides which incoming connections may reach local services.
Classification of firewalls
Firewalls are divided into software and hardware firewalls:
- Software firewall: runs on a general-purpose computer on top of an operating system the user has already installed. That computer may be the gateway of the whole network, or the firewall may protect only the host it runs on (a "personal firewall" or host firewall, which is what iptables and firewalld are). Like any other software it has to be installed and configured before it does anything.
- Hardware firewall: a dedicated appliance. A traditional one has at least three network ports, connected to the intranet, the extranet and the DMZ; newer models add more. On common four-port models the fourth port serves as the configuration and management port, and many appliances allow the number of ports to be expanded further.
Differences between CentOS 6 and CentOS 7 firewalls
- CentOS 6 ships with iptables as its firewall; CentOS 7 ships with firewalld.
- Both end up as netfilter rules in the kernel. With iptables you write the packet-filter rules yourself (chains, matches, targets), so it is a low-level, network-layer view of the firewall. firewalld is a daemon that sits on top of the same packet filter (on CentOS 7 it generates iptables rules): you declare which services and ports are allowed in which zone, and it writes the rules for you. It is a higher-level interface to the firewall, not a different kind of firewall.
- firewalld keeps its zone and service configuration under /etc/firewalld/ (the distribution defaults live under /usr/lib/firewalld/); /etc/sysconfig/firewalld only holds start-up options for the daemon. iptables saves its rules in /etc/sysconfig/iptables.
Common iptables commands
// On CentOS 7 these need the iptables-services package (yum install iptables-services), and firewalld must be stopped and disabled first, because both would try to manage the same kernel rules.
Query firewall status
service iptables status
Turn off the firewall
service iptables stop
Turn on the firewall
service iptables start
Disable the firewall at boot (it keeps running until you stop it)
chkconfig iptables off
Enable the firewall at boot
chkconfig iptables on
List the current iptables rules (-n skips reverse DNS lookups, which otherwise make the listing slow)
iptables -L -n --line-numbers
Open a port (a rule line in the format of /etc/sysconfig/iptables; on the command line, prefix it with iptables)
-A INPUT -p tcp --dport 3306 -j ACCEPT
Close a port
-A INPUT -p tcp --dport 22 -j DROP
Note that iptables stops at the first rule that matches, and the stock INPUT chain ends with a catch-all "-A INPUT -j REJECT --reject-with icmp-host-prohibited". A rule appended to the running chain with -A therefore lands after that REJECT and is never reached; insert it in front with -I (or, in /etc/sysconfig/iptables, put the line above the REJECT), then run "service iptables save" so it survives a restart. Dropping port 22 on a remote host also cuts off your own SSH session.
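The following script is an added example, not code from the original article: it shows how to add iptables rules on CentOS 6 or 7 (iptables-services) so that they actually take effect, by locating the catch-all REJECT rule and inserting in front of it rather than appending. The port numbers, the 10.0.10.0/24 management subnet and the sample chain dump are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): adding iptables rules on
# CentOS 6/7 (iptables-services) so that they take effect.
# The stock INPUT chain ends with a catch-all
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited
# and iptables stops at the first matching rule, so a rule APPENDED with -A
# lands after that REJECT and is never reached. The helpers below find the
# catch-all rule and INSERT (-I) in front of it, then persist the result.
# Port numbers, the 10.0.10.0/24 subnet and the sample chain are assumptions.

reject_index() {
  # Reads an `iptables -S INPUT` dump on stdin and prints the 1-based rule
  # number of the first rule that rejects or drops everything (no match
  # criteria, just a target), or 0 if the chain has no such catch-all.
  awk '
    /^-A INPUT /                          { n++ }
    /^-A INPUT -j (REJECT|DROP)( |$)/     { print n; found = 1; exit }
    END                                   { if (!found) print 0 }
  '
}

allow_port() {  # allow_port <port> <tcp|udp> [source-cidr]
  # Inserts an ACCEPT for new connections to <port> in front of the catch-all
  # (or appends if there is none) and saves to /etc/sysconfig/iptables.
  idx=$(iptables -S INPUT | reject_index)
  if [ "$idx" -eq 0 ]; then pos="-A INPUT"; else pos="-I INPUT $idx"; fi
  # $pos is intentionally unquoted: it expands to two or three arguments
  iptables $pos -p "$2" --dport "$1" -s "${3:-0.0.0.0/0}" \
           -m conntrack --ctstate NEW -j ACCEPT
  service iptables save
}

deny_port() {  # deny_port <port> <tcp|udp>
  # A DROP must come BEFORE any ACCEPT for the same port, so it goes to the
  # top of the chain (rule 1) instead of being appended at the end.
  iptables -I INPUT 1 -p "$2" --dport "$1" -j DROP
  service iptables save
}

# Constructed sample of `iptables -S INPUT` on a freshly installed system,
# modelled on the stock CentOS ruleset (not captured from a real host).
SAMPLE_CHAIN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
  allow_port 3306 tcp 10.0.10.0/24   # MySQL only from the application subnet
  deny_port 23 tcp                    # never accept telnet
else
  echo "dry run: the sample chain's catch-all REJECT is rule $(printf '%s\n' "$SAMPLE_CHAIN" | reject_index)"
fi
```

Run it without arguments for a dry run on the constructed chain; run it as root with the argument "apply" to change the live firewall. On the sample chain the catch-all is rule 5, so the MySQL rule is inserted as rule 5 and the REJECT moves down to 6.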
Common firewalld commands (firewall-cmd)
Turn on the firewall
[root@localhost ~]# systemctl start firewalld.service
Turn off the firewall
[root@localhost ~]# systemctl stop firewalld.service
View the firewall status
[root@localhost ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
Start the firewall and enable it at boot
[root@localhost ~]# systemctl enable --now firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
Stop the firewall and disable it at boot
[root@localhost ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
View the firewalld version
[root@localhost ~]# firewall-cmd --version
0.8.0
// CentOS 7 ships firewalld 0.6.x; the 0.8.0 shown here comes from a CentOS 8 host. The commands on this page are the same on both.
List the ports opened in the firewall
// Either of the following works. The first shows the running configuration, the second the saved (permanent) one; the two can differ until you run firewall-cmd --reload or firewall-cmd --runtime-to-permanent.
[root@localhost ~]# firewall-cmd --list-ports
3306/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=public --list-ports
3306/tcp
Check whether a port is open in a zone
[root@localhost ~]# firewall-cmd --get-zones                        // list the zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --zone=public --query-port=3306/tcp  // --zone selects one of the nine zones (public here); --query-port asks whether port 3306 over tcp is allowed in
yes                                                                 // yes means open; no means not open
The nine predefined zones
Zone | Default behaviour for incoming connections |
---|---|
block | Every incoming connection is rejected with an ICMP prohibited reply; only connections started from this system are possible |
dmz (demilitarized zone) | Only incoming ssh connections are accepted |
drop | Every incoming packet is dropped without any reply; only outgoing connections are possible |
external | For an external-facing interface with masquerading (source NAT) enabled, so outgoing IPv4 traffic appears to come from this host; only incoming ssh connections are accepted |
home | For home networks; only ssh, mdns, ipp-client, samba-client and dhcpv6-client connections are accepted |
internal | For internal networks; only ssh, mdns, ipp-client, samba-client and dhcpv6-client connections are accepted |
public | For public areas; only ssh and dhcpv6-client connections are accepted. This is the default zone of firewalld |
trusted | All network connections are accepted |
work | For work areas; only ssh, ipp-client and dhcpv6-client connections are accepted |
Newer firewalld versions also allow the cockpit service in the home, internal, public and work zones, which is why it appears in the --list-all-zones output shown later.
View the default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public                                   // the default zone: any interface not explicitly assigned to a zone lands here
Change the default zone
[root@localhost ~]# firewall-cmd --set-default-zone=work   // change the default zone to work
List the configuration of all zones
[root@localhost ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
List the active zones
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: ens160
// An interface is a physical or virtual network adapter in the system. Every interface belongs to exactly one zone, either the default zone or one assigned explicitly; an interface can never be in more than one zone. A zone is "active" when at least one interface or source address is bound to it.
View the configuration of one zone
[root@localhost ~]# firewall-cmd --zone=public --list-all
public (active)                          // "active": at least one interface or source is bound to this zone
  target: default                        // what happens to traffic that matches no rule in the zone: default (reject), ACCEPT, DROP or %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens160                     // interfaces bound to this zone
  sources:                               // source addresses or ranges (CIDR) bound to this zone; empty here
  services: cockpit dhcpv6-client ssh    // predefined services allowed in; firewall-cmd --get-services lists all of them
  ports: 3306/tcp                        // ports allowed in from any source
  protocols:                             // IP protocols allowed in, by name or number
  masquerade: no                         // whether source NAT (IP masquerading) is enabled for traffic leaving through this zone; enabling it also turns on IP forwarding, so the host can act as a router
  forward-ports:                         // port-forwarding rules
  source-ports:                          // allowed source ports
  icmp-blocks:                           // ICMP types that are blocked
  rich rules:                            // rich-language rules for finer-grained policy, such as allowing a port only from a given source, rate limiting or logging
Open a specified port
[root@localhost ~]# firewall-cmd --add-port=3306/tcp --permanent   // port/protocol to open. --permanent writes it to the saved configuration so it survives a restart; without it the change is applied immediately but is lost on restart or reload.
// A --permanent change is not applied to the running firewall until you reload:
[root@localhost ~]# firewall-cmd --reload
// To apply a change both now and permanently, run the command twice, once with and once without --permanent, or make the runtime change and then run firewall-cmd --runtime-to-permanent.
Check whether the ftp service is allowed
[root@localhost ~]# firewall-cmd --query-service ftp
no
Permanently allow the ftp service (followed by --reload to apply it)
[root@localhost ~]# firewall-cmd --add-service=ftp --permanent
Permanently remove the ftp service (followed by --reload to apply it)
[root@localhost ~]# firewall-cmd --remove-service=ftp --permanent
Drop all packets (panic mode)
// Panic mode drops every incoming and outgoing packet and existing connections time out, including the SSH session you are typing in. Only use it from the console.
[root@localhost ~]# firewall-cmd --panic-on
Leave panic mode
[root@localhost ~]# firewall-cmd --panic-off
Check whether panic mode is on
[root@localhost ~]# firewall-cmd --query-panic
Remove the 3306 rule added above
[root@localhost ~]# firewall-cmd --remove-port=3306/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --query-port=3306/tcp
no                                       // removed successfully
View the area to which the specified interface belongs
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens160 public
Forward port 6666 on this server to port 8888 on another server
[root@localhost ~]# firewall-cmd --permanent --add-masquerade   // forwarding to another host needs masquerading (source NAT) on the zone; without it the replies never come back through this server
[root@localhost ~]# firewall-cmd --permanent --add-forward-port=port=6666:proto=tcp:toaddr=<IP address of the other server>:toport=8888   // for udp, change tcp to udp
[root@localhost ~]# firewall-cmd --reload   // reload so the permanent rules take effect
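The following script is an added example, not code from the original article. It ties together the open-port, remove-port and forward-port steps above the way a practitioner would script them on CentOS 7: every change goes to both the runtime and the permanent configuration, so it takes effect immediately and survives a reboot without a --reload; a database port is granted to one source subnet with a rich rule instead of being open to everyone in the zone; and the forward-port to another host is paired with masquerade. The zone name, the 10.0.10.0/24 application subnet, the 192.0.2.10 backend address and the sample --list-all output are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent firewalld changes
# on CentOS 7. ZONE, APP_SUBNET, BACKEND and SAMPLE are assumptions.
ZONE=public
APP_SUBNET=10.0.10.0/24
BACKEND=192.0.2.10

fw() {
  # apply one firewall-cmd change to the running firewall AND to the saved
  # configuration, so no --reload is needed and nothing is lost on reboot
  firewall-cmd --zone="$ZONE" "$@" >/dev/null
  firewall-cmd --zone="$ZONE" --permanent "$@" >/dev/null
}

rich_rule() {  # rich_rule <port/proto> <source-cidr> -> rich-language rule text
  # allow <port/proto> only from <source-cidr> (IPv4)
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
         "$2" "${1%/*}" "${1#*/}"
}

restrict_port() {  # restrict_port <port/proto> <source-cidr>
  # replace an opening to every source with a source-limited rich rule
  if firewall-cmd --zone="$ZONE" --query-port="$1" >/dev/null 2>&1; then
    fw --remove-port="$1"
  fi
  fw --add-rich-rule="$(rich_rule "$1" "$2")"
}

forward_to_backend() {  # forward_to_backend <local-port> <tcp|udp> <remote-port>
  # toaddr on another host only works with masquerade enabled on the zone
  fw --add-masquerade
  fw --add-forward-port="port=$1:proto=$2:toaddr=$BACKEND:toport=$3"
}

exposed_ports() {
  # read `firewall-cmd --zone=... --list-all` output on stdin and print the
  # ports that are open to every source (the "ports:" line), one per line
  sed -n 's/^ *ports: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Constructed sample, modelled on the --list-all output shown in the article,
# so the audit can be exercised without a running firewalld.
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
  # live run: restrict every globally open port to the app subnet, then forward
  firewall-cmd --zone="$ZONE" --list-all | exposed_ports | while read -r pp; do
    echo "restricting $pp to $APP_SUBNET"
    restrict_port "$pp" "$APP_SUBNET"
  done
  forward_to_backend 6666 tcp 8888
else
  echo "dry run; ports open to all sources in the sample zone:"
  printf '%s' "$SAMPLE" | exposed_ports
  echo "rule that would replace them: $(rich_rule 3306/tcp "$APP_SUBNET")"
fi
```

Without arguments the script only audits the constructed sample (it reports 3306/tcp as open to every source); as root with the argument "apply" it changes the live firewall. Verify afterwards with firewall-cmd --zone=public --list-all: the "ports:" line should be empty and the rich rule, masquerade and forward-port entries populated in both the runtime and the --permanent view.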