firewall-cmd

New firewall software on Linux, a tool similar to iptables

Supplementary instructions

firewall-cmd is the character interface management tool of firewalld. firewalld is a major feature of centos7. It has two biggest advantages: it supports dynamic updates without restarting the service; the second is the addition of the "zone" concept of the firewall.

Firewalld has at least two major advantages over iptables:

1. firewalld can dynamically modify a single rule, unlike iptables, which must refresh all the rules before they can take effect.
2. Firewalld is much more user-friendly than iptables in use. Even if you don't understand "five tables and five chains" and don't understand the TCP/IP protocol, you can still achieve most of the functions.

firewalld itself does not have the function of a firewall. Instead, like iptables, it needs to be implemented through the kernel's netfilter. In other words, firewalld is the same as iptables. Their function is to maintain rules, and it is the kernel that actually uses the rules. netfilter, but the structures and usage methods of firewalld and iptables are different.

Command format

firewall-cmd [options ... ]

Options

General options

-h, --help # Display help information;
-V, --version #Display version information. (This option cannot be combined with other options);
-q, --quiet # Do not print status messages;

status options

--state # Display the status of firewalld;
--reload # Reload without interrupting service;
--complete-reload # Interrupt reloading of all connections;
--runtime-to-permanent # Save the current firewall rules permanently;
--check-config # Check the correctness of the configuration;

Log options

--get-log-denied # Get the log of rejected records;
--set-log-denied=<value> # Set the log to record the denial, which can only be one of 'all', 'unicast', 'broadcast', 'multicast', 'off';

Example

# Install firewalld
yum install firewalld firewall-config

systemctl start firewalld # start
systemctl stop firewalld # stop
systemctl enable firewalld # Enable automatic startup
systemctl disable firewalld # Disable automatic startup
systemctl status firewalld # or firewall-cmd --state to check the status

# Method to shut down the service
# You can also turn off the FirewallD firewall that you are not familiar with yet and use iptables. The command is as follows:

systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl enable iptables

Configure firewalld

firewall-cmd --version # View version
firewall-cmd --help # View help

# View settings:
firewall-cmd --state # Display status
firewall-cmd --get-active-zones # View zone information
firewall-cmd --get-zone-of-interface=eth0 # View the zone to which the specified interface belongs
firewall-cmd --panic-on # Reject all packages
firewall-cmd --panic-off # Cancel the rejection status
firewall-cmd --query-panic # Check whether it is rejected

firewall-cmd --reload # Update firewall rules
firewall-cmd --complete-reload
# The difference between the two is that the first one does not need to disconnect, it is one of the firewalld features to dynamically add rules, the second one needs to disconnect, similar to restarting the service


#Add the interface to the zone, the default interfaces are public
firewall-cmd --zone=public --add-interface=eth0
# To take effect permanently, add --permanent and then reload the firewall
 
#Set the default interface area, which takes effect immediately without restarting
firewall-cmd --set-default-zone=public

# View all open ports:
firewall-cmd --zone=dmz --list-ports

# Add a port to the zone:
firewall-cmd --zone=dmz --add-port=8080/tcp
# To take effect permanently, the method is the same as above
 
# Open a service, which is similar to visualizing the port. The service needs to be added in the configuration file. There is a services folder under the /etc/firewalld directory. This will not be explained in detail. Please refer to the documentation for details.
firewall-cmd --zone=work --add-service=smtp
 
# Remove service
firewall-cmd --zone=work --remove-service=smtp

# Display the list of supported regions
firewall-cmd --get-zones

# Set as home area
firewall-cmd --set-default-zone=home

# View the current area
firewall-cmd --get-active-zones

# Set the interface of the current area
firewall-cmd --get-zone-of-interface=enp03s

# Show all public areas (public)
firewall-cmd --zone=public --list-all

# Temporarily modify the network interface (enp0s3) to the internal area (internal)
firewall-cmd --zone=internal --change-interface=enp03s

# Permanently modify the network interface enp03s to the internal area (internal)
firewall-cmd --permanent --zone=internal --change-interface=enp03s

Service management

# Display service list
The most important services such as Amanda, FTP, Samba and TFTP have been provided by FirewallD, which can be viewed using the following command:

firewall-cmd --get-services

# Allow SSH service to pass
firewall-cmd --new-service=ssh

# Disable SSH service from passing
firewall-cmd --delete-service=ssh

# Open TCP port 8080
firewall-cmd --enable ports=8080/tcp

# Temporarily allow the Samba service to pass for 600 seconds
firewall-cmd --enable service=samba --timeout=600

# Display current services
firewall-cmd --list-services

# Add HTTP service to internal zone (internal)
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload # Reload the firewall without changing the state

Port management

# Open 443/TCP port
firewall-cmd --add-port=443/tcp

# Permanently open port 3690/TCP
firewall-cmd --permanent --add-port=3690/tcp

# It seems that reload is required to open the port permanently, but it does not seem to be needed to open the port temporarily. If reload is used, the temporarily opened port will be invalid.
# Other services may also be like this, this has not been tested.
firewall-cmd --reload

# Check the firewall and the added ports can also be seen
firewall-cmd --list-all

direct mode

# FirewallD includes a direct mode that can be used to complete some tasks, such as opening port 9999 of the TCP protocol

firewall-cmd --direct -add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
firewall-cmd --reload

Customized service management

Options

(With [P only] at the end, it means that this option cannot be used with other options except (--permanent)!)
--new-service=<service name> Create a new custom service [P only]
--new-service-from-file=<file name> [--name=<service name>]
                       Read configuration from file to create a new custom service [P only]
--delete-service=<service name>
                       Delete an existing service [P only]
--load-service-defaults=<service name>
                       Load icmptype default settings [P only]
--info-service=<service name>
                       Show information about this service
--path-service=<service name>
                       Displays the relative path of the service's files [P only]
--service=<service name> --set-description=<description>
                       Set description information for this service [P only]
--service=<service name> --get-description
                       Display the description information of the service [P only]
--service=<service name> --set-short=<description>
                       Set a short description for the service [P only]
--service=<service name> --get-short
                       Show a short description of the service [P only]
                      
--service=<service name> --add-port=<port number>[-<port number>]/<protocol>
                       Add a new port (port segment) to the service [P only]
                      
--service=<service name> --remove-port=<port number>[-<port number>]/<protocol>
                       Remove a port (port segment) from this service [P only]
                      
--service=<service name> --query-port=<port number>[-<port number>]/<protocol>
                       Query whether a certain port (port segment) has been added to the service [P only]
                      
--service=<service name> --get-ports
                       Display all ports added by this service [P only]
                      
--service=<service name> --add-protocol=<protocol>
                       Add a protocol for this service [P only]
                      
--service=<service name> --remove-protocol=<protocol>
                       Remove a protocol from this service [P only]
                      
--service=<service name> --query-protocol=<protocol>
                       Query whether the service has added a certain protocol [P only]
                      
--service=<service name> --get-protocols
                       Show all protocols added by this service [P only]
                      
--service=<service name> --add-source-port=<port number>[-<port number>]/<protocol>
                       Add a new source port (port segment) to the service [P only]
                      
--service=<service name> --remove-source-port=<port number>[-<port number>]/<protocol>
                       Remove the source port (port segment) from this service [P only]
                      
--service=<service name> --query-source-port=<port number>[-<port number>]/<protocol>
                       Query whether a source port (port segment) has been added to the service [P only]
                      
--service=<service name> --get-source-ports
                       Display all source ports of this service [P only]
                      
--service=<service name> --add-module=<module>
                       Add a module for this service [P only]
--service=<service name> --remove-module=<module>
                       Remove a module for this service [P only]
--service=<service name> --query-module=<module>
                       Query whether a module has been added to the service [P only]
--service=<service name> --get-modules
                       Show all modules added by this service [P only]
--service=<service name> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service [P only]
--service=<service name> --remove-destination=<ipv>
                       Disable destination for ipv i service [P only]
--service=<service name> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service [P only]
--service=<service name> --get-destinations
                       List destinations in service [P only]

Control Port/Service

There are two ways to control the opening of ports, one is to specify the port number and the other is to specify the service name. Although opening the http service means opening port 80, it still cannot be closed by the port number. That is to say, if it is opened by specifying the service name, it must be closed by specifying the service name; if it is opened by specifying the port number, it must be closed by the specified port number. Another thing to note is that when specifying the port, you must specify the protocol, tcp or udp. After knowing this, you don't need to turn off the firewall first every time, and you can make the firewall truly effective.

firewall-cmd --add-service=mysql # Open mysql port
firewall-cmd --remove-service=http # Block http port
firewall-cmd --list-services # View open services
firewall-cmd --add-port=3306/tcp # Open access to 3306 through tcp
firewall-cmd --remove-port=80tcp # Block access to 3306 via tcp
firewall-cmd --add-port=233/udp # Open access to 233 through udp
firewall-cmd --list-ports # View open ports

Disguise IP

firewall-cmd --query-masquerade # Check whether masquerading IP is allowed
firewall-cmd --add-masquerade # Allow firewall to masquerade IP
firewall-cmd --remove-masquerade# Disable firewall masquerade IP

Port Forwarding

Port forwarding can forward traffic to the specified port at the specified address when the specified address accesses the specified port. If the IP is not specified as the forwarding destination, it will default to the local machine. If the IP is specified but no port is specified, the source port will be used by default. If port forwarding cannot be used after configuring it, you can check the following two issues:

1. For example, if I forward port 80 to port 8080, first check whether the local port 80 and the target port 8080 are open and listening.
2. Secondly, check whether camouflage IP is allowed. If not, enable camouflage IP.

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 # Forward port 80 traffic to 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 # Forward port 80 traffic to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # Forward port 80 traffic to port 8080 of 192.168.0.1

1. When we want to hide a certain port, we can block access to that port on the firewall, then open an irregular port, and then configure port forwarding on the firewall to forward the traffic.
2. Port forwarding can also be used for traffic distribution. A firewall drags many machines running different services, and then uses the firewall to forward traffic from different ports to different machines.