firewalld learning summary for RHEL 7
This article introduces firewalld, the firewall configuration tool in RHEL 7. Before RHEL 7 we generally used the iptables tools to manage the firewall. Strictly speaking, neither iptables nor firewalld is the firewall itself: both are user-space management tools for defining firewall policy, that is, services or programs. The actual packet filtering is done in the kernel by Netfilter. The iptables service loads the configured rules into Netfilter directly, and firewalld on RHEL 7 also drives Netfilter through iptables (and ip6tables/ebtables) underneath; firewalld only switched to the nftables framework as its default backend later, starting with RHEL 8.
firewalld (the dynamic firewall manager for Linux) is the default firewall configuration tool in RHEL 7. It can be managed from the command line (firewall-cmd) or through a GUI (firewall-config). Compared with the traditional iptables tooling, firewalld supports dynamic updates, so rules can be changed without flushing the whole ruleset and dropping existing connections, and it introduces the concept of zones. In short, a zone is one of several prepared sets of firewall policy (policy templates). Users pick the zone that fits a given scenario and can switch between policies quickly. Both IPv4 and IPv6 settings are supported.
Everything in firewalld is associated with one or more zones. The predefined zones are described below (the names are those listed by firewall-cmd --get-zones):
drop
Any incoming packets are dropped and no reply is sent; only outgoing connections (and their replies) are allowed. This is the zone's default action for traffic that matches no rule, so a service or port explicitly added to the zone is still accepted.
block
Any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6, so unlike drop the sender is told that it was refused. Only connections initiated from this system are allowed.
trusted
All network connections are accepted. Even if no services are opened, traffic in this zone passes through (a green light all the way).
public
For use in public areas, where you cannot trust the other computers on the network not to harm yours. Only selected incoming connections are accepted. This is the default zone.
external
For use on external networks, in particular on routers with masquerading (NAT) enabled. You cannot trust the other computers on the network not to harm yours; only selected incoming connections are accepted.
dmz (demilitarized zone)
For computers in your DMZ that are reachable from the outside but have only limited access to your internal network. Only selected incoming connections are accepted.
work
For work networks. You can mostly trust the other computers on the network not to harm yours. Only selected incoming connections are accepted.
home
For home networks. You can mostly trust the other computers on the network not to harm yours. Only selected incoming connections are accepted.
internal
For internal networks. You can mostly trust the other computers on the network not to harm yours. Only selected incoming connections are accepted.
Check which firewall tool is in use
To find out whether a RHEL 7 system is managed by iptables or by firewalld, check the state of the two services with systemctl.
The iptables service: the iptables.service unit comes from the iptables-services package, which is not installed by default on RHEL 7. If it is absent, systemctl reports that the unit does not exist:
# systemctl status iptables.service
Unit iptables.service could not be found.
The simplest check, of course, is to ask firewalld itself.
View the firewall status:
# systemctl status firewalld
# firewall-cmd --state
Start the firewall service (the .service suffix is optional):
# systemctl start firewalld
# systemctl start firewalld.service
Restart the firewall service:
# systemctl restart firewalld.service
# systemctl restart firewalld
Stop the firewall service:
# systemctl stop firewalld
Enable or disable the firewall service at boot (the systemctl enable and disable subcommands). Note that stopping a service does not disable it: a stopped firewalld starts again at the next boot unless it is also disabled.
firewall-cmd help information:
# firewall-cmd --help
firewall-cmd works in two modes: runtime and permanent. Runtime changes take effect immediately but are lost when firewalld is reloaded or the server restarts; permanent changes survive both, but they are only written to the configuration files and do not take effect until the next reload. The --permanent option marks a change as permanent; without it, the change applies to the runtime configuration only.
1: List the available zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
2: View the currently active zones (a zone is active when an interface or a source address is assigned to it)
# firewall-cmd --get-active-zones
3: View the current default zone
# firewall-cmd --get-default-zone
4: Set the default zone
# firewall-cmd --set-default-zone=public
Warning: ZONE_ALREADY_SET: public
5: Check the services that firewalld knows about (the predefined service definitions).
6: Check the services that will be active after the next reload (the permanent configuration, as opposed to the runtime one).
7: List the ports opened in a zone
# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp
8: List all settings of the specified zone
9: Open a specific port in the specified zone
For example, to open port 8123:
# firewall-cmd --zone=public --add-port=8123/tcp --permanent
# firewall-cmd --reload    #Load the permanent configuration into the runtime
--add-port=8123/tcp    #The port to add, in the form port/protocol
--permanent            #Make the change permanent; without it the port is lost after a reload or restart
Note that a permanent change is not active until the reload. Also note the difference between --reload and --complete-reload:
# firewall-cmd --reload
# firewall-cmd --complete-reload
The first reloads the permanent configuration into the runtime without interrupting existing connections (dynamic rule updates are one of firewalld's features). The second also resets connection-tracking state, so existing connections are interrupted, much like restarting the service.
How to open several ports at once? There are two methods:
Method 1: use a shell loop to add the ports one at a time, then reload once.
Method 2: if the ports form a contiguous range, a single --add-port with the range written as low-high/protocol covers all of them.
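As an added example (not code from the original article), the following script combines both methods: it takes any mix of single ports and ranges, validates every entry before touching the firewall, adds each one to the permanent configuration and reloads once at the end. The zone name "public", the DRY_RUN switch and the sample port list are assumptions made for this example; with DRY_RUN=1 (the default) it only prints the firewall-cmd calls it would run.

```shell
#!/bin/bash
# Added example (not from the original article): open several ports in one
# zone with a single reload. The zone name, the DRY_RUN switch and the sample
# port list are assumptions made for this example.
set -u

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the firewall-cmd calls, 0 = execute them

# run CMD... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_port_spec SPEC : accept "8123/tcp" or "6001-6020/udp" where every
# port is in 1..65535 and a range is written low-high. firewall-cmd rejects
# bad specs too, but checking the whole list first avoids a half-applied loop.
validate_port_spec() {
    local spec=$1 ports low high
    printf '%s\n' "$spec" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$' || return 1
    ports=${spec%/*}
    low=${ports%-*}
    high=${ports#*-}
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# open_ports ZONE SPEC... : validate everything, add each spec to the
# permanent configuration, then reload once so the runtime picks them all up.
open_ports() {
    local zone=$1 spec
    shift
    [ $# -gt 0 ] || { echo "usage: open_ports ZONE PORT/PROTO..." >&2; return 2; }
    for spec in "$@"; do
        validate_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    done
    for spec in "$@"; do
        run firewall-cmd --zone="$zone" --permanent --add-port="$spec"
    done
    run firewall-cmd --reload
}

# Constructed usage: a single port plus a contiguous range (Method 1 and
# Method 2 from the text combined). Runs only when ports are given on the
# command line, e.g.  DRY_RUN=0 ./open-ports.sh 8123/tcp 6001-6020/tcp
if [ $# -gt 0 ]; then
    open_ports "$ZONE" "$@"
fi
```

Reloading once at the end matters for two reasons: every --reload replaces the runtime ruleset, so any runtime-only change made earlier (an --add-port without --permanent) disappears at that point, and reloading after each port in a loop multiplies that effect for no benefit.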
10: Remove open ports
# firewall-cmd --zone=public --remove-port=80/tcp --permanent
Remove a port range:
# firewall-cmd --zone=public --remove-port=6001-6020/tcp --permanent
# firewall-cmd --reload
11: See which services can be opened (all predefined service names).
# firewall-cmd --get-services
12: Open a service (without --zone the change applies to the default zone)
# firewall-cmd --add-service=zabbix-agent --permanent
# firewall-cmd --zone=public --add-service=zabbix-agent --permanent
13: Close a service
# firewall-cmd --remove-service=zabbix-agent --permanent
# firewall-cmd --reload
14: See which services are currently open
# firewall-cmd --list-services
# firewall-cmd --zone=public --list-services
Query whether a single service is open (prints yes or no; the exit status is 0 for yes, so it can be used in scripts):
# firewall-cmd --query-service ftp
# firewall-cmd --query-service ssh
15: Some less common commands for emergencies
16: Allow only certain IP addresses to access a service
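Restricting a service to a few source addresses is done with firewalld rich rules. As an added example (not code from the original article), the script below builds one rich rule per allowed source, refuses malformed IPv4 CIDRs before anything is applied, and reloads once. The zone "public", the service "ssh", the DRY_RUN switch and the sample addresses are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original article): allow a service only from
# listed source addresses using firewalld rich rules. Zone name, service name,
# the DRY_RUN switch and the sample addresses are assumptions.
set -u

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the firewall-cmd calls, 0 = execute them

# run CMD... : print the argument vector in dry-run mode (not shell-quoted),
# otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ipv4_cidr ADDR/LEN : four octets of 0..255 and a prefix length 0..32.
# A typo here (a missing /32, an octet above 255) would silently widen or
# break the allow list, so refuse anything that does not parse.
valid_ipv4_cidr() {
    local cidr=$1 plen octet
    printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    plen=${cidr#*/}
    [ "$plen" -le 32 ] || return 1
    for octet in $(printf '%s' "${cidr%/*}" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# rich_rule SRC_CIDR SERVICE : rule text that accepts SERVICE from SRC_CIDR.
# Hosts outside SRC_CIDR fall through to the zone's other rules and target.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# allow_service_from ZONE SERVICE CIDR... : one permanent rich rule per
# source, then a single reload.
allow_service_from() {
    local zone=$1 service=$2 src
    shift 2
    [ $# -gt 0 ] || { echo "usage: allow_service_from ZONE SERVICE CIDR..." >&2; return 2; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 2; }
    done
    for src in "$@"; do
        run firewall-cmd --permanent --zone="$zone" --add-rich-rule="$(rich_rule "$src" "$service")"
    done
    run firewall-cmd --reload
}

# Constructed usage, e.g.  DRY_RUN=0 ./allow-from.sh ssh 10.0.0.5/32 192.168.1.0/24
if [ $# -gt 1 ]; then
    allow_service_from "$ZONE" "$@"
fi
```

The rich rules only restrict access if the same service is not also opened zone-wide: an existing --add-service=ssh in the zone accepts everyone, and the per-source rules then add nothing. Remove the zone-wide service (and add your own management address to the list first, so you do not lock yourself out). An alternative with the same effect is a separate zone holding the service, with the allowed addresses bound to it via --add-source.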
Firewall configuration files
The default definitions (the predefined zones such as public, and the predefined services) live under /usr/lib/firewalld/. Avoid modifying them: they are overwritten every time the firewalld package is updated.
User-defined and changed settings are stored under /etc/firewalld/; a file there takes precedence over the default file of the same name.
firewall-cmd is very rich and flexible; given the length of this article and my own limited experience, it is impossible to cover every aspect. This summary only collects the common, simple commands. Special needs that come up in future work will be added as I keep learning.