CentOS 7 firewall policy configuration necessary for operation and maintenance beginners
1. Preface:
CentOS 7 and later distributions ship with the firewalld firewall by default, and firewalld takes over the role of the iptables firewall. The difference is that iptables policies are handled by the netfilter packet filter at the kernel level, whereas firewalld's are handled by the nftables packet-filtering framework at the kernel level. Compared with iptables, firewalld supports dynamic updates and introduces the concept of zones. In short, firewalld prepares several sets of firewall policies (policy templates) in advance, and users choose the appropriate set for a given production scenario, which allows rapid switching between firewall policies.
2. Operation and configuration:
a. Service operation:
instructions | Explain in detail |
---|---|
systemctl start firewalld | Start firewall |
systemctl restart firewalld | Restart firewall |
systemctl stop firewalld | Stop firewall |
systemctl status firewalld | Firewall running status |
b. Profile description:
configuration file | Explain in detail |
---|---|
/usr/lib/firewalld | Store default files |
/etc/firewalld | Store user-defined data, such as services and rules |
services (subdirectory) | Service definitions |
zones (subdirectory) | Zone rules |
firewalld.conf | Default configuration file; the default zone is public, which corresponds to public.xml in the zones directory |
3. Basic command:
The first thing to note is that if the --permanent parameter is omitted, the change takes effect immediately but is not saved, so it is lost when firewalld restarts or the server reboots. If --permanent is given, the change is written to the configuration files, but it does not take effect at runtime until you run firewall-cmd --reload to reload the configuration.
a. Reload firewall configuration
firewall-cmd --reload
b. View firewall running status
firewall-cmd --state
c. View the default zone settings
firewall-cmd --list-all
d. Emergency command: (use with caution)
instructions | Explain in detail |
---|---|
firewall-cmd --panic-on | #Reject all traffic, disconnect the remote connection immediately, and only the local user can log in |
firewall-cmd --panic-off | #Cancel emergency mode; firewalld must be restarted before remote ssh works again |
firewall-cmd --query-panic | #Check whether it is emergency mode |
e. Service addition and modification:
instructions | Explain in detail |
---|---|
firewall-cmd --add-service=<service> | #Add a service |
firewall-cmd --remove-service=<service> | #Remove a service |
f. Add port
instructions | Explain in detail |
---|---|
firewall-cmd --add-port=<port>/<protocol> | #Add a port/protocol (tcp/udp) |
firewall-cmd --remove-port=<port>/<protocol> | #Remove a port/protocol (tcp/udp) |
firewall-cmd --list-ports | #View open ports |
For example, permanently open port 80:
firewall-cmd --zone=public --add-port=80/tcp --permanent
(returns: success)
firewall-cmd --reload
Command meaning:
instructions | Explain in detail |
---|---|
--zone | #Zone the rule applies to |
--add-port=80/tcp | #Add a port, in the format port/protocol |
--permanent | #Make the change permanent; without this parameter it is lost after a restart |
firewall-cmd --add-protocol=<protocol> | #Allow a protocol (for example icmp, i.e. allow ping) |
firewall-cmd --remove-protocol=<protocol> | #Remove an allowed protocol |
firewall-cmd --list-protocols | #View allowed protocols |
4. IP-specific access restrictions:
a. Allow all traffic from a specified IP:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" accept'
Example: # allow all traffic from 192.168.2.1
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" accept'
b. Allow a specified protocol from a specified IP:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" protocol value="<protocol>" accept'
Example: # allow the icmp protocol from host 192.168.2.208, i.e. allow host 192.168.2.208 to ping this machine
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" protocol value="icmp" accept'
c. Allow a specified IP to access a specified service:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" service name="<service name>" accept'
Example: # allow host 192.168.2.208 to access the ssh service
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" service name="ssh" accept'
d. Allow a specified IP to access a port:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" port protocol="<tcp|udp>" port="<port>" accept'
Example: # allow host 192.168.2.1 to access port 22
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" port protocol="tcp" port="22" accept'
e. Replace the specified IP with a network segment:
Example: allow hosts in the 192.168.2.0/24 segment to access port 22:
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" accept'
f. Block a specified IP / network segment:
Example: # block hosts in the 192.168.2.0/24 segment from accessing port 22
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" reject'
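The rich rules above are ordinary strings handed to firewall-cmd, so a typo in an address, a port outside 1-65535, or a stray quote in a service name is only caught (if at all) when firewalld parses the rule. The following script is an added example, not part of the original article: it validates the source address, port and action, builds the rule string with the inner double quotes firewalld expects, and wraps the article's --permanent plus --reload procedure from section 3 in one function. The function names (valid_ipv4_src, rich_rule, apply_rich_rule) are my own; the firewall-cmd options used are the ones shown in this article plus --query-rich-rule. Only the printing functions run at top level, so the script can be tried on any POSIX shell without firewalld installed.

```shell
#!/bin/sh
# Added example (not from the original article): validate the inputs to a
# firewalld rich rule and build the rule string before passing it to
# firewall-cmd. Assumes a POSIX shell; firewall-cmd and root privileges are
# needed only by apply_rich_rule, which is not called at top level.

# Return 0 if $1 is an IPv4 address or CIDR block (e.g. 192.168.2.0/24).
valid_ipv4_src() {
    case $1 in
        */*) ip=${1%%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly three dots, then four numeric octets in the range 0..255
    dots=$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')
    [ "$dots" -eq 3 ] || return 1
    rest=$ip; i=0
    while [ "$i" -lt 4 ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Print a rich rule. Usage: rich_rule <source> <kind> [<value>] [<action>]
#   kind   : all | protocol <name> | service <name> | port <port>/<tcp|udp>
#   action : accept (default) | reject | drop
rich_rule() {
    src=$1; kind=$2
    if [ "$kind" = all ]; then value=''; action=${3:-accept}
    else value=$3; action=${4:-accept}; fi
    valid_ipv4_src "$src" || { echo "invalid source address: $src" >&2; return 1; }
    case $action in accept|reject|drop) ;; *) echo "invalid action: $action" >&2; return 1 ;; esac
    rule="rule family=\"ipv4\" source address=\"$src\""
    case $kind in
        all) ;;
        protocol|service)
            # names only: no quotes, spaces or other characters that could alter the rule text
            case $value in ''|*[!A-Za-z0-9_-]*) echo "invalid $kind name: $value" >&2; return 1 ;; esac
            if [ "$kind" = protocol ]; then rule="$rule protocol value=\"$value\""
            else rule="$rule service name=\"$value\""; fi ;;
        port)
            port=${value%%/*}; proto=${value#*/}
            case $port in ''|*[!0-9]*) echo "invalid port: $value" >&2; return 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $value" >&2; return 1; }
            case $proto in tcp|udp) ;; *) echo "protocol must be tcp or udp: $value" >&2; return 1 ;; esac
            rule="$rule port protocol=\"$proto\" port=\"$port\"" ;;
        *) echo "unknown kind: $kind" >&2; return 1 ;;
    esac
    printf '%s\n' "$rule $action"
}

# Add the rule permanently to a zone, reload so it is also active at runtime
# (the article's --permanent + --reload procedure), then confirm it is present.
# Requires firewall-cmd and root; not run at top level here.
apply_rich_rule() {
    zone=$1; shift
    rule=$(rich_rule "$@") || return 1
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

# Constructed demo mirroring section 4 of the article; this only prints the rules.
rich_rule 192.168.2.1 all
rich_rule 192.168.2.208 protocol icmp
rich_rule 192.168.2.208 service ssh
rich_rule 192.168.2.0/24 port 22/tcp reject
# To apply one for real (as root on a host running firewalld):
#   apply_rich_rule drop 192.168.2.0/24 port 22/tcp reject
```

Note that the rule is passed to firewall-cmd as a single quoted argument, so the double quotes around ipv4, the address and the port survive into firewalld; writing the rule with nested double quotes on the command line, as is common in tutorials, strips the inner quotes at the shell level and relies on firewalld tolerating unquoted values.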
5. Common instructions of firewall:
a. Specify port opening and deletion:
New port opening:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
Remove the port 80 opening:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --reload
b. View open ports:
instructions | Explain in detail |
---|---|
netstat -ntlp | View all listening TCP ports and their processes |
firewall-cmd --list-ports | View open ports |
firewall-cmd --list-all | View all port policy settings (ip specified access) |
c. Query whether the firewall is enabled on the port:
Example: query tcp port 3939
firewall-cmd --query-port=3939/tcp
PS: the server firewall must stay enabled. Do not simply turn it off because configuring it seems cumbersome or because turning it off is the easier option.