How to use (firewalld), with iptables equivalents
Use (systemctl) to manage (firewalld)
To start, stop or restart (firewalld):
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
To check (firewalld) state:
systemctl status firewalld
You can also run:
firewall-cmd --state
To make (firewalld) start automatically on boot, or not:
systemctl enable firewalld
systemctl disable firewalld
Disabling all traffic in case of emergency
To disable all traffic immediately:
firewall-cmd --panic-on
Its corresponding (iptables) commands are:
iptables -t filter -I INPUT 1 -j REJECT
iptables -t filter -I OUTPUT 1 -j REJECT
To cancel disabling all traffic:
firewall-cmd --panic-off
Its corresponding (iptables) commands are:
iptables -t filter -D INPUT -j REJECT
iptables -t filter -D OUTPUT -j REJECT
To check whether (panic) mode is on or off:
firewall-cmd --query-panic
Use (service)
A (service) is a set of ports; for example, ‘http’ is port 80 and ‘https’ is port 443.
Check service information
To list the services that are already allowed:
firewall-cmd --list-services
To get names of all predefined services:
firewall-cmd --get-services
To see the definition of a service, for example ‘ssh’:
firewall-cmd --info-service=ssh
To check whether a service is allowed or not, for example ‘ssh’:
firewall-cmd --query-service=ssh
Allow or disallow a service
To allow a service, for example ‘ssh’:
firewall-cmd --add-service=ssh
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --dport 22 -j ACCEPT
To disallow a service, for example ‘ssh’:
firewall-cmd --remove-service=ssh
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p tcp --dport 22 -j ACCEPT
How to define a new service?
Suppose you want to define a new service that contains two ports, 100 and 200.
First, add the new service, with no details yet:
firewall-cmd --new-service=MyNewService --permanent
This creates the file /etc/firewalld/services/MyNewService.xml .
You can then edit MyNewService.xml, for example (one <port> element per port):
<?xml version="1.0" encoding="utf-8"?>
<service>
  <port port="100" protocol="tcp"/>
  <port port="200" protocol="tcp"/>
</service>
You need to reload (firewalld) before you can use your new service:
systemctl restart firewalld
or
firewall-cmd --reload
Then check your new service:
firewall-cmd --info-service=MyNewService
Any time later, if you want to change the definition of your new service, just edit ‘MyNewService.xml’.
If you want to rename your new service, just rename ‘MyNewService.xml’.
To delete your new service:
firewall-cmd --delete-service=MyNewService --permanent
If you want to learn more about how to write the XML file, see the manual page:
man 5 firewalld.service
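As an added example (not from the page), a small shell helper that generates a service definition in the layout shown above from a list of port/protocol pairs, rejecting malformed input before anything is written. The file layout follows firewalld.service(5); the install_service function and its use of --reload are this example's own assumptions.

```shell
#!/bin/sh
# Build a firewalld service definition from PORT/PROTO pairs.
# Layout per firewalld.service(5): <service> root, optional <short>,
# one <port> element per port.

# make_service_xml NAME PORT/PROTO [PORT/PROTO ...]
# Prints the XML on stdout; returns 1 on a malformed pair.
make_service_xml() {
  name=$1; shift
  body=""
  for pair in "$@"; do
    port=${pair%/*}; proto=${pair#*/}
    # Only 1-65535 and a protocol firewalld accepts in a <port> element
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    body="$body  <port port=\"$port\" protocol=\"$proto\"/>
"
  done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>%s</short>\n%s</service>\n' \
    "$name" "$body"
}

# install_service NAME PORT/PROTO ... (assumed helper, needs root):
# validate first, then write the file and reload firewalld.
install_service() {
  xml=$(make_service_xml "$@") || return 1
  printf '%s\n' "$xml" > "/etc/firewalld/services/$1.xml" || return 1
  firewall-cmd --reload
}

# The page's example: a service with ports 100 and 200
make_service_xml MyNewService 100/tcp 200/tcp
```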
Permanent change
By default, any change you make with ‘firewall-cmd’ is lost after you reboot the system. To make a change permanent, add the argument ‘--permanent’; in many cases this argument is required. For example:
firewall-cmd --add-service=ssh --permanent
To make the whole current (firewalld) runtime configuration permanent, execute:
firewall-cmd --runtime-to-permanent
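An added check (not from the page) for the footgun just described: it compares the runtime and permanent views of a zone and lists services and ports that exist only at runtime and would vanish on reboot. The parsing relies on the "key: a b c" lines of firewall-cmd --list-all output; audit_zone is an assumed wrapper, and the sample output below is constructed.

```shell
#!/bin/sh
# Find settings that exist only at runtime (lost on reboot) by comparing
# 'firewall-cmd --list-all' with its --permanent variant.

# runtime_only KEY RUNTIME_TEXT PERMANENT_TEXT
# Prints each item of the "KEY: a b c" line that is present at runtime
# but missing from the permanent configuration, one per line.
runtime_only() {
  key=$1
  rt=$(printf '%s\n' "$2" | awk -v k="$key:" '$1 == k { for (i = 2; i <= NF; i++) print $i }')
  pm=$(printf '%s\n' "$3" | awk -v k="$key:" '$1 == k { for (i = 2; i <= NF; i++) print $i }')
  for item in $rt; do
    printf '%s\n' "$pm" | grep -qxF -- "$item" || printf '%s\n' "$item"
  done
}

# audit_zone ZONE (assumed wrapper, needs root): compare the live zone;
# returns 1 when services or ports are runtime-only, 2 if firewall-cmd fails.
audit_zone() {
  zone_rt=$(firewall-cmd --zone="$1" --list-all) || return 2
  zone_pm=$(firewall-cmd --permanent --zone="$1" --list-all) || return 2
  drift=$(runtime_only services "$zone_rt" "$zone_pm"; runtime_only ports "$zone_rt" "$zone_pm")
  [ -z "$drift" ] && return 0
  printf 'runtime-only in zone %s:\n%s\n' "$1" "$drift"
  return 1
}

# Constructed sample output (not captured from a real host)
RUNTIME_SAMPLE='public (active)
  target: default
  services: dhcpv6-client ssh http
  ports: 80/tcp 8443/tcp'
PERMANENT_SAMPLE='public
  target: default
  services: dhcpv6-client ssh
  ports: 80/tcp'

runtime_only services "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"   # http
runtime_only ports "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"      # 8443/tcp
```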
Use port
To allow incoming traffic whose destination port is 80 and whose protocol is ‘tcp’:
firewall-cmd --add-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT
To remove the rule that allows incoming traffic whose destination port is 80 and whose protocol is ‘tcp’:
firewall-cmd --remove-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p tcp --dport 80 -j ACCEPT
To check whether a port is allowed or not, for example ‘80/tcp’:
firewall-cmd --query-port=80/tcp
Use zone
A (zone) is a set of firewall settings.
See zone information
To get the names of all zones:
firewall-cmd --get-zones
To see all zones with detail:
firewall-cmd --list-all-zones
To see a specified zone, for example ‘public’, with detail:
firewall-cmd --list-all --zone=public
or
firewall-cmd --info-zone=public
Change rules for a specified zone
To change rules for a specified zone, for example ‘public’:
firewall-cmd --zone=public --add-port=80/tcp
With ‘--permanent’, this command saves the zone’s settings to an XML file under /etc/firewalld/zones/, for example /etc/firewalld/zones/MyNewZone.xml; you can edit that file directly.
You can execute ‘man 5 firewalld.zone’ to learn how to write the XML file for a zone.
Default zone, active zone
System administrators assign a zone to a network interface in its configuration files.
If an interface is not assigned to a specific zone, it is assigned to the default zone.
After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.
To see what the default zone is:
firewall-cmd --get-default-zone
To change the default zone, for example make the ‘work’ zone be the default zone:
firewall-cmd --set-default-zone=work
To see active zones and interfaces assigned to them:
firewall-cmd --get-active-zones
To assign an interface to a different zone, for example assign ‘eth0’ to the ‘work’ zone:
firewall-cmd --zone=work --change-interface=eth0
If you want to make this change permanent:
firewall-cmd --zone=work --change-interface=eth0 --permanent
Zone target
Each zone has a ‘target’, which is the zone’s default behavior; for example, the ‘public’ zone’s target is ‘default’:
firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: wlan0
...
...
Target can be ‘default’, ‘ACCEPT’, ‘REJECT’, ‘DROP’.
To change the target of a zone, for example, change ‘public’ zone’s target to ‘DROP’:
firewall-cmd --zone=public --set-target=DROP --permanent
Use source
To accept all traffic that comes from 192.168.1.1:
firewall-cmd --add-source=192.168.1.1
You can also write a network segment:
firewall-cmd --add-source=192.168.1.0/24
Their corresponding (iptables) commands are:
iptables -t filter -I INPUT 1 --source 192.168.1.1 -j ACCEPT
iptables -t filter -I INPUT 1 --source 192.168.1.0/24 -j ACCEPT
To accept all traffic whose source port is 80/tcp:
firewall-cmd --add-source-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --sport 80 -j ACCEPT
To list all sources:
firewall-cmd --list-sources
firewall-cmd --list-source-ports
To remove a source:
firewall-cmd --remove-source=192.168.1.1
firewall-cmd --remove-source-port=80/tcp
Use protocol
To accept all TCP traffic:
firewall-cmd --add-protocol=tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp -j ACCEPT
You can refer to /etc/protocols to see all the protocols you can use.
To remove a protocol:
firewall-cmd --remove-protocol=tcp
To check whether a protocol is added or not:
firewall-cmd --query-protocol=tcp
Port forwarding
Redirect a port to another port
The command pattern is:
firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>
Its reverse command pattern is:
firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>
For example, to redirect port 80 to 443:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443
Its corresponding (iptables) command is:
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination :443
To cancel the above command:
firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443
Its corresponding (iptables) command is:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination :443
To redirect a port to another IP, the command pattern is:
firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>:<port-number>
Its reverse command pattern is:
firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp:toport=<port-number>:toaddr=<IP>:<port-number>
For example, to redirect port 80 to 192.168.1.1:443:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1
Its corresponding (iptables) command is:
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
To cancel the above command:
firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1
Its corresponding (iptables) command is:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
Enable masquerade
firewall-cmd --add-masquerade
firewall-cmd --remove-masquerade
Their corresponding (iptables) commands are:
iptables -t nat -I POSTROUTING 1 -j MASQUERADE
iptables -t nat -D POSTROUTING -j MASQUERADE
ICMP
Why do we need to block ICMP?
The Internet Control Message Protocol (ICMP) is a protocol used by various network devices to send error messages and operational information indicating a connection problem, for example that a requested service is not available.
ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, ICMP messages, especially echo-request and echo-reply, can be used to reveal information about your network, and such information can be misused for various kinds of fraudulent activity. Therefore, firewalld lets you block ICMP requests to protect your network information.
To list all ICMP types:
firewall-cmd --get-icmptypes
An ICMP type can be used by IPv4, IPv6, or both. To see which protocol an ICMP type applies to:
firewall-cmd --info-icmptype=<icmptype>
To check whether a type of ICMP request is blocked or not:
firewall-cmd --query-icmptype=<icmptype>
To block a type of ICMP request:
firewall-cmd --add-icmp-block=<icmptype>
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p icmp -m icmp --icmp-type=<icmptype> -j REJECT
To unblock a type of ICMP request:
firewall-cmd --remove-icmp-block=<icmptype>
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p icmp -m icmp --icmp-type=<icmptype> -j REJECT
The (direct) interface
(direct) is a mechanism that lets you write (firewalld) commands in an (iptables) manner.
These two commands have the same goal:
iptables -t filter -A INPUT_direct -p tcp --dport 80 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
Notice that we use ‘INPUT_direct’ in the iptables command but ‘INPUT’ in firewall-cmd, because firewall-cmd automatically treats ‘INPUT’ as ‘INPUT_direct’.
The 0 in the firewall-cmd command is the priority.
I don’t know how to make (firewall-cmd) achieve the same effect that (iptables) can: make a rule the first rule.
These two commands have the same goal:
iptables -t filter -D INPUT_direct -p tcp --dport 80 -j ACCEPT
firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
To list rules using the (direct) interface:
firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Rich rule
Omitted.
Lockdown
Omitted.
Log denied packets
firewall-cmd --get-log-denied
firewall-cmd --set-log-denied=all
(the value can be all, unicast, broadcast, multicast or off)
But I don’t know where to view this log; the Red Hat documentation doesn’t say. I looked at /var/log/firewalld, and it isn’t there.
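As an added example (not from the page), a shell helper that summarizes denied-packet entries by source, protocol and destination port. It assumes these entries land in the kernel log (e.g. journalctl -k) with a prefix such as FINAL_REJECT: followed by netfilter key=value fields; the sample lines are constructed, and summarize_denied and top_denied_source are this example's own names.

```shell
#!/bin/sh
# Summarize denied-packet log entries. Assumption: firewalld's log-denied
# entries appear in the kernel log with a prefix such as "FINAL_REJECT:" or
# "<chain>_DROP:" followed by netfilter key=value fields (SRC=, PROTO=, DPT=).

# summarize_denied < LOG : prints "COUNT SRC PROTO DPT", most frequent first
summarize_denied() {
  awk '
    /_REJECT:|_DROP:/ {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn -k1,1
}

# top_denied_source < LOG : only the most frequently denied source address
top_denied_source() {
  summarize_denied | awk 'NR == 1 { print $2 }'
}

# Constructed sample kernel-log lines (not captured from a real host)
SAMPLE_LOG='Mar 10 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=4000 DPT=161 LEN=20
Mar 10 12:00:04 host kernel: unrelated message'

printf '%s\n' "$SAMPLE_LOG" | summarize_denied
# Live use on a host where the assumption holds: journalctl -k | summarize_denied
```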