This article is mainly about CentOS 7 firewall management using firewalld, which is a very powerful feature. If you are interested, read on! CentOS 7 series (part 4) Firewall permanent area and rich rules.

1. CentOS 7 Firewall Setup

Firewalld supports more complex "rich rules" that can set rules based on protocol, source address, destination address, and more. For example, allow HTTP access from 192.168.1.100:

firewall-cmd --list-all
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --list-interfaces

2. Adding and Deleting Port Rules

To allow a specific port through firewall, use following command:，补救一下。

CentOS 7, by default, is with firewalld opened. To start it, use following commands:

systemctl start firewalld
systemctl enable firewalld.service

我傻了。 For Linux, CentOS 7 firewall basic usage details (1). Set firewall to start at boot: systemctl enable firewalld.service.

3. Firewall Management Commands

累并充实着。 Let's understand how to enable and disable firewalld. You can use following commands to manage firewalld service:

firewall-cmd --list-all
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --list-interfaces

View version of firewall:

firewall-cmd --version

Launch firewall:

systemctl start firewalld

Enable firewall at startup:

systemctl enable firewalld

Stop firewall:

systemctl stop firewalld

Disable firewall:

systemctl disable firewalld

开搞。 Check firewall version:

firewall-cmd --version

Check firewall status. If it's running, you'll see "running"; orwise, it's "not running".

firewall-cmd --state

我始终觉得... Reload firewall configuration after adding rules:

firewall-cmd --reload

iptables -L -n

4. Firewall Configuration

There are two ways to set up firewall: using firewall command or directly modifying configuration file. It is recommended to use firewall command to set up firewall.

firewall-cmd --permanent --add-source=192.168.1.0/24
firewall-cmd --reload

躺平... To delete source IP rule, replace --add-source with --remove-source.

5. Apply Changes

After making changes to configuration, you need to restart firewall. To reload configuration, use following command:

firewall-cmd --reload

To check firewall status, use following command:

firewall-cmd --state

Check if firewall is running.

firewall-cmd --reload

Get list of supported zones:，干就完了！

firewall-cmd --get-zones

firewall-cmd --get-services

6. Common Firewall Use Cases

firewall-cmd --state # View  default firewall status (not running when closed, running when opened)
firewall-cmd --reload # Update  firewall

systemctl start firewalld    # Enable firewalld
systemctl stop firewalld     # Disable firewalld
systemctl restart firewalld  # Restart firewalld
systemctl status firewalld   # View firewalld status

简直了。 To enable firewalld to start automatically at system boot, use following command:

systemctl enable firewalld

How to Set Up Rules

3.1. Start Firewall Service

systemctl enable firewalld

3.2. Create a New Firewall Rule

3.4. Test

Example: Use Firewalld to set up firewall rules to limit access to nginx server's 8088 port, allowing only access from operations server with IP 192.168.2.100, and not making any restrictions on or ports.

systemctl enable firewalld

Firewalld Management

Firewalld provides two ways to manage firewall rules: using graphical tool firewall-config, or using command-line tool firewall-cmd. In this article, we mainly introduce how to use firewall-cmd command-line tool.

firewall-cmd --permanent --add-service=http  # Permanently allow HTTP service
firewall-cmd --permanent --add-service=ssh   # Permanently allow SSH service
firewall-cmd --reload                           # Reload firewall rules

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="80" accept'
firewall-cmd --reload

To delete a rich rule, replace --add-rich-rule with --remove-rich-rule.

firewall-cmd --permanent --add-port=80/tcp  # Permanently allow HTTP port (80/tcp)
firewall-cmd --permanent --add-port=22/tcp  # Permanently allow SSH port (22/tcp)
firewall-cmd --reload                           # Reload firewall rules

To delete a port rule, replace --add-port with --remove-port.

# Query all firewall rules.
iptables -L -n

Attention: CentOS 7 does not have netstat command by default, and you need to install net-tools tool, yum install -y net-tools.

4. Server Configuration Access Whitelist. Access whitelist can be set through two methods: command-line operation or modification of configuration file.

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Opening SSH Port

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Opening Custom Port

firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload

Deny All Inbound Connections, Only Allow Access from Specific IP

firewall-cmd --permanent --add-source=192.168.1.0/24
firewall-cmd --permanent --set-default-zone=drop
firewall-cmd --reload

In CentOS 7, firewalld is main tool for managing firewall rules. By using firewall-cmd command-line tool, you can easily add, delete, and view firewall rules. This article introduces basic usage of firewalld, including enabling/disabling services, managing port and service rules, setting source IP rules, and rich rules. Mastering se knowledge will help you better protect your CentOS 7 system.

---