How to use (firewalld), with the corresponding (iptables) commands
Use (systemctl) to manage (firewalld)
To start, stop or restart (firewalld):
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
To check (firewalld) state:
systemctl status firewalld
you can also:
firewall-cmd --state
To make (firewalld) start, or not start, automatically at boot:
systemctl enable firewalld
systemctl disable firewalld
Disabling all traffic in an emergency
To drop all traffic immediately (this also cuts your own SSH session, so only do it from a console or when you really mean it):
firewall-cmd --panic-on
Panic mode drops every incoming and outgoing packet rather than rejecting it, so the closest (iptables) equivalent is:
iptables -t filter -I INPUT 1 -j DROP
iptables -t filter -I OUTPUT 1 -j DROP
To leave panic mode:
firewall-cmd --panic-off
Its corresponding (iptables) commands are:
iptables -t filter -D INPUT -j DROP
iptables -t filter -D OUTPUT -j DROP
To check whether (panic) mode is on or off:
firewall-cmd --query-panic
Use (service)
A (service) is a named set of ports (optionally together with protocols, helper modules and destination addresses); for example 'http' is 80/tcp and 'https' is 443/tcp.
Check service information
To list the services that are already allowed (in the default zone, unless you pass --zone):
firewall-cmd --list-services
To get names of all predefined services:
firewall-cmd --get-services
To see the definition of a service, for example ‘ssh’:
firewall-cmd --info-service=ssh
To check whether a service is allowed or not, for example ‘ssh’:
firewall-cmd --query-service=ssh
Allow or disallow a service
To allow a service, for example 'ssh':
firewall-cmd --add-service=ssh
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --dport 22 -j ACCEPT
To stop allowing a service, for example 'ssh' (do this from a console, or confirm another way in first):
firewall-cmd --remove-service=ssh
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p tcp --dport 22 -j ACCEPT
How to define a new service?
Suppose you want to define a new service that contains two ports, 100/tcp and 200/tcp.
First, create the new service with no detail (this operation only exists for the permanent configuration, so --permanent is required):
firewall-cmd --new-service=MyNewService --permanent
It will create the file /etc/firewalld/services/MyNewService.xml .
Edit MyNewService.xml to list the ports, for example:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MyNewService</short>
<port port="100" protocol="tcp"/>
<port port="200" protocol="tcp"/>
</service>
You need to reload (firewalld) before you can use your new service:
firewall-cmd --reload
(a full systemctl restart firewalld also works, but a reload is enough and less disruptive)
then check your new service:
firewall-cmd --info-service=MyNewService
Any time later you want to change the definition of your new service, edit 'MyNewService.xml' and reload again.
The service name is the file name, so to rename your new service you just rename 'MyNewService.xml' (and update any zone that still refers to the old name).
To delete your new service:
firewall-cmd --delete-service=MyNewService --permanent
If you want to learn more about how to write the XML file, see the manual page:
man 5 firewalld.service
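The procedure above (create the service file, list its ports, reload, inspect) as a small script. This is an added example, not part of the original notes or of firewalld itself: make_service writes the same XML shown above for any list of port/proto specs after validating them, and refuses to overwrite an existing definition. SERVICES_DIR is an assumption so the functions can be pointed at a scratch directory; on a real host it is /etc/firewalld/services and the script has to run as root.

```shell
#!/bin/sh
# Added example: generate a firewalld service definition from port/proto
# specs, validating them first. Not part of the original notes.
# SERVICES_DIR is an assumption so the script can be pointed at a scratch
# directory; on a real host it is /etc/firewalld/services.
SERVICES_DIR=${SERVICES_DIR:-/etc/firewalld/services}

# valid_port_spec 100/tcp | 8000-8100/udp -> 0 if well-formed, 1 otherwise
valid_port_spec() {
    spec=$1
    port=${spec%/*}
    proto=${spec#*/}
    [ "$port" != "$spec" ] || return 1            # no '/' separator at all
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo=${port%%-*}
    hi=${port##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# make_service NAME "PORT/PROTO ..." -> writes NAME.xml and prints its path
make_service() {
    name=$1
    specs=$2
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    file=$SERVICES_DIR/$name.xml
    if [ -e "$file" ]; then
        echo "$file already exists" >&2
        return 1
    fi
    for spec in $specs; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$name"
        for spec in $specs; do
            printf '  <port port="%s" protocol="%s"/>\n' "${spec%/*}" "${spec#*/}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# Typical use on a real host (as root):
#   make_service MyNewService "100/tcp 200/tcp" && firewall-cmd --reload
#   firewall-cmd --info-service=MyNewService
```

Validation is what saves you from the silent failure mode: a malformed port element makes firewalld skip the whole service file at reload, and the zone that references it simply stops allowing those ports.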
Permanent change
By default, any change made with 'firewall-cmd' is a runtime change and is lost when (firewalld) is reloaded or the system reboots. To make a change permanent, add the argument '--permanent'; for some operations (such as --new-service above) it is mandatory. For example:
firewall-cmd --add-service=ssh --permanent
Note that a '--permanent' change only edits the configuration files and does not touch the running firewall until you reload, and a reload discards every runtime-only change. To save the whole current runtime configuration as the permanent configuration in one step:
firewall-cmd --runtime-to-permanent
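The runtime/permanent split above is also a safety net when you change rules over SSH: apply the change at runtime only, check that you can still get in, then commit it with --runtime-to-permanent; if you lock yourself out, a --reload restores the last permanent configuration. The following is an added example of that pattern, not code from the original notes or from firewalld. FWCMD and CONFIRM_FILE are assumptions so the functions can be exercised with a stand-in for firewall-cmd; the watchdog polls once a second, which is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original notes): apply a runtime-only change,
# then either commit it with --runtime-to-permanent or let a watchdog run
# --reload, which throws the runtime change away. Useful when changing
# rules over SSH on a remote host.
# FWCMD and CONFIRM_FILE are assumptions so the functions can be exercised
# with a stand-in for firewall-cmd.
FWCMD=${FWCMD:-firewall-cmd}
CONFIRM_FILE=${CONFIRM_FILE:-/run/firewalld-change-confirmed}

# safe_change SECONDS firewall-cmd-args...
# Runs the change without --permanent and starts a watchdog that reloads
# the permanent configuration unless confirm_change is called in time.
# The watchdog's PID is left in SAFE_CHANGE_PID.
safe_change() {
    timeout=$1
    shift
    rm -f "$CONFIRM_FILE"
    "$FWCMD" "$@" || return 1
    (
        i=0
        while [ "$i" -lt "$timeout" ]; do
            [ -e "$CONFIRM_FILE" ] && exit 0      # confirmed: keep the change
            sleep 1
            i=$((i + 1))
        done
        "$FWCMD" --reload                         # not confirmed: roll back
    ) &
    SAFE_CHANGE_PID=$!
}

# confirm_change: stop the watchdog and make the runtime state permanent.
confirm_change() {
    : > "$CONFIRM_FILE"
    "$FWCMD" --runtime-to-permanent
}

# Typical use over SSH:
#   safe_change 60 --zone=public --add-port=8443/tcp
#   (now log in from a second terminal to prove you still can)
#   confirm_change
```

Rolling back with --reload rather than with the inverse command means the rollback does not depend on remembering what was changed, and it also undoes any other uncommitted runtime change made in the same session.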
Use port
To allow incoming traffic whose destination port is 80 and protocol is 'tcp':
firewall-cmd --add-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --dport 80 -j ACCEPT
To stop allowing incoming traffic to 80/tcp (it then falls through to the zone's target, which for 'public' means reject):
firewall-cmd --remove-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p tcp --dport 80 -j ACCEPT
To check whether a port is allowed or not, for example ’80/tcp’:
firewall-cmd --query-port=80/tcp
Use zone
A (zone) is a named set of firewall settings (a target, the interfaces and sources bound to it, the services and ports it allows, and so on).
See zone information
To get the name of all zones:
firewall-cmd --get-zones
To see all zones with detail:
firewall-cmd --list-all-zones
To see a specified zone, for example ‘public’, with detail:
firewall-cmd --list-all --zone=public
or
firewall-cmd --info-zone=public
Change rules for a specified zone
To change rules for a specified zone, for example 'public':
firewall-cmd --zone=public --add-port=80/tcp
With --permanent, the change is written to /etc/firewalld/zones/public.xml (created from the default in /usr/lib/firewalld/zones/ the first time); you can also edit that file directly and then reload.
You can execute 'man 5 firewalld.zone' to learn how to write the XML file for a zone.
Default zone, active zone
System administrators assign a zone to a network interface in its configuration files (for example ZONE= in an ifcfg file, or the connection.zone property in NetworkManager).
If an interface is not assigned to a specific zone, it is assigned to the default zone.
After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.
To see what the default zone is:
firewall-cmd --get-default-zone
To change the default zone, for example to make the 'work' zone the default zone:
firewall-cmd --set-default-zone=work
To see active zones and interfaces assigned to them:
firewall-cmd --get-active-zones
To assign an interface to a different zone, for example assign ‘eth0’ to the ‘work’ zone:
firewall-cmd --zone=work --change-interface=eth0
If you want to make this change permanent:
firewall-cmd --zone=work --change-interface=eth0 --permanent
Zone target
Each zone has a 'target', which is the zone's default behaviour for traffic that matches none of its rules; for example, the 'public' zone's target is 'default':
firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: wlan0
...
...
Target can be 'default', 'ACCEPT', 'REJECT' or 'DROP'. 'default' rejects traffic that no rule allows; 'ACCEPT' makes the zone wide open (this is what the 'trusted' zone uses) and is only appropriate for fully trusted networks.
To change the target of a zone, for example change the 'public' zone's target to 'DROP' (--set-target only works on the permanent configuration, so reload afterwards):
firewall-cmd --zone=public --set-target=DROP --permanent
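Because a zone's exposure is the sum of its target, its sources and everything it allows, it is worth checking the --list-all / --info-zone output against what you intended rather than reading it by eye. The following is an added example, not part of the original notes or of firewalld: audit_zone reads that output on stdin, compares services and ports with an allowlist, and flags an ACCEPT target, a catch-all source and masquerading. The allowlist arguments, the severity labels and the sample output in the usage line are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original notes: check the output of
# 'firewall-cmd --list-all' (or --info-zone) against an allowlist and flag
# settings that widen exposure. The allowlists and severity labels are
# this example's own convention.
# audit_zone "allowed services" "allowed ports"  < list-all output
# Prints one finding per line; exits 1 if anything was flagged.
audit_zone() {
    awk -v allow_svc="$1" -v allow_port="$2" '
    BEGIN {
        n = split(allow_svc, a, " ");  for (i = 1; i <= n; i++) ok_svc[a[i]] = 1
        n = split(allow_port, b, " "); for (i = 1; i <= n; i++) ok_port[b[i]] = 1
        bad = 0
    }
    # target ACCEPT: anything not matched by a rule is let through
    $1 == "target:" && $2 == "ACCEPT" {
        print "HIGH   target ACCEPT: traffic matching no rule is accepted"; bad++
    }
    $1 == "masquerade:" && $2 == "yes" {
        print "MEDIUM masquerade enabled: this host NATs forwarded traffic"; bad++
    }
    $1 == "services:" {
        for (i = 2; i <= NF; i++) if (!($i in ok_svc)) { print "MEDIUM service not in allowlist: " $i; bad++ }
    }
    $1 == "ports:" {
        for (i = 2; i <= NF; i++) if (!($i in ok_port)) { print "MEDIUM port not in allowlist: " $i; bad++ }
    }
    # a /0 source binds every address to this zone
    $1 == "sources:" {
        for (i = 2; i <= NF; i++) if ($i ~ /\/0$/) { print "HIGH   catch-all source: " $i; bad++ }
    }
    $1 == "forward-ports:" && NF > 1 { print "INFO   forward-ports present: " $2 }
    END { exit (bad > 0) }
    '
}

# On a real host:
#   firewall-cmd --list-all | audit_zone "ssh https" "8443/tcp" || echo "review the findings above"
```

Run it per zone (firewall-cmd --info-zone=NAME | audit_zone ...) for every zone that --get-active-zones reports; an inactive zone with a wide-open target is harmless until an interface or source lands in it.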
Use source
To bind all traffic coming from 192.168.1.1 to a zone (the default zone when no --zone is given), so that it is handled by that zone's rules:
firewall-cmd --add-source=192.168.1.1
you can also write a network segment:
firewall-cmd --add-source=192.168.1.0/24
Note that this by itself does not accept the traffic; it only selects which zone's rules apply to it. To accept everything from a source, bind it to a zone whose target is ACCEPT, for example the 'trusted' zone (firewall-cmd --zone=trusted --add-source=192.168.1.0/24). Only in that case are the corresponding (iptables) commands:
iptables -t filter -I INPUT 1 --source 192.168.1.1 -j ACCEPT
iptables -t filter -I INPUT 1 --source 192.168.1.0/24 -j ACCEPT
To accept all incoming traffic whose source port is 80/tcp (rarely a good idea: a client chooses its own source port, so this is no authentication of anything):
firewall-cmd --add-source-port=80/tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp --sport 80 -j ACCEPT
To list all sources:
firewall-cmd --list-sources
firewall-cmd --list-source-ports
To remove a source:
firewall-cmd --remove-source=192.168.1.1
firewall-cmd --remove-source-port=80/tcp
Use protocol
To accept all TCP traffic (this opens every TCP port in the zone, so use it only for protocols that have no port, such as GRE or ESP):
firewall-cmd --add-protocol=tcp
Its corresponding (iptables) command is:
iptables -t filter -I INPUT 1 -p tcp -j ACCEPT
You can refer to /etc/protocols to see all the protocols you can use.
To remove a protocol:
firewall-cmd --remove-protocol=tcp
To check whether a protocol is added or not:
firewall-cmd --query-protocol=tcp
Port forwarding
Redirect a port to another port
The command syntax is:
firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>
Its reverse is:
firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>
For example, to redirect port 80 to 443:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443
Its corresponding (iptables) command is:
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination :443
To cancel the above command:
firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443
Its corresponding (iptables) command is:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination :443
To redirect a port to another IP, the syntax is (toaddr takes only the address; the destination port goes in toport and may be omitted to keep the original port):
firewall-cmd --add-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>:toaddr=<IP>
Its reverse is:
firewall-cmd --remove-forward-port=port=<port-number>:proto=tcp|udp|sctp|dccp:toport=<port-number>:toaddr=<IP>
For example, to redirect port 80 to 192.168.1.1:443:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1
Its corresponding (iptables) command is:
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
Forwarding to another host only works if this host forwards IP packets and the replies come back through it; that is why masquerade (next section) is normally enabled on the same zone.
To cancel the above command:
firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=443:toaddr=192.168.1.1
Its corresponding (iptables) command is:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443
Enable masquerade
Masquerading rewrites the source address of forwarded packets to this host's outgoing address (source NAT); enabling it also makes firewalld turn on IP forwarding.
firewall-cmd --add-masquerade
firewall-cmd --remove-masquerade
Its corresponding (iptables) commands are (firewalld restricts them to the zone's interfaces; the plain form below masquerades everything that is forwarded):
iptables -t nat -I POSTROUTING 1 -j MASQUERADE
iptables -t nat -D POSTROUTING -j MASQUERADE
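The forward-port examples above are instances of one mapping: a port=...:proto=...:toport=...:toaddr=... spec becomes a DNAT rule in the nat PREROUTING chain. The following added example, which is not part of the original notes or of firewalld, does that translation for the general case (port ranges, toport or toaddr omitted), rejects specs firewall-cmd would also reject, and warns on stderr when toaddr sends traffic to another host, for the reason given above. The wording of the warning and the strictness of the checks are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): translate a firewalld
# forward-port spec into the matching iptables DNAT rule, validating the
# spec and warning when forwarding leaves the host. The warning text and
# strictness are this example's own choices.
# forward_to_iptables 'port=80:proto=tcp:toport=443[:toaddr=192.168.1.1]'
forward_to_iptables() {
    spec=$1
    port='' proto='' toport='' toaddr=''
    old_ifs=$IFS
    IFS=:
    for kv in $spec; do
        case $kv in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            toaddr=*) toaddr=${kv#toaddr=} ;;
            *) IFS=$old_ifs; echo "unknown key in spec: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$port" ] || [ -z "$proto" ]; then
        echo "port= and proto= are required" >&2; return 1
    fi
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "need toport= and/or toaddr=" >&2; return 1
    fi
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "unsupported proto: $proto" >&2; return 1 ;;
    esac
    # firewalld writes port ranges as 80-90; iptables --dport wants 80:90,
    # while the DNAT target keeps the dash form for its port range.
    match_port=$(printf '%s' "$port" | tr '-' ':')
    dest=$toaddr
    [ -n "$toport" ] && dest="$dest:$toport"
    if [ -n "$toaddr" ]; then
        echo "note: toaddr=$toaddr forwards to another host; enable masquerade on the zone and make sure ip_forward=1, or replies will bypass this host" >&2
    fi
    printf 'iptables -t nat -I PREROUTING 1 -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$proto" "$match_port" "$dest"
}

# Example (added):
#   forward_to_iptables port=80:proto=tcp:toport=443
```

Only the rule itself goes to stdout, so the output can be fed to a review script or diffed against iptables-save, while the operator-facing note stays on stderr.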
ICMP
Why block ICMP?
The Internet Control Message Protocol (ICMP) is used by network devices to send error messages and operational information indicating a connection problem, for example that a requested service is not available.
ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, ICMP messages, especially echo-request and echo-reply, can be used to map your network, and that information can be misused. firewalld therefore lets you block individual ICMP types. Be selective: blocking destination-unreachable (IPv4) or packet-too-big (IPv6) breaks path MTU discovery, and blocking time-exceeded breaks traceroute.
To list all ICMP types:
firewall-cmd --get-icmptypes
An ICMP type may exist for IPv4, IPv6 or both. To see which, and what the type is for:
firewall-cmd --info-icmptype=<icmptype>
To check whether a type of ICMP request is blocked (--list-icmp-blocks shows all of them):
firewall-cmd --query-icmp-block=<icmptype>
To block a type of ICMP request, for example echo-request (ping):
firewall-cmd --add-icmp-block=<icmptype>
Its corresponding (iptables) command is (IPv4 only; for IPv6 use ip6tables with -p icmpv6):
iptables -t filter -I INPUT 1 -p icmp -m icmp --icmp-type <icmptype> -j REJECT
To unblock a type of ICMP request:
firewall-cmd --remove-icmp-block=<icmptype>
Its corresponding (iptables) command is:
iptables -t filter -D INPUT -p icmp -m icmp --icmp-type <icmptype> -j REJECT
The (direct) interface
(direct) is a mechanism that lets you write (firewalld) rules in (iptables) syntax.
These two commands have the same goal:
iptables -t filter -A INPUT_direct -p tcp --dport 80 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
Notice that we use 'INPUT_direct' in the iptables command but 'INPUT' in firewall-cmd, because firewall-cmd automatically maps 'INPUT' to its own 'INPUT_direct' chain.
The 0 in the firewall-cmd command is the priority: rules with a lower number are placed earlier in the chain, and 0 puts the rule at the top of INPUT_direct.
I don't know how to make (firewall-cmd) achieve the same effect that (iptables) can: make a rule the first rule.
These two commands have the same goal:
iptables -t filter -D INPUT_direct -p tcp --dport 80 -j ACCEPT
firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT
To list the rules added through the (direct) interface for a chain (here INPUT; --get-all-rules lists every chain):
firewall-cmd --direct --get-rules ipv4 filter INPUT
Rich rule
(omitted)
Lockdown
(omitted)
Log denied packets
firewall-cmd --get-log-denied
firewall-cmd --set-log-denied=all
(possible values: off, all, unicast, broadcast, multicast; the setting is both runtime and permanent)
But I don't know where to view this log; the Red Hat documentation doesn't say. I looked at /var/log/firewalld, and it isn't there.
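Where those lines end up, as an added note and example that is not part of the original notes: the log-denied rules use the kernel's LOG target, so the entries go to the kernel log (journalctl -k or dmesg), each prefixed with FINAL_REJECT:, FINAL_DROP: or STATE_INVALID_DROP: followed by the usual IN=/SRC=/DST=/PROTO=/DPT= fields. summarize_denied below reads such lines on stdin and prints "count SRC PROTO DPT", busiest source first; the log lines produced by sample_denied_log are constructed for the example, not captured from a real host, and the output format is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes. firewalld's log-denied
# rules use the kernel LOG target, so the lines land in the kernel log
# (journalctl -k or dmesg), prefixed FINAL_REJECT:, FINAL_DROP: or
# STATE_INVALID_DROP:. summarize_denied reads such lines on stdin and
# prints "count SRC PROTO DPT", busiest first.
summarize_denied() {
    awk '
    /FINAL_REJECT:|FINAL_DROP:|STATE_INVALID_DROP:/ {
        src = ""; proto = ""; dpt = "-"          # ICMP lines carry no DPT
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue                 # flags like DF or SYN
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in the kernel LOG line format; not real traffic.
sample_denied_log() {
    cat <<'EOF'
Mar 10 09:12:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4244 DF PROTO=TCP SPT=51002 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:05 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 09:12:06 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9002 PROTO=TCP SPT=40000 DPT=3389 WINDOW=0 RES=0x00 RST URGP=0
Mar 10 09:12:09 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Mar 10 09:12:10 host sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 52222 ssh2
EOF
}

# Stand-alone run on the constructed sample; on a live host use
#   journalctl -k | summarize_denied | head
sample_denied_log | summarize_denied
```

With log-denied set to all on a busy host the kernel log fills quickly, so the summary is the thing to keep and alert on (a source hammering one port, or a port that should never be reached) rather than the raw lines.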