RHEL7: Firewalld
1. To know if firewalld is running.
$ systemctl status firewalld
or
$ firewall-cmd --state
* If IPv4 traffic has to be routed between several interfaces of the same host, IP forwarding must also be enabled in the kernel:
$ cat /etc/sysctl.conf
net.ipv4.ip_forward=1 (do not forget to run sysctl -p afterwards; editing the file alone does not change the running kernel)
2. To get the default zone.
$ firewall-cmd --get-default-zone
3. To get the list of active zones, i.e. the zones that have network interfaces or sources assigned to them.
$ firewall-cmd --get-active-zones
4. To get the list of all the available zones.
$ firewall-cmd --get-zones
5. To change the default zone permanently.
$ firewall-cmd --set-default-zone=<zone>
6. To assign <network interface> temporarily (runtime only, lost on reload or restart) to the internal zone.
$ firewall-cmd --zone=internal --change-interface=<network interface>
7. To assign <network interface> permanently to the internal zone.
$ firewall-cmd --permanent --zone=internal --change-interface=<network interface>
- <internal.xml> is created in /etc/firewalld/zones (a copy of the default from /usr/lib/firewalld/zones with the interface added; files under /etc/firewalld take precedence).
8. To know which zone is associated with <network interface>.
$ firewall-cmd --get-zone-of-interface=<network interface>
9. To get all the details about the public zone.
$ firewall-cmd --zone=public --list-all
10. To add a source (address or network) to a zone permanently.
$ firewall-cmd --permanent --zone=trusted --add-source=<network>
- A source binding takes precedence over an interface binding: packets from <network> are handled by the trusted zone whatever interface they arrive on, and the trusted zone accepts everything, so choose the source carefully.
11. To get the list of the sources bound to a zone permanently.
$ firewall-cmd --permanent --zone=trusted --list-sources
12. To check the configuration as a whole (which zones are active and which interfaces and sources are bound to them).
$ firewall-cmd --get-active-zones
13. To allow the http service permanently in the internal zone.
$ firewall-cmd --permanent --zone=internal --add-service=http
$ firewall-cmd --reload
- --remove-service=http: to deny the http service again.
- --reload: reloads the permanent configuration without losing connection-tracking state, so established connections survive; runtime-only changes are discarded.
- --complete-reload: also reloads the netfilter kernel modules; state information is lost, so existing connections will most likely be terminated.
14. To get the list of services allowed in the default zone.
$ firewall-cmd --list-services
- To get the list of services in a particular zone: add --zone=<zone name>
The services firewalld knows are defined in XML files under /usr/lib/firewalld/services. To add a service of your own, create a file of the same form in /etc/firewalld/services: files there take precedence over the ones in /usr/lib/firewalld/services and are not touched by package updates.
For example:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>HAProxy</short>
<description>HAProxy load-balancer</description>
<port protocol="tcp" port="80" />
</service>
$ cd /etc/firewalld/services
$ restorecon <file name> (so the file gets the SELinux context firewalld expects)
$ chmod 640 <file name>
$ firewall-cmd --reload
- The new service name is only accepted by --add-service after the reload.
15. To allow port 443/tcp temporarily (runtime only) in the internal zone.
$ firewall-cmd --zone=internal --add-port=443/tcp
- --remove-port=443/tcp: to close the port again.
- Do not run --reload after a runtime-only change: it restores the permanent configuration and silently drops the change. To keep the port, run the same command with --permanent and then --reload (newer firewalld releases also offer --runtime-to-permanent to copy the whole runtime configuration).
16. To get the list of ports open in the internal zone.
$ firewall-cmd --zone=internal --list-ports
17. To set up masquerading (source NAT to the outgoing interface's address, IPv4 only) on the external zone; add --permanent to keep it across reloads.
$ firewall-cmd --zone=external --add-masquerade
- To remove masquerading: --remove-masquerade
- To know if masquerading is active in a zone: --query-masquerade
18. To forward port 22/tcp to port 3753 on the same host.
$ firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
- To remove the port forwarding: --remove-forward-port
- To know if a given port forwarding is active in a zone: --query-forward-port
- To forward to another host, add the destination address (forwarding to a different host requires masquerading to be enabled in the zone, see 17, and IP forwarding in the kernel):
$ firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=<destination ip>
19. To open TCP port 9000 with a direct rule, which is handed to iptables as-is and bypasses the zone logic.
$ firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
$ firewall-cmd --reload
- Without --permanent the rule is runtime only and --reload would drop it again.
- Direct rules are evaluated before the zone rules, so they can open things no zone allows; review them with item 20.
20. To display all the direct rules that have been added (add --permanent to see the permanent ones).
$ firewall-cmd --direct --get-all-rules
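The zone files that item 7 creates under /etc/firewalld/zones and the service files of item 14 are plain XML, so the permanent configuration can be reviewed offline, without a running firewalld. The script below is an added example (not code from this page or from the firewalld project): it parses zone and service XML of that form, expands each zone's services into concrete port/protocol pairs, and flags a zone whose target is ACCEPT (as the trusted zone of item 10 is), a zone that references a service with no definition, and a forward-port to another host (item 18) without masquerading (item 17). The XML samples are constructed for the example, "internal" deliberately references an "http" service that has no definition so the check fires, and all function names are the example's own.

```python
"""Offline audit of firewalld permanent configuration (RHEL 7 file layout).

Added example, not code from the page or the firewalld project: it reads zone
XML as written by firewall-cmd --permanent under /etc/firewalld/zones and
service XML as shown above, expands services into port/protocol pairs and
flags settings worth a second look. Samples and function names are assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample service definition, mirroring the HAProxy file above.
SERVICE_XML = {
    "haproxy": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy</short>
  <port protocol="tcp" port="80"/>
</service>""",
}

# Constructed sample zones. "internal" also references "http", which has no
# definition in SERVICE_XML, to exercise the unknown-service check.
ZONE_XML = {
    "internal": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eth1"/>
  <service name="http"/>
  <service name="haproxy"/>
  <port protocol="tcp" port="443"/>
</zone>""",
    "external": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eth0"/>
  <masquerade/>
  <forward-port port="22" protocol="tcp" to-port="3753" to-addr="192.0.2.10"/>
</zone>""",
    "trusted": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <source address="10.0.0.0/8"/>
</zone>""",
}


def parse_service(xml_text):
    """Return the set of 'port/proto' entries a service definition opens."""
    root = ET.fromstring(xml_text)
    return {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}


def parse_zone(xml_text, services):
    """Summarise one zone: bindings, effective ports, NAT settings."""
    root = ET.fromstring(xml_text)
    names = [s.get("name") for s in root.findall("service")]
    ports = {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    for n in names:
        ports |= services.get(n, set())
    forwards = [f"{fp.get('port')}/{fp.get('protocol')}->{fp.get('to-addr') or 'localhost'}:"
                f"{fp.get('to-port') or fp.get('port')}" for fp in root.findall("forward-port")]
    return {
        "target": root.get("target", "default"),
        "interfaces": sorted(i.get("name") for i in root.findall("interface")),
        "sources": sorted(s.get("address") for s in root.findall("source")),
        # sort numerically by first port so '80/tcp' precedes '443/tcp'
        "ports": sorted(ports, key=lambda s: int(s.split("/")[0].split("-")[0])),
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": forwards,
        "unknown_services": [n for n in names if n not in services],
    }


def findings(name, zone):
    """Points a reviewer should check, as plain strings."""
    out = []
    if zone["target"] == "ACCEPT":
        out.append(f"{name}: target=ACCEPT, traffic from {zone['sources'] or zone['interfaces']} "
                   "is accepted regardless of the service and port lists")
    if zone["unknown_services"]:
        out.append(f"{name}: no definition for services {zone['unknown_services']}, "
                   "check /etc/firewalld/services")
    if not zone["masquerade"] and any("->localhost:" not in fp for fp in zone["forward_ports"]):
        out.append(f"{name}: forwards to another host but masquerading is off")
    return out


def audit(zone_xml_by_name, service_xml_by_name):
    """Return ({zone: summary}, [finding, ...]) for the given XML texts."""
    services = {n: parse_service(x) for n, x in service_xml_by_name.items()}
    zones = {n: parse_zone(x, services) for n, x in zone_xml_by_name.items()}
    return zones, [f for n, z in zones.items() for f in findings(n, z)]


if __name__ == "__main__":
    for issue in audit(ZONE_XML, SERVICE_XML)[1]:
        print("CHECK:", issue)
```

On a real host, fill the two dicts from the *.xml files under /etc/firewalld/zones and /usr/lib/firewalld/services, reading /etc/firewalld/services last so that a same-named custom service overrides the packaged one, exactly as firewalld itself resolves them. With the constructed samples the audit reports the missing "http" definition in internal and the ACCEPT target of trusted; external is clean because masquerading is on.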
Related links
https://fedorahosted.org/firewalld/