    A brief introduction to the firewall command on RHEL 7 and CentOS 7

    Introduction to the firewalld service

    firewalld is the firewall service installed by default on RHEL 7 and CentOS 7. It uses the concept of trust levels (zones) to manage the connections and interfaces associated with them. It supports IPv4 and IPv6 as well as network bridges, and uses firewall-cmd (command line) or firewall-config (GUI) to dynamically manage temporary or permanent interface rules in the kernel's netfilter; changes take effect immediately without restarting the service.

    firewalld sorts network connections into different trust levels. The zones provide the following levels:

    drop: drop all incoming packets without sending any response
    block: reject all externally initiated connections; connections initiated from inside are allowed
    public: allow only the specified incoming connections
    external: as above, with masquerading of incoming connections; typically used on routers that forward traffic
    dmz: allow restricted incoming connections
    work: allow restricted incoming connections from trusted computers, similar to a workgroup
    home: as above, similar to a homegroup
    internal: as above; the scope is all Internet users
    trusted: trust all connections

    Installing and using firewalld

    1. Install the firewalld service

    yum install firewalld -y

    2. Install the graphical front end for firewalld

    yum install firewall-config -y

    3. Starting and stopping the firewalld service

    Start the service:

    systemctl start firewalld.service

    Start the service at boot:

    systemctl enable firewalld.service

    Stop the service:

    systemctl stop firewalld.service

    Do not start the service at boot:

    systemctl disable firewalld.service

    Restart the service:

    systemctl restart firewalld.service
    

      

    4. Managing rules with the firewall-cmd command

    Show how the rule options are used:

    firewall-cmd --help

    Check whether firewalld is running:

    firewall-cmd --state


    Show the zones that are currently active:

    firewall-cmd --get-active-zones

    Show the zone a given interface is bound to:

    firewall-cmd --get-zone-of-interface=ens160

    List the ports and other settings of a given zone (here public):

    firewall-cmd --zone=public --list-all

    List the predefined services that can be allowed in any zone:

    firewall-cmd --get-services

    List the predefined services in the permanent configuration:

    firewall-cmd --get-services --permanent
    
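As an added example (not from the original post), a small POSIX shell audit that parses the text `firewall-cmd --zone=public --list-all` prints and lists every setting that lets traffic into the zone or redirects it. The zone listing embedded below is constructed, not captured from a real host; only the field names follow firewalld's output format.

```shell
#!/bin/sh
# Constructed sample of the text `firewall-cmd --zone=public --list-all`
# prints for a zone (field names follow firewalld's format; values invented).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 5000-5020/udp
  protocols:
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field <name> : value of the "<name>:" line read from stdin
# (prints an empty line when the field is present but empty).
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# zone_is_active : succeed when the first line is marked "(active)",
# i.e. an interface or source is currently bound to the zone.
zone_is_active() {
    sed -n '1p' | grep -q '(active)'
}

# zone_report : print one line per setting that lets traffic in or
# redirects it: allowed services and ports, masquerading, forward rules.
zone_report() {
    text=$(cat)
    for svc in $(printf '%s\n' "$text" | zone_field services); do
        echo "service allowed: $svc"
    done
    for port in $(printf '%s\n' "$text" | zone_field ports); do
        echo "port allowed: $port"
    done
    if [ "$(printf '%s\n' "$text" | zone_field masquerade)" = yes ]; then
        echo "masquerade: enabled"
    fi
    for fwd in $(printf '%s\n' "$text" | zone_field forward-ports); do
        echo "forward rule: $fwd"
    done
}

# count_findings : number of report lines produced for the sample zone.
count_findings() {
    printf '%s\n' "$SAMPLE_LIST_ALL" | zone_report | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LIST_ALL" | zone_report
```

On a real host, replace the sample with `firewall-cmd --zone=<zone> --list-all | zone_report` and run it once per line of `--get-active-zones`.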

    5. Panic mode and reloading rules

    firewall-cmd --panic-on # enable panic mode: drop all traffic
    firewall-cmd --panic-off # disable panic mode
    firewall-cmd --query-panic # query whether panic mode is enabled
    firewall-cmd --reload # reload the rules without restarting the service
    firewall-cmd --complete-reload # reload the rules with a full restart of the firewall (state information is lost)

    Bind an interface to a zone (trust level), permanently:

    firewall-cmd --zone=public --add-interface=ens160 --permanent

    Make public the default zone:

    firewall-cmd --set-default-zone=public


    6. Managing ports

    List the incoming ports allowed in the dmz zone:

    firewall-cmd --zone=dmz --list-ports

    Allow tcp port 8080 in the dmz zone:

    firewall-cmd --zone=dmz --add-port=8080/tcp
    firewall-cmd --reload

    Allow a range of udp ports in the public zone, permanently:

    firewall-cmd --zone=public --add-port=5000-5020/udp --permanent


    7. Managing services

    Add the smtp service to the work zone:

    firewall-cmd --zone=work --add-service=smtp

    Remove the smtp service from the work zone:

    firewall-cmd --zone=work --remove-service=smtp


    8. Configuring IP masquerading

    Query whether masquerading is enabled:

    firewall-cmd --zone=external --query-masquerade

    Enable masquerading:

    firewall-cmd --zone=external --add-masquerade

    Disable masquerading:

    firewall-cmd --zone=external --remove-masquerade


    9. Port forwarding

    To use port forwarding, masquerading must be enabled first:

    firewall-cmd --zone=external --add-masquerade

    Then forward tcp port 22 to port 3753:

    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

    Forward port 22 to the same port on another host, 192.168.1.100:

    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100

    Forward port 22 to port 2055 on another host, 192.168.1.100:

    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
    
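To check a forward rule before handing it to firewall-cmd, here is an added POSIX shell example (not from the original post and not firewalld's own code) that builds and validates the `port=...:proto=...[:toport=...][:toaddr=...]` spec the three commands above use. It accepts only tcp and udp, the protocols this post uses, and only IPv4 targets, since the help text below describes forward ports as IPv4 only.

```shell
#!/bin/sh
# Builds and validates the spec string that --add-forward-port takes.
# Added example; not firewalld's own code. Only tcp/udp and IPv4 targets.

# is_port <n> : a single port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_port_or_range <p> : "22" or "5000-5020" with low <= high.
is_port_or_range() {
    case "$1" in
        *-*) is_port "${1%%-*}" && is_port "${1#*-}" \
                 && [ "${1%%-*}" -le "${1#*-}" ] ;;
        *)   is_port "$1" ;;
    esac
}

# is_ipv4 <addr> : exactly four dotted decimal octets, each 0..255.
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_port_spec <port> <proto> [toport] [toaddr]
# Prints "port=P:proto=X[:toport=T][:toaddr=A]"; returns 1 and prints
# nothing for bad input. At least one of toport/toaddr is required,
# since a rule with neither would send the port back to itself.
forward_port_spec() {
    port=$1 proto=$2 toport=$3 toaddr=$4
    is_port_or_range "$port" || return 1
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    [ -n "$toport" ] || [ -n "$toaddr" ] || return 1
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then
        is_port_or_range "$toport" || return 1
        spec="$spec:toport=$toport"
    fi
    if [ -n "$toaddr" ]; then
        is_ipv4 "$toaddr" || return 1
        spec="$spec:toaddr=$toaddr"
    fi
    printf '%s\n' "$spec"
}

# forward_cmd <zone> <port> <proto> [toport] [toaddr] : the full command
# line for a rule like the ones shown above (runtime only; add
# --permanent yourself if the rule must survive a --reload).
forward_cmd() {
    zone=$1; shift
    spec=$(forward_port_spec "$@") || return 1
    printf 'firewall-cmd --zone=%s --add-forward-port=%s\n' "$zone" "$spec"
}
```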

    Full output of firewall-cmd --help, for reference:

    ```
    [root@cinder01 ~]# firewall-cmd --help
    
    Usage: firewall-cmd [OPTIONS...]
    
    General Options
    -h, --help Prints a short help text and exists
    -V, --version Print the version string of firewalld
    -q, --quiet Do not print status messages
    
    Status Options
    --state Return and print firewalld state
    --reload Reload firewall and keep state information
    --complete-reload Reload firewall and lose state information
    --runtime-to-permanent
    Create permanent from runtime configuration
    
    Log Denied Options
    --get-log-denied Print the log denied value
    --set-log-denied=<value>
    Set log denied value
    --get-ipset-types Print the supported ipset types
    
    Permanent Options
    --permanent Set an option permanently
    Usable for options marked with [P]
    
    Zone Options
    --get-default-zone Print default zone for connections and interfaces
    --set-default-zone=<zone>
    Set default zone
    --get-active-zones Print currently active zones
    --get-zones Print predefined zones [P]
    --get-services Print predefined services [P]
    --get-icmptypes Print predefined icmptypes [P]
    --get-zone-of-interface=<interface>
    Print name of the zone the interface is bound to [P]
    --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
    Print name of the zone the source is bound to [P]
    --list-all-zones List everything added for or enabled in all zones [P]
    --new-zone=<zone> Add a new zone [P only]
    --new-zone-from-file=<filename> [--name=<zone>]
    Add a new zone from file with optional name [P only]
    --delete-zone=<zone> Delete an existing zone [P only]
    --load-zone-defaults=<zone>
    Load zone default settings [P only] [Z]
    --zone=<zone> Use this zone to set or query options, else default zone
    Usable for options marked with [Z]
    --get-target Get the zone target [P only] [Z]
    --set-target=<target>
    Set the zone target [P only] [Z]
    --info-zone=<zone> Print information about a zone
    --path-zone=<zone> Print file path of a zone [P only]
    
    IPSet Options
    --get-ipset-types Print the supported ipset types
    --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
    Add a new ipset [P only]
    --new-ipset-from-file=<filename> [--name=<ipset>]
    Add a new ipset from file with optional name [P only]
    --delete-ipset=<ipset>
    Delete an existing ipset [P only]
    --load-ipset-defaults=<ipset>
    Load ipset default settings [P only]
    --info-ipset=<ipset> Print information about an ipset
    --path-ipset=<ipset> Print file path of an ipset [P only]
    --get-ipsets Print predefined ipsets
    --ipset=<ipset> --set-description=<description>
    Set new description to ipset [P only]
    --ipset=<ipset> --get-description
    Print description for ipset [P only]
    --ipset=<ipset> --set-short=<description>
    Set new short description to ipset [P only]
    --ipset=<ipset> --get-short
    Print short description for ipset [P only]
    --ipset=<ipset> --add-entry=<entry>
    Add a new entry to an ipset [P]
    --ipset=<ipset> --remove-entry=<entry>
    Remove an entry from an ipset [P]
    --ipset=<ipset> --query-entry=<entry>
    Return whether ipset has an entry [P]
    --ipset=<ipset> --get-entries
    List entries of an ipset [P]
    --ipset=<ipset> --add-entries-from-file=<entry>
    Add a new entries to an ipset [P]
    --ipset=<ipset> --remove-entries-from-file=<entry>
    Remove entries from an ipset [P]
    
    IcmpType Options
    --new-icmptype=<icmptype>
    Add a new icmptype [P only]
    --new-icmptype-from-file=<filename> [--name=<icmptype>]
    Add a new icmptype from file with optional name [P only]
    --delete-icmptype=<icmptype>
    Delete an existing icmptype [P only]
    --load-icmptype-defaults=<icmptype>
    Load icmptype default settings [P only]
    --info-icmptype=<icmptype>
    Print information about an icmptype
    --path-icmptype=<icmptype>
    Print file path of an icmptype [P only]
    --icmptype=<icmptype> --set-description=<description>
    Set new description to icmptype [P only]
    --icmptype=<icmptype> --get-description
    Print description for icmptype [P only]
    --icmptype=<icmptype> --set-short=<description>
    Set new short description to icmptype [P only]
    --icmptype=<icmptype> --get-short
    Print short description for icmptype [P only]
    --icmptype=<icmptype> --add-destination=<ipv>
    Enable destination for ipv in icmptype [P only]
    --icmptype=<icmptype> --remove-destination=<ipv>
    Disable destination for ipv in icmptype [P only]
    --icmptype=<icmptype> --query-destination=<ipv>
    Return whether destination ipv is enabled in icmptype [P only]
    --icmptype=<icmptype> --get-destinations
    List destinations in icmptype [P only]
    
    Service Options
    --new-service=<service>
    Add a new service [P only]
    --new-service-from-file=<filename> [--name=<service>]
    Add a new service from file with optional name [P only]
    --delete-service=<service>
    Delete an existing service [P only]
    --load-service-defaults=<service>
    Load icmptype default settings [P only]
    --info-service=<service>
    Print information about a service
    --path-service=<service>
    Print file path of a service [P only]
    --service=<service> --set-description=<description>
    Set new description to service [P only]
    --service=<service> --get-description
    Print description for service [P only]
    --service=<service> --set-short=<description>
    Set new short description to service [P only]
    --service=<service> --get-short
    Print short description for service [P only]
    --service=<service> --add-port=<portid>[-<portid>]/<protocol>
    Add a new port to service [P only]
    --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
    Remove a port from service [P only]
    --service=<service> --query-port=<portid>[-<portid>]/<protocol>
    Return whether the port has been added for service [P only]
    --service=<service> --get-ports
    List ports of service [P only]
    --service=<service> --add-protocol=<protocol>
    Add a new protocol to service [P only]
    --service=<service> --remove-protocol=<protocol>
    Remove a protocol from service [P only]
    --service=<service> --query-protocol=<protocol>
    Return whether the protocol has been added for service [P only]
    --service=<service> --get-protocols
    List protocols of service [P only]
    --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
    Add a new source port to service [P only]
    --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
    Remove a source port from service [P only]
    --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
    Return whether the source port has been added for service [P only]
    --service=<service> --get-source-ports
    List source ports of service [P only]
    --service=<service> --add-module=<module>
    Add a new module to service [P only]
    --service=<service> --remove-module=<module>
    Remove a module from service [P only]
    --service=<service> --query-module=<module>
    Return whether the module has been added for service [P only]
    --service=<service> --get-modules
    List modules of service [P only]
    --service=<service> --set-destination=<ipv>:<address>[/<mask>]
    Set destination for ipv to address in service [P only]
    --service=<service> --remove-destination=<ipv>
    Disable destination for ipv i service [P only]
    --service=<service> --query-destination=<ipv>:<address>[/<mask>]
    Return whether destination ipv is set for service [P only]
    --service=<service> --get-destinations
    List destinations in service [P only]
    
    Options to Adapt and Query Zones
    --list-all List everything added for or enabled in a zone [P] [Z]
    --list-services List services added for a zone [P] [Z]
    --timeout=<timeval> Enable an option for timeval time, where timeval is
    a number followed by one of letters 's' or 'm' or 'h'
    Usable for options marked with [T]
    --set-description=<description>
    Set new description to zone [P only] [Z]
    --get-description Print description for zone [P only] [Z]
    --set-short=<description>
    Set new short description to zone [P only] [Z]
    --get-short Print short description for zone [P only] [Z]
    --add-service=<service>
    Add a service for a zone [P] [Z] [T]
    --remove-service=<service>
    Remove a service from a zone [P] [Z]
    --query-service=<service>
    Return whether service has been added for a zone [P] [Z]
    --list-ports List ports added for a zone [P] [Z]
    --add-port=<portid>[-<portid>]/<protocol>
    Add the port for a zone [P] [Z] [T]
    --remove-port=<portid>[-<portid>]/<protocol>
    Remove the port from a zone [P] [Z]
    --query-port=<portid>[-<portid>]/<protocol>
    Return whether the port has been added for zone [P] [Z]
    --list-protocols List protocols added for a zone [P] [Z]
    --add-protocol=<protocol>
    Add the protocol for a zone [P] [Z] [T]
    --remove-protocol=<protocol>
    Remove the protocol from a zone [P] [Z]
    --query-protocol=<protocol>
    Return whether the protocol has been added for zone [P] [Z]
    --list-source-ports List source ports added for a zone [P] [Z]
    --add-source-port=<portid>[-<portid>]/<protocol>
    Add the source port for a zone [P] [Z] [T]
    --remove-source-port=<portid>[-<portid>]/<protocol>
    Remove the source port from a zone [P] [Z]
    --query-source-port=<portid>[-<portid>]/<protocol>
    Return whether the source port has been added for zone [P] [Z]
    --list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z]
    --add-icmp-block=<icmptype>
    Add an ICMP block for a zone [P] [Z] [T]
    --remove-icmp-block=<icmptype>
    Remove the ICMP block from a zone [P] [Z]
    --query-icmp-block=<icmptype>
    Return whether an ICMP block has been added for a zone
    [P] [Z]
    --add-icmp-block-inversion
    Enable inversion of icmp blocks for a zone [P] [Z]
    --remove-icmp-block-inversion
    Disable inversion of icmp blocks for a zone [P] [Z]
    --query-icmp-block-inversion
    Return whether inversion of icmp blocks has been enabled
    for a zone [P] [Z]
    --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
    --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
    Add the IPv4 forward port for a zone [P] [Z] [T]
    --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
    Remove the IPv4 forward port from a zone [P] [Z]
    --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
    Return whether the IPv4 forward port has been added for
    a zone [P] [Z]
    --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
    --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z]
    --query-masquerade Return whether IPv4 masquerading has been enabled for a
    zone [P] [Z]
    --list-rich-rules List rich language rules added for a zone [P] [Z]
    --add-rich-rule=<rule>
    Add rich language rule 'rule' for a zone [P] [Z] [T]
    --remove-rich-rule=<rule>
    Remove rich language rule 'rule' from a zone [P] [Z]
    --query-rich-rule=<rule>
    Return whether a rich language rule 'rule' has been
    added for a zone [P] [Z]
    
    Options to Handle Bindings of Interfaces
    --list-interfaces List interfaces that are bound to a zone [P] [Z]
    --add-interface=<interface>
    Bind the <interface> to a zone [P] [Z]
    --change-interface=<interface>
    Change zone the <interface> is bound to [Z]
    --query-interface=<interface>
    Query whether <interface> is bound to a zone [P] [Z]
    --remove-interface=<interface>
    Remove binding of <interface> from a zone [P] [Z]
    
    Options to Handle Bindings of Sources
    --list-sources List sources that are bound to a zone [P] [Z]
    --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
    Bind the source to a zone [P] [Z]
    --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
    Change zone the source is bound to [Z]
    --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
    Query whether the source is bound to a zone [P] [Z]
    --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
    Remove binding of the source from a zone [P] [Z]
    
    Direct Options
    --direct First option for all direct options
    --get-all-chains
    Get all chains [P]
    --get-chains {ipv4|ipv6|eb} <table>
    Get all chains added to the table [P]
    --add-chain {ipv4|ipv6|eb} <table> <chain>
    Add a new chain to the table [P]
    --remove-chain {ipv4|ipv6|eb} <table> <chain>
    Remove the chain from the table [P]
    --query-chain {ipv4|ipv6|eb} <table> <chain>
    Return whether the chain has been added to the table [P]
    --get-all-rules
    Get all rules [P]
    --get-rules {ipv4|ipv6|eb} <table> <chain>
    Get all rules added to chain in table [P]
    --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
    Add rule to chain in table [P]
    --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
    Remove rule with priority from chain in table [P]
    --remove-rules {ipv4|ipv6|eb} <table> <chain>
    Remove rules from chain in table [P]
    --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
    Return whether a rule with priority has been added to
    chain in table [P]
    --passthrough {ipv4|ipv6|eb} <arg>...
    Pass a command through (untracked by firewalld)
    --get-all-passthroughs
    Get all tracked passthrough rules [P]
    --get-passthroughs {ipv4|ipv6|eb} <arg>...
    Get tracked passthrough rules [P]
    --add-passthrough {ipv4|ipv6|eb} <arg>...
    Add a new tracked passthrough rule [P]
    --remove-passthrough {ipv4|ipv6|eb} <arg>...
    Remove a tracked passthrough rule [P]
    --query-passthrough {ipv4|ipv6|eb} <arg>...
    Return whether the tracked passthrough rule has been
    added [P]
    
    Lockdown Options
    --lockdown-on Enable lockdown.
    --lockdown-off Disable lockdown.
    --query-lockdown Query whether lockdown is enabled
    
    Lockdown Whitelist Options
    --list-lockdown-whitelist-commands
    List all command lines that are on the whitelist [P]
    --add-lockdown-whitelist-command=<command>
    Add the command to the whitelist [P]
    --remove-lockdown-whitelist-command=<command>
    Remove the command from the whitelist [P]
    --query-lockdown-whitelist-command=<command>
    Query whether the command is on the whitelist [P]
    --list-lockdown-whitelist-contexts
    List all contexts that are on the whitelist [P]
    --add-lockdown-whitelist-context=<context>
    Add the context context to the whitelist [P]
    --remove-lockdown-whitelist-context=<context>
    Remove the context from the whitelist [P]
    --query-lockdown-whitelist-context=<context>
    Query whether the context is on the whitelist [P]
    --list-lockdown-whitelist-uids
    List all user ids that are on the whitelist [P]
    --add-lockdown-whitelist-uid=<uid>
    Add the user id uid to the whitelist [P]
    --remove-lockdown-whitelist-uid=<uid>
    Remove the user id uid from the whitelist [P]
    --query-lockdown-whitelist-uid=<uid>
    Query whether the user id uid is on the whitelist [P]
    --list-lockdown-whitelist-users
    List all user names that are on the whitelist [P]
    --add-lockdown-whitelist-user=<user>
    Add the user name user to the whitelist [P]
    --remove-lockdown-whitelist-user=<user>
    Remove the user name user from the whitelist [P]
    --query-lockdown-whitelist-user=<user>
    Query whether the user name user is on the whitelist [P]
    
    Panic Options
    --panic-on Enable panic mode
    --panic-off Disable panic mode
    --query-panic Query whether panic mode is enabled
    
    [root@cinder01 ~]# 
    ```
    

      

    Partly based on: http://blog.csdn.net/gbenson/article/details/50056713

    Original article: https://www.cnblogs.com/xieshengsen/p/7606101.html