CentOS firewall operation command

Operation commands of CentOS7 firewall


yum install firewalld
  1. Basic use of firewalld
systemctl start firewalld

View status:

 systemctl status firewalld 

Disable, disable startup:

 systemctl disable firewalld

Stop operation:

systemctl stop firewalld
  1. Configure firewalld CMD
    View version:
 firewall-cmd --version

View help:

firewall-cmd --help

Display status:

firewall-cmd --state

View all open ports:

 firewall-cmd --zone=public --list-ports

Update firewall rules:

firewall-cmd --reload

Update firewall rules and restart the service:

 firewall-cmd --completely-reload

To view the activated Zone information:

firewall-cmd --get-active-zones

View the area to which the specified interface belongs:

firewall-cmd --get-zone-of-interface=eth0

Reject all packages:

firewall-cmd --panic-on

Cancel reject status:

firewall-cmd --panic-off

Check whether to reject:

firewall-cmd --query-panic
  1. The trust level is specified by the value of Zone
    drop: discards all incoming packets without giving any response
    block: reject all externally initiated connections and allow internally initiated connections
    public: allow the specified to enter the connection
    external: the same as above. For masquerade incoming connections, they are generally used for routing and forwarding
    dmz: allow restricted access connections
    work: allow trusted computers to enter the connection restricted, similar to workgroup
    home: same as above, similar to homegroup
    internal: same as above. The scope is for all Internet users
    trusted: trust all connections
  2. firewall opening and closing ports
    The following refers to the operations under the public zone. For different zones, just change the value behind the zone
    add to:
firewall-cmd --zone=public --add-port=80/tcp --permanent    #(-- permanent takes effect permanently. It will become invalid after restarting without this parameter)


firewall-cmd --reload


firewall-cmd --zone=public --query-port=80/tcp


firewall-cmd --zone=public --remove-port=80/tcp --permanent
  1. management service
    Take the smtp service as an example and add it to the work zone
    add to:
firewall-cmd --zone=work --add-service=smtp


firewall-cmd --zone=work --query-service=smtp


firewall-cmd --zone=work --remove-service=smtp
  1. Configure IP address camouflage
firewall-cmd --zone=external --query-masquerade


firewall-cmd --zone=external --add-masquerade


firewall-cmd --zone=external --remove-masquerade
  1. Port forwarding
    To open port forwarding, you first need to open the IP address camouflage firewall CMD -- zone = external -- add masquerade

Forward TCP port 22 to 3753:
firewall-cmd --zone=external --add-forward-port=22:porto=tcp:toport=3753
Forward port data to the same port of another IP:
firewall-cmd --zone=external --add-forward-port=22:porto=tcp:toaddr=
Forward port data to port 3753 of another IP:
firewall-cmd --zone=external --add-forward-port=22:porto=tcp:: toport=3753:toaddr=

  1. systemctl is the main tool in the service management tool of CentOS7. It integrates the functions of service and chkconfig.

Start a service:

systemctl start firewalld.service

Shut down a service:

systemctl stop firewalld.service

Restart a service:

systemctl restart firewalld.service`

Displays the status of a service:

systemctl status firewalld.service

Enable a service at boot time:

systemctl enable firewalld.service

Disable a service at power on:

systemctl disable firewalld.service

Check whether the service is started:

systemctl is-enabled firewalld.service

To view a list of started services:

systemctl list-unit-files|grep enabled

To view the list of services that failed to start:

systemctl --failed

Tags: Linux

Posted by pbs on Tue, 19 Apr 2022 08:09:15 +0930