firewalld configuration

Technical notes

firewalld

sudo firewall-cmd --get-default-zone
sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all-zones

Move an interface to another zone

firewall-cmd --permanent --zone=public --remove-interface=ens34
firewall-cmd --permanent --zone=internal --add-interface=ens34

Allow / deny a port

sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent

Introduction to FirewallD on CentOS

src-nat

  • First assign the interfaces to zones
    sudo nmcli c mod eth1 connection.zone internal
    sudo nmcli c mod eth2 connection.zone external
    sudo firewall-cmd --get-active-zones

  • Allow packet forwarding (the direct rules are added with --permanent so that they survive the --reload that follows; a runtime-only --direct rule is dropped by the reload)
    sudo firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o [WAN] -j MASQUERADE
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i [LAN] -o [WAN] -j ACCEPT  # -i is the input interface, -o the output interface
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i [WAN] -o [LAN] -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo firewall-cmd --reload


dst-nat

Setting up NAT with firewalld on CentOS 7

  • Enable masquerade
    sudo firewall-cmd --zone=external --add-masquerade --permanent
    sudo firewall-cmd --zone=internal --add-masquerade --permanent
    sudo firewall-cmd --reload

  • Forward to another port on the same server
    sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=12345 --permanent

  • Forward to a different server (masquerade on the zone is required so that the reply traffic from the target host is rewritten on the way back)
    sudo firewall-cmd --zone=external --add-masquerade --permanent
    sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=[TARGET-IP] --permanent  # [TARGET-IP] is the address of the internal host, e.g. 192.0.2.10

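As an added example (not part of the original note), the dst-nat steps above wrapped in a POSIX shell function that validates the ports and the target address before anything is written to the permanent configuration, so a malformed value is rejected before it reaches firewall-cmd. The function names, the FW_DRY_RUN switch and the example address 192.0.2.10 are assumptions of this example, not values from the note.

```sh
# Added example: validated wrapper around the forward-port commands above.
# FW_DRY_RUN=1 prints the firewall-cmd lines instead of running them, so the
# helper can be exercised on a host without firewalld.

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed only if $1 is a port number in 1..65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Run firewall-cmd, or echo the command line when FW_DRY_RUN=1.
run_fw() {
  if [ "${FW_DRY_RUN:-0}" = 1 ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    sudo firewall-cmd "$@"
  fi
}

# fw_forward_port ZONE PORT PROTO TOPORT [TOADDR]
# Adds a permanent forward-port rule and reloads. With TOADDR (the
# "different server" case) masquerade is enabled on the zone first so that
# the reply traffic from the target host is rewritten on its way back.
fw_forward_port() {
  _zone=$1; _port=$2; _proto=$3; _toport=$4; _toaddr=${5:-}
  case $_proto in tcp|udp) ;; *) echo "bad proto: $_proto" >&2; return 2 ;; esac
  valid_port "$_port" && valid_port "$_toport" || { echo "bad port" >&2; return 2; }
  _spec="port=$_port:proto=$_proto:toport=$_toport"
  if [ -n "$_toaddr" ]; then
    valid_ipv4 "$_toaddr" || { echo "bad address: $_toaddr" >&2; return 2; }
    _spec="$_spec:toaddr=$_toaddr"
    run_fw --zone="$_zone" --add-masquerade --permanent
  fi
  run_fw --zone="$_zone" --add-forward-port="$_spec" --permanent
  run_fw --reload
}
```

Run with `FW_DRY_RUN=1 fw_forward_port external 80 tcp 8080 192.0.2.10` to see the three commands it would issue; without the variable it executes them via sudo.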