Config firewalld¶
have a look at- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8
- https://www.certdepot.net/rhel7-get-started-firewalld/
- https://www.liquidweb.com/kb/an-introduction-to-firewalld/
Add a Port for TCP or UDP¶
You do have to specify TCP or UDP and to open a port for both. You will need to add rules for each protocol.
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=53/udp
Remove a Port for TCP or UDP¶
Using a slight variation on the above structure, you can remove a currently open port, effectively closing off that port.
firewall-cmd --permanent --remove-port=444/tcp
Add a Service¶
These services assume the default ports configured within the /etc/services configuration file; if you wish to use a service on a non-standard port, you will have to open the specific port, as in the example above.
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
Remove a Service¶
As above, you specify the remove-service option, and you can close off the port that is defined for that service.
firewall-cmd --permanent --remove-service=mysql
Whitelist an IP Address¶
To whitelist or allow access from an IP or range of IPs, you can tell the firewall to add a trusted source.
firewall-cmd --permanent --add-source=192.168.1.100
You can also allow a range of IPs using what is called CIDR notation. CIDR is outside the scope of this article but is a shorthand that can be used for noting ranges of IP addresses.
firewall-cmd --permanent --add-source=192.168.1.0/24
Remove a Whitelisted IP Address¶
To remove a whitelisted IP or IP range, you can use the --remove-source option.
firewall-cmd --permanent --remove-source=192.168.1.100
Block an IP Address¶
As the firewall-cmd tool is mostly used for opening or allowing access, rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"
You can again use CIDR notation also block a range of IP addresses.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
to forward a specific port (not yet working!)¶
firewall-cmd --zone=public --permanent --add-port=2222/tcp
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.80 --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-all
Testing¶
you may consider http://portquiz.net/
http://portquiz.net:1234/
This example tests whether you are able to visit outbound port 1234. You simply change the port number to whatever you like. Also, the site gives some examples that could be used in a command line script:
wget -qO- portquiz.net:1234
Port 1234 test successful!
Your IP: 198.252.206.16
Von Jeremias Keihsler vor mehr als 2 Jahren aktualisiert · 4 Revisionen