IP masquerading and port forwarding

Firewalld supports two types of network address translation: IP address masquerade and port forwarding (forward-port).
Address masquerade configuration

Add address masquerading for the specified zone:
firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]
(--timeout=seconds: automatically remove the setting after the given number of seconds; --timeout applies to the runtime configuration only and cannot be combined with --permanent)

Remove address masquerading from the specified zone:
firewall-cmd [--permanent] [--zone=zone] --remove-masquerade

Check whether address masquerading is enabled in the specified zone:
firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Port forwarding configuration

List the port forwarding rules of a zone:
firewall-cmd [--permanent] [--zone=zone] --list-forward-ports

Add a port forwarding rule:
firewall-cmd [--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]

Delete a port forwarding rule:
firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Query whether a port forwarding rule exists:
firewall-cmd [--permanent] [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

When toaddr points to a different host, masquerading must also be enabled in the zone so that the reply traffic is routed back through the firewall host.

Firewalld direct rules

Direct interface
The direct interface passes raw iptables/ip6tables/ebtables arguments through to the backend. It is deprecated since firewalld 1.0 in favour of policies, so prefer rich rules or policies wherever they are sufficient.
Custom rule chains
Firewalld automatically creates custom rule chains (for example IN_<zone>_allow) for zones in which rules are configured.

Allow inbound traffic to TCP port 9000:
firewall-cmd --direct --add-rule ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT

Query all direct rules:
firewall-cmd --direct --get-all-rules
ipv4 filter IN_work_allow 0 -p tcp --dport 9000 -j ACCEPT
You can add the --permanent option to view the permanent configuration instead of the runtime one.

Firewalld rich language rules

Rich language: an expressive configuration language that does not require knowledge of iptables syntax. It is used to express basic allow/deny rules and to configure logging (to syslog and auditd), port forwarding, masquerading, and rate limiting.

rule [family="<rule family>"]
    [ source address="<address>" [invert="True"] ]
    [ destination address="<address>" [invert="True"] ]
    [ <element> ]
    [ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
    [ audit ]
    [ accept|reject|drop ]

Understanding rich language rule commands
Common firewall-cmd options for handling rich language rules:
Display the configured rich language rules:
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd [--zone=zone] --list-rich-rules

Rich language rule grammar elements: source, destination, element, service, port, protocol, icmp-block, masquerade, forward-port, log, audit, accept, reject, drop.

Deny all traffic from 192.168.8.101:
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.8.101/32 reject'
When the address option is used with source or destination, family=ipv4 or family=ipv6 must be specified.

Accept TCP traffic from the 192.168.1.0/24 subnet to ports 8000-9000:
firewall-cmd --permanent --zone=work --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=8000-9000 protocol=tcp accept'

Drop all ICMP packets:
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

Accept HTTP traffic from 192.168.8.1 and log it:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.8.1/32 service name="http" log level=notice prefix="NEW HTTP" limit value="3/s" accept'
The limit here belongs to the log element, so it rate-limits the log entries (at most 3 per second), not the accepted traffic itself.

Access the HTTP service from 192.168.8.1 and observe /var/log/messages:
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

The above is the full content of this article. I hope it will be helpful for everyone's study.
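As an added example that is not part of the original article: a POSIX shell script that consumes the kernel log lines a rich rule with log prefix="NEW HTTP" writes and counts new connections per source address and destination port, so the log prefix can feed a simple detection check. The log lines inside it are constructed for the demo, and summarize_fw_log and noisy_sources are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original article: summarize firewalld rich-rule
# log lines (those the kernel writes with the configured prefix, here "NEW HTTP")
# per source address and destination port. Field names (SRC, DST, DPT, ...) are
# the standard netfilter LOG fields; the helper names below are hypothetical.

# summarize_fw_log PREFIX  < syslog-lines
# prints "<SRC> <DPT> <count>", most frequent first
summarize_fw_log() {
  awk -v prefix="kernel: $1 " '
    index($0, prefix) == 0 { next }      # skip lines not written by our rule
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") n[src " " dpt]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort -k3,3nr -k1,1
}

# noisy_sources PREFIX THRESHOLD  < syslog-lines
# keeps only "<SRC> <DPT> <count>" rows whose count reaches THRESHOLD
noisy_sources() {
  summarize_fw_log "$1" | awk -v t="$2" '$3 >= t'
}

# Constructed sample log: three SYNs from 192.168.8.1, one from 192.168.8.77,
# and one unrelated kernel line that must be ignored.
SAMPLE_LOG='Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20582 DF PROTO=TCP SPT=65289 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20590 DF PROTO=TCP SPT=65291 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:55 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.1 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20602 DF PROTO=TCP SPT=65292 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:56 Server kernel: NEW HTTP IN=ens33 OUT= MAC=00:0c:29:69:01:c4:00:50:56:c0:00:08:08:00 SRC=192.168.8.77 DST=192.168.8.131 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20611 DF PROTO=TCP SPT=50022 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 17:09:57 Server kernel: e1000: ens33 NIC Link is Up 1000 Mbps Full Duplex'

printf '%s\n' "$SAMPLE_LOG" | noisy_sources "NEW HTTP" 3
```

In production, feed it the real file (for example `summarize_fw_log "NEW HTTP" < /var/log/messages`) and remember that the rich rule's log limit caps how many of these lines exist per second.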