https://calee0219.github.io/tag/firewalld/FirewalldHugoBlox Kit (https://hugoblox.com)en-us©Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/media/icon_hu_da05098ef60dc2e7.pnghttps://calee0219.github.io/tag/firewalld/https://calee0219.github.io/blog/note_firewalld/Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/blog/note_firewalld/<h2 id="firewalld">firewalld</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo firewall-cmd --get-default-zone </span></span><span class="line"><span class="cl">sudo firewall-cmd --set-default-zone<span class="o">=</span>internal </span></span><span class="line"><span class="cl">sudo firewall-cmd --get-active-zones </span></span><span class="line"><span class="cl">sudo firewall-cmd --list-all-zones </span></span></code></pre></div><h3 id="換腳">換腳</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">firewal-cmd --permanent --zone<span class="o">=</span>public --remove-interface<span class="o">=</span>ens34 </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>internal --add-interface<span class="o">=</span>ens34 </span></span></code></pre></div><h3 id="allow--deney-port">Allow / Deney port</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent </span></span><span class="line"><span class="cl">sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent </span></span></code></pre></div><p> </p> <h3 id="src-nat">src-nat</h3> <ul> <li>先設定網卡的 zone <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo nmcli c mod eth1 connection.zone internal </span></span><span class="line"><span class="cl">sudo nmcli c mod eth2 connection.zone external </span></span><span class="line"><span class="cl">firewall-cmd --get-active-zone </span></span></code></pre></div></li> <li>允許封包轉送 <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">direct</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">rule</span> <span class="n">ipv4</span> <span class="n">nat</span> <span class="n">POSTROUTING</span> <span class="mi">0</span> <span class="o">-</span><span class="n">o</span> <span class="p">[</span><span class="n">WAN</span><span class="p">]</span> <span class="o">-</span><span class="n">j</span> <span class="n">MASQUERADE</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">direct</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">rule</span> <span class="n">ipv4</span> <span class="n">filter</span> <span class="n">FORWARD</span> <span class="mi">0</span> <span class="o">-</span><span class="n">i</span> <span class="p">[</span><span class="n">LAN</span><span class="p">]</span> <span class="o">-</span><span class="n">o</span> <span class="p">[</span><span class="n">WAN</span><span class="p">]</span> <span class="o">-</span><span class="n">j</span> <span class="n">ACCEPT</span> <span class="c1"># -i 是 input, -o 是 output</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">direct</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">rule</span> <span class="n">ipv4</span> <span class="n">filter</span> <span class="n">FORWARD</span> <span class="mi">0</span> <span class="o">-</span><span class="n">i</span> <span class="p">[</span><span class="n">WAN</span><span class="p">]</span> <span class="o">-</span><span class="n">o</span> <span class="p">[</span><span class="n">LAN</span><span class="p">]</span> <span class="o">-</span><span class="n">m</span> <span class="n">state</span> <span class="o">--</span><span class="n">state</span> <span class="n">RELATED</span><span class="p">,</span><span class="n">ESTABLISHED</span> <span class="o">-</span><span class="n">j</span> <span class="n">ACCEPT</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">reload</span> </span></span></code></pre></div></li> </ul> <h3 id="dst-nat">dst-nat</h3> <p> </p> <ul> <li>做 masquerade <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">zone</span><span class="o">=</span><span class="n">external</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">masquerade</span> <span class="o">--</span><span class="n">permanent</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">zone</span><span class="o">=</span><span class="n">internal</span> <span class="o">--</span><span class="n">add</span><span class="o">-</span><span class="n">masquerade</span> <span class="o">--</span><span class="n">permanent</span> </span></span><span class="line"><span class="cl"><span class="n">sudo</span> <span class="n">firewall</span><span class="o">-</span><span class="n">cmd</span> <span class="o">--</span><span class="n">reload</span> </span></span></code></pre></div></li> <li>same server <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo firewall-cmd --zone=&#34;public&#34; --add-forward-port=port=80:proto=tcp:toport=12345 --permanent </span></span></code></pre></div></li> <li>different server <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">sudo firewall-cmd --zone=external --add-masquerade --permanent </span></span><span class="line"><span class="cl">sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9 --permanent </span></span></code></pre></div></li> </ul>