From inetshell Wiki

Manual

https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/

https://www.lisenet.com/2016/firewalld-rich-and-direct-rules-setup-rhel-7-server-as-a-router/

Port forwarding

https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/

sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345


Allow a port for a specific IP

https://www.admfactory.com/how-to-open-port-for-a-specific-ip-address-on-centos-7/

firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="10.10.99.10/32"
  port protocol="tcp" port="80" accept'

Block outgoing connections

https://serverfault.com/questions/618164/block-outgoing-connections-on-rhel7-centos7-with-firewalld

Allow established connections:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow HTTP:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

Allow HTTPS:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT

Allow for DNS queries:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT

Deny everything else:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
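The allow-list above only works because every ACCEPT rule carries a lower priority number than the catch-all DROP; an ACCEPT added later at priority 2 or higher would never be reached. As an added example (not part of the original wiki), this POSIX shell check reads the direct-rule listing and flags that mistake. SAMPLE_RULES is a constructed copy of what `firewall-cmd --direct --get-all-rules` prints after the commands above.

```shell
#!/bin/sh
# Added example: audit the OUTPUT chain of the firewalld direct rules and
# confirm no ACCEPT rule is shadowed by the catch-all DROP.

# Constructed sample of `firewall-cmd --direct --get-all-rules` output
# (format: family table chain priority args...).
SAMPLE_RULES='ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
ipv4 filter OUTPUT 2 -j DROP'

# check_output_chain RULES
# Prints a verdict; returns 0 when the OUTPUT chain has a DROP and every
# ACCEPT sits at a strictly lower priority, 1 otherwise.
check_output_chain() {
    printf '%s\n' "$1" | awk '
        $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
            prio = $4 + 0
            if ($(NF-1) == "-j" && $NF == "DROP") {
                # keep the lowest-numbered DROP: that is the first one hit
                if (!have_drop || prio < drop_prio) drop_prio = prio
                have_drop = 1
            } else if ($(NF-1) == "-j" && $NF == "ACCEPT") {
                if (prio > max_accept) max_accept = prio
                accepts++
            }
        }
        END {
            if (!have_drop) { print "no catch-all DROP in OUTPUT"; exit 1 }
            if (max_accept >= drop_prio) {
                print "ACCEPT at priority " max_accept " is shadowed by DROP at " drop_prio
                exit 1
            }
            print accepts+0 " ACCEPT rules evaluated before DROP at priority " drop_prio
        }'
}

# Live use on a firewalld host (assumes root; this is the only non-sample call):
#   check_output_chain "$(firewall-cmd --direct --get-all-rules)"
check_output_chain "$SAMPLE_RULES"
```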