firewalld
CentOS 7
# cd /usr/lib/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
# systemctl start/stop/restart/status firewalld
# systemctl enable/disable firewalld
# firewall-cmd --list-all
# firewall-cmd --list-ports
# firewall-cmd --state
# firewall-cmd --complete-reload
# firewall-cmd --reload
# firewall-cmd --list-all
# firewall-cmd --info-service samba
# firewall-cmd --add-service=ftp --permanent
# firewall-cmd --remove-service=ftp --permanent
# firewall-cmd --list-all-zones
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
# firewall-cmd --delete-zone=syncthing --permanent
# firewall-cmd --zone=external --list-all
# firewall-cmd --zone=internal --change-interface=ens33
# firewall-cmd --get-services
# firewall-cmd --zone=external --permanent --add-service=http
# firewall-cmd --zone=external --permanent --remove-service=http
# firewall-cmd --zone=internal --permanent --add-service={pop3,pop3s,http,https,dns,ftp,snmp,smtp,squid}
# firewall-cmd --zone=public --add-port=21964/tcp --permanent
# firewall-cmd --zone=public --remove-port=21964/tcp --permanent
# firewall-cmd --zone=public --add-port=2121-2221/tcp --permanent
# firewall-cmd --zone=public --add-port={2121/tcp,2221/tcp} --permanent
# firewall-cmd --permanent --delete-zone=xrdp
Notes
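Port forwarding and masquerading
In the direct rules at the end of this section, -i and -o are iptables interface matches, not firewalld zone names: "internal" and "external" presumably stand in for the real interface names (for example ens33, which is assigned to the internal zone above) and match nothing unless an interface actually has that name. Rules added with --permanent take effect only after firewall-cmd --reload.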
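# firewall-cmd --query-masquerade # check whether IP masquerading is enabled (default zone, runtime configuration)
# firewall-cmd --add-masquerade # enable IP masquerading (default zone, runtime only; add --permanent to persist)
# firewall-cmd --remove-masquerade # disable IP masquerading (default zone, runtime only)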
# firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING 0 -o external -j MASQUERADE
# firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i internal -o external -j ACCEPT
# firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i external -o internal -m state --state RELATED,ESTABLISHED -j ACCEPT