===== Firewall systemd =====

Some notes on how to use the systemd firewall (firewalld).

==== Disable it ====

<code>
# systemctl disable firewalld
# systemctl stop firewalld
</code>

==== Enable it ====

<code>
# systemctl enable firewalld
# systemctl start firewalld
</code>

==== Show rules ====

<code>
firewall-cmd --list-all        # Default zone
firewall-cmd --list-all-zones  # List all zones
</code>

==== Open ports ====

<code>
# --permanent only writes the saved configuration; it takes effect after: firewall-cmd --reload
firewall-cmd --permanent --add-port=3306/tcp
</code>

==== Use iptables ====

<code>
# systemctl disable firewalld
# systemctl stop firewalld
# yum install iptables-services
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables
</code>

==== Check the service status ====

<code>
sudo systemctl status firewalld
</code>

==== Obtain all open ports with netstat ====

  * TCP:
<code>
# Listening TCP sockets, IPv4 and IPv6. The port is whatever follows the last colon
# of the local address, which covers 0.0.0.0:22, :::22, ::1:22 and ::ffff:10.0.0.1:22 alike.
sudo netstat -tpln | grep LISTEN | awk '{print $4}' | awk -F: '{print $NF}' | sort -n | uniq > /home/emonge/testportstcp
cat /home/emonge/testportstcp
</code>
  * UDP:
<code>
# UDP sockets carry no LISTEN state in netstat output, so select the udp/udp6 rows
# by their protocol column (this also skips the header lines) instead of grepping for LISTEN.
sudo netstat -upln | awk '$1 ~ /^udp6?$/ {print $4}' | awk -F: '{print $NF}' | sort -n | uniq > /home/emonge/testportsudp
cat /home/emonge/testportsudp
</code>

==== Use above to open ports ====

<code>
sudo systemctl start firewalld      # firewall-cmd talks to the running daemon, so start it first
sudo systemctl enable firewalld
for i in $(sort -n /home/emonge/testportstcp | uniq); do sudo firewall-cmd --permanent --add-port="$i"/tcp; done
for i in $(sort -n /home/emonge/testportsudp | uniq); do sudo firewall-cmd --permanent --add-port="$i"/udp; done
sudo firewall-cmd --reload          # load the permanent rules into the runtime configuration
</code>

==== References ====

  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
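As an added worked example (not code from the original page or from firewalld), the script below does the port collection and port opening from the netstat and "Use above to open ports" sections in one pass. It assumes a constructed `netstat -tupln` snippet embedded as `SAMPLE_NETSTAT`, handles IPv4, IPv6 and IPv4-mapped local addresses with a single rule (text after the last colon), skips sockets bound only to loopback (which need no firewall opening), and prints the `firewall-cmd` commands for review instead of running them; the function names `listening_ports` and `firewall_cmds` are my own.

```shell
#!/bin/sh
# Added example: derive firewall-cmd commands from netstat output without running them.
# Constructed sample of `netstat -tupln` output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      910/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      920/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      930/cupsd
tcp6       0      0 ::ffff:10.0.0.5:8443    :::*                    LISTEN      940/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           950/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           960/chronyd
udp6       0      0 :::546                  :::*                                950/dhclient'

# listening_ports PROTO -> unique ports for "tcp" or "udp" (v4 and v6 rows),
# skipping sockets bound only to loopback, which need no firewall opening.
# UDP rows have no LISTEN state, so rows are selected by protocol column, not by LISTEN.
listening_ports() {
    proto="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$proto" '
        $1 == p || $1 == (p "6") {
            addr = $4
            port = addr; sub(/.*:/, "", port)                     # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next        # loopback-only listener
            print port
        }' | sort -n | uniq
}

# firewall_cmds PROTO -> the commands the page loops over, one per port, then the reload
firewall_cmds() {
    for port in $(listening_ports "$1"); do
        printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$port" "$1"
    done
    echo 'firewall-cmd --reload'
}

firewall_cmds tcp
firewall_cmds udp
```

On hosts without net-tools, `ss -tulpn` can replace netstat, but its columns differ, so the `$1`/`$4` fields in the awk program would need adjusting.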