# CentOS 7

## Nội dung
- cấu hình mạng
- disable ipv6
- firewall

## Cấu hình mạng

## Disable IPv6

## Firewall
- Sử dụng dịch vụ `firewalld`, phía dưới chạy `iptables`
- Kiểm tra dịch vụ có chạy không?

```
systemctl status firewalld
```

- Trạng thái của firweall:

```
# firewall-cmd --state
```

- Show default zone

```
# firewall-cmd --get-default-zone
public
```

- Show active zones

```
# firewall-cmd --get-active-zones
internal
interfaces: enp0s8
external
interfaces: enp0s17
```

- Show rules

```
# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'internal,external' (see --get-active-
zones)
You most likely need to use --zone=internal option.

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
 masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
```

- Show all zones

```
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
```

- Có thể thêm `--zone=<name>` để lấy thông tin theo zone

- Show all zones

```
# firewall-cmd --list-all-zones

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

...
```

- thêm `zone=<name>` vào trong file network config để mô tả cụ thể interfaces và

zone

- show services

```
# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-
rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector
ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch
freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client
ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-
target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls
managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-
imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3
pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-
bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp
snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-
client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh
xmpp-client xmpp-local xmpp-server

```

+ Tệp tin config cho service ở đây `/usr/lib/firewalld/services`, định dạng

xml
+ `man firewalld.service` để xem mô tả về file service
+ Ví dụ
```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>My Service</short> <!-- optional, is used to give an icmptype a more
readable name -->
<description>description</description> <!-- optional -->
<port port="137" protocol="tcp"/> <!-- port or port-port (port range), protocol:
tcp, udp, sctp, dccp -->
<protcol value="igmp"/> <!-- /ect/protocols -->
<module name="nf_conntrack_netbios_ns"/>
<destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
<source-port port="" protocol=""> <!-- source port -->
</service>
```

- list services by zone

```
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
```