masquerade
# Masquerade (source NAT) on the external zone: traffic leaving through it
# carries this host's address. Query the current state before changing it.
firewall-cmd --zone=external --query-masquerade
# Runtime-only: the setting is lost on `firewall-cmd --reload` or a service
# restart unless the same command is repeated with --permanent.
firewall-cmd --zone=external --add-masquerade
external port forward
# Review what the external zone already allows (services, ports, forwards)
# before adding a forward rule, and re-run it afterwards to confirm the result.
firewall-cmd --zone=external --list-all
# Forward inbound TCP/22 arriving on the external zone to 192.168.0.11:2222.
# Forwarding to a different host (toaddr) relies on masquerade being enabled
# on the zone (see above). Runtime-only without --permanent. This exposes the
# internal host's SSH service on the firewall's public port 22 — confirm that
# is intended and that the internal host is itself hardened.
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.11
Lockdown
# Lockdown limits which local commands/contexts/users may change the firewall
# configuration. Setting it in firewalld.conf is persistent; --reload applies it.
# vi /etc/firewalld/firewalld.conf
Lockdown=yes
# NOTE: --reload also discards every runtime-only rule that was added
# without --permanent (masquerade, forward-port, rich rules above).
# firewall-cmd --reload
# firewall-cmd --query-lockdown
# Before turning lockdown on, make sure the commands you depend on are on
# the lockdown whitelist (--add-lockdown-whitelist-command); otherwise
# firewall-cmd itself may be refused and cannot switch lockdown off again.
# firewall-cmd --lockdown-on
# firewall-cmd --lockdown-off
Allow / block a source IP (rich rules)
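# Rich rules keyed on a single IPv4 source. `accept` admits that host to the
# whole public zone regardless of the zone's service list; `reject` blocks it
# and answers the sender (use `drop` to discard silently). All of these are
# runtime-only unless repeated with --permanent; verify with --list-all.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.41" accept'
# firewall-cmd --list-all
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.41" accept'
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.41" reject'
# firewall-cmd --list-all
# Removal must repeat the rule text exactly, including the space before the
# action keyword — `..."192.168.0.41"reject` is not the rule that was added.
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.41" reject'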
fail2ban-firewalld
# Install fail2ban together with the firewalld ban actions and the systemd
# journal backend defaults shipped by the two extra packages.
yum install fail2ban fail2ban-firewalld fail2ban-systemd
systemctl enable fail2ban
# Started before the jail edit below, so it runs with packaged defaults until
# it is reloaded (`fail2ban-client reload`) or restarted after editing.
systemctl start fail2ban.service
# Overrides go in jail.local; jail.conf belongs to the package and may be
# replaced on upgrade. Copying the whole file works, but a jail.local that
# holds only the changed keys is easier to review for what actually differs.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
# Global overrides. fail2ban reads jail.local with a configparser-style
# reader, so %(name)s interpolation applies. These four lines belong in the
# [DEFAULT] section of the copied file; that header is above this excerpt.
#backend = auto
# Read authentication events from the systemd journal instead of polling files.
backend = systemd
#banaction = iptables-multiport
# Ban through firewalld ipsets (action shipped with fail2ban-firewalld) so
# bans coexist with the firewalld rules instead of bypassing them.
banaction = firewallcmd-ipset
# Brute-force protection for sshd.
[sshd]
enabled = true
port = ssh
# NOTE(review): with backend = systemd the journal is consulted, so this
# logpath is presumably not used — confirm against the installed version.
logpath = %(sshd_log)s
# failed attempts within findtime before a ban
maxretry = 5
# seconds; 5 minutes is short for an internet-facing SSH host — consider a
# longer bantime (or bantime.increment where the fail2ban version supports it)
bantime = 300
# the default action already uses banaction above; this override stays commented
#action = firewallcmd-ipset
# Aggressive / DDoS-style sshd patterns. No maxretry or bantime here, so the
# [DEFAULT] values apply. NOTE(review): newer fail2ban releases folded
# sshd-ddos into the sshd filter (mode = aggressive); check the jail actually
# exists with `fail2ban-client status` before relying on it.
[sshd-ddos]
enabled = true
port = ssh
logpath = %(sshd_log)s