CentOS 7 brings with it a new dynamic firewall interface deamon (firewalld) which allows for a fairly easy configuration of your firewall without having to learn iptables. The firewalld daemon provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. In reality firewall-cmd is just a front end for iptables and will indeed create and maintain the iptables rules required in your configuration. In a normal configration you would expect to have a local and remote interface, the local being the LAN and the remote either being behind a firewall or NAT'ed. The rules for each would of course be different and so you can create 'zones' with firewall-cmd for Internal and Public (or whatever you want to call them).
If your using a graphical interface then you can use the firewall-config tool but for the rest of us that live in the shell, the command line interface is fairly easy to use.
Let's assume you have two interfaces as
eno16777984 = LAN with a private address such as 10.1.1.10
eno33557248 = Public with a public IP such as 22.214.171.124
Now the magic with firewall-cmd is that once you've defined the zones (Internal and Public or whatever you want to call them)
firewallcmd --permanent --add-zone=Internal
firewallcmd --permanent --add-zone=Public
You can then assign some services to those with
firewall-cmd --permanent --zone=Internal --add-service=ssh
and that's assuming your SSH'ing into the box, you don't want to be locked out. So now let's assign the interfaces to the zones.
firewall-cmd --permanent --zone=Internal --add-interface=eno16777984
firewall-cmd --permanent --zone=Public --add-interface=eno33557248
and finally a restart of the firewall with
systemctl restart firewalld
Now you can go ahead an add more services (with --add-service=) or ports with (--add-port=) and setup the rules for your interfaces. If your curious as to how this is configuring iptables then just issue iptables -L to see the rules. You'll find for each zone you've got an IN and OUT, Permit and Deny and your rules are allocated to the correct tables.
One big tech tip here, for some reason, especially when your changing interfaces, IP's and the whathaveyou, firewalld can sometimes move interfaces between zones. Its rare, but not realising can be bad news especially if it moves the dirty interface into the Internal zone. To ensure your always aware of what zones are on what interfaces locate your .bashrc file (in your home directory - the one you land in when you login) and add a line on the end
You'll get output similar to
Every time you login so your always aware if an interface has vanished.
The full reference can be found on the RedHat Site and there's ample community resources too. If you get stuck and need some help then feel free to post in the GENSupport Forum and someone will help you out.