centos7防火墙配置详细

 

一、前提条件：防火墙是开启的（注意下面 `Loaded` 一行显示 `disabled`，说明服务当前在运行但未设置开机自启；如需重启后仍生效，可执行 `systemctl enable firewalld`）

[root@ac ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2023-11-05 20:45:21 CST; 2min 8s ago
     Docs: man:firewalld(1)
 Main PID: 1267 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1267 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

 



1、查看防火墙的配置

[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: 

2、开放80端口
[root@ac ~]# firewall-cmd --permanent --add-port=80/tcp
[root@ac ~]# firewall-cmd --permanent --add-port=81/tcp
success
[root@ac ~]# firewall-cmd --reload      #--permanent 修改的是持久化配置，必须重新加载防火墙配置才会生效
success

[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 80/tcp 81/tcp      
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

 3、移除以上规则



[root@ac ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@ac ~]# firewall-cmd --permanent --remove-port=81/tcp
success


[root@ac ~]# firewall-cmd --reload
success
[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

 4、放通某个端口段

 1 [root@ac ~]# firewall-cmd --permanent --zone=public --add-port=1000-2000/tcp
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp      #已添加
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 

5、放通某个IP访问（该规则未限定端口，表示来自该 IP 的所有端口流量默认允许）

 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.200.105 accept'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept    #已添加

6、禁止某个IP访问（drop 会静默丢弃来自该 IP 的数据包；后文 8080 端口示例使用的 reject 则会向来源返回拒绝响应，两者都能阻断访问）

1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.42 drop'
2 [root@ac ~]# firewall-cmd --reload
3 success

 

 1 [root@ac ~]# firewall-cmd --list-all
 2 public
 3   target: default
 4   icmp-block-inversion: no
 5   interfaces: 
 6   sources: 
 7   services: dhcpv6-client ssh
 8   ports: 1000-2000/tcp
 9   protocols: 
10   masquerade: no
11   forward-ports: 
12   source-ports: 
13   icmp-blocks: 
14   rich rules: 
15     rule family="ipv4" source address="192.168.200.105" accept
16     rule family="ipv4" source address="10.0.0.42" drop      #已拒绝该IP访问
17     

 

7、放通某个IP访问某个端口
 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.169 port protocol=tcp port=6379 accept'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="10.0.0.42" drop
21     rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept  #已放通该IP的6379端口

#禁止指定IP访问本机8080端口

 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="10.0.0.42" drop
21     rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept
22     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject    #已添加

8、移除以上规则

1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept'
2 success
3 [root@ac ~]# firewall-cmd --reload
4 success
 1 [root@ac ~]# firewall-cmd --list-all
 2 public
 3   target: default
 4   icmp-block-inversion: no
 5   interfaces: 
 6   sources: 
 7   services: dhcpv6-client ssh
 8   ports: 1000-2000/tcp                                          
 9   protocols: 
10   masquerade: no  
11   forward-ports: 
12   source-ports: 
13   icmp-blocks: 
14   rich rules:                                         #已删除192.168.1.169的6379端口
15     rule family="ipv4" source address="192.168.200.105" accept
16     rule family="ipv4" source address="10.0.0.42" drop
17     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject

 

 1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=10.0.0.42 drop'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject
 1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject'
 2 success
 3 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.200.105 accept'
 4 success
 5 [root@ac ~]# firewall-cmd --reload
 6 success
 7 [root@ac ~]# firewall-cmd --list-all
 8 public
 9   target: default
10   icmp-block-inversion: no
11   interfaces: 
12   sources: 
13   services: dhcpv6-client ssh
14   ports: 1000-2000/tcp
15   protocols: 
16   masquerade: no
17   forward-ports: 
18   source-ports: 
19   icmp-blocks: 
20   rich rules: 

 

 


