centos7防火墙配置详细
一、条件防火墙是开启的
[root@ac ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: active (running) since Sun 2023-11-05 20:45:21 CST; 2min 8s ago Docs: man:firewalld(1) Main PID: 1267 (firewalld) CGroup: /system.slice/firewalld.service └─1267 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
1、查看防火墙的配置
[root@ac ~]# firewall-cmd --list-all public target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
2、开放80端口
1 [root@ac ~]# firewall-cmd --permanent --add-port=80/tcp
[root@ac ~]# firewall-cmd --permanent --add-port=81/tcp
2 success 3 [root@ac ~]# firewall-cmd --reload #重新加载防火墙配置才会生效 4 success
[root@ac ~]# firewall-cmd --list-all public target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client ssh ports: 80/tcp 81/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
3、移除以上规则
[root@ac ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@ac ~]# firewall-cmd --permanent --remove-port=81/tcp
success
[root@ac ~]# firewall-cmd --reload success [root@ac ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
4、放通某个端口段
1 [root@ac ~]# firewall-cmd --permanent --zone=public --add-port=1000-2000/tcp 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success 5 [root@ac ~]# firewall-cmd --list-all 6 public 7 target: default 8 icmp-block-inversion: no 9 interfaces: 10 sources: 11 services: dhcpv6-client ssh 12 ports: 1000-2000/tcp #已添加 13 protocols: 14 masquerade: no 15 forward-ports: 16 source-ports: 17 icmp-blocks: 18 rich rules:
5、放通某个IP访问,默认允许
1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.200.105 accept' 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success 5 [root@ac ~]# firewall-cmd --list-all 6 public 7 target: default 8 icmp-block-inversion: no 9 interfaces: 10 sources: 11 services: dhcpv6-client ssh 12 ports: 1000-2000/tcp 13 protocols: 14 masquerade: no 15 forward-ports: 16 source-ports: 17 icmp-blocks: 18 rich rules: 19 rule family="ipv4" source address="192.168.200.105" accept #已添加
6、禁止某个IP访问
1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.42 drop' 2 [root@ac ~]# firewall-cmd --reload 3 success
1 [root@ac ~]# firewall-cmd --list-all 2 public 3 target: default 4 icmp-block-inversion: no 5 interfaces: 6 sources: 7 services: dhcpv6-client ssh 8 ports: 1000-2000/tcp 9 protocols: 10 masquerade: no 11 forward-ports: 12 source-ports: 13 icmp-blocks: 14 rich rules: 15 rule family="ipv4" source address="192.168.200.105" accept 16 rule family="ipv4" source address="10.0.0.42" drop #已拒绝该IP访问 17
7、放通某个IP访问某个端口
1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.169 port protocol=tcp port=6379 accept' 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success 5 [root@ac ~]# firewall-cmd --list-all 6 public 7 target: default 8 icmp-block-inversion: no 9 interfaces: 10 sources: 11 services: dhcpv6-client ssh 12 ports: 1000-2000/tcp 13 protocols: 14 masquerade: no 15 forward-ports: 16 source-ports: 17 icmp-blocks: 18 rich rules: 19 rule family="ipv4" source address="192.168.200.105" accept 20 rule family="ipv4" source address="10.0.0.42" drop 21 rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept #已放通该IP的6379端口
#禁止指定IP访问本机8080端口
1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject' 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success 5 [root@ac ~]# firewall-cmd --list-all 6 public 7 target: default 8 icmp-block-inversion: no 9 interfaces: 10 sources: 11 services: dhcpv6-client ssh 12 ports: 1000-2000/tcp 13 protocols: 14 masquerade: no 15 forward-ports: 16 source-ports: 17 icmp-blocks: 18 rich rules: 19 rule family="ipv4" source address="192.168.200.105" accept 20 rule family="ipv4" source address="10.0.0.42" drop 21 rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept 22 rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject #已添加
8、移除以上规则
1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept' 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success
1 [root@ac ~]# firewall-cmd --list-all 2 public 3 target: default 4 icmp-block-inversion: no 5 interfaces: 6 sources: 7 services: dhcpv6-client ssh 8 ports: 1000-2000/tcp 9 protocols: 10 masquerade: no 11 forward-ports: 12 source-ports: 13 icmp-blocks: 14 rich rules: #已删除192.168.1.169的6379端口 15 rule family="ipv4" source address="192.168.200.105" accept 16 rule family="ipv4" source address="10.0.0.42" drop 17 rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject
1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=10.0.0.42 drop' 2 success 3 [root@ac ~]# firewall-cmd --reload 4 success 5 [root@ac ~]# firewall-cmd --list-all 6 public 7 target: default 8 icmp-block-inversion: no 9 interfaces: 10 sources: 11 services: dhcpv6-client ssh 12 ports: 1000-2000/tcp 13 protocols: 14 masquerade: no 15 forward-ports: 16 source-ports: 17 icmp-blocks: 18 rich rules: 19 rule family="ipv4" source address="192.168.200.105" accept 20 rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject
1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject' 2 success 3 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.200.105 accept' 4 success 5 [root@ac ~]# firewall-cmd --reload 6 success 7 [root@ac ~]# firewall-cmd --list-all 8 public 9 target: default 10 icmp-block-inversion: no 11 interfaces: 12 sources: 13 services: dhcpv6-client ssh 14 ports: 1000-2000/tcp 15 protocols: 16 masquerade: no 17 forward-ports: 18 source-ports: 19 icmp-blocks: 20 rich rules:
浙公网安备 33010602011771号