CentOS 7 firewall configuration and whitelisting
Check the firewall status:
systemctl status firewalld
Start the firewall and enable it at boot:
systemctl start firewalld
systemctl enable firewalld
Open port 22:
firewall-cmd --zone=public --add-port=22/tcp --permanent
Reload so the permanent change becomes active:
firewall-cmd --reload
Check that it took effect (query-port reads the running configuration, so run it after the reload):
firewall-cmd --zone=public --query-port=22/tcp
List the open ports:
firewall-cmd --zone=public --list-ports
Open a range of ports:
firewall-cmd --zone=public --add-port=100-500/tcp --permanent
firewall-cmd --reload
Check that it took effect (ports added with --add-port are shown by --list-ports; --list-rich-rules only shows rich rules, so it will not list them):
firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-rich-rules
2. Whitelist script (only the listed sources may reach 1521/tcp; this only works if 1521/tcp is not also opened zone-wide with --add-port, which would admit every source):
#!/bin/bash
# Enable the firewall service (on CentOS 7 "service" is redirected to systemctl; "systemctl start firewalld" is equivalent)
service firewalld start
# Allow the range 172.16.17.1-70 to reach TCP port 1521.
# 172.16.17.0/26 covers 172.16.17.0-63; note that it also admits .0, which is outside the intended range
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.0/26" port protocol="tcp" port="1521" accept'
# 172.16.17.63 is already matched by the /26 above (a source prefix matches every address in it, the broadcast address included), so this rule is redundant but harmless
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.63" port protocol="tcp" port="1521" accept'
# Allow 172.16.17.64-70 one address at a time
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.64" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.65" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.66" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.67" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.68" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.69" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.70" port protocol="tcp" port="1521" accept'
# Reload so the --permanent rules take effect now
firewall-cmd --reload
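The script above writes one rule per address for 172.16.17.64-70 and over-covers the lower part of the range with a /26. The following is an added example, not code from the original notes: it splits an arbitrary IPv4 range into the fewest aligned CIDR blocks and prints the matching firewall-cmd rich rules. It assumes firewalld on CentOS 7, the "public" zone by default, and that the printed commands are reviewed and then piped to sh; the function and script names are made up for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): whitelist an arbitrary IPv4 range
# for one port with the fewest rich rules, by splitting the range into aligned
# CIDR blocks instead of writing one rule per address.
# Assumes firewalld on CentOS 7 and the "public" zone by default; the generated
# firewall-cmd lines are printed for review and applied by piping them to sh.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4 address.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR blocks covering FIRST..LAST inclusive, one per line.
range2cidr() {
    local start end bits size
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        bits=32
        # Widen the block while it stays aligned on its own size and does not pass LAST.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

# Print the firewall-cmd lines that allow FIRST..LAST to reach PORT/PROTO in ZONE,
# ending with the reload that makes --permanent rules active.
whitelist_range() {
    local zone=$1 first=$2 last=$3 port=$4 proto=${5:-tcp} cidr
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9-]*) echo "bad port spec: $port" >&2; return 1 ;;
    esac
    for cidr in $(range2cidr "$first" "$last"); do
        echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" port protocol=\"$proto\" port=\"$port\" accept'"
    done
    echo "firewall-cmd --reload"
}

# Usage: ./whitelist-range.sh FIRST LAST PORT [PROTO] [ZONE]
# Review the output, then re-run with "| sh" to apply it.
if [ $# -ge 3 ]; then
    whitelist_range "${5:-public}" "$1" "$2" "$3" "${4:-tcp}"
fi
```

For 172.16.17.1 to 172.16.17.70 this yields nine blocks (172.16.17.1/32, .2/31, .4/30, .8/29, .16/28, .32/27, .64/30, .68/31, .70/32), the same number of rules as the script above but without admitting 172.16.17.0. Octets with leading zeros would be read as octal by the shell arithmetic, so feed it plain dotted-quad addresses.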
3. Inspect the file and edit the rules directly:
vi /etc/firewalld/zones/public.xml
This file holds the saved (--permanent) configuration of the public zone; a hand edit is not active until you run firewall-cmd --reload.
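Before reloading a hand-edited zone file it is worth checking what it actually allows, in particular that a port you meant to restrict with rich rules is not also open to every source. The following is an added example, not code from the original notes: it parses a zone file in firewalld's XML layout (top-level port elements open a port to any source; each rule block carries a source, a port and an action) and summarises it. The zone it embeds is a constructed sample, and the function names are made up for the example.

```bash
#!/bin/bash
# Added example (not from the original notes): summarise what a firewalld zone
# file allows so a hand edit of /etc/firewalld/zones/public.xml can be checked
# before firewall-cmd --reload. Assumes firewalld's zone XML layout: top-level
# <port .../> entries open a port to every source, and each <rule> block carries
# a <source .../>, a <port .../> and an action element.

# Constructed sample zone (not a real file from the notes).
SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <port protocol="tcp" port="22"/>
  <port protocol="tcp" port="40000-45000"/>
  <rule family="ipv4">
    <source address="172.16.17.0/26"/>
    <port protocol="tcp" port="1521"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.16.17.64/30"/>
    <port protocol="tcp" port="1521"/>
    <accept/>
  </rule>
</zone>'

# Write the constructed sample to a temporary file and print its path.
sample_zone_file() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_ZONE" > "$f"
    echo "$f"
}

# Ports opened zone-wide (reachable from any source), one "port/proto" per line.
zone_open_ports() {
    awk '
        /<rule/    { in_rule = 1 }
        /<\/rule>/ { in_rule = 0 }
        !in_rule && /<port / {
            match($0, /protocol="[^"]+"/); proto = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, /port="[^"]+"/);     port  = substr($0, RSTART + 6,  RLENGTH - 7)
            print port "/" proto
        }' "$1"
}

# Rich rules, one per line as "source port/proto action"; "any" when a rule sets no source or port.
zone_rich_rules() {
    awk '
        /<rule/ { in_rule = 1; src = "any"; port = "any"; act = "?" }
        in_rule && /<source / { match($0, /address="[^"]+"/); src = substr($0, RSTART + 9, RLENGTH - 10) }
        in_rule && /<port / {
            match($0, /protocol="[^"]+"/); proto = substr($0, RSTART + 10, RLENGTH - 11)
            match($0, /port="[^"]+"/);     port  = substr($0, RSTART + 6,  RLENGTH - 7) "/" proto
        }
        in_rule && /<accept/ { act = "accept" }
        in_rule && /<drop/   { act = "drop" }
        in_rule && /<reject/ { act = "reject" }
        /<\/rule>/ { print src, port, act; in_rule = 0 }' "$1"
}

# A rich-rule whitelist for PORT/PROTO is pointless if the same entry is also
# opened zone-wide; exact entries only, ranges are not expanded.
check_whitelist() {
    local file=$1 target=$2
    if zone_open_ports "$file" | grep -qxF "$target"; then
        echo "WARNING: $target is open to every source; the rich-rule whitelist is bypassed"
        return 1
    fi
    echo "OK: $target is only reachable through rich rules"
}

# Usage: ./zone-audit.sh /etc/firewalld/zones/public.xml [PORT/PROTO]
if [ -f "${1:-}" ]; then
    echo "== ports open to any source =="; zone_open_ports "$1"
    echo "== rich rules (source port/proto action) =="; zone_rich_rules "$1"
    [ -n "${2:-}" ] && check_whitelist "$1" "$2"
fi
```

On the sample, 1521/tcp passes the check while 22/tcp is reported as open to everyone. The parser relies on firewalld writing one element per line, which is how firewall-cmd --permanent saves the file; a heavily reformatted hand edit may need a real XML tool instead.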
Common commands:
systemctl start firewalld #start
systemctl stop firewalld #stop
systemctl status firewalld #show status
systemctl disable firewalld #do not start at boot
systemctl enable firewalld #start at boot
Open or close a port:
firewall-cmd --zone=public --add-port=80/tcp --permanent #open port 80/tcp (--permanent writes it to the saved configuration so it survives a reboot, but it only becomes active after firewall-cmd --reload; without --permanent the change applies immediately but is lost on reload or reboot)
firewall-cmd --zone=public --query-port=80/tcp #check whether 80/tcp is open in the running configuration (add --permanent to check the saved configuration)
firewall-cmd --zone=public --remove-port=80/tcp --permanent #close port 80/tcp (followed by firewall-cmd --reload)
Open or close a range of ports:
firewall-cmd --zone=public --add-port=40000-45000/tcp --permanent #open every port from 40000 to 45000
firewall-cmd --zone=public --list-ports #list all ports open in this zone
firewall-cmd --zone=public --remove-port=40000-45000/tcp --permanent #close every port from 40000 to 45000