CentOS 7 防火墙配置
文章目录
1. 查看firewall服务状态
systemctl status firewalld
➜ network systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-04-03 20:28:21 CST; 3h 27min ago
Docs: man:firewalld(1)
Main PID: 2543 (firewalld)
CGroup: /system.slice/firewalld.service
└─2543 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 03 20:28:19 python systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 03 20:28:21 python systemd[1]: Started firewalld - dynamic firewall daemon.
2. 查看firewall的状态
firewall-cmd --state
➜ network firewall-cmd --state
running
3. 开启/关闭/重启 firewalld.service 服务
- 开启 service firewalld start（CentOS 7 上会重定向到 systemctl start firewalld.service）
- 关闭 service firewalld stop（重定向到 systemctl stop firewalld.service）
- 重启 service firewalld restart（重定向到 systemctl restart firewalld.service）
➜ network service firewalld start
Redirecting to /bin/systemctl start firewalld.service
➜ network service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
➜ network service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
4. 查看防火墙规则
firewall-cmd --list-all
➜ network firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client ftp
ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
5. 查询/开放/关闭端口
# 查询端口是否开放
firewall-cmd --query-port=8080/tcp
# 开放80端口
firewall-cmd --permanent --add-port=80/tcp
# 移除端口
firewall-cmd --permanent --remove-port=8080/tcp
# 重新加载防火墙规则(使用 --permanent 修改配置后必须执行 --reload 才会生效)
firewall-cmd --reload
# 参数解释
# firewall-cmd 是 Linux 提供的操作 firewalld 的命令行工具
# --permanent: 表示写入持久配置(重启后仍保留);不会立即修改运行时规则,需配合 --reload 生效
# --add-port: 表示添加端口
# --remove-port: 表示移除端口
➜ network firewall-cmd --add-port=8899/tcp --permanent
success
➜ network firewall-cmd --reload
success
➜ network firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client ftp
ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# 使用 --permanent 修改配置后必须执行 firewall-cmd --reload,否则运行时规则不会更新:下面移除 8899/tcp 后 --list-all 仍显示该端口,reload 之后才消失
➜ network firewall-cmd --remove-port=8899/tcp --permanent
success
➜ network firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client ftp
ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
➜ network firewall-cmd --reload
success
➜ network firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client ftp
ports: 21/tcp 20/tcp 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: