firewall规则举例
#开放100-120 tcp端口
firewall-cmd --permanent --zone=public --add-port=100-120/tcp
firewall-cmd --reload
#关闭100-120 tcp端口
firewall-cmd --permanent --zone=public --remove-port=100-120/tcp
firewall-cmd --reload
#对某个ip开放某个端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.202" port protocol="tcp" port="111" accept"
firewall-cmd --reload
#对某个ip开放所有端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.202" accept"
firewall-cmd --reload
#关闭对某个ip开放的某个端口
firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.68.202" port protocol="tcp" port="111" accept"
firewall-cmd --reload
#关闭对某个ip开放的所有端口
firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.68.202" accept"
firewall-cmd --reload
#对某个ip段开放端口 192.168.68.1~192.168.68.255
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.0/24" port protocol="tcp" port="111" accept"
firewall-cmd --reload
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.0/24" accept"
firewall-cmd --reload
#关闭对某个ip段开放端口 192.168.68.1~192.168.68.255
firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.68.0/24" port protocol="tcp" port="111" accept"
firewall-cmd --reload
firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.68.0/24" accept"
firewall-cmd --reload
firewall实际应用
某系统出现了MySQL高危漏洞,因为该数据库已应用在生产环境,升级版本风险太高,需要对集群外的主机关闭3306端口
#开启防火墙
systemctl start firewalld
#firewalld开机启动
systemctl enable firewalld
#开放对外的端口
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
#对某个ip段开放产品的某几个服务端口(省事),或者对集群内几个ip开放
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.0/24" port protocol="tcp" port="111" accept"
firewall-cmd --reload
#只对某几个IP开放3306端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.68.202" port protocol="tcp" port="3306" accept"
firewall-cmd --reload