下午接到任务,要求给单机数据库配置一下firewall。稍稍了解下就配置完成,还是较为简单的。dba第一次干这事,记录下。为了防止配置错误导致我无法远程ssh,特别加了10分钟后关闭firewalld的步骤。
注意一点:和iptables不一样的地方是,不需要对lo网卡做单独的设置。
以下IP需要连数据库:
172.16.51.62
172.16.51.63
172.16.51.64
172.16.51.69
172.16.55.14
172.16.55.5
以下IP需要访问数据库服务器ssh:
172.16.51.62
172.16.51.63
172.16.51.64
172.16.51.69
#cat /opt/firewall.sh
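# /opt/firewall.sh -- whitelist database (1521/tcp) and ssh (22/tcp) clients
# on a single-host database server using firewalld rich rules.
#
# Run as root with `sh /opt/firewall.sh` (kept POSIX sh compatible: no arrays).
# All rules are written as --permanent and activated by one --reload.
# The trailing sleep/stop is a deliberate safety net: if a rule is wrong and
# the operator is locked out of ssh, firewalld stops itself after
# GRACE_SECONDS and access returns. Once the result has been verified,
# re-enable the firewall with `systemctl start firewalld`.
#
# No `set -e` on purpose: the safety-net stop at the end must run even if an
# earlier firewall-cmd call fails.

# Hosts allowed to reach the database listener (space-separated list).
DB_CLIENTS='172.16.51.62 172.16.51.63 172.16.51.64 172.16.51.69 172.16.55.14 172.16.55.5'
# Hosts allowed to ssh into the database server (space-separated list).
SSH_CLIENTS='172.16.51.62 172.16.51.63 172.16.51.64 172.16.51.69'
DB_PORT=1521
SSH_PORT=22
# Seconds the new rule set stays active before the safety-net stop.
GRACE_SECONDS=600

# allow_from <source-ip> <tcp-port>
# Adds a permanent rich rule in the default zone accepting tcp/<port>
# from exactly one source address.
allow_from() {
  firewall-cmd --permanent \
    --add-rich-rule="rule family='ipv4' source address='$1' port protocol='tcp' port='$2' accept"
}

systemctl enable firewalld
systemctl start firewalld

# The stock public zone allows the ssh service from every source. A per-source
# accept rule does not narrow that, so the ssh service must be removed first;
# otherwise the SSH_CLIENTS whitelist below is never actually enforced.
firewall-cmd --permanent --remove-service=ssh

# shellcheck disable=SC2086  -- word-splitting of the space-separated lists is intended
for ip in $DB_CLIENTS; do
  allow_from "$ip" "$DB_PORT"
done
# shellcheck disable=SC2086
for ip in $SSH_CLIENTS; do
  allow_from "$ip" "$SSH_PORT"
done

# Activate the permanent rules and print the active zone for review.
firewall-cmd --reload
firewall-cmd --list-all

# Safety net (see header): drop back to an unfiltered host after the grace period.
sleep "$GRACE_SECONDS"
systemctl stop firewalld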
#sh /opt/firewall.sh
执行后满足要求。脚本会在10分钟后自动停止firewalld,确认规则无误后直接执行 systemctl start firewalld 重新启用即可,事件结束。
2023年10月24日更新:改用zone方式配置
#!/bin/bash
#程序说明:对于服务器入口做限制,对出口不做严格限制。
echo "Adding the firewall white list, please wait..."
#################################################################################
# 清除原来设置的规则
/usr/bin/mv /etc/firewalld/zones/public.xml /etc/firewalld/zones/public.xml.`date +%Y%m%d`
#################################################################################
# 预设规则:使用public区域
systemctl start firewalld
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --remove-service=ssh
#firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
#################################################################################
# 允许本地回环接口(即运行本机访问本机)
firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="127.0.0.1/32" accept"
#######################需要对外网开放的端口写在这##################################
# 允许FTP(根据需要开启)
#firewall-cmd --permanent --add-port=21/tcp --zone=public
#firewall-cmd --permanent --add-service=ftp --zone=public
#firewall-cmd --permanent --zone=public --add-rich-rule='rule service name=ftp limit value=1/m accept'
# 允许SSH
#firewall-cmd --permanent --add-service=ssh --zone=public
# 允许DNS
firewall-cmd --permanent --add-port=53/udp --zone=public
# 开放web服务器端口
#firewall-cmd --permanent --add-service=http --zone=public
#firewall-cmd --permanent --add-port=80/tcp --zone=public
#firewall-cmd --permanent --add-port=443/tcp --zone=public
# 开放管理控制台端口
#firewall-cmd --permanent --add-port=7001/tcp --zone=public
#批量开放端口
#firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
###################################################################################
# 允许ping,允许icmp包通过
firewall-cmd --permanent --add-protocol=icmp --zone=public
#######################需要开放访问权限服务白名单地址写在这########################
#对以下服务器开放所有端口访问权限
firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.100.131" accept"
firewall-cmd --permanent --z