管理firewall
图形化工具firewall-config
命令行工具firewall-cmd
# firewall-cmd --add-service=ftp //暂时添加ftp服务（仅运行时生效，firewalld 重启或重载后失效）
# firewall-cmd --permanent --add-service=ftp //永久添加ftp服务（写入永久配置，需重启或重载 firewalld 后才生效）
# firewall-cmd --permanent --remove-service=ftp //永久删除ftp
# systemctl restart firewalld
//检验设定是否生效（在 iptables 规则中查找 ftp 的 21 端口）
# iptables -L -n | grep 21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW
//检查防火墙状态
# firewall-cmd --state
# firewall-cmd --list-all
public (default)
interfaces:
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
//查询防火墙中支持的服务列表
# firewall-cmd --get-services
//查询服务的状态
# firewall-cmd --query-service samba
//自行加入要开放的 Port
# firewall-cmd --add-port=3128/tcp
管理富规则
[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --add-rich-rule='<规则>'
[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --remove-rich-rule='<规则>'
[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --query-rich-rule='<规则>'
[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --list-rich-rules
禁用服务
[root@localhost 桌面]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.0.0/24" service name="http" drop
禁用端口
[root@localhost 桌面]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.0.0/24" port port="80" protocol="tcp" drop
伪装和端口转发（转发到其它主机 to-addr 时，通常还需开启 masquerade）
[root@localhost 桌面]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.0.0/24" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.0.25"