CentOS 7 firewalld basic operations

firewalld

1. Install (ships with CentOS 7)
# yum install firewalld
2. Using the firewall-cmd command
2.1: Check the firewalld state
# systemctl start firewalld
# firewall-cmd --state
2.2: List all open ports
# firewall-cmd --list-ports
2.3: Open a given port
# firewall-cmd --zone=public --add-port=80/tcp --permanent    //(--permanent makes the rule persistent; without it the rule is lost after a reboot)
# firewall-cmd --zone=public --add-port=20100-20150/tcp --permanent  //open a port range
# firewall-cmd --reload  //reload firewalld; after changing the configuration a reload is required for it to take effect
2.4: Close a given port
# firewall-cmd --zone=public --remove-port=80/tcp --permanent  //(--permanent makes the change persistent; without it the change is lost after a reboot)
# firewall-cmd --reload  //reload firewalld; after changing the configuration a reload is required for it to take effect
or # systemctl reload firewalld
3. Changing firewall ports by editing public.xml
3.1: The port operations made with firewall-cmd, such as opened ports, are recorded in "/etc/firewalld/zones/public.xml"
3.2: So editing this file directly also works
# vi /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> 
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</zone>

# systemctl reload firewalld			//reload the configuration
# firewall-cmd --zone=public --list-ports   //check
80/tcp 443/tcp
4. Open a given port/protocol to a specific IP
4.1: Open the vrrp protocol to a specific IP (keepalived)
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.29.182" protocol value="vrrp" accept'
# firewall-cmd --reload
4.2: Open a given port to a specific IP
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.29.182" port protocol="tcp" port="3306" accept'
# firewall-cmd --reload
4.3: Check
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.29.182" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="192.168.29.182" protocol value="vrrp" accept
4.4: Delete a rule
# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.29.182" port protocol="tcp" port="3306" accept'
# firewall-cmd --reload
4.5: Allow remote connections from one IP only
Method one: configure firewalld rules
# vi /etc/firewalld/zones/public.xml
//delete the <service name="ssh"/> line so that ssh is no longer open to every source (skip this if sshd does not listen on port 22); the file then looks like this:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</zone>

//open the ssh port to the specified IP only
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.29.182" port protocol="tcp" port="22" accept'
# firewall-cmd --reload
Method two: edit /etc/ssh/sshd_config
//***only allow 192.168.29.182 to connect remotely as root, and 192.168.29.39 to connect remotely as the ordinary user "user"
# echo "AllowUsers root@192.168.29.182 user@192.168.29.39" >> /etc/ssh/sshd_config
# systemctl restart sshd  //restart sshd for the change to take effect
Method three: blacklist and whitelist with /etc/hosts.deny and /etc/hosts.allow
//the two files are used together; the whitelist hosts.allow takes precedence over the blacklist hosts.deny
# echo "sshd:192.168.29.182" >>  /etc/hosts.allow   //allow one IP to connect
# echo "sshd:192.168.28." >>  /etc/hosts.allow   //allow every IP in the 192.168.28.0 network to connect
# echo "sshd:ALL" >>  /etc/hosts.deny	//deny all
# systemctl restart sshd   //restart sshd for the change to take effect
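An added example, not part of the original post: a small POSIX shell audit that parses the text `firewall-cmd --zone=public --list-all` prints (the format shown in 4.3) and confirms that, after method one, ssh is no longer open to every source and the admin address has its rich rule. The function names, the two zone dumps and ADMIN_IP are my own assumptions; the dumps are constructed and ADMIN_IP is the address the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: audit the public zone after the
# "only allow one IP to SSH" change (method one). It parses what
# `firewall-cmd --zone=public --list-all` prints and checks that ssh is no longer
# open to every source while the admin address has its rich rule. The zone dumps
# below are constructed; ADMIN_IP is the address the post uses.
ADMIN_IP="192.168.29.182"

# The rich rule as firewalld prints it back once added (attribute order is
# normalised to port="22" protocol="tcp").
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="22" protocol="tcp" accept' "$1"
}
# field_has DUMP FIELD WORD: does the one-line field (services, ports, ...)
# contain WORD as a whole token?
field_has() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | tr ' ' '\n' | grep -qxF "$3"
}
# True if any source can still reach sshd: ssh service listed, or 22/tcp
# opened as a plain port.
zone_exposes_ssh_to_all() {
    field_has "$1" services ssh || field_has "$1" ports 22/tcp
}
# True if the rich rule admitting ADDR to 22/tcp is present.
zone_allows_ssh_from() {
    printf '%s\n' "$1" | grep -qF "$(ssh_rich_rule "$2")"
}
# Locked down = not open to everyone AND the admin rule exists.
ssh_locked_down() {
    ! zone_exposes_ssh_to_all "$1" && zone_allows_ssh_from "$1" "$2"
}
# Constructed dump: zone as shipped, ssh service open to all.
BEFORE='public (active)
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp
  rich rules: '
# Constructed dump: after removing the ssh service line from public.xml and
# adding the rich rule for the admin host.
AFTER='public (active)
  services: dhcpv6-client
  ports: 80/tcp 443/tcp
  rich rules: 
        rule family="ipv4" source address="192.168.29.182" port port="22" protocol="tcp" accept'

# On a real host (as root), audit the live zone instead of the demo data.
audit_live_zone() {
    dump=$(firewall-cmd --zone=public --list-all) || return 2
    ssh_locked_down "$dump" "$ADMIN_IP" && echo "ssh restricted to $ADMIN_IP"
}
```

Run `audit_live_zone` on the host after the reload; a non-zero exit means ssh is still reachable from every source or the admin rule is missing.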