Linux防火墙管理

使用systemctl管理防火墙启动、关闭

1. 启动防火墙： systemctl start firewalld
2. 关闭防火墙： systemctl stop firewalld
3. 查看防火墙状态： systemctl status firewalld
4. 开机禁用防火墙： systemctl disable firewalld
5. 开机启用防火墙 ： systemctl enable firewalld

使用firewalld-cmd配置访问防火墙策略

1. 查看版本firewall-cmd --version

2. 查看帮助 firewall-cmd --help

3. 显示状态 firewall-cmd --state

4. 查看当前所有规则 firewall-cmd --list-all

5. 查看所有打开的端口 firewall-cmd --zone=public --list-ports

6. 更新防火墙规则 firewall-cmd --reload

7. 添加开放端口

firewall-cmd --zone=public --add-port=80/tcp --permanent (permanent永久生效，没有此参数重启后失效)

9. 查看端口是否开放firewall-cmd --zone=public --query-port=80/tcp

10. 删除开放端口 firewall-cmd --zone=public --remove-port=80/tcp --permanent

11. 批量开放一段TCP端口 firewall-cmd --permanent --add-port=9001-9100/tcp

12. 开放IP的访问 firewall-cmd --permanent --add-source=192.168.1.1

13. 开放整个源IP段的访问firewall-cmd --permanent --add-source=192.168.1.0/24

14. 移除IP访问firewall-cmd --permanent --remove-source=192.168.1.1

15. 允许指定IP访问本机80端口

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" accept'

16. 禁止指定IP访问本机80端口

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" reject'

17. 移除允许指定IP访问本机80端口规则

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" accept'

firewalld配置文件修改

通过修改配置文件修改防火墙访问策略

开放端口

永久开放2个端口

firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload

在 /etc/firewalld/zones 下的 public.xml里：

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
</zone>

限制来源IP

限制只能接收来自 10.10.x.x段的IP，开放8000到9000之间的端口。

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.0.0/16" port protocol="tcp" port="8000-9000" accept'
firewall-cmd --reload

再看 /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
  
  <rule family="ipv4">
    <source address="10.10.0.0/16"/>
    <port protocol="tcp" port="8000-9000"/>
    <accept/>
  </rule>
  
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="18000-19000"/>
    <accept/>
  </rule>

 # 单个端口限制
 <rule family="ipv4">
    <source address="192.168.20.228"/>
    <port protocol="tcp" port="18848"/>
    <accept/>
 </rule>
  
</zone>

所以，可以直接修改配置文件更改防火墙策略.

# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp 22/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.10.0.0/16" port port="8000-9000" protocol="tcp" accept