环境
- OS:Red Hat Enterprise Linux Server release 7.6 (Maipo)
关闭和启动防火墙服务
关闭防火墙服务（注意：停止 firewalld 会把它加载的防火墙规则一并清除，主机上所有监听端口随即对外暴露，生产环境应优先按需放行端口而不是整体关闭；另外 stop 只影响当前运行状态，不改变开机自启设置——下文 status 输出中的 disabled 即表示未设置开机自启，需要开机自动启用时执行 systemctl enable firewalld）
systemctl stop firewalld
开启防火墙服务
systemctl start firewalld
查看防火墙服务状态
systemctl status firewalld
重启防火墙服务
systemctl restart firewalld
查看防火墙的状态
firewall-cmd --state
[root@node01 ~]#systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@node01 ~]#systemctl start firewalld
[root@node01 ~]#systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2021-01-18 10:39:26 CST; 2s ago
Docs: man:firewalld(1)
Main PID: 16654 (firewalld)
Tasks: 2
Memory: 25.8M
CGroup: /system.slice/firewalld.service
└─16654 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Jan 18 10:39:25 node01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 18 10:39:26 node01 systemd[1]: Started firewalld - dynamic firewall daemon.
[root@node01 ~]#systemctl stop firewalld
[root@node01 ~]#systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2021-01-18 10:39:35 CST; 1s ago
Docs: man:firewalld(1)
Process: 16654 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 16654 (code=exited, status=0/SUCCESS)
Jan 18 10:39:25 node01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 18 10:39:26 node01 systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 18 10:39:34 node01 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jan 18 10:39:35 node01 systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@node01 ~]#firewall-cmd --state
running
（说明：firewalld 未运行时该命令输出 not running 并以非零状态退出。上面刚执行过 stop，这里却显示 running，应是在此之前又重新 start 过；下文的 firewall-cmd --list-all 等命令同样要求服务处于运行状态）
列出配置的防火墙
[root@node01 ~]#firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
查看某服务是否开启
# firewall-cmd --query-service ftp
no
# firewall-cmd --query-service ssh
yes
# firewall-cmd --query-service http
no
开启关闭服务端口
暂时开放 ftp 服务（不带 --permanent 只修改运行时配置，执行 firewall-cmd --reload 或重启 firewalld 后即失效）
firewall-cmd --add-service=ftp
永久开放 ftp 服务（--permanent 只写入持久化配置，不会立刻生效，需要执行 firewall-cmd --reload；若要立即生效且重启后仍保留，可把不带 --permanent 的命令也执行一遍，或在 --permanent 之后直接 reload）
firewall-cmd --add-service=ftp --permanent
永久关闭
firewall-cmd --remove-service=ftp --permanent
success
#firewall-cmd --reload 重新加载（使 --permanent 写入的永久配置生效；注意 reload 会丢弃所有未加 --permanent 的运行时规则）
#firewall-cmd --list-all 查看运行时配置；要核对永久配置需加 --permanent：firewall-cmd --list-all --permanent
开放指定端口（示例为 2222/tcp；同样只是运行时规则，需要持久化时加 --permanent 并执行 firewall-cmd --reload）
#firewall-cmd --add-port=2222/tcp
#firewall-cmd --list-all
[root@shzb-ics-node01 ~]#firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 2222/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
控制IP段访问
#firewall-cmd --list-all 查看当前配置。默认 public 区域只放行 ssh 和 dhcpv6-client 两个服务，但 ssh 对任意来源地址都开放，下面用富规则（rich rule）把 ssh 限制到指定网段
#firewall-cmd --permanent --remove-service=ssh 先移除对所有来源开放的 ssh 服务（注意：reload 之后只有下面 accept 规则中网段的主机才能 ssh 登录；如果当前管理会话不在该网段内，请先确认还有控制台等其它访问途径，否则会把自己锁在外面）
#firewall-cmd --permanent --add-rich-rule 'rule service name=ssh family=ipv4 source address=192.168.1.0/24 accept' 允许该网段访问（规则字符串必须用英文直引号 ' 包裹，原文中的中文弯引号 ‘ ’ 复制到 shell 里会被当成普通字符，导致命令解析出错）
#firewall-cmd --permanent --add-rich-rule 'rule service name=ssh family=ipv4 source address=192.168.2.0/24 reject' 拒绝该网段访问（ssh 服务已从区域移除，其它网段通常本来就连不上，这条 reject 是显式拒绝，主要便于阅读和审计）
#firewall-cmd --reload 重新加载（上面的修改都带 --permanent，必须 reload 才生效）
#firewall-cmd --list-all 确认 rich rules 一栏出现上面两条规则，且 services 中已不含 ssh
#firewall-cmd --permanent --remove-rich-rule 'rule service name=ssh family=ipv4 source address=192.168.1.0/24 accept' 删除策略（规则字符串要与添加时完全一致，同样使用英文直引号；删除后也需要 firewall-cmd --reload 才生效）