# CentOS 7 防火墙配置 firewalld
auth:wangjing
date:2021-03-24
CentOS 7 / RedHat Enterprise Linux 7
未标明之处请参考 firewall-cmd --help
firewall file command
systemctl restart firewalld
systemctl status firewalld.service
显示默认区域当前生效(运行时)的全部规则; 加 --permanent 才是基于配置文件的永久规则, 两者在 reload 之前可能不一致
firewall-cmd --list-all
# 增加IP/端口(写入配置文件, 需 firewall-cmd --reload 后才生效)
# 规则字符串用单引号包裹: 外层若用双引号, shell 会把内部的双引号一并剥掉, firewalld 收到的是不带引号的值(目前能解析, 但不是文档中的标准写法)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="14.66.66.58" port protocol="tcp" port="5000" accept'
# 移除IP/端口(写入配置文件; 移除时规则文本必须与添加时完全一致, 否则会报 NOT_ENABLED)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="14.66.66.75" port protocol="tcp" port="9100" accept'
text area
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.88.88.88" port protocol="tcp" port="8123" accept'
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.88.88.88" port protocol="tcp" port="8123" accept'
vim /etc/firewalld/zones/public.xml   # 直接改文件等同于 --permanent, 同样要 firewall-cmd --reload 才生效; <rule> 放在 <zone> 元素内部
<!-- 开放 14.66.66.66 的 9111 端口 -->
<rule family="ipv4">
<source address="14.66.66.66"/>
<port protocol="tcp" port="9111"/>
<accept/>
</rule>
端口段(注意: 1-65535 等于向该网段放开全部 TCP 端口, 与不写 port 直接 accept 效果相同; 生产环境应收窄到实际需要的端口)
<rule family="ipv4">
<source address="14.10.10.0/24"/>
<port protocol="tcp" port="1-65535"/>
<accept/>
</rule>
firewall configuration command
加 "--permanent" 的规则写入 /etc/firewalld/zones/<zone>.xml, 需要 firewall-cmd --reload 或 restart 后才生效
不加 "--permanent" 参数默认为临时生效(仅运行时, reload/restart 后丢失)
查询时同样区分两套状态: --list-ports 显示运行时端口, --list-ports --permanent 显示配置文件中的端口; --list-all 也会列出已开放的端口
# 开放端口列表
firewall-cmd --list-ports --permanent
# 增加端口
firewall-cmd --zone=public --add-port=1521/tcp --permanent
# 移除端口
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
firewall-cmd --zone=public --remove-port=8081/tcp --permanent
firewall for services
# 已开放的服务
firewall-cmd --list-services
# 可操作服务列表
firewall-cmd --get-services
# 开放指定服务(--enable/--disable service=xxx 是旧版写法, CentOS 7 的 firewall-cmd --help 中没有该选项, 应使用 --add-service/--remove-service)
firewall-cmd --add-service=ssh
# 移除指定服务(在远程主机上移除 ssh 会把自己锁在外面, 操作前先确认有带外访问途径)
firewall-cmd --remove-service=ssh
# 常用示例(未加 --permanent, 仅运行时生效, reload 后丢失)
firewall-cmd --add-service=mysql
firewall-cmd --add-service=http
firewall service disable / enable
# status
systemctl list-unit-files | grep firewalld.service
# enable
systemctl enable firewalld.service
# disable
systemctl disable firewalld.service
firewalld start / stop
# status
systemctl status firewalld.service
# start
systemctl start firewalld.service
# stop
systemctl stop firewalld.service
# reload(使永久配置生效; 更常用的是 firewall-cmd --reload, 效果相同且不会中断已有连接)
systemctl reload firewalld
# restart
systemctl restart firewalld
transpond (端口转发)
# 将80端口的流量转发至本机8080(未加 --permanent, 仅运行时生效)
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# 将80端口的流量转发至192.168.0.1的8080端口(转发到其他主机需先在该区域开启 masquerade: firewall-cmd --add-masquerade, 否则回包不会经过本机)
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080