1. Check the running status of firewalld: systemctl status firewalld
2. Start the firewalld service: systemctl start firewalld
3. Configure the firewall rules. Only the rules of the public zone need to be configured:
(1) Add a port that may be accessed. The --permanent parameter means the rule stays in effect permanently after a restart; without this parameter the rule does not take effect after a restart.
firewall-cmd --zone=public --add-port=80/tcp --permanent
(2) Allow a fixed IP to access the MySQL service:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=3306 protocol=tcp accept'
(3) Configure the ssh service. On an Alibaba Cloud CentOS 7 server the ssh service is enabled by default, so every IP can access it. If access should be limited to a fixed IP,
add one more rule to the command above:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=3306 protocol=tcp accept' --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=22 protocol=tcp accept'
Check the file /etc/firewalld/zones/public.xml: the line <service name="ssh"/> must be commented out, otherwise the ports configured under rule do not take effect and every IP can still log in through ssh.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <!-- <service name="ssh"/> -->
  <port protocol="tcp" port="80"/>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.112"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
</zone>
(4) You can also edit the configuration file above directly. After the configuration is done, restart the firewall:
systemctl restart firewalld
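The whole procedure above, steps (1) to (4), as one added shell example that is not part of the original note. fw_plan prints the firewall-cmd sequence for one trusted address (using --remove-service=ssh instead of hand-editing public.xml, and --reload so the --permanent rules become active without a service restart); zone_exposes_ssh and zone_sources_for_port audit a zone XML file for exactly the condition the note warns about, an uncommented <service name="ssh"/> that leaves port 22 open to every source no matter which rich rules exist. The address 203.0.113.10, the function names and the embedded sample XML are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original note: plan the firewall-cmd sequence that limits
# ssh (22) and MySQL (3306) in the public zone to one trusted source, and audit a zone XML
# file for an active <service name="ssh"/> that opens port 22 to every source regardless of
# the rich rules. 203.0.113.10 and the sample XML are constructed; the audit functions take
# the zone file path as their first argument.

# Print the commands for one trusted IPv4 address; nothing is executed here.
# --remove-service=ssh does through firewall-cmd what the note does by commenting out the
# <service name="ssh"/> line; --reload is required before --permanent rules take effect.
fw_plan() {
    ip="$1"
    case "$ip" in                       # reject anything that is not a dotted quad
        ""|*[!0-9.]*) echo "bad address: '$ip'" >&2; return 1 ;;
    esac
    cat <<EOF
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=$ip port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=$ip port port=3306 protocol=tcp accept'
firewall-cmd --reload
firewall-cmd --zone=public --list-all
EOF
}

# Execute the plan (run as root on the host); stop at the first failing command.
fw_apply() {
    plan=$(fw_plan "$1") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Exit 0 if the zone file still has an active <service name="ssh"/>. XML comments
# (single- or multi-line) are removed first, so the note's commented-out line is not counted.
zone_exposes_ssh() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                e = index(line, "-->")
                if (e == 0) break
                line = substr(line, e + 3); incomment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); incomment = 1
            }
        }
        print out
    }' "$1" | grep -q '<service name="ssh"/>'
}

# Print, one per line, the source addresses whose rich rules accept the given TCP port.
zone_sources_for_port() {
    awk -v want="$2" '
        /<rule /               { src = ""; port = "" }
        /<source address=/     { match($0, /address="[^"]*"/); src = substr($0, RSTART + 9, RLENGTH - 10) }
        /<port protocol="tcp"/ { match($0, /port="[^"]*"/); port = substr($0, RSTART + 6, RLENGTH - 7) }
        /<accept/              { if (port == want && src != "") print src }
    ' "$1" | sort -u
}

# Constructed sample modelled on the note's public.xml; prints the temp file path.
demo_zone_file() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="dhcpv6-client"/>
  <!-- <service name="ssh"/> -->
  <port protocol="tcp" port="80"/>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.112"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
</zone>
EOF
    echo "$f"
}

# Stand-alone run: show the plan for a placeholder address, then audit the sample file.
fw_plan 203.0.113.10
sample=$(demo_zone_file)
zone_exposes_ssh "$sample" && echo "AUDIT: port 22 open to every source" \
    || echo "AUDIT: port 22 limited to: $(zone_sources_for_port "$sample" 22 | tr '\n' ' ')"
rm -f "$sample"
```

On the real host, run fw_apply 203.0.113.10 (with your own admin address) as root, then point the audit functions at /etc/firewalld/zones/public.xml; if zone_exposes_ssh succeeds, the rich rules for port 22 are not yet restricting anything.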