Linux firewall-related commands
- Firewall rules: starting, stopping, and checking the status of firewalld
```bash
[root@centos7 ~] systemctl start firewalld     # start the firewall service
[root@centos7 ~] systemctl stop firewalld      # stop the firewall service
[root@centos7 ~] systemctl status firewalld    # check whether it is running
```
![screenshot](https://img-blog.csdnimg.cn/20210204105440642.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
![screenshot](https://img-blog.csdnimg.cn/20210204110103852.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
- Reload: after adding, removing, or specifying an IP (or port) in the firewall, the configuration must be reloaded; the response `success` means the command succeeded.
```bash
[root@centos7 ~] firewall-cmd --reload      # apply the permanent configuration to the running firewall
[root@centos7 ~] firewall-cmd --list-all    # list the rules active in the default zone
```
![screenshot](https://img-blog.csdnimg.cn/20210204111529767.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
View the zone's configuration file:
```bash
[root@centos7 ~] vim /etc/firewalld/zones/public.xml
```
![screenshot](https://img-blog.csdnimg.cn/20210204111757628.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
```bash
# permanently open TCP port 3306 in the public zone, then reload so it takes effect
[root@centos7 ~] firewall-cmd --zone=public --add-port=3306/tcp --permanent
success
[root@centos7 ~] firewall-cmd --reload
```
![screenshot](https://img-blog.csdnimg.cn/20210204112307867.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
```bash
# permanently close TCP port 445 in the public zone (reload afterwards)
[root@centos7 ~] firewall-cmd --zone=public --remove-port=445/tcp --permanent
# allow all traffic from the source IP 192.168.1.1
[root@centos7 ~] firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" accept'
```
![screenshot](https://img-blog.csdnimg.cn/20210204112919460.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
```bash
# allow 192.168.1.1 to reach TCP port 8002 only
[root@centos7 ~] firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8002" accept'
```
![screenshot](https://img-blog.csdnimg.cn/20210204113153500.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
- **Block an IP from accessing all ports**
```bash
# reject all traffic from the host 192.168.1.1 (a /0 mask here would match every IPv4 source, not a single host)
[root@centos7 ~] firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" reject'
```
![screenshot](https://img-blog.csdnimg.cn/20210204113408157.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
```bash
# reject 192.168.1.1 on TCP port 8002 only
[root@centos7 ~] firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8002" reject'
```
![screenshot](https://img-blog.csdnimg.cn/2021020411352421.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3d1aGFvMjA0OA==,size_16,color_FFFFFF,t_70#pic_center)
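The commands above mix `--permanent` changes, which are not enforced until `--reload`, with runtime changes, which disappear at the next reload or reboot. The script below is an added example and not part of the original post: it reduces a zone's runtime and permanent `--list-all` listings to their ports and rich rules and reports the drift between them. The function names are my own, and the two listings embedded in it are constructed samples in the format of `firewall-cmd --zone=public --list-all`.

```shell
#!/usr/bin/env bash
# Added example: detect drift between firewalld runtime and permanent configuration.
# Assumed names: normalize_listing, firewalld_drift; the sample listings are constructed.

# Reduce a `firewall-cmd --list-all` listing to one sorted line per port / rich rule.
normalize_listing() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*ports:/ {                        # "ports: 3306/tcp 8080/tcp" -> one line each
      sub(/^[ \t]*ports:[ \t]*/, "")
      n = split($0, a, " ")
      for (i = 1; i <= n; i++) print "port " a[i]
      next
    }
    /^[ \t]*rich rules:/ { inrich = 1; next }  # rich rules follow, one per indented line
    inrich && /^[ \t]+rule / { sub(/^[ \t]+/, ""); print "rich " $0; next }
    /^[ \t]*[a-z-]+:/ { inrich = 0 }           # any other "key:" line ends the rich-rule list
  ' | LC_ALL=C sort
}

# $1 = runtime listing, $2 = permanent listing. Prints entries present only at
# runtime (lost at the next --reload or reboot) and entries present only in the
# permanent configuration (not enforced until --reload is run).
firewalld_drift() {
  rt=$(mktemp) || return 1
  pm=$(mktemp) || { rm -f "$rt"; return 1; }
  normalize_listing "$1" > "$rt"
  normalize_listing "$2" > "$pm"
  LC_ALL=C comm -23 "$rt" "$pm" | sed 's/^/runtime-only (lost on reload): /'
  LC_ALL=C comm -13 "$rt" "$pm" | sed 's/^/permanent-only (inactive until reload): /'
  rm -f "$rt" "$pm"
}

# Constructed samples: 8080/tcp was opened without --permanent, and the reject rule
# for port 8002 was added with --permanent but --reload has not been run yet.
RUNTIME_LISTING='public (active)
  services: dhcpv6-client ssh
  ports: 3306/tcp 8080/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.1" accept'
PERMANENT_LISTING='public
  services: dhcpv6-client ssh
  ports: 3306/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.1" accept
    rule family="ipv4" source address="192.168.1.1" port port="8002" protocol="tcp" reject'

firewalld_drift "$RUNTIME_LISTING" "$PERMANENT_LISTING"
# On a real host (as root), feed it the live listings instead:
# firewalld_drift "$(firewall-cmd --zone=public --list-all)" "$(firewall-cmd --zone=public --permanent --list-all)"
```

Any `runtime-only` line is a rule that an attacker-facing host would silently lose after the next reload; any `permanent-only` line is a rule the administrator believes is in force but is not.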
- Packet capture analysis
With port 80 blocked by the server's firewall, a client accesses port 80 over HTTP; the capture taken on the server is shown below. The request packets still arrive at the server, but it replies that the destination is unreachable.