Docs/防火墙/centos7使用firewalld-高级.txt
2022-10-18 16:59:37 +08:00

CentOS 7 firewalld: block every IP except the specified ones
Allow 192.168.1.10 to access all ports
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" accept' --permanent
Remove the rule that allows 192.168.1.10 to access all ports
firewall-cmd --zone=public --remove-rich-rule 'rule family="ipv4" source address="192.168.1.10" accept' --permanent
Allow 192.168.2.0/24 (192.168.2.0-255) to access all ports
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.2.0/24" accept' --permanent
Allow 192.168.1.10 to access TCP port 22
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp accept' --permanent
Remove the rule that allows 192.168.1.10 to access TCP port 22
firewall-cmd --zone=public --remove-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp accept' --permanent
1. Deny a specific IP access to the ssh service (the IP and the service name can be changed; the trailing reject means deny and can be replaced with accept to allow)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject'
2. Allow a specific IP to access port 8080 (adjust as needed)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port port="8080" protocol="tcp" accept' #the host bits in 192.168.0.4/24 are ignored; the rule matches the whole 192.168.0.0/24 network
Reload the firewall (changes only take effect after a reload)
firewall-cmd --reload
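As an added example (not part of the original notes), the following POSIX shell script builds correctly quoted rich-rule strings, validates IPv4 addresses and CIDR prefixes before they reach firewall-cmd, and prints the full command sequence for the "block everything except these sources" setup above. It assumes the zone's target is switched to DROP so that sources without an accept rule are blocked: accept rich rules on their own never block anything, they only add exceptions to whatever the zone already allows. The addresses are constructed samples. The script prints the commands instead of executing them, so the result can be reviewed before it is applied.

```shell
#!/bin/sh
# Build a firewalld rich rule: build_rich_rule ACTION SOURCE [PORT [PROTO]]
# The outer quotes are single so the inner double quotes survive shell parsing.
build_rich_rule() {
    action=$1; src=$2; port=$3; proto=$4
    case "$action" in
        accept|reject|drop) ;;
        *) echo "build_rich_rule: unknown action '$action'" >&2; return 1 ;;
    esac
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$port" ]; then
        rule="$rule port port=\"$port\" protocol=\"${proto:-tcp}\""
    fi
    echo "$rule $action"
}

# Accept "a.b.c.d" or "a.b.c.d/n" with octets 0-255 and prefix 0-32; reject anything else.
valid_ipv4_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that allow only the listed sources into ZONE.
# Usage: emit_allowlist ZONE SOURCE...
emit_allowlist() {
    zone=$1; shift
    [ $# -gt 0 ] || { echo "emit_allowlist: no sources given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "emit_allowlist: invalid source '$src'" >&2; return 1; }
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
            "$zone" "$(build_rich_rule accept "$src")"
    done
    # Without this the zone keeps answering ssh/dhcpv6-client etc. for every other source.
    # The list of sources must include the address you administer the host from.
    printf "firewall-cmd --permanent --zone=%s --set-target=DROP\n" "$zone"
    printf "firewall-cmd --reload\n"
}

# Demo with constructed addresses: DEMO=1 sh this_script.sh
if [ "${DEMO:-0}" = 1 ]; then
    emit_allowlist public 192.168.1.10 192.168.2.0/24
fi
```

`--set-target=DROP` is a permanent-only zone setting, which is why the reload is the last step; `firewall-cmd --zone=public --list-all` afterwards should show `target: DROP` plus the accept rich rules.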
List the rich rules
firewall-cmd --list-rich-rules
List the services allowed in the zone
firewall-cmd --list-services
List all rules of the zone
firewall-cmd --list-all
List the configuration of every zone
firewall-cmd --list-all-zones
Show the default zone
firewall-cmd --get-default-zone
Show which zones are in use by network interfaces
firewall-cmd --get-active-zones
List the predefined services that are available
firewall-cmd --get-services
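An added example (not from the original notes) that reads the output of `firewall-cmd --zone=public --list-all` from standard input and reports the mistakes the commands above are meant to catch: a service or port that is open to every source in the zone, and a `target: default` combined with accept rich rules, which means the accept rules are not restricting anybody. The sample output below is constructed for the demo; on a real host pipe the command's output into `audit_zone` instead.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.10" accept
        rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject'

# audit_zone: parse --list-all output on stdin, print one FINDING line per issue,
# and return the number of findings as the exit status (0 = nothing flagged).
audit_zone() {
    awk '
        /^[[:space:]]*target:/     { target = $2 }
        /^[[:space:]]*services:/   { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        /^[[:space:]]*ports:/      { for (i = 2; i <= NF; i++) ports[$i] = 1 }
        /^[[:space:]]*rule family/ { rules++; if ($NF == "accept") accepts++ }
        END {
            n = 0
            if ("ssh" in svc) {
                n++; print "FINDING: ssh service is open to every source in this zone"
            }
            for (p in ports) {
                n++; print "FINDING: port " p " is open to every source in this zone"
            }
            if (target == "default" && accepts > 0) {
                n++; print "FINDING: target is default, so accept rich rules do not restrict other sources (use --set-target=DROP or remove the open services)"
            }
            print "rich rules: " rules+0 ", accept rules: " accepts+0
            exit n
        }'
}

# Demo: DEMO=1 sh this_script.sh   (on a live host: firewall-cmd --zone=public --list-all | audit_zone)
if [ "${DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone
    echo "findings: $?"
fi
```

The exit status makes the check usable from a configuration-management run or a cron job: a non-zero status means the zone still exposes something to sources that have no accept rule.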
Enable or disable the HTTP service
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --remove-service=http --permanent
Tips
Adjust the settings to your own needs
accept: allow
reject: deny with an error reply to the sender; drop: deny silently (the packet is discarded without any reply)
--add-rich-rule: add a rule
--remove-rich-rule: remove a rule
--permanent: persistent setting, takes effect only after a reload
Other references
firewall-cmd --list-all-zones #show the configuration of all zones
firewall-cmd --get-default-zone #show which zone is the default
firewall-cmd --zone=internal --change-interface=p3p1 #temporarily move interface p3p1 into the internal zone (the option is --change-interface; --change-zone does not exist)
firewall-cmd --add-service=http #open http until the next reload or restart
firewall-cmd --permanent --add-service=http #open http permanently
firewall-cmd --zone=public --add-port=80/tcp --permanent #permanently open port 80 in the public zone
firewall-cmd --permanent --zone=public --remove-service=ssh #remove a service from the public zone
firewall-cmd --reload #reload the configuration
systemctl restart firewalld #restart the firewalld service to apply the configuration