CentOS 7 的 firewalld 配置

常用命令

# Show the installed firewalld version (this session shows 0.3.9)
[root@osboxes java]# firewall-cmd --version
0.3.9
# Check the daemon status, either through systemd ...
[root@osboxes java]# systemctl status firewalld.service 
OR
# ... or by asking firewalld itself (prints "running" while the daemon is up)
[root@osboxes java]# firewall-cmd --state
running
# List the zones that currently have an interface bound to them
[root@osboxes java]# firewall-cmd --get-active-zones
public
  interfaces: eno16777984

修改网卡的zone

# Bind an interface to a zone. These are --permanent only, so the running firewall is
# unchanged until `firewall-cmd --reload`; run the same command without --permanent
# as well if the change has to apply immediately.
# NOTE(review): the zone decides what each interface accepts, so confirm which
# interface actually faces the untrusted network before placing it in "external".
firewall-cmd --permanent --zone=external --change-interface=eth0
firewall-cmd --permanent --zone=internal --change-interface=eth1

查看指定zone中开放的端口和服务

# Dump everything the public zone currently allows: bound interfaces, sources,
# services, ports, masquerade state, forward-ports, ICMP blocks and rich rules.
# Useful as the "before" snapshot when reviewing a change.
[root@osboxes java]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno16777984
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules: 

查看系统中可用的服务

# List the predefined services that can be referenced by name; their definitions
# live under /usr/lib/firewalld/services/
[root@osboxes java]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

# Same list from the permanent configuration: also includes user-defined services
# placed in /etc/firewalld/services/ that have not been loaded yet
[root@osboxes java]# firewall-cmd --get-services --permanent
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

对指定的zone添加端口

# Don't forget --permanent: without it the port is open in the running firewall
# only and disappears on the next reload or reboot
[root@osboxes java]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
# OR open a port range (here 5060-5061/udp)
[root@osboxes java]# firewall-cmd --zone=public --add-port=5060-5061/udp --permanent
success
# A --permanent change is only applied after a reload. --reload keeps state
# information (established connections survive)
[root@osboxes java]# firewall-cmd --reload
# OR a complete reload.
# NOTE(review): --complete-reload also unloads the netfilter modules and drops state,
# so established connections will most likely be cut; prefer --reload unless that is intended
[root@osboxes java]# firewall-cmd --complete-reload
success
# The new port now shows up under "ports:" -- always verify after a reload
[root@osboxes java]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno16777984
  sources:
  services: dhcpv6-client mdns ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules: 
# Remove a port again (permanent config; reload afterwards to apply).
# Only 8080/tcp was added above; the udp line is just the matching example
[root@osboxes java]# firewall-cmd --permanent --zone=public --remove-port=8080/tcp
firewall-cmd --permanent --zone=public --remove-port=8080/udp

添加服务(默认端口)

# Open a predefined service on its default port(s) as given by the service
# definition (see --get-services above). Permanent only, so reload afterwards.
# NOTE(review): FTP sends credentials in cleartext; if file transfer is the goal,
# SFTP over the already-open "ssh" service avoids exposing a second plaintext service.
firewall-cmd --zone=public  --add-service=ftp --permanent

添加规则 rich rule

# 用service添加
# Rich rule by service: accept HTTP only from one host (runtime only -- no --permanent)
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=http accept'
# Rich rule by port and protocol, scoped to a /24 (runtime only -- no --permanent)
firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.16.1.0/24 port port="11211" protocol="tcp" accept'
# Port range, and persisted with --permanent.
# NOTE(review): 1-65535/tcp from a whole /16 is effectively "allow all TCP" from that
# network; narrow the range to the ports actually needed.
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.1.0.0/16 port port="1-65535" protocol="tcp" accept' --permanent
# A --permanent rule only becomes active after a reload.
# NOTE(review): --reload replaces the runtime configuration with the permanent one,
# so the two runtime-only rules above are expected to vanish at this step; add
# --permanent to them too (or run each once with and once without it) and confirm
# with `firewall-cmd --list-rich-rules` afterwards.
firewall-cmd --reload

添加NAT

首先要加上ip forward

# Enable IPv4 forwarding persistently: add the line below to /etc/sysctl.conf,
# then apply it without a reboot with `sysctl -p`.
# NOTE(review): once forwarding is on, this host routes between its interfaces,
# so the zone rules on both interfaces now govern transit traffic as well.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

打开IP伪装

# Enable IP masquerading (source NAT) for traffic leaving through the external zone.
# Permanent only: the running firewall is unchanged until `firewall-cmd --reload`.
firewall-cmd --zone=external --add-masquerade --permanent

内网其他机器, 要把网关配置为当前服务器

# On the other internal hosts, point the default gateway at this server
# (192.168.100.1 in this example). `route` is from net-tools; the iproute2
# equivalent is `ip route add default via 192.168.100.1`. Either form is runtime
# only and is lost on reboot.
route add default  gw 192.168.100.1

# Or make it persistent in the interface config file, on CentOS 7 located at
# /etc/sysconfig/network-scripts/ifcfg-<interface> (e.g. a GATEWAY= line)

添加端口转发

首先要打开IP伪装

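# Check whether masquerading is enabled in the external zone (prints yes/no; exit status 0 when enabled)
firewall-cmd --zone=external --query-masquerade
# Enable masquerading. Runtime only as written -- repeat with --permanent (then --reload) to survive a reboot
firewall-cmd --zone=external --add-masquerade
# Disable masquerading.
# Fixed: the original line had no space before '#', so the shell passed
# "--remove-masquerade#..." plus the comment text as arguments and firewall-cmd rejected it.
firewall-cmd --zone=external --remove-masquerade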

配置端口转发, 可以转发到本机端口, 也可以转发到其他机器的端口. 未填 toaddr 则默认转发到本机, 未填 toport 则使用相同端口

# Forward inbound 80/tcp to local port 8080 (toaddr omitted -> this host)
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
# Forward inbound 80/tcp to another host on the same port (toport omitted -> 80)
# NOTE(review): 192.168.1.0.1 is not a valid IPv4 address (five octets); the next
# example uses 192.168.0.1 -- confirm the intended target before copying this line
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.0.1
# Forward inbound 80/tcp to 192.168.0.1 port 8080.
# All three lines are runtime only (no --permanent); forwarding to another host also
# requires masquerading in this zone and net.ipv4.ip_forward=1 (see above)
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080

参考

posted on 2016-06-05 01:51  Milton
