CentOS 7 防火墙(firewalld)配置详解

 

一、前提条件:firewalld 防火墙处于开启状态

注意:下面 `systemctl status` 输出的 Loaded 行里是 `disabled`,说明 firewalld 当前虽然在运行(active),但没有设置开机自启,机器重启后防火墙不会再启动,本文配置的所有规则也就都不生效了。应执行 `systemctl enable firewalld`(或 `systemctl enable --now firewalld`)让它随系统启动。

[root@ac ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sun 2023-11-05 20:45:21 CST; 2min 8s ago
     Docs: man:firewalld(1)
 Main PID: 1267 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1267 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

 



1、查看防火墙的配置

说明:`firewall-cmd --list-all` 只显示默认区域(这里是 public)的规则,其它区域要用 `--list-all-zones` 查看。`interfaces:` 和 `sources:` 为空表示没有网卡或地址段被显式绑定到该区域,此时默认区域会套用到所有未绑定的网卡上。不带 `--permanent` 时看到的是运行时配置,要核对永久配置需加上 `--permanent`。

[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: 

2、开放 80 端口(示例里顺带也开放了 81 端口)
[root@ac ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ac ~]# firewall-cmd --permanent --add-port=81/tcp
success
[root@ac ~]# firewall-cmd --reload      #--permanent 只写入永久配置,必须 --reload 后才会在运行时生效;反过来,不带 --permanent 的修改只影响运行时,--reload 或重启后会丢失
success

[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 81/tcp      
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

 3、移除以上规则

[root@ac ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@ac ~]# firewall-cmd --permanent --remove-port=81/tcp
success
[root@ac ~]# firewall-cmd --reload
success
[root@ac ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

4、放通某个端口段

注意:放通整段端口会把范围内所有正在监听的服务一并暴露出去,实际使用时应只放通确实需要的端口,范围越小越好。另外本文后面的"移除"步骤并没有删掉这条规则(最后一次 `--list-all` 输出里 `ports:` 仍是 1000-2000/tcp),练习完记得执行 `firewall-cmd --permanent --remove-port=1000-2000/tcp` 再 `firewall-cmd --reload`。

 1 [root@ac ~]# firewall-cmd --permanent --zone=public --add-port=1000-2000/tcp
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp      #已添加
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 

5、放通某个 IP 的全部访问

注意:这条 rich rule 没有限定端口或服务,意味着来自 192.168.200.105 的所有流量(任意端口、任意协议)都会被接受,不受 `services:`/`ports:` 列表限制。只有在完全信任该主机时才这样写,否则应像第 7 节那样限定到具体端口。`source address=` 也可以写成网段,例如 `192.168.200.0/24`。

 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.200.105 accept'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept    #已添加

6、禁止某个 IP 访问

说明:`drop` 会静默丢弃数据包,对方只会等到超时;`reject` 会回送 ICMP 不可达/TCP RST,对方立刻失败(见第 7 节的 8080 示例)。firewalld 处理 rich rule 的顺序是 log → drop/reject → accept,与添加先后无关,所以针对某 IP 的 drop 规则会优先于任何 accept 规则生效。

1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.42 drop'
2 [root@ac ~]# firewall-cmd --reload
3 success

 

 1 [root@ac ~]# firewall-cmd --list-all
 2 public
 3   target: default
 4   icmp-block-inversion: no
 5   interfaces: 
 6   sources: 
 7   services: dhcpv6-client ssh
 8   ports: 1000-2000/tcp
 9   protocols: 
10   masquerade: no
11   forward-ports: 
12   source-ports: 
13   icmp-blocks: 
14   rich rules: 
15     rule family="ipv4" source address="192.168.200.105" accept
16     rule family="ipv4" source address="10.0.0.42" drop      #已拒绝该IP访问
17     

 

7、放通某个 IP 访问某个端口

说明:这是最小权限的写法,推荐优先使用。6379 是 Redis 的默认端口,绝不应该对不可信网络开放;由于 6379 并不在 `ports:` 列表里,只有 192.168.1.169 能访问它,其它来源仍然被默认策略拒绝。
 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.169 port protocol=tcp port=6379 accept'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="10.0.0.42" drop
21     rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept  #已放通该IP的6379端口

#禁止指定 IP 访问本机 8080 端口(此处用 reject,对方会立即收到拒绝而不是等待超时;对来自不可信网络的来源一般更倾向用 drop,少泄露信息)。注意 8080 本身并不在 public 区域的 `ports:`/`services:` 里,默认就是不通的,这条规则是在以后开放 8080 时仍能挡住该 IP 的"兜底"写法。

 1 [root@ac ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="10.0.0.42" drop
21     rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept
22     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject    #已添加

8、移除以上规则

说明:`--remove-rich-rule` 后面的规则字符串必须与已有规则等价(family、source、port、protocol、action 都要对上),否则 firewalld 会报错且不会删除;不确定时先用 `firewall-cmd --permanent --list-rich-rules` 查看精确文本再复制。下面的示例中,写成 `family=ipv4` 和 `family="ipv4"` 两种形式都能匹配。另外注意第 4 节放通的 1000-2000/tcp 在这里并没有移除,最终 `ports:` 仍然是打开的。

1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.169" port port="6379" protocol="tcp" accept'
2 success
3 [root@ac ~]# firewall-cmd --reload
4 success
 1 [root@ac ~]# firewall-cmd --list-all
 2 public
 3   target: default
 4   icmp-block-inversion: no
 5   interfaces: 
 6   sources: 
 7   services: dhcpv6-client ssh
 8   ports: 1000-2000/tcp                                          
 9   protocols: 
10   masquerade: no  
11   forward-ports: 
12   source-ports: 
13   icmp-blocks: 
14   rich rules:                                         #已删除192.168.1.169的6379端口
15     rule family="ipv4" source address="192.168.200.105" accept
16     rule family="ipv4" source address="10.0.0.42" drop
17     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject

 

 1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=10.0.0.42 drop'
 2 success
 3 [root@ac ~]# firewall-cmd --reload
 4 success
 5 [root@ac ~]# firewall-cmd --list-all
 6 public
 7   target: default
 8   icmp-block-inversion: no
 9   interfaces: 
10   sources: 
11   services: dhcpv6-client ssh
12   ports: 1000-2000/tcp
13   protocols: 
14   masquerade: no
15   forward-ports: 
16   source-ports: 
17   icmp-blocks: 
18   rich rules: 
19     rule family="ipv4" source address="192.168.200.105" accept
20     rule family="ipv4" source address="192.168.1.1" port port="8080" protocol="tcp" reject
 1 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="8080" reject'
 2 success
 3 [root@ac ~]# firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=192.168.200.105 accept'
 4 success
 5 [root@ac ~]# firewall-cmd --reload
 6 success
 7 [root@ac ~]# firewall-cmd --list-all
 8 public
 9   target: default
10   icmp-block-inversion: no
11   interfaces: 
12   sources: 
13   services: dhcpv6-client ssh
14   ports: 1000-2000/tcp
15   protocols: 
16   masquerade: no
17   forward-ports: 
18   source-ports: 
19   icmp-blocks: 
20   rich rules: 

 


 


