CentOS 通过 firewalld 的 rich-rule 实现按来源 IP 和端口限制访问
在防火墙上开放指定端口443
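# Open 443/tcp in the "public" zone.
# --permanent writes the rule to the zone's saved config only; the running
# firewall is NOT changed until `firewall-cmd --reload` (or repeat the command
# without --permanent to apply it immediately as well).
# Pick --zone= to match the zone the serving interface is bound to
# (see --get-zone-of-interface / --get-active-zones); the set of zones differs
# per host, e.g. a "docker" zone is present on the machine shown below.
firewall-cmd --zone=public --add-port=443/tcp --permanent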
[root@localhost /]# firewall-cmd --get-zones    # 列出所有可用区域（原文 --zone= 后直接列出的区域名应为 Tab 补全结果，不是命令输出）
block dmz docker drop external home internal public trusted work
查看防火墙是否打开指定端口443
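# Ask whether 443/tcp is open in the zone. Prints "yes"/"no" and exits 0/1, so
# it can drive a script branch:
#   if firewall-cmd --zone=public --query-port=443/tcp >/dev/null; then ...; fi
# Without --permanent this checks the RUNTIME config: a port added only with
# --permanent and not yet reloaded answers "no" here. Use the --permanent form
# to check the saved config.
firewall-cmd --zone=public --query-port=443/tcp
firewall-cmd --permanent --zone=public --query-port=443/tcp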
[root@localhost /]# firewall-cmd --zone=public --query-port=443/tcp
yes
[root@localhost /]# firewall-cmd --zone=public --query-port=8080/tcp
no
查看指定接口所在区域
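# Print the zone ens224 is bound to ("no zone" if it is not bound to any).
# Zone rules apply to every interface in that zone: the --list-all output
# below shows both ens192 and ens224 in "public", so a port opened there is
# reachable on both NICs. `firewall-cmd --get-active-zones` lists every zone
# together with the interfaces/sources bound to it.
firewall-cmd --get-zone-of-interface=ens224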
[root@localhost /]# firewall-cmd --get-zone-of-interface=ens224
public
显示当前区域已放开的服务、端口和 rich rules（不加 --permanent 显示的是运行时配置，加 --permanent 显示已保存的永久配置）
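# Dump the runtime settings of the default zone: services, ports, rich rules...
# Add --permanent to see the saved config, --zone=NAME for a specific zone.
# Read "target: default" together with the rest of the output: traffic that
# matches no service/port/rich rule is rejected, which is what makes a
# per-source rich rule actually restrictive.
firewall-cmd --list-all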
[root@localhost /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224
sources:
services: dhcpv6-client ssh
ports: 80/tcp 8009/tcp 9202/tcp 9001/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
在防火墙上只允许指定 IP 访问指定端口（以 6379/tcp 为例）。注意：这只有在该端口没有通过 --add-port 对整个区域放开时才是"白名单"——若已用 --add-port 放开，所有来源都已放行，rich rule 不再起限制作用。
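# Allow 6379/tcp ONLY from the two listed source addresses.
# Outer single quotes keep the inner double quotes intact; the original
# nested-double-quote form only worked through shell quote concatenation and
# is fragile. This is a whitelist only if 6379/tcp is NOT also opened
# zone-wide with --add-port (that would admit every source regardless of
# these rules) and the zone target is not ACCEPT; note 6379/tcp is absent
# from the "ports:" line in the listing below. --permanent rules take effect
# only after `firewall-cmd --reload`.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="202.202.157.78" port protocol="tcp" port="6379" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.255.2" port protocol="tcp" port="6379" accept'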
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224
sources:
services: dhcpv6-client ssh
ports: 22/tcp 1521/tcp 9001/tcp 5672/tcp 15672/tcp 5500/tcp 9000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="202.202.157.78" port port="6379" protocol="tcp" accept
rule family="ipv4" source address="192.168.255.2" port port="6379" protocol="tcp" accept
在防火墙上移除指定 IP 的指定端口访问（规则文本必须与 firewall-cmd --permanent --list-rich-rules 列出的规则一致，否则删除失败）
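# Remove a rich rule. The text must describe the rule that is actually stored
# (copy it from `firewall-cmd --permanent --list-rich-rules`). Shown for the
# first address allowed above; the original page removed an address that was
# never added, which firewalld rejects as not enabled.
firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="202.202.157.78" port port="6379" protocol="tcp" accept'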
带 --permanent 的修改只写入配置文件，必须重新加载后才在运行中的防火墙生效；注意 reload 会丢弃未加 --permanent 的运行时规则。
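# Load the saved (permanent) configuration into the running firewall; required
# after every --permanent change above. It also discards rules that were added
# at runtime only (without --permanent) -- save those first with
# `firewall-cmd --runtime-to-permanent` if they must survive.
# Verify afterwards with `firewall-cmd --list-rich-rules`.
firewall-cmd --reload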