Centos 通过防火墙配置rich-rule实现IP和端口限制访问

在防火墙上开放指定端口443

 firewall-cmd --zone=public --add-port=443/tcp --permanent   #参数 --permanent 为永久生效 --zone= 为指定区域，可指定区域根据所安装应用不同会有区别

[root@localhost /]# firewall-cmd --permanent --zone=
block dmz docker drop external home internal public trusted work

 

查看防火墙是否打开指定端口443

 firewall-cmd --zone=public --query-port=443/tcp　　　　　　　　#根据返回结果是yes或者no来判断指定端口是否打开

[root@localhost /]# firewall-cmd --zone=public --query-port=443/tcp
yes
[root@localhost /]# firewall-cmd --zone=public --query-port=8080/tcp
no

 

查看指定接口所在区域

 firewall-cmd --get-zone-of-interface=ens224

[root@localhost /]# firewall-cmd --get-zone-of-interface=ens224
public

 

显示防火墙目前已放开的端口

 firewall-cmd --list-all

[root@localhost /]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224
sources:
services: dhcpv6-client ssh
ports: 80/tcp 8009/tcp 9202/tcp 9001/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

 

在防火墙上开放指定IP的指定端口访问

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="202.202.157.78" port protocol="tcp" port="6379" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.255.2" port protocol="tcp" port="6379" accept"

[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224
sources:
services: dhcpv6-client ssh
ports: 22/tcp 1521/tcp 9001/tcp 5672/tcp 15672/tcp 5500/tcp 9000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="202.202.157.78" port port="6379" protocol="tcp" accept
rule family="ipv4" source address="192.168.255.2" port port="6379" protocol="tcp" accept

 

 在防火墙上移除指定IP的指定端口访问 

  firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="202.202.100.164" port port="6379" protocol="tcp" accept' 

 

修改完后需要重新加载防火墙配置

  firewall-cmd --reload