Centos防火墙的配置

SELinux 的三种模式:enforcing,permissive,disabled

临时更改模式:setenforce 1|0        1:enforcing,   0:permissive

 

1 [root@Centos7-Server html]# 
2 [root@Centos7-Server html]# setenforce 0
3 [root@Centos7-Server html]# getenforce 
4 Permissive

 

 

1 [root@Centos7-Server html]# 
2 [root@Centos7-Server html]# setenforce 1
3 [root@Centos7-Server html]# getenforce
4 Enforcing
5 [root@Centos7-Server html]# 

 

 

查询当前 SELinux 模式:getenforce

 

1 [root@Centos7-Server html]# 
2 [root@Centos7-Server html]# getenforce 
3 Enforcing
4 [root@Centos7-Server html]# 
5 [root@Centos7-Server html]# 

 

 

 

CentOS 7 的防火墙服务是 firewalld(它与上面的 SELinux 是两套相互独立的机制)。

防火墙的预定义区域:

public:只允许访问本机的某几种服务,如ping,dhcp,ssh等。

block:阻塞所有来访的请求

drop:将所有来访的请求数据包丢弃。

trusted:允许所有的访问请求。 

查看默认区域:

1 [root@Centos7-Server html]# firewall-cmd --get-default-zone 
2 public
3 [root@Centos7-Server html]# 

 

修改默认区域(注意:下面示例把默认区域改为 trusted,而 trusted 区域会放行所有来访请求,仅作演示,实际环境中不应把默认区域设为 trusted):

1 [root@Centos7-Server html]# 
2 [root@Centos7-Server html]# firewall-cmd --set-default-zone=trusted
3 success
4 [root@Centos7-Server html]# firewall-cmd --get-default-zone 
5 trusted
6 [root@Centos7-Server html]# 

 

查看区域详细信息:

 1 [root@Centos7-Server html]# 
 2 [root@Centos7-Server html]# firewall-cmd --zone=public --list-all
 3 public (active)
 4   target: default
 5   icmp-block-inversion: no
 6   interfaces: ens33
 7   sources: 
 8   services: ssh dhcpv6-client ftp http
 9   ports: 
10   protocols: 
11   masquerade: no
12   forward-ports: 
13   source-ports: 
14   icmp-blocks: 
15   rich rules: 
16     
17 [root@Centos7-Server html]# 

 

向区域中添加服务:

 1 [root@Centos7-Server html]# 
 2 [root@Centos7-Server html]# firewall-cmd --zone=public --add-service=dns
 3 success
 4 [root@Centos7-Server html]# firewall-cmd --zone=public --list-all
 5 public (active)
 6   target: default
 7   icmp-block-inversion: no
 8   interfaces: ens33
 9   sources: 
10   services: ssh dhcpv6-client ftp http dns
11   ports: 
12   protocols: 
13   masquerade: no
14   forward-ports: 
15   source-ports: 
16   icmp-blocks: 
17   rich rules: 
18     
19 [root@Centos7-Server html]# 

重新加载防火墙的配置(reload 只保留永久配置:上面未加 --permanent 添加的 dns,以及原先运行时才有的 ftp、http,在 reload 之后都消失了):

1 [root@Centos7-Server html]# 
2 [root@Centos7-Server html]# firewall-cmd --reload
3 success
4 [root@Centos7-Server html]# 
5 [root@Centos7-Server html]# 
6 [root@Centos7-Server html]# 
 1 [root@Centos7-Server html]# 
 2 [root@Centos7-Server html]# firewall-cmd --zone=public --list-all
 3 public (active)
 4   target: default
 5   icmp-block-inversion: no
 6   interfaces: ens33
 7   sources: 
 8   services: ssh dhcpv6-client
 9   ports: 
10   protocols: 
11   masquerade: no
12   forward-ports: 
13   source-ports: 
14   icmp-blocks: 
15   rich rules: 
16     
17 [root@Centos7-Server html]# 

永久配置防火墙策略:--permanent 选项把规则写入永久配置,但不会改变当前运行时配置,因此需要执行 firewall-cmd --reload 重新加载后才能生效;反之,不加 --permanent 的改动只在运行时有效,reload 后即丢失。

 1 [root@Centos7-Server html]# 
 2 [root@Centos7-Server html]# firewall-cmd --permanent --zone=public --add-service=ftp
   success
 3 [root@Centos7-Server html]# firewall-cmd --permanent --zone=public --add-service=http
 4 success
 5 [root@Centos7-Server html]# 
 6 [root@Centos7-Server html]# 
 7 [root@Centos7-Server html]# 
 8 [root@Centos7-Server html]# 
 9 [root@Centos7-Server html]# firewall-cmd --zone=public --list-all
10 public (active)
11   target: default
12   icmp-block-inversion: no
13   interfaces: ens33
14   sources: 
15   services: ssh dhcpv6-client
16   ports: 
17   protocols: 
18   masquerade: no
19   forward-ports: 
20   source-ports: 
21   icmp-blocks: 
22   rich rules: 
23     
24 [root@Centos7-Server html]# firewall-cmd --reload
25 success
26 [root@Centos7-Server html]# firewall-cmd --zone=public --list-all
27 public (active)
28   target: default
29   icmp-block-inversion: no
30   interfaces: ens33
31   sources: 
32   services: ssh dhcpv6-client ftp http
33   ports: 
34   protocols: 
35   masquerade: no
36   forward-ports: 
37   source-ports: 
38   icmp-blocks: 
39   rich rules: 
40     
41 [root@Centos7-Server html]# 

端口重定向:

服务器把访问的端口转发到另一个端口,如:192.168.0.50:5324 --> 192.168.0.50:80,即通过 5324 端口访问网页。

 1 [root@Centos7-Server ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=8010:proto=tcp:toport=80
 2 success
 3 [root@Centos7-Server ~]# 
 4 [root@Centos7-Server ~]# 
 5 [root@Centos7-Server ~]# 
 6 [root@Centos7-Server ~]# 
 7 [root@Centos7-Server ~]# firewall-cmd --reload 
 8 success
 9 [root@Centos7-Server ~]# 
10 [root@Centos7-Server ~]# 
11 [root@Centos7-Server ~]# 
12 [root@Centos7-Server ~]# 
13 [root@Centos7-Server ~]# 
14 [root@Centos7-Server ~]# 
15 [root@Centos7-Server ~]# firewall-cmd --zone=public --list-all
16 public (active)
17   target: default
18   icmp-block-inversion: no
19   interfaces: ens33
20   sources: 
21   services: ssh dhcpv6-client ftp http
22   ports: 
23   protocols: 
24   masquerade: no
25   forward-ports: port=8010:proto=tcp:toport=80:toaddr=
26   source-ports: 
27   icmp-blocks: 
28   rich rules: 
29     
30 [root@Centos7-Server ~]# 
31 [root@Centos7-Server ~]# 
32 [root@Centos7-Server ~]# 

 
