
# Remove the previously added "reject 22/tcp from 0.0.0.0" rich rule.
# Note that 0.0.0.0 without a prefix length is one host address, not
# "any source" (that would be 0.0.0.0/0), so the rule being removed never
# matched real traffic. firewall-cmd errors out if no such permanent rule
# exists, and the change only becomes active after 'firewall-cmd --reload'.
old_rule='rule family="ipv4" source address="0.0.0.0" port port="22" protocol="tcp" reject '
firewall-cmd --permanent --remove-rich-rule="$old_rule"



All compute nodes (firewalld)
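# All compute nodes: let the admin host 10.34.1.15 reach rpcbind (111/tcp),
# the VNC console ports 5900-5906/tcp and 8022/tcp.
#
# The rule string is built with properly escaped inner quotes, which is the
# form shown in firewalld.richlanguage(5). The original nested double quotes
# were stripped by the shell, so firewalld received unquoted attribute
# values - it tolerates that, but the rule is easy to break when edited.
admin_host=10.34.1.15
for port in 111 5900 5901 5902 5903 5904 5905 5906; do
  # No --zone given, so these go to whatever the *permanent* default zone
  # is at this moment ("internal" only if it was already set on this node).
  firewall-cmd --permanent \
    --add-rich-rule="rule family=\"ipv4\" source address=\"${admin_host}\" port protocol=\"tcp\" port=\"${port}\" accept"
done
# 8022/tcp is bound to the internal zone explicitly.
firewall-cmd --permanent --zone=internal \
  --add-rich-rule="rule family=\"ipv4\" source address=\"${admin_host}\" port protocol=\"tcp\" port=\"8022\" accept"
# --permanent rules are not active until the configuration is reloaded.
firewall-cmd --reload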



Ubuntu 14.04 (ufw)
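# Ubuntu 14.04 (ufw): restrict SSH to the admin host 10.34.1.15.
# Add the narrow rule *before* deleting the catch-all "allow ssh": ufw
# applies each command immediately, so the original order left a window
# with no SSH rule at all, and a failed 'allow' would have locked out an
# administrator working over SSH.
ufw allow proto tcp from 10.34.1.15 to any port 22
ufw delete allow ssh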





CentOS 7 (firewalld)

Compute node
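# CentOS 7 compute node.
# em1 (management side) is placed in the "internal" zone, em2 in "trusted".
# The trusted zone accepts every packet arriving on that interface, so em2
# must only be reachable from a network you fully trust.
# 'start' alone does not survive a reboot; enable the unit as well.
systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --permanent --zone=internal --change-interface=em1
firewall-cmd --permanent --zone=trusted --change-interface=em2
# Name the zone explicitly. Without --zone this removal applies to the
# current default zone, which on a stock install is still "public" at this
# point - the "internal" zone (which also ships with ssh enabled) would keep
# accepting SSH from anywhere after the default zone is switched below.
firewall-cmd --permanent --zone=internal --remove-service=ssh
# Applies to both runtime and permanent configuration.
firewall-cmd --set-default-zone=internal

# allow_from <source-ip> <tcp|udp> <port-or-range>: permanent rich rule in
# the internal zone accepting that source on that port.
allow_from() {
  firewall-cmd --permanent --zone=internal \
    --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" port protocol=\"$2\" port=\"$3\" accept"
}
allow_from 10.34.1.15 tcp 22
# NOTE: the two 1-65535 rules give the admin host every TCP and UDP port,
# which makes the port-22 rule redundant. Narrow them to the ports actually
# needed unless 10.34.1.15 is meant to be fully trusted (source-address
# rules are only as strong as the network's protection against spoofing).
allow_from 10.34.1.15 tcp 1-65535
allow_from 10.34.1.15 udp 1-65535
# --permanent rules are not active until the configuration is reloaded.
firewall-cmd --reload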



Controller node
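# CentOS 7 controller node.
# em1 -> "internal" zone, em2 -> "trusted" zone (trusted accepts everything
# on that interface, so em2 must only face a fully trusted network).
# 'start' alone does not survive a reboot; enable the unit as well.
systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --permanent --zone=internal --change-interface=em1
firewall-cmd --permanent --zone=trusted --change-interface=em2
# Name the zone explicitly: without --zone this targets the current default
# zone ("public" on a stock install), and the ssh service would stay enabled
# in "internal" once that becomes the default below.
firewall-cmd --permanent --zone=internal --remove-service=ssh
# Applies to both runtime and permanent configuration.
firewall-cmd --set-default-zone=internal

# allow_from <source-ip> <tcp|udp> <port-or-range>: permanent rich rule in
# the internal zone accepting that source on that port.
allow_from() {
  firewall-cmd --permanent --zone=internal \
    --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" port protocol=\"$2\" port=\"$3\" accept"
}
# Admin host: SSH only.
allow_from 10.34.1.15 tcp 22
# 10.34.1.16 / 10.34.1.17 get every TCP and UDP port. Tighten this to the
# service ports they really use if they are not fully trusted hosts.
allow_from 10.34.1.16 tcp 1-65535
allow_from 10.34.1.17 tcp 1-65535
allow_from 10.34.1.16 udp 1-65535
allow_from 10.34.1.17 udp 1-65535
# 10.34.1.83: HTTP and 6080 (presumably a console proxy - confirm).
allow_from 10.34.1.83 tcp 80
allow_from 10.34.1.83 tcp 6080
# --permanent rules are not active until the configuration is reloaded.
firewall-cmd --reload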



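# Ubuntu (ufw): let 10.34.1.2 reach the service ports 3306, 2379 and 11211
# (presumably MySQL, etcd and memcached - memcached has no authentication
# of its own, so this source restriction is its only access control) and
# the VNC consoles 5900-5903.
# The original listed 5903 twice; ufw skips a duplicate rule, so it is
# dropped here. If 5904 was intended, append it to the list.
for port in 3306 2379 11211 5900 5901 5902 5903; do
  ufw allow proto tcp from 10.34.1.2 to any port "$port"
done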



# Ubuntu (ufw): the same three service ports (3306, 2379, 11211) for each
# of the three peers, then the messaging/cluster ports 5672, 2380 and 4369
# from 10.34.1.9 only. Same rules, same order as the original listing.
for peer in 10.34.1.2 10.34.1.5 10.34.1.9; do
  for port in 3306 2379 11211; do
    ufw allow proto tcp from "$peer" to any port "$port"
  done
done
for port in 5672 2380 4369; do
  ufw allow proto tcp from 10.34.1.9 to any port "$port"
done



# SSH from the admin host only.
admin_host=10.34.1.15
ufw allow proto tcp from "$admin_host" to any port 22


# 10.34.1.2 may reach NTP (123/udp) and 5672/tcp (presumably AMQP) here.
peer=10.34.1.2
ufw allow proto udp from "$peer" to any port 123
ufw allow proto tcp from "$peer" to any port 5672



# VNC console ports 5901-5909 from 10.34.1.10. (A later
# 'ufw allow from 10.34.1.10' on this page opens every port from that host
# and makes these per-port rules redundant.)
for port in {5901..5909}; do
  ufw allow proto tcp from 10.34.1.10 to any port "$port"
done


# 10.34.1.10 gets unrestricted access (every protocol and port); the admin
# host gets SSH only.
vnc_host=10.34.1.10
admin_host=10.34.1.15
ufw allow from "$vnc_host"
ufw allow proto tcp from "$admin_host" to any port 22
# Forwarded (routed) traffic is allowed by default. On a host that routes
# or NATs for guests this passes any forwarded packet; if that is not
# intended, keep the default at deny and add explicit
# 'ufw route allow ...' rules instead (ufw 0.34+).
ufw default allow routed

/etc/sysctl.conf (append the line below, then apply it with `sysctl -p`)

# Ignore every ICMP echo request (ping). This only hides the host from
# casual ping sweeps - port scans and other ICMP types are unaffected - and
# it breaks ping-based monitoring and reachability checks. Apply with
# 'sysctl -p' after editing.
net.ipv4.icmp_echo_ignore_all=1
