CentOS: firewalld configuration on CentOS 7 explained (repost)
A firewalld configuration file
cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="6301-20000"/>
    <accept/>
  </rule>
</zone>
The configuration above solves the problem of containers being unable to reach the host IP when using Docker.
172.17.0.0/16 is the Docker subnet (netmask 255.255.0.0); it is needed when deploying a MongoDB sharded cluster with port mapping.
192.168.1.0/24 is the local LAN subnet (netmask 255.255.255.0); it is needed when deploying a Redis cluster with --net host.
Applying the configuration
[root@bogon redis]# firewall-cmd --reload
success
[root@bogon redis]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="172.17.0.0/16" accept
        rule family="ipv4" source address="192.168.1.0/24" port port="6301-20000" protocol="tcp" accept
The following is reposted from: https://www.cnblogs.com/tantanba/p/5944266.html
Before modifying the firewall configuration file, back up the existing firewall configuration.
After restarting the firewall, confirm the firewall status and that the rules have been loaded; if the restart or the rule loading fails, the firewall will block all requests.
systemctl status firewalld        # check the status of the firewalld service
firewall-cmd --state              # check whether firewalld is running
firewall-cmd --list-all           # list the firewall rules (only the policy in /etc/firewalld/zones/public.xml)
firewall-cmd --list-all-zones     # list all firewall policies (every zone under /etc/firewalld/zones/)
firewall-cmd --reload             # reload the configuration files
Method 1: edit the configuration file /etc/firewalld/zones/public.xml, then restart or reload the firewall to apply it.
[root@nginx01 zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <rule family="ipv4">
    <source address="122.x.x.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="123.x.x.14"/>
    <!-- a port range such as "10050-10051" can be opened, not just a single port -->
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow a specific IP on a specific port and protocol -->
    <source address="192.x.x.114"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow any IP to reach port 9527 on the server -->
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>

firewall-cmd --reload
service firewalld restart    # either command makes firewalld reload the configuration file
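As an added example (not code from the original post or the reposted article), the script below audits a zone file in the format shown in both listings above: it renders each <rule> exactly as `firewall-cmd --list-all` prints rich rules, rejects a mistyped source address before the file is handed to firewalld, and flags accept rules that carry no <source/> (like the 9527 rule), since those admit traffic from any address. The sample zone is constructed from this page's Docker rules plus one such open rule.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the Docker zone file from this page plus one rule
# without <source/> (like the 9527 rule in the reposted example).
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="6301-20000"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>
"""

def rule_to_rich(rule):
    """Render one <rule> element the way `firewall-cmd --list-all` prints it."""
    parts = [f'rule family="{rule.get("family", "ipv4")}"']
    src = rule.find("source")
    if src is not None:
        # Raises ValueError on a mistyped address or mask before firewalld sees it.
        ipaddress.ip_network(src.get("address"), strict=False)
        parts.append(f'source address="{src.get("address")}"')
    port = rule.find("port")
    if port is not None:
        parts.append(f'port port="{port.get("port")}" protocol="{port.get("protocol")}"')
    for action in ("accept", "reject", "drop"):
        if rule.find(action) is not None:
            parts.append(action)
    return " ".join(parts)

def audit_zone(xml_text):
    """Return (rich_rules, warnings): the rich rules as firewalld would list
    them, plus a warning for every accept rule not limited to a source."""
    rich, warnings = [], []
    for rule in ET.fromstring(xml_text.encode("utf-8")).findall("rule"):
        text = rule_to_rich(rule)
        rich.append(text)
        if rule.find("source") is None and rule.find("accept") is not None:
            warnings.append("accepts from any source: " + text)
    return rich, warnings
```

Run it against a zone file before `firewall-cmd --reload` to compare the rendered rules with the rich rules the reload actually reports.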