CentOS: Detailed Guide to Configuring the firewalld Firewall on CentOS 7 (repost)


A firewalld zone configuration file

cat /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="6301-20000"/>
    <accept/>
  </rule>
</zone>

The configuration above is the solution to the problem of containers being unable to reach the host IP when using Docker.

Here 172.17.0.0/16 is the Docker network segment (subnet mask 255.255.0.0); it is needed when deploying a MongoDB sharded cluster with port mapping.

192.168.1.0/24 is the local LAN segment (subnet mask 255.255.255.0); it is needed when deploying a Redis cluster with --net host.

Applying the configuration

[root@bogon redis]# firewall-cmd --reload
success
[root@bogon redis]# 
[root@bogon redis]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="172.17.0.0/16" accept
    rule family="ipv4" source address="192.168.1.0/24" port port="6301-20000" protocol="tcp" accept
[root@bogon redis]# 


The following is reposted from: https://www.cnblogs.com/tantanba/p/5944266.html

Official documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld1


Before modifying the firewall configuration file, back up the existing firewall configuration.

After restarting the firewall, confirm that firewalld is running and that the rules have been loaded; if the restart fails or the rules fail to load, the firewall will block all requests.


systemctl status firewalld
    # show the status of the firewalld service (the unit is named firewalld, not firewall)
firewall-cmd --state
    # show whether firewalld is running
firewall-cmd --list-all
    # show the firewall rules (only the policy in /etc/firewalld/zones/public.xml is displayed)
firewall-cmd --list-all-zones
    # show all firewall policies (i.e. every zone under /etc/firewalld/zones/)
firewall-cmd --reload
    # reload the configuration files
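To make the check recommended above repeatable (is firewalld running, and did the rules in public.xml actually load after the reload?), here is an added Python example; it is not code from the original post. It parses the output of `firewall-cmd --list-all` into a dictionary and reports anything that is missing. `SAMPLE_LIST_ALL` is the listing quoted earlier on this page, embedded as a constructed sample so the parser runs offline; `verify_live()` is the only function that actually invokes `firewall-cmd`, and it assumes it is run as root on a host with firewalld installed.

```python
"""Post-reload check for firewalld: parse `firewall-cmd --list-all` and confirm
the zone is active, bound to the right interface, and carries the expected
rich rules. Added example, not code from the original post."""
import re
import subprocess

# Constructed sample: the `firewall-cmd --list-all` listing quoted in the post.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="172.17.0.0/16" accept
    rule family="ipv4" source address="192.168.1.0/24" port port="6301-20000" protocol="tcp" accept
"""


def parse_list_all(text):
    """Return a dict with the zone name, an 'active' flag, one list per field
    (services, ports, interfaces, ...) and the rich rules as a list of strings."""
    lines = text.splitlines()
    header = re.match(r"(\S+)(?:\s+\((active)\))?\s*$", lines[0])
    zone = {"zone": header.group(1), "active": header.group(2) == "active",
            "rich rules": []}
    current = None
    for line in lines[1:]:
        # Rich rules are indented one level deeper than the field names.
        if line.startswith("    ") and current == "rich rules":
            zone["rich rules"].append(line.strip())
            continue
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current = key
        if key != "rich rules":
            zone[key] = value.split()
    return zone


def check_expected(zone, expected_rules, interface=None):
    """Return a list of problems; an empty list means the zone is in the expected state."""
    problems = []
    if not zone["active"]:
        problems.append("zone %s is not active" % zone["zone"])
    if interface and interface not in zone.get("interfaces", []):
        problems.append("interface %s is not bound to zone %s" % (interface, zone["zone"]))
    for rule in expected_rules:
        if rule not in zone["rich rules"]:
            problems.append("missing rich rule: " + rule)
    return problems


def verify_live(expected_rules, interface=None):
    """Query the running firewalld (needs root on the host); returns the problem list."""
    state = subprocess.run(["firewall-cmd", "--state"], capture_output=True, text=True)
    if state.stdout.strip() != "running":
        return ["firewalld is not running: " + (state.stdout + state.stderr).strip()]
    listing = subprocess.run(["firewall-cmd", "--list-all"], capture_output=True,
                             text=True, check=True).stdout
    return check_expected(parse_list_all(listing), expected_rules, interface)


if __name__ == "__main__":
    expected = [
        'rule family="ipv4" source address="172.17.0.0/16" accept',
        'rule family="ipv4" source address="192.168.1.0/24" port port="6301-20000" protocol="tcp" accept',
    ]
    # Offline demonstration on the sample; use verify_live(expected, "ens33") on a real host.
    for problem in check_expected(parse_list_all(SAMPLE_LIST_ALL), expected, "ens33") or ["ok"]:
        print(problem)
```

Run it right after `firewall-cmd --reload`; a non-empty problem list is the signal to restore the backup of the zone file and reload again, rather than leaving the host with a policy that differs from what was intended.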


Method 1: edit the configuration file /etc/firewalld/zones/public.xml, then restart firewalld or reload the configuration for it to take effect.

[root@nginx01 zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <rule family="ipv4">
    <source address="122.x.x.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="123.x.x.14"/>
    <!-- a port range such as "10050-10051" can be opened, not only a single port -->
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow a specific IP on a specific port and protocol -->
    <source address="192.x.x.114"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow any IP to reach port 9527 on the server -->
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>

firewall-cmd --reload
service firewalld restart    # either command reloads the configuration file
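Before reloading a zone file like the one above, it is worth listing what each rule actually exposes, since a rule with no `<source>` (the 9527 rule) accepts from anyone and a rule with no `<port>` accepts every port from its source. The following added Python example, not code from the original post, does that review with the standard library's ElementTree. `SAMPLE_ZONE` is a constructed zone that combines the rules from the two public.xml files on this page, and the threshold of 100 ports for flagging a "wide" range is an assumption chosen for illustration.

```python
"""Review what a firewalld zone file exposes before reloading it: list each rich
rule's source, protocol and ports, and flag rules that accept from any source,
open a wide port range, or open every port from a source. Added example, not
code from the original post."""
import xml.etree.ElementTree as ET

# Constructed sample: the rules from the two public.xml files on this page,
# combined into one zone so that every check below has something to report.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="6301-20000"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>
"""


def port_count(spec):
    """Ports covered by a firewalld port spec: "80" -> 1, "10050-10051" -> 2."""
    low, _, high = spec.partition("-")
    return int(high or low) - int(low) + 1


def audit_zone(xml_text, wide_threshold=100):
    """Return one dict per <rule>, each carrying a 'flags' list of review findings.
    wide_threshold (an assumed value) is the port count above which a range is flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.findall("rule"):
        src = rule.find("source")
        port = rule.find("port")
        action = next((c.tag for c in rule if c.tag in ("accept", "reject", "drop")), None)
        entry = {
            "source": src.get("address") if src is not None else "any",
            "protocol": port.get("protocol") if port is not None else None,
            "port": port.get("port") if port is not None else None,
            "action": action,
            "flags": [],
        }
        if action == "accept":
            if entry["source"] == "any":
                entry["flags"].append("accepts from any source")
            if entry["port"] is None:
                entry["flags"].append("accepts every port from the source")
            elif port_count(entry["port"]) >= wide_threshold:
                entry["flags"].append("opens %d ports" % port_count(entry["port"]))
        findings.append(entry)
    return findings


if __name__ == "__main__":
    # Point this at /etc/firewalld/zones/public.xml on a real host instead of the sample.
    for f in audit_zone(SAMPLE_ZONE):
        print("%-18s %-4s %-12s %s" % (f["source"], f["protocol"] or "-",
                                       f["port"] or "all", "; ".join(f["flags"]) or "ok"))
```

On the sample this reports that the Docker segment gets every port, that the LAN rule opens 13700 ports, and that port 9527 is reachable from any address; each of those may be intended, but they are the lines to confirm before the reload rather than after.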
posted @ 2021-05-18 18:48  会飞的斧头