CentOS 7 firewall (firewalld) configuration

1. At work, remote access usually goes through a bastion host, so the firewall cannot simply be turned on directly; the rules have to be written into the configuration file first.

Edit the configuration file /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
  <rule family="ipv4">
    <source address="172.21.0.16"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
</zone>  

Notes:

# Open ports

  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
  
# Open a port for a specific source IP only
  <rule family="ipv4">
    <source address="172.21.0.16"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule> 

Finally, restart the firewall and the rules take effect

systemctl restart firewalld.service

# View the rules
[root@VM_0_14_centos html]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 80/tcp 22/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="172.21.0.16" port port="3306" protocol="tcp" accept
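Before running systemctl restart firewalld against a zone file edited by hand, it is worth checking that the file still admits SSH from the bastion host, since a restart with a broken public.xml cuts off the only way in. The following is an added example, not code from the original post: it parses a zone file with the standard library, resolves services, open ports and accept rich rules, and answers "can this source still reach this port?". The sample XML is constructed from the post's public.xml; the helper names (parse_zone, allows, safe_to_restart) are assumptions, and the only service it knows is firewalld's default ssh service, which maps to 22/tcp.

```python
# Added example (not from the original post): lockout guard for a firewalld zone file.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the public.xml shown in the post.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
  <rule family="ipv4">
    <source address="172.21.0.16"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
</zone>
"""

# Service-to-port mapping; only the default ssh service is modelled here.
SERVICE_PORTS = {"ssh": {("tcp", "22")}}


def parse_zone(xml_text):
    """Return the zone's services, open ports and its rich rules (hypothetical helper)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    zone = {
        "services": {s.get("name") for s in root.findall("service")},
        "ports": {(p.get("protocol"), p.get("port")) for p in root.findall("port")},
        "rich_rules": [],
    }
    for rule in root.findall("rule"):
        src = rule.find("source")
        port = rule.find("port")
        zone["rich_rules"].append({
            "family": rule.get("family"),
            "source": src.get("address") if src is not None else None,
            "port": (port.get("protocol"), port.get("port")) if port is not None else None,
            "action": "accept" if rule.find("accept") is not None else "other",
        })
    return zone


def allows(zone, source_ip, protocol, port):
    """True if the zone accepts traffic from source_ip to protocol/port."""
    port = str(port)
    if (protocol, port) in zone["ports"]:
        return True
    for service in zone["services"]:
        if (protocol, port) in SERVICE_PORTS.get(service, set()):
            return True
    ip = ipaddress.ip_address(source_ip)
    for rule in zone["rich_rules"]:
        if rule["action"] != "accept" or rule["port"] != (protocol, port):
            continue
        # A rule without <source> applies to every source address.
        if rule["source"] is None or ip in ipaddress.ip_network(rule["source"], strict=False):
            return True
    return False


def safe_to_restart(xml_text, bastion_ip, ssh_port=22):
    """Lockout guard: restart firewalld only if the bastion can still reach SSH."""
    return allows(parse_zone(xml_text), bastion_ip, "tcp", ssh_port)


if __name__ == "__main__":
    print("bastion 172.21.0.16 keeps SSH:", safe_to_restart(SAMPLE_ZONE, "172.21.0.16"))
    print("bastion 172.21.0.16 reaches 3306:", allows(parse_zone(SAMPLE_ZONE), "172.21.0.16", "tcp", 3306))
```

Run it against the real file with `safe_to_restart(open("/etc/firewalld/zones/public.xml").read(), "<bastion ip>")` and only restart (or `firewall-cmd --reload`, which also re-reads the permanent configuration) when it returns True.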

2. The main thing is that the SSH port is written in the configuration file; the other rules can be added either way!

Adding rules directly from the command line

# Permanently open port 9090
firewall-cmd --zone=public --add-port=9090/tcp --permanent

# PostgreSQL port setup: allow 192.168.142.166 to access port 5432

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.27.0.2" port protocol="tcp" port="1521" accept'
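The rich-rule grammar needs its values double-quoted, so the command has to be wrapped in single quotes for the shell, and a rule added with --permanent is not active until a reload. The following is an added example, not code from the original post: it builds the two invocations above as argument lists (so no shell quoting is involved at all), validates the address and port first, and appends `firewall-cmd --reload` so the permanent rules reach the running configuration. The helper names (open_port_cmd, rich_rule, rich_rule_cmd, apply_rules) are assumptions; the firewall-cmd options are the real ones. It generalises the post's single rule: it accepts a CIDR range as well as a single host and picks the address family from the input.

```python
# Added example (not from the original post): build and apply firewall-cmd rules safely.
import ipaddress
import shutil
import subprocess


def validate_port(port):
    """Reject anything that is not a valid TCP/UDP port number."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def open_port_cmd(port, protocol="tcp", zone="public"):
    """argv for: firewall-cmd --zone=public --add-port=<port>/<protocol> --permanent."""
    return ["firewall-cmd", f"--zone={zone}",
            f"--add-port={validate_port(port)}/{protocol}", "--permanent"]


def rich_rule(source, port, protocol="tcp", action="accept"):
    """Render a rich rule with every value double-quoted, as firewalld requires."""
    net = ipaddress.ip_network(source, strict=False)  # single host or CIDR range
    family = "ipv4" if net.version == 4 else "ipv6"
    # Keep a bare address for single hosts, as in the post; CIDR ranges keep their prefix.
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
    return (f'rule family="{family}" source address="{addr}" '
            f'port protocol="{protocol}" port="{validate_port(port)}" {action}')


def rich_rule_cmd(source, port, protocol="tcp", zone="public"):
    """argv for a permanent --add-rich-rule; the rule is one argv element, so no shell quoting."""
    return ["firewall-cmd", f"--zone={zone}", "--permanent",
            f"--add-rich-rule={rich_rule(source, port, protocol)}"]


def apply_rules(commands, dry_run=True):
    """Run each command, then reload so --permanent rules become active.

    Returns the commands as display strings; with dry_run (or without
    firewall-cmd on the machine) nothing is executed.
    """
    commands = list(commands) + [["firewall-cmd", "--reload"]]
    rendered = [" ".join(c) for c in commands]
    if dry_run or shutil.which("firewall-cmd") is None:
        return rendered
    for c in commands:
        subprocess.run(c, check=True)  # raises if firewall-cmd rejects a rule
    return rendered


if __name__ == "__main__":
    plan = apply_rules([
        open_port_cmd(9090),
        rich_rule_cmd("172.27.0.2", 1521),        # the post's rule
        rich_rule_cmd("192.168.142.166", 5432),   # the PostgreSQL rule from the comment
    ])
    print("\n".join(plan))
```

Call `apply_rules(..., dry_run=False)` as root once the printed plan looks right; `subprocess.run(check=True)` stops at the first rule firewalld rejects, so a typo never leaves a half-applied set followed by a reload.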
Posted 2019-01-08 16:14 by 随心朝阳