linux防火墙配置

1、Centos6:

iptables -P OUTPUT ACCEPT 

iptables -P FORWARD ACCEPT

iptables -A INPUT -s 192.168.200.178 -p all -j ACCEPT 

iptables -A INPUT -s 192.168.200.195 -p all -j ACCEPT

iptables -A INPUT -s 192.168.200.180 -p all -j ACCEPT

iptables -A INPUT -s 172.16.17.71 -p all -j ACCEPT

iptables -A INPUT -s 172.16.17.72 -p all -j ACCEPT

iptables -A INPUT -s 172.16.21.6 -p all -j ACCEPT

iptables -A INPUT -s 2.0.1.0/16 -p all -j ACCEPT

 

iptables -P INPUT DROP 最后一步

 

 

2、Centos7配置:

#!/bin/bash

systemctl start firewalldsystemctl start firewalldsystemctl stop firewalld
systemctl status firewalld
systemctl start firewalld


--测试环境
firewall-cmd --set-default-zone=drop

firewall-cmd --permanent --zone=drop --add-service=https
firewall-cmd --permanent --zone=drop --add-service=http
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-port=22/tcp


firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.4.9" accept"
firewall-cmd --reload

 

 

#!/bin/bash

systemctl start firewalldsystemctl start firewalldsystemctl stop firewalld
systemctl status firewalld
systemctl start firewalld

 

--正式环境   192.168.133.40、192.168.133.41、192.168.133.42

firewall-cmd --set-default-zone=drop

firewall-cmd --permanent --zone=drop --add-service=https
firewall-cmd --permanent --zone=drop --add-service=http
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-port=22/tcp


firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.39" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.40" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.41" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.42" accept"


firewall-cmd --reload

firewall-cmd --list-all

 

停止防火墙:

systemctl stop firewalld

 

--正式环境   192.168.133.39 --待执行

firewall-cmd --set-default-zone=drop

firewall-cmd --permanent --zone=drop --add-service=https
firewall-cmd --permanent --zone=drop --add-service=http
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-port=22/tcp

firewall-cmd --permanent --zone=drop --add-port=8888/tcp

firewall-cmd --permanent --zone=drop --add-port=8889/tcp


firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.39" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.40" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.41" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.133.42" accept"


firewall-cmd --reload

firewall-cmd --list-all

 

停止防火墙:

systemctl stop firewalld

 

删除:

firewall-cmd --permanent --zone=drop --remove-service=https
firewall-cmd --permanent --zone=drop --remove-service=http
firewall-cmd --permanent --zone=drop --remove-service=ssh
firewall-cmd --permanent --zone=drop --remove-protocol=icmp
firewall-cmd --permanent --zone=drop --remove-masquerade
firewall-cmd --permanent --zone=drop --remove-port=22/tcp


firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="192.168.133.39" accept"
firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="192.168.133.40" accept"
firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="192.168.133.41" accept"
firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="192.168.133.42" accept"

 

firewall-cmd --reload

firewall-cmd --list-all

 

--正式环境   8004  仅172.22.40.1 开启

firewall-cmd --set-default-zone=drop

firewall-cmd --permanent --zone=drop --add-service=https
firewall-cmd --permanent --zone=drop --add-service=http
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-port=22/tcp
firewall-cmd --permanent --zone=drop --add-port=8080/tcp
firewall-cmd --permanent --zone=drop --add-port=8081/tcp
firewall-cmd --permanent --zone=drop --add-port=8082/tcp

firewall-cmd --permanent --zone=drop --add-port=8004/tcp


firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="172.22.40.1" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="172.22.40.2" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="172.22.40.3" accept"


firewall-cmd --reload

firewall-cmd --list-all

删除操作:

firewall-cmd --permanent --zone=drop --remove-service=https
firewall-cmd --permanent --zone=drop --remove-service=http
firewall-cmd --permanent --zone=drop --remove-service=ssh
firewall-cmd --permanent --zone=drop --remove-protocol=icmp
firewall-cmd --permanent --zone=drop --remove-masquerade
firewall-cmd --permanent --zone=drop --remove-port=22/tcp
firewall-cmd --permanent --zone=drop --remove-port=8080/tcp
firewall-cmd --permanent --zone=drop --remove-port=8081/tcp
firewall-cmd --permanent --zone=drop --remove-port=8082/tcp

firewall-cmd --permanent --zone=drop --remove-port=8083/tcp --暂定

firewall-cmd --permanent --zone=drop --remove-port=8084/tcp --暂定

firewall-cmd --permanent --zone=drop --remove-port=8004/tcp


firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="172.22.40.1" accept"
firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="172.22.40.2" accept"
firewall-cmd --permanent --zone=drop --remove-rich-rule="rule family="ipv4" source address="172.22.40.3" accept"


firewall-cmd --reload

firewall-cmd --list-all

 

---JiNan 防火墙配置

firewall-cmd --set-default-zone=drop

firewall-cmd --permanent --zone=drop --add-service=https
firewall-cmd --permanent --zone=drop --add-service=http
firewall-cmd --permanent --zone=drop --add-service=ssh
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-port=22/tcp

firewall-cmd --permanent --zone=drop --add-port=22022/tcp

 

firewall-cmd --permanent --zone=drop --add-port=8081/tcp

firewall-cmd --permanent --zone=drop --add-port=8082/tcp

firewall-cmd --permanent --zone=drop --add-port=8080/tcp

firewall-cmd --permanent --zone=drop --add-port=3396/tcp

firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="11.17.11.211" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="11.17.11.212" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="11.17.11.213" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="11.17.11.214" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="11.17.11.215" accept"

 

 

--手动修改配置文件

systemctl status firewalld

cd /etc/firewalld/zones

vi drop.xml

<port port="22023" protocol="tcp"/>

systemctl start firewalld

firewall-cmd --list-all

systemctl status firewalld

 

drop.xml 例子:

<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
<short>Drop</short>
<description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<service name="https"/>
<service name="http"/>
<service name="ssh"/>
<port port="22" protocol="tcp"/>
<port port="23" protocol="tcp"/>
<port port="22022" protocol="tcp"/>
<port port="22023" protocol="tcp"/>
<protocol value="icmp"/>
<masquerade/>
</zone>

 

posted on 2021-08-19 08:54  四海骄阳  阅读(429)  评论(0编辑  收藏  举报

导航