linux防火墙配置
1、CentOS 6(iptables):
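#!/usr/bin/env bash
# CentOS 6 (iptables) host firewall: allow-list a handful of source hosts, drop every
# other inbound packet. Run as root.
# Order matters: every ACCEPT rule is appended BEFORE the INPUT policy is flipped to
# DROP, so an SSH session from an allow-listed host is never cut off mid-script.
set -eu

# Outbound and forwarded traffic is not filtered by this listing.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# The original listing lacked these two rules. Once the INPUT policy is DROP, loopback
# traffic (local services talking over 127.0.0.1) and the replies to this host's own
# outbound connections (DNS, yum, ...) are dropped unless accepted explicitly.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Hosts allowed to reach this machine on every port and protocol.
allowed_sources=(
  192.168.200.178
  192.168.200.195
  192.168.200.180
  172.16.17.71
  172.16.17.72
  172.16.21.6
  # NOTE(review): 2.0.1.0/16 is not RFC 1918 space and has host bits set (iptables
  # applies it as 2.0.0.0/16) -- confirm this range is really intended.
  2.0.1.0/16
)
for src in "${allowed_sources[@]}"; do
  iptables -A INPUT -s "$src" -p all -j ACCEPT
done

# Last step: anything not matched above is dropped.
iptables -P INPUT DROP

# NOTE: these rules are runtime only; run `service iptables save` to persist them
# across reboots (CentOS 6 writes them to /etc/sysconfig/iptables).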
2、CentOS 7 配置(firewalld):
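#!/usr/bin/env bash
# CentOS 7 (firewalld) host firewall -- test environment. Run as root.
# Result: default zone "drop" (unsolicited inbound traffic dropped, replies to this
# host's own connections still accepted) with http/https/ssh/icmp open to everyone
# and every port open to 192.168.4.9.
set -eu

zone=drop

# The original had three systemctl commands collapsed onto one line (start/start/stop);
# a single start is what is needed here.
systemctl start firewalld
systemctl status firewalld
# If firewalld is not enabled at boot the host comes up unfiltered after a reboot;
# check with `systemctl is-enabled firewalld`.

# Build the permanent "drop" zone first and make it the default only AFTER the reload.
# The original did it the other way round: --set-default-zone=drop takes effect on the
# running firewall at once, while the --permanent additions below are not live until
# --reload, so between the two steps no NEW ssh connection was possible -- a lockout if
# the script died in between (the session running it normally survives, as firewalld
# keeps established connections).
firewall-cmd --permanent --zone="$zone" --add-service=https
firewall-cmd --permanent --zone="$zone" --add-service=http
# The ssh service is 22/tcp, so the original's extra --add-port=22/tcp was redundant.
firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-protocol=icmp
# NOTE(review): masquerade makes firewalld enable IP forwarding and NAT on this host,
# which a host-only firewall does not need; keep it only if this box is meant to route.
firewall-cmd --permanent --zone="$zone" --add-masquerade
# Single quotes keep the inner double quotes intact for firewalld. The original's nested
# double quotes were collapsed by the shell to `rule family=ipv4 source address=... accept`,
# which firewalld tolerates but is fragile.
firewall-cmd --permanent --zone="$zone" --add-rich-rule='rule family="ipv4" source address="192.168.4.9" accept'
firewall-cmd --reload

firewall-cmd --set-default-zone="$zone"
firewall-cmd --zone="$zone" --list-all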
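#!/usr/bin/env bash
# CentOS 7 (firewalld) host firewall -- production nodes 192.168.133.40/.41/.42.
# Run as root on each node. Result: default zone "drop" with http/https/ssh/icmp open to
# everyone and every port open to 192.168.133.39 and to the three nodes themselves.
set -eu

zone=drop
# Hosts trusted on every port/protocol: 192.168.133.39 plus the three nodes (peers).
trusted_hosts=(192.168.133.39 192.168.133.40 192.168.133.41 192.168.133.42)

# The original had three systemctl commands collapsed onto one line (start/start/stop).
systemctl start firewalld
systemctl status firewalld
# If firewalld is not enabled at boot the host comes up unfiltered after a reboot;
# check with `systemctl is-enabled firewalld`.

# Permanent rules first, reload, and only then switch the default zone: switching first
# (as the original did) puts the host in a runtime "drop" zone that does not yet allow
# ssh, so no new ssh connection succeeds until the reload -- a lockout if the script
# dies in between.
firewall-cmd --permanent --zone="$zone" --add-service=https
firewall-cmd --permanent --zone="$zone" --add-service=http
# The ssh service is 22/tcp; the original's separate --add-port=22/tcp was redundant.
firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-protocol=icmp
# NOTE(review): masquerade enables IP forwarding/NAT on this host; a host-only firewall
# does not need it. Keep only if these nodes are meant to route traffic.
firewall-cmd --permanent --zone="$zone" --add-masquerade
# Blanket accept per trusted source. Inner double quotes are escaped so they reach
# firewalld intact (the original's nested quotes were collapsed by the shell).
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
firewall-cmd --reload

firewall-cmd --set-default-zone="$zone"
firewall-cmd --zone="$zone" --list-all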
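# Stop firewalld entirely. This is NOT a rollback of the rules above: with the service
# stopped nothing is filtered at all (every listening port is exposed) until it is
# started again. To back out individual rules use the removal section further down.
systemctl stop firewalld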
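#!/usr/bin/env bash
# CentOS 7 (firewalld) host firewall -- production host 192.168.133.39 (marked "pending"
# in the original: not yet applied). Run as root.
# Same policy as the .40/.41/.42 nodes plus 8888/tcp and 8889/tcp open to everyone.
set -eu

zone=drop
trusted_hosts=(192.168.133.39 192.168.133.40 192.168.133.41 192.168.133.42)
# NOTE(review): 8888/8889 are opened to ALL sources here; confirm against the host's
# listeners (`ss -ltnp`) that they really must be world-reachable and not just
# reachable from the trusted hosts, which the rich rules below already cover.
open_ports=(8888 8889)

# Permanent rules first, reload, then switch the default zone -- avoids the window in
# which the original's early --set-default-zone=drop refused every new ssh connection.
firewall-cmd --permanent --zone="$zone" --add-service=https
firewall-cmd --permanent --zone="$zone" --add-service=http
# The ssh service is 22/tcp; the original's separate --add-port=22/tcp was redundant.
firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-protocol=icmp
# NOTE(review): masquerade enables IP forwarding/NAT on this host; drop it unless the
# host is meant to route traffic.
firewall-cmd --permanent --zone="$zone" --add-masquerade
for port in "${open_ports[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-port="${port}/tcp"
done
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
firewall-cmd --reload

firewall-cmd --set-default-zone="$zone"
firewall-cmd --zone="$zone" --list-all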
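# Stop firewalld entirely. Not a rollback: while the service is stopped nothing is
# filtered (every listening port is exposed). Use the removal section below to back
# out individual rules instead.
systemctl stop firewalld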
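#!/usr/bin/env bash
# Roll back the production (192.168.133.x) drop-zone rules added above. Run as root.
set -eu

zone=drop
trusted_hosts=(192.168.133.39 192.168.133.40 192.168.133.41 192.168.133.42)

# NOTE(review): this only strips the allowances from the "drop" zone; it does NOT move
# the host out of it. After the reload the host is still in "drop" with nothing allowed,
# so no new ssh connection can be made (only the session running this survives). Put
# the host back in its previous zone before stripping, e.g.
#   firewall-cmd --set-default-zone=public
# ("public" is firewalld's stock default -- use whatever zone this host had before).

# Removing something that is not present only produces a NOT_ENABLED warning in
# current firewalld versions, so this is safe to re-run.
firewall-cmd --permanent --zone="$zone" --remove-service=https
firewall-cmd --permanent --zone="$zone" --remove-service=http
firewall-cmd --permanent --zone="$zone" --remove-service=ssh
firewall-cmd --permanent --zone="$zone" --remove-protocol=icmp
firewall-cmd --permanent --zone="$zone" --remove-masquerade
firewall-cmd --permanent --zone="$zone" --remove-port=22/tcp
# The rule text must parse to the same rule that was added; quotes are escaped so the
# inner double quotes reach firewalld intact.
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --remove-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
# NOTE: the 8888/8889 ports opened on 192.168.133.39 are not removed here; add the
# matching --remove-port lines when rolling that host back.
firewall-cmd --reload
firewall-cmd --zone="$zone" --list-all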
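#!/usr/bin/env bash
# CentOS 7 (firewalld) host firewall -- production host where 8004/tcp must be reachable
# ONLY from 172.22.40.1 (per the heading). Run as root.
set -eu

zone=drop
# Hosts trusted on every port/protocol.
trusted_hosts=(172.22.40.1 172.22.40.2 172.22.40.3)
# Application ports open to every source.
open_ports=(8080 8081 8082)

# Permanent rules first, reload, then switch the default zone -- avoids the window in
# which the original's early --set-default-zone=drop refused every new ssh connection.
firewall-cmd --permanent --zone="$zone" --add-service=https
firewall-cmd --permanent --zone="$zone" --add-service=http
# The ssh service is 22/tcp; the original's separate --add-port=22/tcp was redundant.
firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-protocol=icmp
# NOTE(review): masquerade enables IP forwarding/NAT on this host; drop it unless the
# host is meant to route traffic.
firewall-cmd --permanent --zone="$zone" --add-masquerade
for port in "${open_ports[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-port="${port}/tcp"
done
# The original opened 8004 with --add-port=8004/tcp, which exposes it to EVERY source and
# contradicts the "only 172.22.40.1" requirement. A source-bound rich rule implements it.
firewall-cmd --permanent --zone="$zone" --add-rich-rule='rule family="ipv4" source address="172.22.40.1" port port="8004" protocol="tcp" accept'
# Blanket accept for the trusted hosts. Note this already admits 8004 from 172.22.40.2
# and .3 as well -- drop those two entries if 8004 really must be .1-only.
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
firewall-cmd --reload

firewall-cmd --set-default-zone="$zone"
firewall-cmd --zone="$zone" --list-all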
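#!/usr/bin/env bash
# Roll back the 172.22.40.x / 8004 drop-zone rules added above. Run as root.
set -eu

zone=drop
trusted_hosts=(172.22.40.1 172.22.40.2 172.22.40.3)
open_ports=(8080 8081 8082)

# NOTE(review): this only strips the allowances from the "drop" zone and leaves the
# host in it with nothing allowed -- no new ssh connection will succeed after the
# reload. Move the host back to its previous zone first, e.g.
#   firewall-cmd --set-default-zone=public
# ("public" is firewalld's stock default -- use whatever zone this host had before).

# Removing something that is not present only produces a NOT_ENABLED warning in
# current firewalld versions, so this is safe to re-run.
firewall-cmd --permanent --zone="$zone" --remove-service=https
firewall-cmd --permanent --zone="$zone" --remove-service=http
firewall-cmd --permanent --zone="$zone" --remove-service=ssh
firewall-cmd --permanent --zone="$zone" --remove-protocol=icmp
firewall-cmd --permanent --zone="$zone" --remove-masquerade
firewall-cmd --permanent --zone="$zone" --remove-port=22/tcp
for port in "${open_ports[@]}"; do
  firewall-cmd --permanent --zone="$zone" --remove-port="${port}/tcp"
done
# Marked "tentative" in the original: 8083/8084 are never opened in the matching add
# section, so these lines are kept for reference only.
# firewall-cmd --permanent --zone="$zone" --remove-port=8083/tcp
# firewall-cmd --permanent --zone="$zone" --remove-port=8084/tcp
# 8004 may have been opened either globally (original listing) or via the
# 172.22.40.1-only rich rule; remove whichever form is present (absent one only warns).
firewall-cmd --permanent --zone="$zone" --remove-port=8004/tcp
firewall-cmd --permanent --zone="$zone" --remove-rich-rule='rule family="ipv4" source address="172.22.40.1" port port="8004" protocol="tcp" accept'
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --remove-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
firewall-cmd --reload
firewall-cmd --zone="$zone" --list-all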
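#!/usr/bin/env bash
# CentOS 7 (firewalld) host firewall -- JiNan site. Run as root.
set -eu

zone=drop
# Hosts trusted on every port/protocol.
# NOTE(review): 11.17.11.x is not RFC 1918 space -- confirm these are the intended
# (internal) addresses.
trusted_hosts=(11.17.11.211 11.17.11.212 11.17.11.213 11.17.11.214 11.17.11.215)
# Ports open to every source. 22022 and 3396 are not standard service ports
# (presumably an alternate ssh port and an application port); confirm against the
# host's listeners (`ss -ltnp`) before opening them to the world.
open_ports=(22022 8080 8081 8082 3396)

# Permanent rules first, reload, then switch the default zone. The original switched the
# default zone first and never reloaded, so its --permanent rules did not take effect at
# all until a restart -- while the runtime "drop" zone, lacking ssh, refused every new
# ssh connection in the meantime.
firewall-cmd --permanent --zone="$zone" --add-service=https
firewall-cmd --permanent --zone="$zone" --add-service=http
# The ssh service is 22/tcp; the original's separate --add-port=22/tcp was redundant.
firewall-cmd --permanent --zone="$zone" --add-service=ssh
firewall-cmd --permanent --zone="$zone" --add-protocol=icmp
# NOTE(review): masquerade enables IP forwarding/NAT on this host; drop it unless the
# host is meant to route traffic.
firewall-cmd --permanent --zone="$zone" --add-masquerade
for port in "${open_ports[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-port="${port}/tcp"
done
for host in "${trusted_hosts[@]}"; do
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"${host}\" accept"
done
firewall-cmd --reload

firewall-cmd --set-default-zone="$zone"
firewall-cmd --zone="$zone" --list-all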
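#!/usr/bin/env bash
# Add 22023/tcp to the permanent "drop" zone. The original did this by hand-editing
# /etc/firewalld/zones/drop.xml (inserting <port port="22023" protocol="tcp"/>) and
# then running `systemctl start firewalld`, which is a no-op on an already-running
# service -- so the edit was not applied. Run as root.
set -eu

zone=drop

systemctl status firewalld

# The firewall-cmd call writes the same <port .../> element into drop.xml and is less
# error-prone than an interactive vi session. If the file IS edited by hand, the reload
# below is still what makes the change live.
firewall-cmd --permanent --zone="$zone" --add-port=22023/tcp
firewall-cmd --reload

firewall-cmd --zone="$zone" --list-all
systemctl status firewalld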
/etc/firewalld/zones/drop.xml 例子:
<?xml version="1.0" encoding="utf-8"?>
<!-- Example of /etc/firewalld/zones/drop.xml, the permanent configuration that the
     "permanent, zone=drop" firewall-cmd calls above write. Hand edits to this file are
     not live until the firewall is reloaded (a firewall-cmd reload). -->
<zone target="DROP">
<short>Drop</short>
<description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
<!-- Services and ports below are open to every source. This example carries none of
     the per-source rich rules added in the command listings above. -->
<service name="https"/>
<service name="http"/>
<service name="ssh"/>
<!-- 22/tcp duplicates the ssh service above. -->
<port port="22" protocol="tcp"/>
<!-- NOTE(review): 23/tcp is the telnet port (cleartext). None of the command listings
     above open it; confirm it is really needed before copying this example. -->
<port port="23" protocol="tcp"/>
<!-- Alternate ports from the JiNan section (22023 was the hand-edit addition). -->
<port port="22022" protocol="tcp"/>
<port port="22023" protocol="tcp"/>
<protocol value="icmp"/>
<!-- NOTE(review): masquerade enables IP forwarding/NAT on the host; a host-only
     firewall does not need it. -->
<masquerade/>
</zone>