
Configuring firewalld firewall rules on Linux

Contents

1. Viewing firewall rules

2. Configuring allow rules

(1) Adding via the configuration file

(2) Adding via the command line

1. Opening the http service to all source IPs

2. Opening the http service, restricted to a source IP

3. Configuring deny rules

4. Deleting rules

5. Notes


1. Viewing firewall rules

[root@localhost ~]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

2. Configuring allow rules

(1) Adding via the configuration file

        The content to add:

[root@localhost zones]#  vim /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>

<zone>

  <short>Public</short>

  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

  <service name="dhcpv6-client"/>

  <service name="http"/>

  <service name="ssh"/>

  <rule family="ipv4">

    <source address="10.10.10.10"/>

    <port protocol="tcp" port="80"/>

    <drop/>

  </rule>

  <rule family="ipv4">

    <source address="10.10.10.11"/>

    <port protocol="tcp" port="22"/>

    <accept/>

  </rule>

</zone>

        After editing and saving the file, you must run firewall-cmd --reload for the change to take effect.

(2) Adding via the command line

1. Opening the http service to all source IPs

        Method one:

[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp

[root@localhost conf]# firewall-cmd --reload

        Result:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client ssh

  ports: 80/tcp

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

        Method two:

[root@localhost conf]# firewall-cmd --permanent --add-service=http

[root@localhost conf]# firewall-cmd --reload

        Result:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client http ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

2. Opening the http service, restricted to a source IP

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

        Parameter description:

                family: the protocol family the rule applies to;

                source address: the source address;

                accept: allow;

                drop: deny;

3. Configuring deny rules

        Blocking access from a specific source IP:

[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'

[root@localhost conf]# firewall-cmd --reload

        Result:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client http ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

        rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop

4. Deleting rules

        Command to delete an access rule:

firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

5. Notes

        When the same rule is both allowed and denied, the effect is deny. Unlike iptables, there is no first-match ordering: all rules are evaluated, and deny takes precedence over allow.
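As an added example (not part of the original post), the following Python script parses a zone file in the public.xml format shown above and models the matching behaviour described in this note: it reports source/port pairs that carry both an accept and a drop rich rule, and decides how a packet would be handled, treating any deny as overriding an accept from a service or a rich rule. The zone XML and the service-to-port mapping are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed zone body built from the page's public.xml example: http is open to
# everyone (method two) and 10.10.10.10:80 carries both the accept rich rule from
# section 2.2 and the drop rich rule from section 3.
PUBLIC_XML = """<zone>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <rule family="ipv4"><source address="10.10.10.10"/><port protocol="tcp" port="80"/><accept/></rule>
  <rule family="ipv4"><source address="10.10.10.10"/><port protocol="tcp" port="80"/><drop/></rule>
  <rule family="ipv4"><source address="10.10.10.11"/><port protocol="tcp" port="22"/><accept/></rule>
</zone>"""

# Assumed service-to-port mapping; firewalld reads the real one from its service definitions.
SERVICE_PORTS = {"http": ("80", "tcp"), "ssh": ("22", "tcp"), "dhcpv6-client": ("546", "udp")}

def load_zone(xml_text):
    """Return the zone's enabled services and its rich rules as plain dicts."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("rule"):
        src, port = r.find("source"), r.find("port")
        action = next(a for a in ("drop", "reject", "accept") if r.find(a) is not None)
        rules.append({
            "source": src.get("address") if src is not None else None,
            "port": (port.get("port"), port.get("protocol")) if port is not None else None,
            "action": action,
        })
    return {"services": [s.get("name") for s in root.findall("service")], "rules": rules}

def decide(zone, src_ip, port, proto="tcp"):
    """Model the page's note: every matching rule counts and a deny beats any accept."""
    verdicts = set()
    for svc in zone["services"]:
        if SERVICE_PORTS.get(svc) == (port, proto):
            verdicts.add("accept")
    for rule in zone["rules"]:
        if rule["source"] in (None, src_ip) and rule["port"] in (None, (port, proto)):
            verdicts.add(rule["action"])
    for verdict in ("drop", "reject", "accept"):  # deny actions are considered first
        if verdict in verdicts:
            return verdict
    return "default"  # nothing matched: the zone target decides

def conflicts(zone):
    """List (source, port) pairs that carry both an allow and a deny rich rule."""
    seen = {}
    for rule in zone["rules"]:
        seen.setdefault((rule["source"], rule["port"]), set()).add(rule["action"])
    return [k for k, v in seen.items() if "accept" in v and v - {"accept"}]

ZONE = load_zone(PUBLIC_XML)
```

Running conflicts(ZONE) flags 10.10.10.10 on 80/tcp, and decide(ZONE, "10.10.10.10", "80") returns "drop" even though the http service and an accept rich rule both match it.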
