I. Viewing firewall rules
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
II. Configuring allow rules
(1) Adding rules in the configuration file
The content to add:
[root@localhost zones]# vim /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
<rule family="ipv4">
<source address="10.10.10.10"/>
<port protocol="tcp" port="80"/>
<drop/>
</rule>
<rule family="ipv4">
<source address="10.10.10.11"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
</zone>
After editing and saving the file, run firewall-cmd --reload for the change to take effect.
(2) Adding rules from the command line
1. Allowing all source IPs to access the http service
Method 1:
[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp
[root@localhost conf]# firewall-cmd --reload
Result:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Method 2:
[root@localhost conf]# firewall-cmd --permanent --add-service=http
[root@localhost conf]# firewall-cmd --reload
Result:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
2. Allowing access to the http service, restricted to a source IP
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'
[root@localhost ~]# firewall-cmd --reload
Parameter descriptions:
family: the protocol family the rule applies to;
source address: the source address;
accept: allow;
drop: deny;
III. Configuring deny rules
Blocking a specific source IP:
[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'
[root@localhost conf]# firewall-cmd --reload
Result:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop
IV. Removing rules
Command to remove an access rule:
firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'
[root@localhost ~]# firewall-cmd --reload
V. Notes
When the same rule exists in both an allow and a deny form, the effect is deny. Unlike iptables, there is no first-match ordering: the whole rule set is evaluated and deny takes precedence over allow.
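The allow methods in section II and the note above have a practical consequence worth checking: a rich rule that accepts port 80 only from one source does not restrict anything if the http service or 80/tcp is also listed for the whole zone, because that entry already admits every source. The following POSIX shell functions are an added example, not part of the original post. They parse the text format of firewall-cmd --list-all shown above and classify a port as OPEN_TO_ALL, RESTRICTED (reachable only through rich rules) or CLOSED. The two zone listings embedded in the script are constructed samples modelled on the output above, so the script runs offline; on a real host you would pipe the live output into it instead.

```shell
#!/bin/sh
# Audit helpers for `firewall-cmd --list-all` output (added example; hypothetical
# function names, not firewalld tooling). Input is read from stdin.

# Constructed sample: http service open to every source, plus a per-source rich rule.
SAMPLE_OPEN='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" accept'

# Constructed sample: port 80 reachable only through the rich rule.
SAMPLE_RESTRICTED='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" accept'

# port_open_to_all PORT PROTO SERVICE
# Exit 0 when the listing on stdin exposes PORT/PROTO to every source, either
# directly in the "ports:" line or via SERVICE in the "services:" line.
port_open_to_all() {
    awk -v port="$1/$2" -v svc="$3" '
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == port) found = 1 }
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc)  found = 1 }
        END { exit !found }'
}

# rich_rules_for_port PORT PROTO
# Print every rich rule in the listing on stdin that targets PORT/PROTO.
rich_rules_for_port() {
    awk -v port="port=\"$1\"" -v proto="protocol=\"$2\"" '
        /^[[:space:]]*rule / && index($0, port) && index($0, proto) {
            sub(/^[[:space:]]+/, ""); print
        }'
}

# audit_port PORT PROTO SERVICE
# Classify PORT/PROTO in the zone listing on stdin:
#   OPEN_TO_ALL  - a zone-wide service or port entry admits every source, so any
#                  per-source accept rich rule is redundant (a drop rich rule still
#                  applies, because firewalld evaluates drop/reject before accept)
#   RESTRICTED   - only rich rules mention the port, so source filtering is in effect
#   CLOSED       - nothing in the zone admits the port
audit_port() {
    listing=$(cat)
    rules=$(printf '%s\n' "$listing" | rich_rules_for_port "$1" "$2")
    if printf '%s\n' "$listing" | port_open_to_all "$1" "$2" "$3"; then
        echo OPEN_TO_ALL
    elif [ -n "$rules" ]; then
        echo RESTRICTED
    else
        echo CLOSED
    fi
}

# Demonstration on the constructed samples.
printf 'open sample, 80/tcp:       %s\n' "$(printf '%s\n' "$SAMPLE_OPEN" | audit_port 80 tcp http)"
printf 'restricted sample, 80/tcp: %s\n' "$(printf '%s\n' "$SAMPLE_RESTRICTED" | audit_port 80 tcp http)"
printf 'restricted sample, 443/tcp: %s\n' "$(printf '%s\n' "$SAMPLE_RESTRICTED" | audit_port 443 tcp https)"
```

On a live system the check is `firewall-cmd --list-all | audit_port 80 tcp http`; if it reports OPEN_TO_ALL while you intended the source restriction from section II.2, remove the http service or 80/tcp port entry (firewall-cmd --permanent --remove-service=http or --remove-port=80/tcp, then --reload) and re-run the check until it reports RESTRICTED.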