在CentOS 7.9中,firewalld是默认的防火墙管理工具,它提供了一种灵活的方式来定义和控制网络流量的访问规则。以下是常用的firewalld命令及其使用方式:
sudo systemctl start firewalld
:启动防火墙sudo systemctl stop firewalld
:停止防火墙sudo systemctl enable firewalld
:开机自启sudo systemctl disable firewalld
:禁用开机自启sudo firewall-cmd --state
:检查运行状态sudo firewall-cmd --reload
:重载配置(不中断现有连接)sudo firewall-cmd --complete-reload
:完全重载(中断连接)sudo firewall-cmd --get-default-zone
:查看默认区域sudo firewall-cmd --set-default-zone=public
:设置默认区域sudo firewall-cmd --get-active-zones
:查看活动区域sudo firewall-cmd --list-all-zones
:列出所有区域规则sudo firewall-cmd --zone=public --list-all
:查看指定区域规则sudo firewall-cmd --zone=public --change-interface=eth0
:绑定接口到区域sudo firewall-cmd --list-services
:查看允许的服务sudo firewall-cmd --add-service=http
:临时允许 HTTPsudo firewall-cmd --add-service=http --permanent
:永久允许 HTTPsudo firewall-cmd --remove-service=http
:移除 HTTP 规则sudo firewall-cmd --list-ports
:查看开放的端口sudo firewall-cmd --add-port=8080/tcp
:临时开放 8080/TCPsudo firewall-cmd --add-port=20000-65535/tcp --permanent
:永久开放端口范围sudo firewall-cmd --remove-port=8080/tcp
:关闭端口sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'
:允许某IP访问SSH例如,屏蔽端口和放行指定IP和端口的步骤如下:
屏蔽端口:
sudo firewall-cmd --permanent --zone=public --set-target=drop
sudo firewall-cmd --permanent --zone=public --remove-service=ssh
sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='172.16.5.222' port protocol='tcp' port='22' accept"
sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='172.16.5.222' port protocol='tcp' port='3306' accept"
sudo firewall-cmd --reload
放行指定IP和端口:
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='172.16.110.55' accept"
sudo firewall-cmd --reload
希望这些信息对你有所帮助!