Centos防火墙基本指令
systemctl status firewalld.service
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl restart firewalld.service
systemctl enable/disable firewalld.service
systemctl is-enabled firewalld.service
查看防火墙所有信息:firewall-cmd --list-all
查看已激活的Zone信息: firewall-cmd --get-active-zones
查看指定接口所属区域:firewall-cmd --get-zone-of-interface=eth0
拒绝所有包:firewall-cmd --panic-on
取消拒绝状态:firewall-cmd --panic-off
查看是否拒绝:firewall-cmd --query-panic
firewall-cmd --zone=public --query-port=3306/tcp
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --zone=public --remove-port=3306/tcp --permanent
命令含义:
–zone
drop: 丢弃所有进入的包,而不给出任何响应
block: 拒绝所有外部发起的连接,允许内部发起的连接
public: 允许指定的进入连接
external: 同上,对伪装的进入连接,一般用于路由转发
dmz: 允许受限制的进入连接
work: 允许受信任的计算机被限制的进入连接,类似 workgroup
home: 同上,类似 homegroup
internal: 同上,范围针对所有互联网用户
trusted: 信任所有连接
–add-port=3306/tcp
–permanent
firewall-cmd --reload 并不中断用户连接,即不丢失状态信息
https服务为例 return yes or no
查询
firewall-cmd --zone=work --query-service=https
添加
firewall-cmd --zone=work --add-service=https
移除
firewall-cmd --zone=work --remove-service=https
查询
firewall-cmd --zone=external --query-masquerade
添加
firewall-cmd --zone=external --add-masquerade
移除
firewall-cmd --zone=external --remove-masquerade
开启ip地址伪装是实现端口转发的前提条件:
将tcp的3306端口转发到2598
firewall-cmd --zone=external --add-forward-port=3306:porto=tcp:toport=2598
转发端口数据至另一个IP的相同端口:
firewall-cmd --zone=external --add-forward-port=3306:porto=tcp:toaddr=192.168.10.20
转发端口数据至另一个IP的 2500端口:
firewall-cmd --zone=external --add-forward-port=3306:porto=tcp:toport=2500:toaddr=192.168.10.20
IP封禁
添加add-rich-rule / 移除remove-rich-rule
单个IP
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='111.111.111.111' reject"
IP段
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='111.111.111.0/24' reject"
允许单个IP的某个端口
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address=192.168.10.2 port port=80 protocol=tcp accept"
查看屏蔽结果
firewall-cmd --list-rich-rules