Command: firewall-cmd (the firewalld firewall)
Default rule (convention): when a command is run without a zone, the default zone is used, which is public on a stock install [If zone is omitted, default zone will be used.]
Purpose: firewall-cmd - firewalld command line client
systemctl start firewalld.service       start the service
systemctl stop firewalld.service        stop the service
systemctl restart firewalld.service     restart the service
systemctl status firewalld.service      show its status
systemctl enable firewalld.service      start it at boot
systemctl disable firewalld.service     do not start it at boot
systemctl is-enabled firewalld.service  check whether it starts at boot
Common options:
--state                          show the firewall state
--reload                         reload the rules without dropping existing connections (Reload firewall rules and keep state information)
--complete-reload                reload and drop existing connections (state information is lost)
--runtime-to-permanent           Save active runtime configuration and overwrite permanent configuration with it
--permanent                      make the change permanent (it survives a firewalld or server restart); it reaches the running firewall only after --reload
--get-zones                      show the predefined zones (Print predefined zones)
--get-default-zone               Print default zone for connections and interfaces.
--set-default-zone=<zone>        set the default zone
--get-active-zones               show the zones that currently have interfaces or sources bound to them
--get-services                   Print predefined services
--list-all                       list everything for a zone: interfaces, services, ports, protocols, ...
--list-all-zones                 the same listing for every zone
--list-services                  list the services allowed in the zone
--list-ports                     list the ports open in the zone
--list-protocols                 list the protocols allowed in the zone
--info-zone=<zone>               show information about a zone
--info-service=<service>         show information about a service
--add-service=<service>          allow a service
--remove-service=<service>       remove a service
--query-service=<service>        query whether a service is allowed
--add-port=<port/protocol>       open a port
--remove-port=<port/protocol>    remove a port
--query-port=<port/protocol>     query whether a port is open
[--zone=zone] --list-interfaces              list the interfaces bound to the zone (default zone: public)
[--zone=zone] --add-interface=interface      bind an interface to a zone
[--zone=zone] --query-interface=interface    query whether the interface is bound to the zone
[--zone=zone] --change-interface=interface   move the interface to the zone
[--permanent] --remove-interface=interface   remove the interface from the zone
--timeout=timeval                how long the rule stays active (seconds by default; m for minutes, h for hours)
Examples: 1. Move interface ens38 from the default zone to the trusted zone
[root@test ~]# firewall-cmd --zone trusted --add-interface=ens38
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
[root@test ~]# firewall-cmd --list-all --zone=trusted
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: ens38
2. Show the active zones
[root@test ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
trusted
interfaces: ens38
[root@test ~]#
3. Add ports and services to (or remove them from) a zone
[root@test ~]# firewall-cmd --zone=trusted --add-port=1234/tcp --permanent
success
[root@test ~]#
[root@test ~]# firewall-cmd --zone=trusted --add-service=ssh --permanent
success
Verify the result
[root@test ~]# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: ens38 ens33
sources:
services: ssh
ports: 1234/tcp
Remove the service or port from the zone
[root@test ~]# firewall-cmd --zone=trusted --remove-service=ssh --permanent
success
[root@test ~]# firewall-cmd --zone=trusted --remove-port=1234/tcp --permanent
success
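An added audit helper (my example, not part of the original post or of firewalld) that parses the text `firewall-cmd --list-all-zones` prints, in the same layout as the listings above, and flags active zones whose target is ACCEPT, which is what trusted becomes for every interface bound to it. The zone listing is constructed sample text, not captured from the host in the post.

```python
# Constructed sample of `firewall-cmd --list-all-zones` output (public on ens33, trusted on ens38); not a real capture.
SAMPLE_LIST_ALL_ZONES = """\
public (active)
  target: default
  interfaces: ens33
  services: ssh dhcpv6-client
  ports:

trusted (active)
  target: ACCEPT
  interfaces: ens38
  services: ssh
  ports: 1234/tcp
  rich rules:
        rule family="ipv4" service name="mysql" accept
"""

def parse_zones(text):
    """Map zone name -> {active, target, interfaces, services, ports, rich_rules}."""
    zones, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # zone header, e.g. "trusted (active)"
            name, _, rest = line.partition(" ")
            cur = zones[name] = {"active": "(active)" in rest, "target": "",
                                 "interfaces": [], "services": [], "ports": [],
                                 "rich_rules": []}
            continue
        body = line.strip()
        if body.startswith("rule "):          # rich rules are one per indented line
            cur["rich_rules"].append(body)
            continue
        key, _, value = body.partition(":")
        if key == "target":
            cur["target"] = value.strip()
        elif key in ("interfaces", "services", "ports"):
            cur[key] = value.split()
    return zones

def accept_all_zones(zones):
    """Active zones whose target is ACCEPT: every interface bound there is wide open."""
    return {n: z["interfaces"] for n, z in zones.items()
            if z["active"] and z["target"] == "ACCEPT"}

def zones_opening(zones, item):
    """Zones whose runtime config allows a port ("1234/tcp") or a service ("ssh")."""
    return sorted(n for n, z in zones.items()
                  if item in z["ports"] or item in z["services"])
```

On a real host, feed it `subprocess.run(["firewall-cmd", "--list-all-zones"], capture_output=True, text=True).stdout` instead of the sample.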
=============================================================
[--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]
Add the port for zone. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will
be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one
of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
[--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
[--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]
[--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
[--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol [--timeout=timeval]
[--permanent] [--zone=zone] --add-icmp-block=icmptype [--timeout=timeval]
[--permanent] [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
[--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
[--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
As described above, a rule's lifetime can be set with --timeout=; the default unit is seconds (s), and minutes (m) or hours (h) can also be given.
Note: --timeout conflicts with --permanent and cannot be combined with it; it can be used with any add operation (ports, services, and so on).
Example:
firewall-cmd --add-port=21212/tcp --timeout=10
firewall-cmd --list-all | grep 21212
Rich-rule commands:
firewall-cmd --list-rich-rules
firewall-cmd --add-rich-rule='rule'
firewall-cmd --remove-rich-rule='rule'
firewall-cmd --query-rich-rule='rule'
Format:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4/ipv6" source address="host/net" destination address="host/net" icmp-type name="echo-request" drop'
family=[ipv4/ipv6]
source address (or destination address)="host IP/netmask", e.g. 192.168.100.10 or 192.168.100.0/24
Element: [port/service/protocol/.../icmp-type, 8 kinds in total]
# Add rich rules
Element: port
firewall-cmd --permanent --add-rich-rule='rule port port="80" protocol="tcp" accept'
(equivalent to: firewall-cmd --permanent --add-port=80/tcp)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.0/24" destination address="192.168.100.88" port protocol="tcp" port="80" accept'
Element: icmp-type
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.10" destination address="192.168.100.88" icmp-type name="echo-request" drop'
Element: protocol
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" protocol value="udp" drop'
Element: service
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" service name="mysql" accept'
Negating an IP address (NOT)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source NOT address="192.168.100.0/24" destination not address="192.168.100.88" port port="80" protocol="tcp" accept'
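An added helper (example code, not from the original post or from firewalld) that builds a rich rule from validated parts, including the NOT inversion shown above, and quotes it once for the shell so the inner double quotes reach firewall-cmd intact. Element names are the eight kinds listed above; the 192.168.100.x addresses are the constructed values from the examples.

```python
import ipaddress
import shlex

# Grammar pieces from firewalld.richlanguage(5); ELEMENTS are the eight element kinds.
FAMILIES = {"ipv4": 4, "ipv6": 6}
ELEMENTS = {"service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port"}
ACTIONS = {"accept", "reject", "drop", "mark"}

def build_rich_rule(family, element, attrs, action, source=None, destination=None,
                    invert_source=False, invert_destination=False):
    """Compose 'rule family=.. [source [NOT] address=..] [destination ..] element attrs action',
    rejecting unknown names and addresses whose version does not match the family."""
    if family not in FAMILIES:
        raise ValueError(f"unknown family {family!r}")
    if element not in ELEMENTS:
        raise ValueError(f"unknown element {element!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    parts = [f'rule family="{family}"']
    for keyword, addr, invert in (("source", source, invert_source),
                                  ("destination", destination, invert_destination)):
        if addr is None:
            continue
        net = ipaddress.ip_network(addr, strict=False)   # raises ValueError on garbage
        if net.version != FAMILIES[family]:
            raise ValueError(f"{addr} is not an {family} address")
        parts.append(f'{keyword} {"NOT " if invert else ""}address="{addr}"')
    parts.append(element + "".join(f' {k}="{v}"' for k, v in attrs.items()))
    parts.append(action)
    return " ".join(parts)

def firewall_cmd_line(rule, permanent=True):
    """Shell command that adds the rule. shlex.quote wraps the whole rule in single
    quotes; wrapping it in double quotes lets the shell strip the inner ones."""
    return f"firewall-cmd {'--permanent ' if permanent else ''}--add-rich-rule={shlex.quote(rule)}"

if __name__ == "__main__":
    rule = build_rich_rule("ipv4", "port", {"port": "80", "protocol": "tcp"}, "accept",
                           source="192.168.100.0/24", invert_source=True,
                           destination="192.168.100.88", invert_destination=True)
    print(firewall_cmd_line(rule))
```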
List rich rules
[root@test html]# firewall-cmd --list-rich-rule
rule port port="3306" protocol="tcp" accept
rule family="ipv4" source NOT address="192.168.100.0/24" destination not address="192.168.100.88" port port="80" protocol="tcp" accept
rule family="ipv4" source NOT address="192.168.100.0/24" destination not address="192.168.100.88" port port="8080" protocol="tcp" accept
rule family="ipv4" service name="mysql" accept
Query a rich rule (the string must match the installed rule exactly)
[root@test html]# firewall-cmd --query-rich-rule='rule port port="3306" protocol="tcp" accept'
yes/no
Delete a rich rule
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" service name="mysql" accept'