Open a specific port:
firewall-cmd --zone=public --add-port=<port>/tcp --permanent
Close a specific port:
firewall-cmd --zone=public --remove-port=<port>/tcp --permanent
Reload the firewall (permanent changes take effect immediately):
firewall-cmd --reload
Open a port for a specific source IP (single quotes outside so the inner double quotes reach firewalld intact):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.154.0.113" port protocol="tcp" port="2379" accept'
Reject a port for a specific source IP (valid actions are accept, reject and drop; "refuse" is not a firewalld action):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.154.0.113" port protocol="tcp" port="2379" reject'
Restart the firewall:
systemctl restart firewalld.service
Check firewall status:
systemctl status firewalld.service
Start the firewall:
systemctl start firewalld.service
Disable start at boot:
systemctl disable firewalld.service
Enable start at boot:
systemctl enable firewalld.service
List open ports:
firewall-cmd --list-ports
List rich rules (per-source-IP port rules):
firewall-cmd --list-rich-rules
Remove a rich rule (the rule text must match the one shown by --list-rich-rules):
firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" port protocol="tcp" port="443" reject'
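The rich-rule commands above are easy to get wrong in two ways: nested double quotes that the shell strips, and an action name firewalld does not know. The helper below (an added example, not part of the original cheat sheet; mk_rich_rule and apply_rich_rule are names chosen here) validates the inputs and prints a correctly quoted rule, then applies it permanently and reloads, assuming firewall-cmd is installed.

```shell
#!/bin/sh
# mk_rich_rule SOURCE PORT ACTION [PROTO]
# Prints a firewalld rich rule, e.g.:
#   rule family="ipv4" source address="10.154.0.113" port protocol="tcp" port="2379" accept
mk_rich_rule() {
    src=$1; port=$2; action=$3; proto=${4:-tcp}
    # firewalld rich rules accept only accept, reject, drop (and mark);
    # "refuse" is not an action, so fail early instead of shipping a broken rule.
    case $action in
        accept|reject|drop) ;;
        *) echo "invalid action: $action (use accept|reject|drop)" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    # Port must be an integer in 1-65535 (port ranges are legal in firewalld
    # but are not handled by this helper).
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    # Crude IPv4 / CIDR check: digits, dots and at most one slash, no stray dots.
    case $src in
        ''|*[!0-9./]*|*..*|.*|*.|*/*/*) echo "invalid source: $src" >&2; return 1 ;;
    esac
    # Single quotes in printf keep the inner double quotes literal, which is
    # exactly what the one-liners in the cheat sheet need.
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" %s\n' \
        "$src" "$proto" "$port" "$action"
}

# apply_rich_rule SOURCE PORT ACTION [PROTO]: write the permanent rule and
# reload so it takes effect now (the two steps the cheat sheet lists separately).
apply_rich_rule() {
    rule=$(mk_rich_rule "$@") || return 1
    firewall-cmd --permanent --add-rich-rule "$rule" && firewall-cmd --reload
}
```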
Stop Docker from bypassing the firewall (add --iptables=false to the ExecStart line; Docker then no longer inserts its own iptables rules, so published container ports must be opened through firewalld):
vi /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock
systemctl daemon-reload
systemctl restart docker