Preface
Most servers from the larger cloud providers come with security groups, where rules such as opening a specific IP and port are easy to configure. Some smaller providers, however, offer no security group that can be managed from a web page, which is inconvenient. Nearly every server ships with its own firewall, so here we cover firewalld.
Check the firewall status
systemctl status firewalld
Output:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2025-11-25 14:53:29 CST; 5s ago
Docs: man:firewalld(1)
Main PID: 32075 (firewalld)
Tasks: 2
Memory: 21.5M
CGroup: /system.slice/firewalld.service
└─32075 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Nov 25 14:53:29 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall da.....
Nov 25 14:53:29 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Start the firewall
systemctl start firewalld
Stop the firewall
systemctl stop firewalld
List the firewall's existing rich rules
firewall-cmd --list-rich-rules
Output:
rule family="ipv4" source address="39.113.47.109" port port="9000" protocol="tcp" accept
rule family="ipv4" source address="39.113.47.109" port port="39000" protocol="tcp" accept
rule family="ipv4" source address="192.33.11.195" port port="9000" protocol="tcp" accept
List the open ports
firewall-cmd --list-ports
Allow a specific IP to access a specific port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.33.11.194" port port="9000" protocol="tcp" accept'
Allow all IPs to access a specific port
firewall-cmd --permanent --add-port=30080/tcp
Remove an existing rule
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="39.113.47.109" port port="39000" protocol="tcp" accept'
Apply the configuration
firewall-cmd --reload
Explanation
- --permanent: the rule persists; without it, the rule is lost after a restart.
- rule family="ipv4": an IPv4 rule; use ipv6 for IPv6.
- source address="x.x.x.x": the source IP address that is allowed.
- port port="3306" protocol="tcp": the port and protocol that may be accessed.
- accept: the action taken is "accept".
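Putting these options together, as an added example that is not part of the original post: a shell helper that builds the rich rule from an address and a port (choosing ipv4 or ipv6 from the address), adds one permanent rule per allowed source, reloads, and then confirms each rule with --query-rich-rule, since skipping the reload is the usual reason a rule "does not work". The FIREWALL_CMD and DRY_RUN variables are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build and apply firewalld rich
# rules that allow-list source addresses for one port, as the post does by hand.
# FIREWALL_CMD (default firewall-cmd) and DRY_RUN are this script's own variables.
set -eu

# Pick the rule family from the address: anything containing ':' is IPv6.
addr_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# Print the rich rule for one source address and port.
# Usage: build_rich_rule <address> <port> [protocol]
build_rich_rule() {
    local addr=$1 port=$2 proto=${3:-tcp}
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept' \
        "$(addr_family "$addr")" "$addr" "$port" "$proto"
}

# Add one permanent rich rule per address, reload, then confirm each rule is
# active in the running configuration (a missing reload is the usual mistake).
# Usage: allow_sources <port> <address>...
allow_sources() {
    local port=$1; shift
    local fw=${FIREWALL_CMD:-firewall-cmd} addr rule
    for addr in "$@"; do
        rule=$(build_rich_rule "$addr" "$port") || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$fw --permanent --add-rich-rule='$rule'"
        else
            "$fw" --permanent --add-rich-rule="$rule"
        fi
    done
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    "$fw" --reload
    for addr in "$@"; do
        "$fw" --query-rich-rule="$(build_rich_rule "$addr" "$port")" \
            || { echo "rule for $addr is not active" >&2; return 1; }
    done
}
```

Run it as `allow_sources 9000 192.33.11.194 192.33.11.195` on the host; with DRY_RUN=1 it only prints the firewall-cmd invocations it would make.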