0
0

linux的firewalld防火墙规则配置

一、查看firewall规则

[root@localhost ~]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

二、配置允许访问规则

(一)配置文件添加

    具体添加的内容:

[root@localhost zones]#  vim /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>

<zone>

  <short>Public</short>

  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

  <service name="dhcpv6-client"/>

  <service name="http"/>

  <service name="ssh"/>

  <rule family="ipv4">

    <source address="10.10.10.10"/>

    <port protocol="tcp" port="80"/>

    <drop/>

  </rule>

  <rule family="ipv4">

    <source address="10.10.10.11"/>

    <port protocol="tcp" port="22"/>

    <accept/>

  </rule>

</zone>

    编辑文件保存后,要执行firewall-cmd --reload才生效。

(二)命令行添加

1. 开通所有源IP访问http服务

    方法一:

[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp

[root@localhost conf]# firewall-cmd --reload

    结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

target: default

icmp-block-inversion: no

interfaces: enp0s3

sources:

services: dhcpv6-client ssh

ports: 80/tcp

protocols:

masquerade: no

forward-ports:

sourceports:

icmp-blocks:

rich rules:

    方法二:

[root@localhost conf]# firewall-cmd --permanent --add-service=http

[root@localhost conf]# firewall-cmd --reload

    结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

target: default

icmp-block-inversion: no

interfaces: enp0s3

sources:

services: dhcpv6-client http ssh

ports:

protocols:

masquerade: no

forward-ports:

sourceports:

icmp-blocks:

rich rules:

2. 开通访问http服务,并限制源IP访问

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

    参数说明:

            family 对哪个协议;

            source address 源地址; 

            accept 允许;

            drop 拒绝;

三、配置禁止访问规则

    禁止某个源IP访问:

[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'

[root@localhost conf]# firewall-cmd --reload

    结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

target: default

icmp-block-inversion: no

interfaces: enp0s3

sources:

services: dhcpv6-client http ssh

ports:

protocols:

masquerade: no

forward-ports:

sourceports:

icmp-blocks:

rich rules:

    rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop

四、删除规则

    删除访问规则命令:

firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

五、备注

    同一规则允许及拒绝时,效果为拒绝,不会跟iptables一样,没有先后顺序优先匹配,为全文匹配,拒绝大于允许。
标签: 运维 网络安全 linux
本文转载自: https://blog.csdn.net/u013930899/article/details/126353258
版权归原作者 見贤思齊 所有, 如有侵权,请联系我们删除。
登录后发布评论

“linux的firewalld防火墙规则配置”的评论:

还没有评论
关于作者
...
overfit同步小助手
文章同步
相关阅读

Mac如何在终端进入root用户模式命令如下

提升你的命令行体验:自定义 Bash 提示符显示 Git 分支

failed to load steamui.dll的多种处理方法,steamui.dll的作用

大数据新视界 -- 大数据大厂之提升 Impala 查询效率:索引优化的秘籍大揭秘(上)(3/30)

前端如何安全存储密钥,防止信息泄露

【WebGIS】Cesium:地形加载

前端接口415状态码【解决】

文章导航