一、查看firewall规则
[root@localhost ~]# firewall-cmd --list-allpublic (active)target: defaulticmp-block-inversion: nointerfaces: enp0s3sources:services: dhcpv6-client sshports:protocols:masquerade: noforward-ports:sourceports:icmp-blocks:rich rules:
二、配置允许访问规则
(一)配置文件添加
具体添加的内容:
[root@localhost zones]# vim /etc/firewalld/zones/public.xml<?xml version="1.0" encoding="utf-8"?><zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="http"/><service name="ssh"/><rule family="ipv4"><source address="10.10.10.10"/><port protocol="tcp" port="80"/><drop/></rule><rule family="ipv4"><source address="10.10.10.11"/><port protocol="tcp" port="22"/><accept/></rule></zone>
编辑文件保存后,要执行firewall-cmd --reload才生效。
(二)命令行添加
1. 开通所有源IP访问http服务
方法一:
[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp[root@localhost conf]# firewall-cmd --reload
结果:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
方法二:
[root@localhost conf]# firewall-cmd --permanent --add-service=http[root@localhost conf]# firewall-cmd --reload
结果:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
2. 开通访问http服务,并限制源IP访问
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'[root@localhost ~]# firewall-cmd --reload
参数说明:family 对哪个协议;source address 源地址;accept 允许;drop 拒绝;
三、配置禁止访问规则
禁止某个源IP访问:
[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'[root@localhost conf]# firewall-cmd --reload
结果:
[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop
四、删除规则
删除访问规则命令:
firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'[root@localhost ~]# firewall-cmd --reload
五、备注
同一规则允许及拒绝时,效果为拒绝,不会跟iptables一样,没有先后顺序优先匹配,为全文匹配,拒绝大于允许。
版权归原作者 見贤思齊 所有, 如有侵权,请联系我们删除。