Configuring firewalld firewall rules on Linux

1. Viewing the current firewall rules

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

2. Configuring allow rules

(1) Adding rules via the configuration file

    Content to add (the zone file of the public zone):
[root@localhost zones]# vim /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="10.10.10.10"/>
    <port protocol="tcp" port="80"/>
    <drop/>
  </rule>
  <rule family="ipv4">
    <source address="10.10.10.11"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
</zone>
    After saving the file, run firewall-cmd --reload for the change to take effect.

(2) Adding rules from the command line

1. Allow all source IPs to access the http service

    Method 1: open port 80/tcp
[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp
[root@localhost conf]# firewall-cmd --reload
    Result:

[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

    Method 2: add the predefined http service
[root@localhost conf]# firewall-cmd --permanent --add-service=http
[root@localhost conf]# firewall-cmd --reload
    Result:

[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

2. Allow access to the http service, restricted to a specific source IP

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'
[root@localhost ~]# firewall-cmd --reload
    Parameter description:
            family: the address family the rule applies to (ipv4 here);
            source address: the source address to match;
            accept: allow the matching traffic;
            drop: deny the matching traffic (the packet is silently discarded);

3. Configuring deny rules

    Deny access from a specific source IP:
[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'

[root@localhost conf]# firewall-cmd --reload
    Result:

[root@localhost conf]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client http ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
    rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop

4. Deleting rules

    Command to remove an access rule (the rule string must match the one that was added):
firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

5. Notes

    When an allow rule and a deny rule both match the same traffic, the result is deny. Unlike iptables, the rules are not matched in insertion order with the first match winning; the whole rule set is considered and deny takes precedence over allow.
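The following script is an added example and is not part of the original post or of firewalld itself. It builds the rich-rule strings used in sections 2 and 3 with input validation, and emulates the deny-over-allow precedence described in the note above for a constructed rule set (the accept and drop rules for 10.10.10.10 plus the ssh rule for 10.10.10.11 from the zone XML). It runs without root and without firewalld installed; the function names and the simplified matcher are this example's own.

```shell
#!/bin/sh
# Builds firewalld rich-rule strings with input validation and emulates the
# evaluation order for rules of equal priority: deny actions (drop/reject)
# are checked before accept, so a drop for a source beats an accept for the
# same source. Nothing here needs root or a running firewalld.

# build_rich_rule FAMILY SOURCE PORT PROTO ACTION -> prints the rule string,
# or prints an error and returns 1 when an argument is malformed.
build_rich_rule() {
    fam=$1; src=$2; port=$3; proto=$4; action=$5
    case $fam in ipv4|ipv6) ;; *) echo "bad family: $fam" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $action in accept|drop|reject) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    # ipv4 sources must be a dotted quad with an optional /prefix length
    if [ "$fam" = ipv4 ]; then
        echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad ipv4 source: $src" >&2; return 1; }
    fi
    printf 'rule family=%s source address=%s port port=%s protocol=%s %s\n' \
        "$fam" "$src" "$port" "$proto" "$action"
}

# evaluate SOURCE PORT RULES -> drop | reject | accept | no-match for a TCP
# packet, where RULES is a newline-separated list of rich-rule strings.
# Deny actions are tried first, whatever order the rules were added in.
evaluate() {
    src=$1; port=$2; rules=$3
    esc=$(printf '%s' "$src" | sed 's/\./\\./g')   # literal dots in the regex
    for want in drop reject accept; do
        printf '%s\n' "$rules" \
            | grep -Eq "source address=$esc port port=$port protocol=tcp $want\$" \
            && { echo "$want"; return 0; }
    done
    echo "no-match"   # falls through to the zone's services, ports and target
}

# Constructed rule set: the page's accept and drop rules for the same host
# plus the ssh allow for 10.10.10.11 from the zone XML.
RULES=$(build_rich_rule ipv4 10.10.10.10 80 tcp accept
        build_rich_rule ipv4 10.10.10.10 80 tcp drop
        build_rich_rule ipv4 10.10.10.11 22 tcp accept)

echo "10.10.10.10 -> tcp/80: $(evaluate 10.10.10.10 80 "$RULES")"   # drop
echo "10.10.10.11 -> tcp/22: $(evaluate 10.10.10.11 22 "$RULES")"   # accept
```

Each string printed by build_rich_rule is what you would pass to firewall-cmd --permanent --add-rich-rule, followed by firewall-cmd --reload as in the sections above.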

This article is reposted from: https://blog.csdn.net/u013930899/article/details/126353258
Copyright belongs to the original author 見贤思齊; in case of infringement, please contact us for removal.
