Created December 16, 2017 03:07
centos7 firewalld usage notes
--permanent: without this flag every operation is a runtime (temporary) change and is gone after a reload
firewalld works with zones; the initial default zone is usually public
Show all settings of a given zone, e.g. public
firewall-cmd --zone=public --list-all
Show the zones that are currently active
firewall-cmd --get-active-zones
Check the running state
firewall-cmd --state
List all available (predefined) services
firewall-cmd --get-services
List all available services in the permanent configuration
firewall-cmd --get-services --permanent
Set public as the default zone (trust level)
firewall-cmd --set-default-zone=public
Reload the rules
firewall-cmd --reload
Reload the rules and restart the service (complete reload)
firewall-cmd --complete-reload
Allow TCP port 8080 in the dmz zone
firewall-cmd --zone=dmz --add-port=8080/tcp
Allow a range of UDP ports in the public zone, permanently
firewall-cmd --zone=public --add-port=5059-5060/udp --permanent
List all interfaces bound to the public zone
firewall-cmd --zone=public --list-interfaces
Add a service
firewall-cmd --zone=work --add-service=smtp
Remove a service
firewall-cmd --zone=work --remove-service=smtp
Add ports
firewall-cmd --zone=public --add-port=6022/tcp --permanent
firewall-cmd --zone=public --add-port=6022/udp --permanent
Remove ports
firewall-cmd --zone=public --remove-port=6022/tcp --permanent
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
Redirect (port forwarding): remove port 80, then forward TCP 80 to 8080
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
Show rich rules
firewall-cmd --list-rich-rules
DROP requests from a source network
firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='x.x.x.x/24' service name='ssh' drop"
Reject the ssh service for a specific IP range (by service name, or by port)
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='58.xxx.xxx.xxx/24' service name='ssh' reject"
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='58.xxx.xxx.xxx/24' port port=22 protocol=tcp reject"
Allow
firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='x.x.x.x/24' port port=22 protocol=tcp accept"
Create the ipset blacklist for IPv4. A --reload is needed for it to take effect; a blacklist.xml is generated under /etc/firewalld/ipsets, and it seems editing that file directly works too (see ipset_blacklist.xml)
firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip
Add an IP to the blacklist; it takes effect right after being added and rejects all access from it
firewall-cmd --permanent --ipset=blacklist --add-entry=58.xxx.xxx.xxx
Remove an entry
firewall-cmd --permanent --ipset=blacklist --remove-entry=60.xxx.xxx.xxx
Add the rich rule for the blacklist (reject or drop)
firewall-cmd --permanent --add-rich-rule="rule source ipset=blacklist reject"
Remove a rich rule
firewall-cmd --permanent [--zone=zone] --remove-rich-rule='rule'
An IPv6 blacklist
firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:ip --option=family=inet6
Add an address
firewall-cmd --permanent --ipset=blacklist6 --add-entry=fe80::07FF:0004
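An added example, not from the gist, that ties the ipset commands above into one small POSIX sh script: it picks blacklist or blacklist6 from the address, guards the one-time setup so it can be re-run, and adds entries at runtime and permanently. FIREWALL_CMD is an assumed override so the logic can be dry-run with FIREWALL_CMD=echo on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not part of the original gist: wraps the ipset blacklist
# commands above so one call puts an address in the right set (blacklist
# for IPv4, blacklist6 for IPv6). FIREWALL_CMD is an assumed override so the
# logic can be dry-run with FIREWALL_CMD=echo on a host without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Rough address classification: prints 4 for a dotted quad (optional /prefix),
# 6 for anything containing a colon; fails on everything else so placeholders
# such as 58.xxx.xxx.xxx are never handed to firewall-cmd.
addr_family() {
    case "$1" in
        *:*) echo 6 ;;
        ""|*[!0-9./]*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo 4 ;;
        *) return 1 ;;
    esac
}

# One-time setup from the notes above: both ipsets plus a rich rule per set
# that rejects any source listed in it. --new-ipset fails if the set already
# exists, so it is guarded to keep the function re-runnable.
blacklist_init() {
    for name in blacklist blacklist6; do
        family=ipv4; opt=""
        if [ "$name" = blacklist6 ]; then family=ipv6; opt="--option=family=inet6"; fi
        $FIREWALL_CMD --permanent --get-ipsets | tr ' ' '\n' | grep -qxF "$name" ||
            $FIREWALL_CMD --permanent --new-ipset="$name" --type=hash:ip $opt
        $FIREWALL_CMD --permanent --add-rich-rule="rule family=$family source ipset=$name reject"
    done
    $FIREWALL_CMD --reload
}

# Add one address: runtime first so the block applies at once, then permanent
# so it survives --reload. A bad address returns 2 without touching firewalld.
blacklist_add() {
    fam=$(addr_family "$1") || { echo "blacklist_add: bad address '$1'" >&2; return 2; }
    name=blacklist
    [ "$fam" = 6 ] && name=blacklist6
    $FIREWALL_CMD --ipset="$name" --add-entry="$1" &&
        $FIREWALL_CMD --permanent --ipset="$name" --add-entry="$1"
}

# Usage: sh blacklist.sh init      (create sets and rules once)
#        sh blacklist.sh <address> (block one IPv4 or IPv6 address)
case "${1:-}" in
    "") ;;
    init) blacklist_init ;;
    *) blacklist_add "$1" ;;
esac
```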