1. Managing the firewalld service with systemctl
Start: systemctl start firewalld
Check status: systemctl status firewalld
Stop (until the next boot): systemctl stop firewalld
Disable (do not start at boot; pair it with stop to also switch it off now): systemctl disable firewalld
2. Configuring with firewall-cmd
Show version: firewall-cmd --version
Show help: firewall-cmd --help
Show state (running / not running): firewall-cmd --state
List all open ports in the public zone: firewall-cmd --zone=public --list-ports
Reload the rules (this is what activates changes made with --permanent): firewall-cmd --reload
Show the active zones and the interfaces bound to them: firewall-cmd --get-active-zones
Show which zone an interface belongs to: firewall-cmd --get-zone-of-interface=eth0
Drop every incoming and outgoing packet (panic mode; existing connections, including your SSH session, will expire, so use it from a console): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
Open the ftp service in the runtime configuration only: firewall-cmd --add-service=ftp
Open the ftp service permanently (saved to disk, active after --reload): firewall-cmd --add-service=ftp --permanent
Check whether a service is enabled: firewall-cmd --query-service=ftp
Open the mysql service (its definition is 3306/tcp): firewall-cmd --add-service=mysql
Remove the http service, which closes its port: firewall-cmd --remove-service=http
List enabled services: firewall-cmd --list-services
Open 3306/tcp directly by port number: firewall-cmd --add-port=3306/tcp
Close 3306/tcp: firewall-cmd --remove-port=3306/tcp
Open the mysql service permanently: firewall-cmd --add-service=mysql --permanent
Reload the firewall: firewall-cmd --reload
Check the firewall state: firewall-cmd --state
Open a port: firewall-cmd --zone=public --add-port=80/tcp --permanent (--permanent writes the saved configuration, which survives a reboot but only takes effect after firewall-cmd --reload; without --permanent the change is applied immediately but is lost on reload or reboot. To have both, run the command twice, once with and once without the flag.)
Query whether 80/tcp is open: firewall-cmd --zone=public --query-port=80/tcp
Close 80/tcp: firewall-cmd --zone=public --remove-port=80/tcp --permanent
Allow one IP to reach one port (rich rule): firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.1 port port=8080 protocol=tcp accept'
Remove that rule again (pass the same rule text; wrap it in single quotes so the shell leaves the inner double quotes alone):
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.0.1" port port="8080" protocol="tcp" accept'
3. firewalld and iptables: blocking a source address, forwarding ports
Block all traffic from one IP:
iptables -I INPUT -s 138.138.138.138 -j DROP
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="138.138.138.138" drop'
(On a host that runs firewalld, prefer the rich rule: a raw iptables rule is not saved anywhere, does not survive a reboot and, depending on the backend, may be flushed by the next firewall-cmd --reload. The --permanent rich rule needs a --reload to take effect, or run it a second time without --permanent.)
Port forwarding:
# Forward traffic arriving on port 80 to local port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# Forward traffic arriving on port 80 to port 80 on 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# Forward traffic arriving on port 80 to port 8080 on 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
# Forwarding to another host additionally needs kernel IP forwarding (net.ipv4.ip_forward=1) and masquerading on the zone (firewall-cmd --add-masquerade); without masquerading the target answers the client directly and the reply never passes back through this host. All three commands above are runtime-only; repeat them with --permanent (then --reload) to keep them.
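The rich-rule and port-forwarding commands above, put together as a small script. This is an added example and not part of the original notes: it validates the address and port before they are interpolated into rule text (so a typo or an attacker-supplied value cannot widen the rule), builds each rule string in one place so the identical text is used to add, query and remove it, applies every change to both the runtime and the permanent configuration, and turns on masquerading and kernel forwarding when the forward target is another host. It assumes firewalld is running, the script runs as root and the zone is "public"; ZONE, the function names and the sample addresses and ports are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original notes. Assumed: firewalld running, root,
# zone "public". ZONE and all function names are this example's own; the
# addresses and ports used below are constructed sample values.

set -eu

ZONE="${ZONE:-public}"

# Dotted-quad IPv4 check (four decimal octets, each 0-255). Anything else is
# rejected, so a typo or an attacker-supplied string never reaches firewall-cmd.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Port check: an integer in 1-65535.
valid_port() {
    case "$1" in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Protocols firewalld accepts in port and forward-port elements.
valid_proto() { case "$1" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac; }

# Rich rule text: accept/drop/reject traffic from one source address, optionally
# only to one port. One builder means the identical text is used for
# --add-rich-rule, --query-rich-rule and --remove-rich-rule.
rich_rule() {
    _action=$1; _src=$2; _port=${3:-}; _proto=${4:-tcp}
    case "$_action" in accept|drop|reject) ;; *) echo "bad action: $_action" >&2; return 1 ;; esac
    valid_ipv4 "$_src" || { echo "bad source address: $_src" >&2; return 1; }
    if [ -n "$_port" ]; then
        valid_port "$_port" || { echo "bad port: $_port" >&2; return 1; }
        valid_proto "$_proto" || { echo "bad protocol: $_proto" >&2; return 1; }
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' \
            "$_src" "$_port" "$_proto" "$_action"
    else
        printf 'rule family="ipv4" source address="%s" %s\n' "$_src" "$_action"
    fi
}

# Forward-port spec: port=80:proto=tcp[:toport=8080][:toaddr=192.168.0.1].
forward_spec() {
    _port=$1; _proto=$2; _toport=${3:-}; _toaddr=${4:-}
    valid_port "$_port" && valid_proto "$_proto" || return 1
    _spec="port=$_port:proto=$_proto"
    if [ -n "$_toport" ]; then
        valid_port "$_toport" || return 1
        _spec="$_spec:toport=$_toport"
    fi
    if [ -n "$_toaddr" ]; then
        valid_ipv4 "$_toaddr" || return 1
        _spec="$_spec:toaddr=$_toaddr"
    fi
    [ -n "$_toport$_toaddr" ] || return 1   # a forward with no target is a mistake
    printf '%s\n' "$_spec"
}

# Run one change against the runtime set AND the saved configuration.
# --permanent alone does nothing until the next --reload; the runtime form alone
# is gone after a reload or reboot. Doing both leaves no gap either way.
apply_both() {
    firewall-cmd --zone="$ZONE" "$@"
    firewall-cmd --zone="$ZONE" --permanent "$@"
}

allow_from()   { _r=$(rich_rule accept "$@") && apply_both --add-rich-rule="$_r"; }
revoke_from()  { _r=$(rich_rule accept "$@") && apply_both --remove-rich-rule="$_r"; }
block_source() { _r=$(rich_rule drop "$1")   && apply_both --add-rich-rule="$_r"; }

# Forward a port. When the target is another host, the kernel must route
# (net.ipv4.ip_forward=1; persist it under /etc/sysctl.d) and the zone must
# masquerade, or the target's replies never come back through this box.
forward_to() {
    _s=$(forward_spec "$@") || return 1
    case "$_s" in *toaddr=*)
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        apply_both --add-masquerade ;;
    esac
    apply_both --add-forward-port="$_s"
}

# Usage with constructed sample values:
#   allow_from 192.168.0.1 8080           # one client may reach tcp/8080
#   block_source 138.138.138.138          # drop everything from one host
#   forward_to 80 tcp 8080                # local :80 -> local :8080
#   forward_to 80 tcp 8080 192.168.0.1    # :80 -> 192.168.0.1:8080
#   revoke_from 192.168.0.1 8080
```

Source the file and call the functions. Each builder returns non-zero and prints no rule text when validation fails, so a malformed address such as `1.2.3.4" drop` is refused instead of being spliced into a rule that matches more than intended.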