How do I add inbound/outbound firewall rules from the command line?
On Windows you can add inbound and outbound rules directly in Windows Firewall with Advanced Security, and the wizard is convenient for a single rule, but when several ports or IP addresses have to be added it becomes tedious; the command line is quicker, and it can be scripted.
1. Windows
Using Windows Server 2008 as the example:
# Rule type: program
# program="C:\xxx.exe"
# Rule type: port
# protocol=TCP
# localport=1521
# Rule direction: inbound
# dir=in
# Action to take when a connection matches the conditions in the rule
# action=allow
# Profiles the rule applies to: domain, private, public, or any (several may be combined, e.g. profile=domain,private)
# profile=any
# Remote IP addresses in the rule's scope: addresses, CIDR ranges, or keywords such as LocalSubnet. Without remoteip the rule accepts every remote address, so set it whenever the peers are known.
# remoteip
# Example 1: program rule, limited to known remote addresses and to the private and domain profiles
netsh advfirewall firewall add rule name="Program inbound rule test" dir=in action=allow program="C:\xxx.exe" enable=yes remoteip=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xx/xx,LocalSubnet profile=private,domain
# Example 2: port rule, one remote address, domain profile only
netsh advfirewall firewall add rule name="Port inbound rule test" dir=in action=allow protocol=TCP localport=1234 enable=yes remoteip=xxx.xxx.xxx profile=domain
# Example 3: batch file that re-creates a multi-port, multi-address rule (netsh accepts comma-separated lists for localport and remoteip)
@echo off
REM Port list
set port_list=80,443,1521
REM Remote address list
set ip_list=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
REM Delete first. Rule names are not unique, so delete removes every rule with this name; dir=in leaves an outbound rule of the same name alone.
netsh advfirewall firewall delete rule name="Inbound rule - ports" dir=in
REM Then add. Stop on failure, otherwise the old rule is gone and the new one was never created.
netsh advfirewall firewall add rule name="Inbound rule - ports" dir=in action=allow protocol=TCP localport=%port_list% enable=yes profile=domain,private remoteip=%ip_list%
if errorlevel 1 (
    echo Failed to add rule
    exit /b 1
)
REM Show what was actually created
netsh advfirewall firewall show rule name="Inbound rule - ports"
Updating an existing rule (built-in rule names are localized; this is the English display name of the Remote Desktop rule):
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=XXX.XXX.XXX.XXX,LocalSubnet
Allowing a program:
# Old syntax (the netsh firewall context is deprecated; use netsh advfirewall firewall)
netsh firewall add allowedprogram C:\MyApp\MyApp.exe "My Application" ENABLE
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=Domain
netsh firewall add allowedprogram program=C:\MyApp\MyApp.exe name="My Application" mode=ENABLE scope=CUSTOM addresses=157.60.0.1,172.16.0.0/16,LocalSubnet profile=ALL
# New syntax, equivalents of the three commands above in the same order. The first has no remoteip and therefore accepts any remote address.
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
# The old profile=ALL (domain plus standard) becomes one rule per profile: the domain rule above plus this private one
netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
2. Linux
Using CentOS 7 as the example:
A rich rule takes a single source address, so adding a list of addresses from the command line means one --add-rich-rule call per address (a shell loop does this); the alternative is to edit the zone file directly.
Rules can be batch-added by editing /etc/firewalld/zones/public.xml and then running firewall-cmd --reload so that firewalld picks the file up.
For example:
<rule family="ipv4">
<source address="10.72.143.252"/>
<port protocol="tcp" port="10250-10258"/>
<accept/>
</rule>
Additional firewall-cmd commands (--permanent writes the zone file; the rule only becomes active after firewall-cmd --reload):
firewall-cmd --list-all
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=6379 protocol=tcp accept' --permanent
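Adding several source addresses from the command line, as discussed above, comes down to one rich rule per address. The script below is an added example and not part of the original article: it validates a comma-separated list of IPv4 addresses before touching anything, adds one permanent rich rule per address for a single TCP port, reloads, and lists the active rich rules. The zone, port and address list are assumed values, and DRY_RUN=1 prints the firewall-cmd calls instead of executing them, which is also how to preview it on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not from the original article): allow one TCP port for a
# list of source addresses with firewalld, one rich rule per address, as a
# permanent change followed by a reload. ZONE, PORT and SOURCES are assumed
# values; DRY_RUN=1 prints the commands instead of executing them.

ZONE="${ZONE:-public}"
PORT="${PORT:-10250}"
PROTO="${PROTO:-tcp}"
# Comma-separated IPv4 addresses, optionally with a /prefix.
SOURCES="${SOURCES:-10.72.143.252,192.168.1.10,192.168.5.0/24}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad with an optional /0-32 prefix. Validating the whole
# list first avoids a firewalld parse error half-way through the loop that
# would leave the allowlist partially applied.
valid_ipv4() {
    addr="${1%/*}"
    mask="${1#"$addr"}"          # "" or "/nn"
    case "$mask" in
        "") ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the rich rule for one source address.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

apply_allowlist() {
    src_list=$(printf '%s' "$SOURCES" | tr ',' ' ')
    for src in $src_list; do
        valid_ipv4 "$src" || { echo "invalid source address: $src" >&2; return 1; }
    done
    for src in $src_list; do
        run firewall-cmd --permanent --zone="$ZONE" \
            --add-rich-rule="$(rich_rule "$src" "$PORT" "$PROTO")"
    done
    # Permanent rules are not live until a reload; the reload also discards
    # anything that was added at runtime without --permanent.
    run firewall-cmd --reload
    # Verify against the active configuration, not the file that was written.
    run firewall-cmd --zone="$ZONE" --list-rich-rules
}

case "${1:-}" in
    apply) apply_allowlist ;;
esac
```

Preview with `DRY_RUN=1 sh fw-allowlist.sh apply`, then run it as root without DRY_RUN. Newer firewalld releases can also keep the list in an ipset (`firewall-cmd --permanent --new-ipset=NAME --type=hash:ip`, then `--ipset=NAME --add-entry=ADDR`, referenced from a rich rule as `source ipset="NAME"`), which leaves one rule in the zone however long the list grows.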
Additional script-based approach, with iptables:
# "iptables: Saving firewall rules to /etc/sysconfig/iptables" is the message service iptables save prints on success
# List the rules with their position in the chain
iptables -L -n --line-numbers
# -I inserts at the top of the chain (so a later -I lands above an earlier one), -A appends at the bottom. Rules are matched top to bottom and the first match wins, so run the DROP first and the source-specific ACCEPTs afterwards; in the other order the DROP shadows them.
# Block the port
iptables -I INPUT -p tcp --dport 1521 -j DROP
# Single IP
iptables -I INPUT -s 192.168.10.0 -p tcp --dport 1521 -j ACCEPT
# Several IPs (iptables expands a comma-separated -s list into one rule per address, so -D has to list them the same way)
iptables -I INPUT -s 192.168.10.49,192.168.10.33 -p tcp --dport 54321 -j ACCEPT
# Network with mask
iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 1521 -j ACCEPT
# Address range
iptables -I INPUT -m iprange --src-range 192.168.10.0-192.168.10.255 -p tcp --dport 1521 -j ACCEPT
# Specific interface
iptables -I INPUT -s 192.168.10.0 -p tcp -i eno1 --dport 1521 -j ACCEPT
# Specific destination IP
iptables -I INPUT -s 192.168.10.0 -p tcp -d 192.168.10.1 --dport 1521 -j ACCEPT
# Port range (0:65535 is every TCP port, so this opens the whole host to that source)
iptables -I INPUT -s 192.168.10.0 -p tcp --dport 0:65535 -j ACCEPT
# Save the rules so that they survive a reboot (otherwise they are lost when the server restarts)
iptables-save > /etc/sysconfig/iptables
service iptables save
# Old way: service iptables restart
# /etc/init.d/iptables restart
systemctl restart iptables.service
# If you get "The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl", the iptables service unit is not installed
# Install iptables-services, then run service iptables save again. On CentOS 7 it conflicts with firewalld: stop and mask firewalld (systemctl stop firewalld; systemctl mask firewalld) before enabling iptables.service, otherwise both try to manage the same ruleset.
yum install iptables-services
# Start iptables at boot
# Old way: chkconfig iptables on
# New way
systemctl enable iptables.service
systemctl is-enabled iptables.service
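The rules above are typed one at a time with -I, which works once, but re-running the same script inserts a second copy of every rule, and the order in which the ACCEPT and DROP lines are run decides what INPUT does. The added example below (not from the original article) puts the allowlist for one port in its own chain, which is flushed and rebuilt on every run, and hooks that chain into INPUT only once by testing for the jump rule with -C first. The chain name, port and source list are assumptions; IPT=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original article): restrict a TCP port to an
# allowlist of sources with iptables, using a dedicated chain so the script can
# be re-run without stacking duplicate rules in INPUT, which is what repeated
# "iptables -I INPUT ..." commands do. Chain name, port and addresses are
# assumed values; IPT=echo prints the commands instead of executing them.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-ORACLE_ALLOW}"
PORT="${PORT:-1521}"
# Space-separated; plain addresses, networks with mask, or both.
SOURCES="${SOURCES:-192.168.10.49 192.168.10.33 10.0.5.0/24}"

build_rules() {
    # Create the chain (fails harmlessly if it already exists), then empty it so
    # that every run starts from a clean list.
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # One ACCEPT per allowed source, matched in order inside the chain.
    for src in $SOURCES; do
        $IPT -A "$CHAIN" -s "$src" -p tcp --dport "$PORT" -j ACCEPT
    done
    # Everything else to this port is logged, then dropped. Appending the DROP
    # last inside the chain is what makes the result independent of -I vs -A.
    $IPT -A "$CHAIN" -p tcp --dport "$PORT" -j LOG --log-prefix "$CHAIN drop: "
    $IPT -A "$CHAIN" -p tcp --dport "$PORT" -j DROP
    # Hook the chain into INPUT exactly once: -C only tests whether the jump
    # rule exists (iptables 1.4.11 and later), so -I runs on the first
    # invocation and never again.
    $IPT -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null \
        || $IPT -I INPUT -p tcp --dport "$PORT" -j "$CHAIN"
}

# Show the chain with packet counters and positions.
show_rules() {
    $IPT -L "$CHAIN" -n -v --line-numbers
}

case "${1:-}" in
    apply) build_rules && show_rules ;;
esac
```

After `sh oracle-allow.sh apply` as root, persist the result with `service iptables save` as described above. The LOG rule ahead of the DROP makes blocked attempts visible in the kernel log with the prefix `ORACLE_ALLOW drop:`, which is the part of a firewall change that usually goes unwatched.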
# First check the firewall state
firewall-cmd --state
# or
systemctl status firewalld
# If it is not installed
yum install firewalld
# If it is not running, start it first
systemctl start firewalld
# Query whether a port is open (runtime configuration of the default zone)
firewall-cmd --query-port=5005/tcp
# Open a port
# Runtime only (active at once, gone after a reload or reboot):
firewall-cmd --zone=public --add-port=80/tcp
# Permanent (written to the zone file, but not active until firewall-cmd --reload):
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=10250/tcp
# Open a port for one specific source address (single quotes outside so that the double quotes reach firewalld intact)
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" port protocol="tcp" port="3443" accept'
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp accept' --permanent
# Example 2 (rich rule, default zone)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" port protocol="tcp" port="3306" accept'
# Example 3 (drop rule; firewalld evaluates drop/reject rich rules before accept rules in the same zone, so this source is blocked even if an accept rule also matches it)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" port protocol="tcp" port="3306" drop'
# Close an open port (without --permanent this only changes the runtime; a permanently added port comes back on the next reload)
firewall-cmd --zone=public --remove-port=3306/tcp
# Reload the rules (activates permanent changes and discards runtime-only ones)
firewall-cmd --reload
# Restart the firewall
service firewalld restart
# List the open ports and all configured rules
firewall-cmd --list-all
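The runtime/permanent split in the commands above is where most firewalld surprises come from: a port added without --permanent disappears on reload, and a --permanent rule is not enforced until one. The added example below (not from the original article) lists a zone both ways and reports every entry present on only one side, with the consequence of leaving it there. FWCMD and ZONE are assumed names; pointing FWCMD at a stub function is how to try it without firewalld.

```shell
#!/bin/sh
# Added example (not from the original article): compare firewalld's runtime
# and permanent configuration for one zone and report entries present in only
# one of them. A mismatch means either a --permanent change that has not been
# reloaded yet, or a runtime-only change that the next reload or reboot will
# silently discard. FWCMD and ZONE are assumed names; FWCMD may name a stub
# function when firewalld is not available.

FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Print the entries of one listing as sorted lines.
#   $1: "" for the runtime configuration or "--permanent" (left unquoted so
#       that an empty value contributes no argument)
#   $2: --list-ports, --list-services, --list-sources or --list-rich-rules
# The first three print everything space-separated on one line, rich rules
# come one per line; both forms are normalised to one entry per line.
list_entries() {
    case "$2" in
        --list-rich-rules) $FWCMD $1 --zone="$ZONE" "$2" | sed '/^$/d' | sort ;;
        *) $FWCMD $1 --zone="$ZONE" "$2" | tr ' ' '\n' | sed '/^$/d' | sort ;;
    esac
}

# Returns 0 when runtime and permanent agree for the given listing, 1 otherwise,
# printing each stray entry together with what happens if it is left as it is.
check_drift() {
    opt="$1"
    rt=$(list_entries "" "$opt")
    pm=$(list_entries --permanent "$opt")
    [ "$rt" = "$pm" ] && return 0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$pm" | grep -qxF -- "$entry" \
            || echo "runtime only, lost on reload ($opt): $entry"
    done <<EOF
$rt
EOF
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "$rt" | grep -qxF -- "$entry" \
            || echo "permanent only, needs --reload ($opt): $entry"
    done <<EOF
$pm
EOF
    return 1
}

case "${1:-}" in
    check)
        status=0
        for opt in --list-ports --list-services --list-sources --list-rich-rules; do
            check_drift "$opt" || status=1
        done
        exit "$status"
        ;;
esac
```

Run `sh fw-drift.sh check` after any change. `firewall-cmd --runtime-to-permanent` saves runtime-only entries that should stay, and `firewall-cmd --reload` activates the permanent ones; either way the check should then come back clean.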
Note that on some systems services are no longer managed with service but with systemctl:
# Check whether the firewalld service is running
systemctl status firewalld
systemctl status firewalld.service
# Start the firewalld service
systemctl start firewalld
# Restart the firewalld service
systemctl restart firewalld
# Start firewalld at boot
systemctl enable firewalld