1. firewalld 启动命令
  • 启动firewalld.

    1
    systemctl start firewalld
    2
    systemctl enable firewalld #加入到开机启动
  • 查看状态

    1
    systemctl status firewalld
    2
    firewall-cmd --state
  • 关闭firewalld

    1
    systemctl stop firewalld
2.firewalld 基础操作

service 说明

在 /usr/lib/firewalld/services/ 目录中,还保存了另外一类配置文件,每个文件对应一项具体的网络服务,如 ssh 服务等.
与之对应的配置文件中记录了各项服务所使用的 tcp/udp 端口,在最新版本的 firewalld 中默认已经定义了 70+ 种服务供我们使用.
当默认提供的服务不够用或者需要自定义某项服务的端口时,我们需要将 service 配置文件放置在 /etc/firewalld/services/ 目录中.
service 配置的好处显而易见:
第一,通过服务名字来管理规则更加人性化,
第二,通过服务来组织端口分组的模式更加高效,如果一个服务使用了若干个网络端口,则服务的配置文件就相当于提供了到这些端口的规则管理的批量操作快捷方式。

每向区域中添加一项 service 就意味着开放了该服务对应的端口访问

  • 查看/usr/lib/firewalld/services/

    1
    [root@localhost ~]# ls /usr/lib/firewalld/services/
    2
    amanda-client.xml        high-availability.xml  nrpe.xml                  sips.xml
    3
    amanda-k5-client.xml     https.xml              ntp.xml                   sip.xml
    4
    bacula-client.xml        http.xml               openvpn.xml               smtp-submission.xml
    5
    bacula.xml               imaps.xml              ovirt-imageio.xml         smtps.xml
    6
    bitcoin-rpc.xml          imap.xml               ovirt-storageconsole.xml  smtp.xml
    7
    bitcoin-testnet-rpc.xml  ipp-client.xml         ovirt-vmconsole.xml       snmptrap.xml
    8
    bitcoin-testnet.xml      ipp.xml                pmcd.xml                  snmp.xml
    9
    bitcoin.xml              ipsec.xml              pmproxy.xml               spideroak-lansync.xml
    10
    ceph-mon.xml             iscsi-target.xml       pmwebapis.xml             squid.xml
    11
    ceph.xml                 kadmin.xml             pmwebapi.xml              ssh.xml
    12
    cfengine.xml             kerberos.xml           pop3s.xml                 synergy.xml
    13
    condor-collector.xml     kibana.xml             pop3.xml                  syslog-tls.xml
    14
    ctdb.xml                 klogin.xml             postgresql.xml            syslog.xml
    15
    dhcpv6-client.xml        kpasswd.xml            privoxy.xml               telnet.xml
    16
    dhcpv6.xml               kshell.xml             proxy-dhcp.xml            tftp-client.xml
    17
    dhcp.xml                 ldaps.xml              ptp.xml                   tftp.xml
    18
    dns.xml                  ldap.xml               pulseaudio.xml            tinc.xml
    19
    docker-registry.xml      libvirt-tls.xml        puppetmaster.xml          tor-socks.xml
    20
    dropbox-lansync.xml      libvirt.xml            quassel.xml               transmission-client.xml
    21
    elasticsearch.xml        managesieve.xml        radius.xml                vdsm.xml
    22
    freeipa-ldaps.xml        mdns.xml               RH-Satellite-6.xml        vnc-server.xml
    23
    freeipa-ldap.xml         mosh.xml               rpc-bind.xml              wbem-https.xml
    24
    freeipa-replication.xml  mountd.xml             rsh.xml                   xmpp-bosh.xml
    25
    freeipa-trust.xml        mssql.xml              rsyncd.xml                xmpp-client.xml
    26
    ftp.xml                  ms-wbt.xml             samba-client.xml          xmpp-local.xml
    27
    ganglia-client.xml       mysql.xml              samba.xml                 xmpp-server.xml
    28
    ganglia-master.xml       nfs.xml                sane.xml
  • 查看系统自带默认可配置service

    1
    [root@localhost ~]# firewall-cmd --get-services
    2
    RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntpopenvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnettftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
  • 查看当前系统已经开放的service和port

    1
    [root@localhost ~]# firewall-cmd --list-services
    2
    ssh dhcpv6-client
    1
    [root@localhost ~]# firewall-cmd --zone=public --list-services
    2
    ssh dhcpv6-client
    3
    指定区域进行查看
    1
    [root@localhost ~]# firewall-cmd --list-ports
    2
    3
    [root@localhost ~]# firewall-cmd --zone=public --list-ports
    4
    5
    [root@localhost ~]#
  • 查看所有已经开放的service和port

    1
    [root@localhost ~]# firewall-cmd --list-all
    2
    public
    3
      target: default
    4
      icmp-block-inversion: no
    5
      interfaces:
    6
      sources:
    7
      services: ssh dhcpv6-client
    8
      ports:
    9
      protocols:
    10
      masquerade: no
    11
      forward-ports:
    12
      source-ports:
    13
      icmp-blocks:
    14
      rich rules:
    15
    16
    [root@localhost ~]# firewall-cmd --zone=public --list-all 查看指定区域
    17
    public
    18
      target: default
    19
      icmp-block-inversion: no
    20
      interfaces:
    21
      sources:
    22
      services: ssh dhcpv6-client
    23
      ports:
    24
      protocols:
    25
      masquerade: no
    26
      forward-ports:
    27
      source-ports:
    28
      icmp-blocks:
    29
      rich rules:
    30
    31
    [root@localhost ~]# firewall-cmd --list-all-zones 查看所有区域
    32
    block 
    33
      target: %%REJECT%%
    34
      icmp-block-inversion: no
    35
      interfaces:
    36
      sources:
    37
      services:
    38
      ports:
    39
      protocols:
    40
      masquerade: no
    41
      forward-ports:
    42
      source-ports:
    43
      icmp-blocks:
    44
      rich rules:
    45
    46
    47
    dmz
    48
      target: default
    49
      icmp-block-inversion: no
    50
      interfaces:
    51
      sources:
    52
      services: ssh
    53
      ports:
    54
      protocols:
    55
      masquerade: no
    56
      forward-ports:
    57
      source-ports:
    58
      icmp-blocks:
    59
      rich rules:
    60
    61
    62
    drop
    63
      target: DROP
    64
      icmp-block-inversion: no
    65
      interfaces:
    66
      sources:
    67
      services:
    68
      ports:
    69
      protocols:
    70
      masquerade: no
    71
      forward-ports:
    72
      source-ports:
    73
      icmp-blocks:
    74
      rich rules:
    75
    76
    77
    external
    78
      target: default
    79
      icmp-block-inversion: no
    80
      interfaces:
    81
      sources:
    82
      services: ssh
    83
      ports:
    84
      protocols:
    85
      masquerade: yes
    86
      forward-ports:
    87
      source-ports:
    88
      icmp-blocks:
    89
      rich rules:
    90
    91
    92
    home
    93
      target: default
    94
      icmp-block-inversion: no
    95
      interfaces:
    96
      sources:
    97
      services: ssh mdns samba-client dhcpv6-client
    98
      ports:
    99
      protocols:
    100
      masquerade: no
    101
      forward-ports:
    102
      source-ports:
    103
      icmp-blocks:
    104
      rich rules:
    105
    106
    107
    internal
    108
      target: default
    109
      icmp-block-inversion: no
    110
      interfaces:
    111
      sources:
    112
      services: ssh mdns samba-client dhcpv6-client
    113
      ports:
    114
      protocols:
    115
      masquerade: no
    116
      forward-ports:
    117
      source-ports:
    118
      icmp-blocks:
    119
      rich rules:
    120
    121
    122
    public
    123
      target: default
    124
      icmp-block-inversion: no
    125
      interfaces:
    126
      sources:
    127
      services: ssh dhcpv6-client
    128
      ports:
    129
      protocols:
    130
      masquerade: no
    131
      forward-ports:
    132
      source-ports:
    133
      icmp-blocks:
    134
      rich rules:
    135
    136
    137
    trusted
    138
      target: ACCEPT
    139
      icmp-block-inversion: no
    140
      interfaces:
    141
      sources:
    142
      services:
    143
      ports:
    144
      protocols:
    145
      masquerade: no
    146
      forward-ports:
    147
      source-ports:
    148
      icmp-blocks:
    149
      rich rules:
    150
    151
    152
    work
    153
      target: default
    154
      icmp-block-inversion: no
    155
      interfaces:
    156
      sources:
    157
      services: ssh dhcpv6-client
    158
      ports:
    159
      protocols:
    160
      masquerade: no
    161
      forward-ports:
    162
      source-ports:
    163
      icmp-blocks:
    164
      rich rules:
  • 查看单个服务启动状态

    1
    [root@localhost ~]# firewall-cmd --query-service http
    2
    no
3. firewalld 规则配置
  • 在默认区域(public)中动态添加一条防火墙规则, 比如开放服务或端口(此方法立刻生效, 但没有永久保存在配置文件中, 重启 firewalld 服务或 reload 后即失效)

    以开放8000 http服务为例:

    1
    [root@localhost ~]# firewall-cmd --add-port=8000/tcp # 默认添加到public zone 等价于 firewall-cmd --zone=public --add-port=8000/tcp
    2
    success
    3
    [root@localhost ~]# firewall-cmd --zone=public --list-port
    4
    8000/tcp
    5
    6
    [root@localhost ~]# firewall-cmd --add-service=http
    7
    success
    8
    [root@localhost ~]# firewall-cmd --zone=public --list-port
    9
    8000/tcp
    10
    [root@localhost ~]# firewall-cmd --zone=public --list-service
    11
    ssh dhcpv6-client http
    12
    13
    [root@localhost ~]# cat !$
    14
    cat /usr/lib/firewalld/zones/public.xml
    15
    <?xml version="1.0" encoding="utf-8"?>
    16
    <zone>
    17
      <short>Public</short>
    18
      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
    19
      <service name="ssh"/>
    20
      <service name="dhcpv6-client"/>
    21
    </zone>
    22
    可以看到, 此时规则并没有写入该文件: 它是软件包自带的默认区域配置, 命令行(不带 --permanent)添加的规则不会影响它; 与 service 配置类似, 需要长期保留的 zone 配置应放在 /etc/firewalld/ 下的对应目录, 如需修改, 修改前需备份
    23
    24
    25
    注意:
    26
    	http 服务默认开放 80 端口; 如需修改端口, 应先将该 xml 文件复制到 /etc/firewalld/services/ 再修改, 而不要直接改动 /usr/lib 下的默认文件
    27
    [root@localhost ~]# cat /usr/lib/firewalld/services/http.xml
    28
    <?xml version="1.0" encoding="utf-8"?>
    29
    <service>
    30
      <short>WWW (HTTP)</short>
    31
      <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
    32
      <port protocol="tcp" port="80"/> 修改端口在此处
    33
    </service>
  • 动态添加防火墙规则时需要加上 --permanent 参数才能将规则保存至 zone 配置中(保存后需 reload 才生效)

    1
    [root@localhost ~]# firewall-cmd --zone=public --add-port=8000/tcp --permanent
    2
    success
    3
    4
    [root@localhost ~]# firewall-cmd --list-ports
    5
    6
    # 没有reload 所以无法查询到
    7
    8
    [root@localhost ~]# firewall-cmd --reload
    9
    success
    10
    11
    [root@localhost ~]# firewall-cmd --list-ports
    12
    8000/tcp
  • 动态移除和永久移除规则

    1
    [root@localhost ~]# firewall-cmd --list-services
    2
    ssh dhcpv6-client http
    3
    [root@localhost ~]# firewall-cmd --remove-service=http
    4
    success
    5
    [root@localhost ~]# firewall-cmd --list-services
    6
    ssh dhcpv6-client
    7
    # 移除直接生效
    8
    9
    [root@localhost ~]# firewall-cmd --reload
    10
    success
    11
    [root@localhost ~]# firewall-cmd --list-services
    12
    ssh dhcpv6-client http
    13
    14
    [root@localhost ~]# firewall-cmd --remove-service=http --permanent 永久移除
    15
    success
    16
    [root@localhost ~]# firewall-cmd --list-services
    17
    ssh dhcpv6-client http
    18
    [root@localhost ~]# firewall-cmd --reload
    19
    success
    20
    [root@localhost ~]# firewall-cmd --list-services
    21
    ssh dhcpv6-client
  • firewalld重载

    一般来说,手动修改zone配置后需要进行重载方可生效

    1
    [root@localhost ~]# firewall-cmd --reload
    2
    success
    3
    重新加载防火墙,并不中断用户连接,即不丢失状态信息

    当防火墙出现严重问题时,可使用如下命令

    1
    [root@localhost ~]# firewall-cmd --complete-reload
    2
    success
    3
    比如,防火墙规则是正确的,但却出现状态信息问题和无法建立连接, 可以使用该命令
    4
    这条命令会重置连接, 非特殊情况不可使用
  • 端口转发

    • 将同一台服务器上80端口的流量转发至本机8000
    1
    [root@localhost ~]# firewall-cmd --list-ports
    2
    8000/tcp
    3
    [root@localhost ~]# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8000
    4
    success
    5
    6
    [root@localhost ~]# python -m SimpleHTTPServer
    7
    Serving HTTP on 0.0.0.0 port 8000 ...

    访问本机80端口


    1
    [root@localhost ~]# python -m SimpleHTTPServer
    2
    Serving HTTP on 0.0.0.0 port 8000 ...
    3
    192.168.75.1 - - [11/Jul/2019 09:41:44] "GET / HTTP/1.1" 200 -
    4
    192.168.75.1 - - [11/Jul/2019 09:41:44] "GET / HTTP/1.1" 200 -
    5
    6
    [root@localhost ~]# firewall-cmd --list-all
    7
    public
    8
      target: default
    9
      icmp-block-inversion: no
    10
      interfaces:
    11
      sources:
    12
      services: ssh dhcpv6-client http
    13
      ports: 8000/tcp
    14
      protocols:
    15
      masquerade: no
    16
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=
    17
      source-ports:
    18
      icmp-blocks:
    19
      rich rules:
  • 如果要将端口转发到另一台服务器上, 需先在相应区域中开启 masquerade

    1
    [root@localhost ~]# firewall-cmd --zone=public --add-masquerade
    2
    success

    添加转发规则

    例子:将本地的80端口的流量转发到ip地址为192.168.75.138的8000端口上

    1
    [root@localhost ~]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    2
    success
    3
    [root@localhost ~]# firewall-cmd --list-all
    4
    public
    5
      target: default
    6
      icmp-block-inversion: no
    7
      interfaces:
    8
      sources:
    9
      services: ssh dhcpv6-client
    10
      ports: 8000/tcp
    11
      protocols:
    12
      masquerade: yes
    13
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    14
      source-ports:
    15
      icmp-blocks:
    16
      rich rules:


  • 伪装IP

    1
    [root@localhost ~]# firewall-cmd --query-masquerade # 检查是否允许伪装ip
    2
    yes
    3
    4
    5
    [root@localhost ~]# firewall-cmd --add-masquerade --zone=public # 允许伪装
    6
    Warning: ALREADY_ENABLED: masquerade already enabled in 'public'
    7
    success
    8
    9
    [root@localhost ~]# firewall-cmd --remove-masquerade --zone=public # 禁止防火墙伪装IP
    10
    success
4. firewalld zone

“区域”是针对给定位置或场景(例如家庭、公共、受信任等)可能具有的各种信任级别的预构建规则集。不同的区域允许不同的网络服务和入站流量类型,而拒绝其他任何流量。 首次启用 FirewallD 后,public 将是默认区域。

区域也可以用于不同的网络接口。例如,要分离内部网络和互联网的接口,你可以在 internal 区域上允许 DHCP,但在external 区域仅允许 HTTP 和 SSH。未明确设置为特定区域的任何接口将添加到默认区域。

  • 查看所有区域中的配置

    1
    [root@localhost ~]# firewall-cmd --list-all-zones
    2
    block
    3
      target: %%REJECT%%
    4
      icmp-block-inversion: no
    5
      interfaces:
    6
      sources:
    7
      services:
    8
      ports:
    9
      protocols:
    10
      masquerade: no
    11
      forward-ports:
    12
      source-ports:
    13
      icmp-blocks:
    14
      rich rules:
    15
    16
    17
    dmz
    18
      target: default
    19
      icmp-block-inversion: no
    20
      interfaces:
    21
      sources:
    22
      services: ssh
    23
      ports:
    24
      protocols:
    25
      masquerade: no
    26
      forward-ports:
    27
      source-ports:
    28
      icmp-blocks:
    29
      rich rules:
    30
    31
    32
    drop
    33
      target: DROP
    34
      icmp-block-inversion: no
    35
      interfaces:
    36
      sources:
    37
      services:
    38
      ports:
    39
      protocols:
    40
      masquerade: no
    41
      forward-ports:
    42
      source-ports:
    43
      icmp-blocks:
    44
      rich rules:
    45
    46
    47
    external
    48
      target: default
    49
      icmp-block-inversion: no
    50
      interfaces:
    51
      sources:
    52
      services: ssh
    53
      ports:
    54
      protocols:
    55
      masquerade: yes
    56
      forward-ports:
    57
      source-ports:
    58
      icmp-blocks:
    59
      rich rules:
    60
    61
    62
    home
    63
      target: default
    64
      icmp-block-inversion: no
    65
      interfaces:
    66
      sources:
    67
      services: ssh mdns samba-client dhcpv6-client
    68
      ports:
    69
      protocols:
    70
      masquerade: no
    71
      forward-ports:
    72
      source-ports:
    73
      icmp-blocks:
    74
      rich rules:
    75
    76
    77
    internal
    78
      target: default
    79
      icmp-block-inversion: no
    80
      interfaces:
    81
      sources:
    82
      services: ssh mdns samba-client dhcpv6-client
    83
      ports:
    84
      protocols:
    85
      masquerade: no
    86
      forward-ports:
    87
      source-ports:
    88
      icmp-blocks:
    89
      rich rules:
    90
    91
    92
    public
    93
      target: default
    94
      icmp-block-inversion: no
    95
      interfaces:
    96
      sources:
    97
      services: ssh dhcpv6-client
    98
      ports: 8000/tcp
    99
      protocols:
    100
      masquerade: no
    101
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    102
      source-ports:
    103
      icmp-blocks:
    104
      rich rules:
    105
    106
    107
    trusted
    108
      target: ACCEPT
    109
      icmp-block-inversion: no
    110
      interfaces:
    111
      sources:
    112
      services:
    113
      ports:
    114
      protocols:
    115
      masquerade: no
    116
      forward-ports:
    117
      source-ports:
    118
      icmp-blocks:
    119
      rich rules:
    120
    121
    122
    work
    123
      target: default
    124
      icmp-block-inversion: no
    125
      interfaces:
    126
      sources:
    127
      services: ssh dhcpv6-client
    128
      ports:
    129
      protocols:
    130
      masquerade: no
    131
      forward-ports:
    132
      source-ports:
    133
      icmp-blocks:
    134
      rich rules:
  • 查看当前系统中默认使用哪个区域

    1
    [root@localhost ~]# firewall-cmd  --get-default-zone
    2
    public
  • 信任级别

    1
    drop: 丢弃所有进入的包,而不给出任何响应 
    2
    block: 拒绝所有外部发起的连接,允许内部发起的连接 
    3
    public: 允许指定的进入连接 
    4
    external: 同上,对伪装的进入连接,一般用于路由转发 
    5
    dmz: 允许受限制的进入连接 
    6
    work: 允许受信任的计算机被限制的进入连接,类似 workgroup 
    7
    home: 同上,类似 homegroup 
    8
    internal: 同上,范围针对所有互联网用户 
    9
    trusted: 信任所有连接
  • 查看当前系统中处于活动状态的区域(已绑定网络接口或来源地址的区域)

    1
    [root@localhost ~]# firewall-cmd --get-active-zones
  • 修改默认区域, 修改后即时生效,而且reload、重启后也是生效的。

    1
    [root@localhost ~]# firewall-cmd --set-default-zone=public
    2
    Warning: ZONE_ALREADY_SET: public
    3
    success
  • 获取指定区域的所有配置

    1
    [root@localhost ~]# firewall-cmd --zone=public --list-all
    2
    public
    3
      target: default
    4
      icmp-block-inversion: no
    5
      interfaces:
    6
      sources:
    7
      services: ssh dhcpv6-client
    8
      ports: 8000/tcp
    9
      protocols:
    10
      masquerade: no
    11
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    12
      source-ports:
    13
      icmp-blocks:
    14
      rich rules:
  • 如果有多个网络接口, 可以通过此方法将指定接口绑定到某个区域

    1
    [root@localhost ~]# firewall-cmd --zone=public --change-interface=ens33
    2
    success
  • 危险命令:[立即生效]

    1
    在远程机器上执行下面的 panic 命令会立刻拒绝所有数据包(包括当前的 SSH 会话), 从而断开网络连接, 切记不能随意执行; 只有通过虚拟机控制台或物理机本地登录时才可执行来调试。
    2
    3
    拒绝所有包:firewall-cmd --panic-on 
    4
    取消拒绝状态: firewall-cmd --panic-off 
    5
    查看是否拒绝: firewall-cmd --query-panic
5.禁用访问规则配置
  • 添加禁止响应ping

    1
    [root@localhost ~]# firewall-cmd --add-rich-rule='rule protocol value=icmp drop'
    2
    success
    3
    4
    [root@localhost ~]# ping 192.168.75.142
    5
    PING 192.168.75.142 (192.168.75.142) 56(84) bytes of data.
  • 查看是否有此规则

    1
    [root@localhost ~]# firewall-cmd --query-rich-rule='rule protocol value='icmp' drop'
    2
    yes
    3
    4
    [root@localhost ~]# firewall-cmd --list-all
    5
    public (active)
    6
      target: default
    7
      icmp-block-inversion: no
    8
      interfaces: ens33
    9
      sources:
    10
      services: ssh dhcpv6-client
    11
      ports: 8000/tcp
    12
      protocols:
    13
      masquerade: no
    14
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    15
      source-ports:
    16
      icmp-blocks:
    17
      rich rules:
    18
    	rule protocol value="icmp" drop
  • 删除规则

    1
    [root@localhost ~]# firewall-cmd --remove-rich-rule='rule protocol value=icmp drop'
    2
    success
    3
    4
    [root@localhost ~]# firewall-cmd --list-all
    5
    public (active)
    6
      target: default
    7
      icmp-block-inversion: no
    8
      interfaces: ens33
    9
      sources:
    10
      services: ssh dhcpv6-client
    11
      ports: 8000/tcp
    12
      protocols:
    13
      masquerade: no
    14
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    15
      source-ports:
    16
      icmp-blocks:
    17
      rich rules:
  • 添加拒绝某个ip访问ssh端口

    1
    [root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.75.138 service name='ssh' reject'
    2
    success
    3
    4
    [root@localhost ~]# ssh 192.168.75.142
    5
    ssh: connect to host 192.168.75.142 port 22: Connection refused

    或者对端口进行操作

    1
    [root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.75.138 port port=22 protocol=tcp reject'
    2
    success
    3
    [root@localhost ~]# firewall-cmd --list-all
    4
    public (active)
    5
      target: default
    6
      icmp-block-inversion: no
    7
      interfaces: ens33
    8
      sources:
    9
      services: ssh dhcpv6-client
    10
      ports: 8000/tcp
    11
      protocols:
    12
      masquerade: no
    13
      forward-ports: port=80:proto=tcp:toport=8000:toaddr=192.168.75.138
    14
      source-ports:
    15
      icmp-blocks:
    16
      rich rules:
    17
    	rule family="ipv4" source address="192.168.75.138" port port="22" protocol="tcp" reject
  • 说明

    1
    说明:
    2
        rule :规则
    3
        family:ipv4  指定ipv4的地址
    4
        source address=10.0.10.1  要匹配的来源 IP, 可以是单个 IP 或 IP 段
    5
        service name='ssh'指定的是ssh服务 
    6
        reject / drop :此条规则的动作, reject 为拒绝(上面示例使用的是 reject), drop 为直接丢弃
    7
        如果要放行直接修改后面的reject为accept即可
  • 只允许来自某个 ip 访问 ssh(在远程机器上操作时应先添加 accept 规则, 再移除 ssh 服务, 以免断开当前连接)

    1
    [root@localhost ~]# firewall-cmd --remove-service=ssh
    2
    Warning: NOT_ENABLED: 'ssh' not in 'public'
    3
    success
    4
    5
    [root@localhost ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.75.138 service name='ssh' accept'
    6
    success
    7
    8
    [root@localhost ~]# ssh 192.168.75.142
    9
    Last login: Thu Jul 11 10:44:47 2019 from 192.168.75.138
  • 对指定的 ip 开放指定的端口段(带 --permanent 的规则需 reload 后才生效)

    1
    [root@localhost ~]#  firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.75.138" port protocol="tcp" port="30000-31000" accept"