1. Common commands

# Check the firewall status
systemctl status firewalld
# Stop the firewall
systemctl stop firewalld
# Start the firewall
systemctl start firewalld
# Disable the firewall at boot
systemctl disable firewalld
# Enable the firewall at boot
systemctl enable firewalld

Managing the firewall with the firewall-cmd command

# Check the firewall state:
firewall-cmd --state
# Show the firewall configuration; the added ports are visible here too:
firewall-cmd --list-all
# List the settings of all zones:
firewall-cmd --list-all-zones
# List the ports the firewall has opened (no ports are open by default):
firewall-cmd --list-ports
# Show the active zones
[root@localhost ~] firewall-cmd --get-active-zones
docker
  interfaces: docker0

Note: every operation must carry --zone=public --permanent (specify the zone and make the change permanent). After the operation, run firewall-cmd --reload to refresh the configuration.

# Add a rule: open port 80 (allow port 80 through the firewall)
firewall-cmd --permanent --zone=public --add-port=80/tcp   # --permanent (permanent)
# Reload the firewall rules
firewall-cmd --reload
# Remove the opened port
firewall-cmd --permanent --zone=public --remove-port=80/tcp
# Check the status of port 80:
firewall-cmd --zone=public --query-port=80/tcp

-------------- IP whitelist settings ----------------
# Close a port / open a port reachable only from specified IPs:
# only allow the 192.168.1.1/24 subnet to reach port 3306
# (single quotes around the rule so the inner double quotes reach firewalld intact)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.1/24" port protocol="tcp" port="3306" accept'
# Block ping packets:
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'
# Close a port (remove the policy)
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="10.1.1.14/32" port protocol="tcp" port="80" accept'
# Reject all packets:
firewall-cmd --panic-on
# Leave the reject-all state:
firewall-cmd --panic-off
# Check whether reject-all (panic mode) is on:
firewall-cmd --query-panic
# Show the list of predefined services:
firewall-cmd --get-services
# Allow the ssh service through:
firewall-cmd --add-service=ssh
# Block the ssh service:
firewall-cmd --remove-service=ssh
# Show the currently allowed services:
firewall-cmd --list-services
# Temporarily allow the samba service through for 600 seconds
# (--add-service with --timeout; the old --enable form is no longer accepted):
firewall-cmd --add-service=samba --timeout=600
# Show the zone a given interface belongs to:
firewall-cmd --get-zone-of-interface=eth0
# Completely reload the rules (drops established connections, similar to a restart):
firewall-cmd --complete-reload

Note: after turning the firewall on, be sure to add the ssh port to the rules first, then reload:
firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --reload
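As an added example that is not part of the original post, the script below builds the source-restricted rich rule from the whitelist section, rejects malformed input before anything reaches firewall-cmd, and implements the post's own warning by reloading only after confirming that ssh is still allowed in the permanent public zone. It assumes a POSIX sh and, for the apply path only, firewall-cmd on PATH; the script name and the `apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the rich rule used in the
# whitelist section, validates its inputs, and reloads only after confirming that
# ssh is still allowed in the permanent public zone (the post's own warning).
set -u

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    ip="${1%/*}"; prefix=""
    case "$1" in */*) prefix="${1#*/}"; [ -n "$prefix" ] || return 1 ;; esac
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule that lets <source> reach <proto>/<port>, quoted as in
# firewalld.richlanguage(5). Returns 1 on bad input so nothing half-formed is applied.
# Arguments: source-cidr proto port
build_allow_rule() {
    case "$2" in tcp|udp) ;; *) echo "bad protocol: $2" >&2; return 1 ;; esac
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then echo "bad port: $3" >&2; return 1; fi
    valid_ipv4_cidr "$1" || { echo "bad source: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' "$1" "$3" "$2"
}

# Reload only if the permanent public zone still admits ssh (service or 22/tcp);
# otherwise a remote session applying these rules locks itself out.
safe_reload() {
    if firewall-cmd --permanent --zone=public --query-service=ssh >/dev/null 2>&1 ||
       firewall-cmd --permanent --zone=public --query-port=22/tcp >/dev/null 2>&1; then
        firewall-cmd --reload
    else
        echo "refusing to reload: ssh is not allowed in the permanent public zone" >&2
        return 1
    fi
}

# Apply path (needs firewall-cmd): restrict MySQL to the subnet used in the post.
# Run as: sh restrict_mysql.sh apply   (hypothetical script name)
if [ "${1:-}" = apply ]; then
    rule="$(build_allow_rule 192.168.1.1/24 tcp 3306)" || exit 1
    firewall-cmd --permanent --zone=public --add-rich-rule="$rule" &&
    firewall-cmd --permanent --zone=public --query-rich-rule="$rule" &&
    safe_reload
fi
```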
2. Putting the docker0 connection in the trusted zone

# Put the docker0 connection in the trusted zone
nmcli connection modify docker0 connection.zone trusted
# Stop the NetworkManager service (the program that detects networks and connects automatically);
# systemd unit names are case-sensitive, so the unit is NetworkManager.service
systemctl stop NetworkManager.service
# Move the docker network interface to the trusted zone (permanent)
firewall-cmd --permanent --zone=trusted --change-interface=docker0
# Start the NetworkManager service again
systemctl start NetworkManager.service
# Put the docker0 connection in the trusted zone
nmcli connection modify docker0 connection.zone trusted
# Restart the docker service
systemctl restart docker.service

3. Detailed help output
[root@localhost ~]# firewall-cmd --help
usage: firewall-cmd [options...]
general options
-h, --help prints a short help text and exists
-v, --version print the version string of firewalld
-q, --quiet do not print status messages
status options
--state return and print firewalld state
--reload reload firewall and keep state information
--complete-reload reload firewall and lose state information
--runtime-to-permanent
create permanent from runtime configuration
--check-config check permanent configuration for errors
log denied options
--get-log-denied print the log denied value
--set-log-denied=<value>
set log denied value
automatic helpers options
--get-automatic-helpers
print the automatic helpers value
--set-automatic-helpers=<value>
set automatic helpers value
permanent options
--permanent set an option permanently
usable for options marked with [p]
zone options
--get-default-zone print default zone for connections and interfaces
--set-default-zone=<zone>
set default zone
--get-active-zones print currently active zones
--get-zones print predefined zones [p]
--get-services print predefined services [p]
--get-icmptypes print predefined icmptypes [p]
--get-zone-of-interface=<interface>
print name of the zone the interface is bound to [p]
--get-zone-of-source=<source>[/<mask>]|<mac>|ipset:<ipset>
print name of the zone the source is bound to [p]
--list-all-zones list everything added for or enabled in all zones [p]
--new-zone=<zone> add a new zone [p only]
--new-zone-from-file=<filename> [--name=<zone>]
add a new zone from file with optional name [p only]
--delete-zone=<zone> delete an existing zone [p only]
--load-zone-defaults=<zone>
load zone default settings [p only] [z]
--zone=<zone> use this zone to set or query options, else default zone
usable for options marked with [z]
--get-target get the zone target [p only] [z]
--set-target=<target>
set the zone target [p only] [z]
--info-zone=<zone> print information about a zone
--path-zone=<zone> print file path of a zone [p only]
ipset options
--get-ipset-types print the supported ipset types
--new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
add a new ipset [p only]
--new-ipset-from-file=<filename> [--name=<ipset>]
add a new ipset from file with optional name [p only]
--delete-ipset=<ipset>
delete an existing ipset [p only]
--load-ipset-defaults=<ipset>
load ipset default settings [p only]
--info-ipset=<ipset> print information about an ipset
--path-ipset=<ipset> print file path of an ipset [p only]
--get-ipsets print predefined ipsets
--ipset=<ipset> --set-description=<description>
set new description to ipset [p only]
--ipset=<ipset> --get-description
print description for ipset [p only]
--ipset=<ipset> --set-short=<description>
set new short description to ipset [p only]
--ipset=<ipset> --get-short
print short description for ipset [p only]
--ipset=<ipset> --add-entry=<entry>
add a new entry to an ipset [p]
--ipset=<ipset> --remove-entry=<entry>
remove an entry from an ipset [p]
--ipset=<ipset> --query-entry=<entry>
return whether ipset has an entry [p]
--ipset=<ipset> --get-entries
list entries of an ipset [p]
--ipset=<ipset> --add-entries-from-file=<entry>
add a new entries to an ipset [p]
--ipset=<ipset> --remove-entries-from-file=<entry>
remove entries from an ipset [p]
icmptype options
--new-icmptype=<icmptype>
add a new icmptype [p only]
--new-icmptype-from-file=<filename> [--name=<icmptype>]
add a new icmptype from file with optional name [p only]
--delete-icmptype=<icmptype>
delete an existing icmptype [p only]
--load-icmptype-defaults=<icmptype>
load icmptype default settings [p only]
--info-icmptype=<icmptype>
print information about an icmptype
--path-icmptype=<icmptype>
print file path of an icmptype [p only]
--icmptype=<icmptype> --set-description=<description>
set new description to icmptype [p only]
--icmptype=<icmptype> --get-description
print description for icmptype [p only]
--icmptype=<icmptype> --set-short=<description>
set new short description to icmptype [p only]
--icmptype=<icmptype> --get-short
print short description for icmptype [p only]
--icmptype=<icmptype> --add-destination=<ipv>
enable destination for ipv in icmptype [p only]
--icmptype=<icmptype> --remove-destination=<ipv>
disable destination for ipv in icmptype [p only]
--icmptype=<icmptype> --query-destination=<ipv>
return whether destination ipv is enabled in icmptype [p only]
--icmptype=<icmptype> --get-destinations
list destinations in icmptype [p only]
service options
--new-service=<service>
add a new service [p only]
--new-service-from-file=<filename> [--name=<service>]
add a new service from file with optional name [p only]
--delete-service=<service>
delete an existing service [p only]
--load-service-defaults=<service>
load icmptype default settings [p only]
--info-service=<service>
print information about a service
--path-service=<service>
print file path of a service [p only]
--service=<service> --set-description=<description>
set new description to service [p only]
--service=<service> --get-description
print description for service [p only]
--service=<service> --set-short=<description>
set new short description to service [p only]
--service=<service> --get-short
print short description for service [p only]
--service=<service> --add-port=<portid>[-<portid>]/<protocol>
add a new port to service [p only]
--service=<service> --remove-port=<portid>[-<portid>]/<protocol>
remove a port from service [p only]
--service=<service> --query-port=<portid>[-<portid>]/<protocol>
return whether the port has been added for service [p only]
--service=<service> --get-ports
list ports of service [p only]
--service=<service> --add-protocol=<protocol>
add a new protocol to service [p only]
--service=<service> --remove-protocol=<protocol>
remove a protocol from service [p only]
--service=<service> --query-protocol=<protocol>
return whether the protocol has been added for service [p only]
--service=<service> --get-protocols
list protocols of service [p only]
--service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
add a new source port to service [p only]
--service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
remove a source port from service [p only]
--service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
return whether the source port has been added for service [p only]
--service=<service> --get-source-ports
list source ports of service [p only]
--service=<service> --add-module=<module>
add a new module to service [p only]
--service=<service> --remove-module=<module>
remove a module from service [p only]
--service=<service> --query-module=<module>
return whether the module has been added for service [p only]
--service=<service> --get-modules
list modules of service [p only]
--service=<service> --set-destination=<ipv>:<address>[/<mask>]
set destination for ipv to address in service [p only]
--service=<service> --remove-destination=<ipv>
disable destination for ipv i service [p only]
--service=<service> --query-destination=<ipv>:<address>[/<mask>]
return whether destination ipv is set for service [p only]
--service=<service> --get-destinations
list destinations in service [p only]
options to adapt and query zones
--list-all list everything added for or enabled in a zone [p] [z]
--list-services list services added for a zone [p] [z]
--timeout=<timeval> enable an option for timeval time, where timeval is
a number followed by one of letters 's' or 'm' or 'h'
usable for options marked with [t]
--set-description=<description>
set new description to zone [p only] [z]
--get-description print description for zone [p only] [z]
--set-short=<description>
set new short description to zone [p only] [z]
--get-short print short description for zone [p only] [z]
--add-service=<service>
add a service for a zone [p] [z] [t]
--remove-service=<service>
remove a service from a zone [p] [z]
--query-service=<service>
return whether service has been added for a zone [p] [z]
--list-ports list ports added for a zone [p] [z]
--add-port=<portid>[-<portid>]/<protocol>
add the port for a zone [p] [z] [t]
--remove-port=<portid>[-<portid>]/<protocol>
remove the port from a zone [p] [z]
--query-port=<portid>[-<portid>]/<protocol>
return whether the port has been added for zone [p] [z]
--list-protocols list protocols added for a zone [p] [z]
--add-protocol=<protocol>
add the protocol for a zone [p] [z] [t]
--remove-protocol=<protocol>
remove the protocol from a zone [p] [z]
--query-protocol=<protocol>
return whether the protocol has been added for zone [p] [z]
--list-source-ports list source ports added for a zone [p] [z]
--add-source-port=<portid>[-<portid>]/<protocol>
add the source port for a zone [p] [z] [t]
--remove-source-port=<portid>[-<portid>]/<protocol>
remove the source port from a zone [p] [z]
--query-source-port=<portid>[-<portid>]/<protocol>
return whether the source port has been added for zone [p] [z]
--list-icmp-blocks list internet icmp type blocks added for a zone [p] [z]
--add-icmp-block=<icmptype>
add an icmp block for a zone [p] [z] [t]
--remove-icmp-block=<icmptype>
remove the icmp block from a zone [p] [z]
--query-icmp-block=<icmptype>
return whether an icmp block has been added for a zone
[p] [z]
--add-icmp-block-inversion
enable inversion of icmp blocks for a zone [p] [z]
--remove-icmp-block-inversion
disable inversion of icmp blocks for a zone [p] [z]
--query-icmp-block-inversion
return whether inversion of icmp blocks has been enabled
for a zone [p] [z]
--list-forward-ports list ipv4 forward ports added for a zone [p] [z]
--add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
add the ipv4 forward port for a zone [p] [z] [t]
--remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
remove the ipv4 forward port from a zone [p] [z]
--query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
return whether the ipv4 forward port has been added for
a zone [p] [z]
--add-masquerade enable ipv4 masquerade for a zone [p] [z] [t]
--remove-masquerade disable ipv4 masquerade for a zone [p] [z]
--query-masquerade return whether ipv4 masquerading has been enabled for a
zone [p] [z]
--list-rich-rules list rich language rules added for a zone [p] [z]
--add-rich-rule=<rule>
add rich language rule 'rule' for a zone [p] [z] [t]
--remove-rich-rule=<rule>
remove rich language rule 'rule' from a zone [p] [z]
--query-rich-rule=<rule>
return whether a rich language rule 'rule' has been
added for a zone [p] [z]
options to handle bindings of interfaces
--list-interfaces list interfaces that are bound to a zone [p] [z]
--add-interface=<interface>
bind the <interface> to a zone [p] [z]
--change-interface=<interface>
change zone the <interface> is bound to [p] [z]
--query-interface=<interface>
query whether <interface> is bound to a zone [p] [z]
--remove-interface=<interface>
remove binding of <interface> from a zone [p] [z]
options to handle bindings of sources
--list-sources list sources that are bound to a zone [p] [z]
--add-source=<source>[/<mask>]|<mac>|ipset:<ipset>
bind the source to a zone [p] [z]
--change-source=<source>[/<mask>]|<mac>|ipset:<ipset>
change zone the source is bound to [z]
--query-source=<source>[/<mask>]|<mac>|ipset:<ipset>
query whether the source is bound to a zone [p] [z]
--remove-source=<source>[/<mask>]|<mac>|ipset:<ipset>
remove binding of the source from a zone [p] [z]
helper options
--new-helper=<helper> --module=<module> [--family=<family>]
add a new helper [p only]
--new-helper-from-file=<filename> [--name=<helper>]
add a new helper from file with optional name [p only]
--delete-helper=<helper>
delete an existing helper [p only]
--load-helper-defaults=<helper>
load helper default settings [p only]
--info-helper=<helper> print information about an helper
--path-helper=<helper> print file path of an helper [p only]
--get-helpers print predefined helpers
--helper=<helper> --set-description=<description>
set new description to helper [p only]
--helper=<helper> --get-description
print description for helper [p only]
--helper=<helper> --set-short=<description>
set new short description to helper [p only]
--helper=<helper> --get-short
print short description for helper [p only]
--helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
add a new port to helper [p only]
--helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
remove a port from helper [p only]
--helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
return whether the port has been added for helper [p only]
--helper=<helper> --get-ports
list ports of helper [p only]
--helper=<helper> --set-module=<module>
set module to helper [p only]
--helper=<helper> --get-module
get module from helper [p only]
--helper=<helper> --set-family={ipv4|ipv6|}
set family for helper [p only]
--helper=<helper> --get-family
get module from helper [p only]
direct options
--direct first option for all direct options
--get-all-chains
get all chains [p]
--get-chains {ipv4|ipv6|eb} <table>
get all chains added to the table [p]
--add-chain {ipv4|ipv6|eb} <table> <chain>
add a new chain to the table [p]
--remove-chain {ipv4|ipv6|eb} <table> <chain>
remove the chain from the table [p]
--query-chain {ipv4|ipv6|eb} <table> <chain>
return whether the chain has been added to the table [p]
--get-all-rules
get all rules [p]
--get-rules {ipv4|ipv6|eb} <table> <chain>
get all rules added to chain in table [p]
--add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
add rule to chain in table [p]
--remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
remove rule with priority from chain in table [p]
--remove-rules {ipv4|ipv6|eb} <table> <chain>
remove rules from chain in table [p]
--query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
return whether a rule with priority has been added to
chain in table [p]
--passthrough {ipv4|ipv6|eb} <arg>...
pass a command through (untracked by firewalld)
--get-all-passthroughs
get all tracked passthrough rules [p]
--get-passthroughs {ipv4|ipv6|eb} <arg>...
get tracked passthrough rules [p]
--add-passthrough {ipv4|ipv6|eb} <arg>...
add a new tracked passthrough rule [p]
--remove-passthrough {ipv4|ipv6|eb} <arg>...
remove a tracked passthrough rule [p]
--query-passthrough {ipv4|ipv6|eb} <arg>...
return whether the tracked passthrough rule has been
added [p]
lockdown options
--lockdown-on enable lockdown.
--lockdown-off disable lockdown.
--query-lockdown query whether lockdown is enabled
lockdown whitelist options
--list-lockdown-whitelist-commands
list all command lines that are on the whitelist [p]
--add-lockdown-whitelist-command=<command>
add the command to the whitelist [p]
--remove-lockdown-whitelist-command=<command>
remove the command from the whitelist [p]
--query-lockdown-whitelist-command=<command>
query whether the command is on the whitelist [p]
--list-lockdown-whitelist-contexts
list all contexts that are on the whitelist [p]
--add-lockdown-whitelist-context=<context>
add the context context to the whitelist [p]
--remove-lockdown-whitelist-context=<context>
remove the context from the whitelist [p]
--query-lockdown-whitelist-context=<context>
query whether the context is on the whitelist [p]
--list-lockdown-whitelist-uids
list all user ids that are on the whitelist [p]
--add-lockdown-whitelist-uid=<uid>
add the user id uid to the whitelist [p]
--remove-lockdown-whitelist-uid=<uid>
remove the user id uid from the whitelist [p]
--query-lockdown-whitelist-uid=<uid>
query whether the user id uid is on the whitelist [p]
--list-lockdown-whitelist-users
list all user names that are on the whitelist [p]
--add-lockdown-whitelist-user=<user>
add the user name user to the whitelist [p]
--remove-lockdown-whitelist-user=<user>
remove the user name user from the whitelist [p]
--query-lockdown-whitelist-user=<user>
query whether the user name user is on the whitelist [p]
panic options
--panic-on enable panic mode
--panic-off disable panic mode
--query-panic query whether panic mode is enabled
Summary

The above is based on personal experience; I hope it serves as a useful reference, and I hope everyone keeps supporting 代码网.