
firewalld

############################################

###################防火墙#####################

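#!/usr/bin/env bash
# firewalld walkthrough with firewall-cmd (run as root).
#
# Every firewall-cmd call below that lacks --permanent changes only the
# RUNTIME configuration: it disappears on --reload, --complete-reload,
# a daemon restart or a reboot. A --permanent call is written to disk and
# only becomes active after --reload. The output the original author saw
# is kept in "# ->" comments; the 172.25.x.x addresses are lab hosts.
#
# Run this from a console, or at least keep the current SSH session open:
# several steps below move interfaces between zones or remove the ssh
# service and can lock a remote administrator out.

# Hand netfilter over to firewalld: the iptables service and firewalld must
# not both manage the rule set.
systemctl start firewalld
systemctl stop iptables
systemctl disable iptables
systemctl enable firewalld

firewall-cmd --state                 # daemon status            -> running
firewall-cmd --get-active-zones      # zones with at least one interface or source bound
# -> ROL
# ->   sources: 172.25.0.252/32
# -> public
# ->   interfaces: eth0 eth1
firewall-cmd --list-all              # full settings of the default zone
firewall-cmd --get-services          # names of all predefined services

# WARNING: the built-in 'trusted' zone accepts every incoming connection.
# Making it the default zone leaves any interface or source that is not
# explicitly bound to another zone unfiltered. The default zone is stored
# in firewalld.conf, so this survives reloads and reboots.
firewall-cmd --set-default-zone=trusted   # -> success
firewall-cmd --get-default-zone           # -> trusted

# Source bindings. Without --zone, firewall-cmd works on the default zone,
# which is now 'trusted' (the original note said "public"). Note the two
# different addresses: 172.25.154.75 and 172.25.254.75 are not the same host.
firewall-cmd --permanent --add-source=172.25.154.75   # saved to disk, not active yet          -> success
firewall-cmd --reload                                 # load permanent config; runtime-only changes are discarded, connection state is kept   -> success
firewall-cmd --remove-source=172.25.154.75            # runtime only: unbind the source          -> success
firewall-cmd --permanent --zone=trusted --add-source=172.25.254.75   # on disk: 172.25.254.75 -> trusted (i.e. fully open)   -> success
firewall-cmd --permanent --remove-source=172.25.154.75               # drop the on-disk binding as well                -> success

# Move eth0 from public to trusted (runtime only). From here on, everything
# arriving on eth0 is accepted without filtering.
firewall-cmd --remove-interface=eth0 --zone=public   # -> success
firewall-cmd --add-interface=eth0 --zone=trusted     # -> success
firewall-cmd --zone=trusted --list-all
# -> trusted (active)
# ->   interfaces: eth0
# ->   sources: 172.25.254.75
# ->   services:
# ->   ports:
# ->   masquerade: no
# ->   forward-ports:
# ->   icmp-blocks:
# ->   rich rules:
# NOTE(review): the source above was added with --permanent and no reload is
# shown in between; presumably a reload was left out of the transcript.

# Services and ports in 'public' (runtime only).
# NOTE(review): the listings from here on report "public (default, active)",
# so the default zone was evidently switched back to public at some point
# the transcript does not show.
firewall-cmd --add-service=http --zone=public   # open the predefined http service   -> success
firewall-cmd --list-all
# -> public (default, active)
# ->   interfaces: eth1
# ->   sources:
# ->   services: dhcpv6-client http
firewall-cmd --list-ports             # ports opened explicitly in the default zone (none yet)
firewall-cmd --add-port=53/tcp        # open TCP/53 in the default zone   -> success
firewall-cmd --list-all
# -> public (default, active)
# ->   interfaces: eth1
# ->   sources:
# ->   services: dhcpv6-client http
# ->   ports: 53/tcp

# --complete-reload rebuilds the rule set from the permanent configuration:
# the runtime-only http service and 53/tcp above are gone afterwards (see the
# next listing), and unlike --reload it also drops connection-tracking state,
# so established connections may be cut.
firewall-cmd --complete-reload        # -> success

# Direct rules are plain iptables rules evaluated ahead of the zone chains.
# The original note claimed "host .78 cannot log in, every other host can",
# but an ACCEPT for !.78 alone does not block .78: its packets simply fall
# through to the normal zone rules, and if the zone allows ssh (public does
# by default) .78 can still log in. The explicit REJECT added below is what
# actually enforces that intent. Direct rules are runtime-only here; add
# --permanent to keep them. In practice prefer a rich rule for this:
#   firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.25.254.78 service name=ssh reject'
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.78 -p tcp --dport 22 -j ACCEPT   # -> success
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.78 -p tcp --dport 22 -j REJECT

# Rich rules (runtime only). The scraped page had the values of the next
# three rules replaced by a site URL; they are restored here.
# limit value=2/h means 2 NEW ftp connections per HOUR (the original note said
# "per minute"; that would be 2/m).
firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/h accept"   # -> success
firewall-cmd --list-all
# -> public (default, active)
# ->   interfaces: eth1
# ->   sources:
# ->   services: dhcpv6-client
# ->   ports:
# ->   masquerade: no
# ->   forward-ports:
# ->   icmp-blocks:
# ->   rich rules:
# -> rule service name="ftp" accept limit value="2/h"

# Drop every ICMP packet in this zone. This also silences ICMP errors
# (destination-unreachable, fragmentation-needed), which some connections
# rely on — drop only what you must.
firewall-cmd --add-rich-rule="rule protocol value=icmp drop"   # -> success
# --timeout=N removes the rule again after N seconds (the original note had
# this backwards). Useful for trying a rule without risking a lockout.
firewall-cmd --add-rich-rule="rule protocol value=icmp reject" --timeout=10   # -> success

# Port forwarding: TCP/22 arriving on this host is passed on to
# 172.25.254.75:22, so an ssh to this host lands on .75. Forwarding to another
# address requires masquerading in the zone (next line). Both are runtime
# only. This exposes .75's ssh through this host — make sure that is intended.
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.75   # -> success
firewall-cmd --add-masquerade   # -> success
firewall-cmd --list-all
# -> public (default, active)
# ->   interfaces: eth1
# ->   sources:
# ->   services: dhcpv6-client
# ->   ports:
# ->   masquerade: yes
# ->   forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.75
# ->   icmp-blocks:
# ->   rich rules:

# Masquerade (rewrite the source to this host's address) only for traffic
# from 172.25.254.102, expressed as a rich rule. The page used typographic
# quotes (‘…‘) around the rule; the shell needs ASCII quotes.
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.102 masquerade'   # -> success
firewall-cmd --add-masquerade   # -> success
firewall-cmd --list-all
# -> public (default, active)
# ->   interfaces: eth0
# ->   sources:
# ->   services: dhcpv6-client ssh
# ->   ports:
# ->   masquerade: yes
# ->   forward-ports:
# ->   icmp-blocks:
# ->   rich rules:
# -> rule family="ipv4" source address="172.25.254.102" masquerade
# NOTE(review): interfaces and forward-ports differ from the previous
# listing; this part of the transcript appears to come from another session.

# Close ssh in the default zone (runtime). New SSH connections into this zone
# are refused from now on; an already-established session normally survives
# via connection tracking, but you will not get back in remotely unless a
# rich rule or another zone still admits your admin host.
firewall-cmd --remove-service=ssh   # -> success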

success

测试

用做过伪装的主机 10 访问主机 11，在 11 上查看连接它的主机 IP：如果伪装（masquerade）生效，11 上看到的来源地址应是防火墙主机的地址，而不是 10 的真实地址。

附图:

 


