禁止ping
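# Ignore all inbound IPv4 echo requests. This is a runtime-only change (gone
# after reboot); to persist it, put `net.ipv4.icmp_echo_ignore_all = 1` in a
# file under /etc/sysctl.d/. Must be run as root -- `sysctl -w` reports a
# failure instead of the silent "Permission denied" of a failed redirection.
# Only IPv4 is covered (IPv6 has a separate knob, net.ipv6.icmp.echo_ignore_all
# on newer kernels), and dropping ping does not hide the host from TCP/UDP
# scans; it mostly breaks monitoring, so use it deliberately.
sysctl -w net.ipv4.icmp_echo_ignore_all=1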
开启ping
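# Answer inbound IPv4 echo requests again (runtime only; see the note above on
# persisting the value under /etc/sysctl.d/). Must be run as root.
sysctl -w net.ipv4.icmp_echo_ignore_all=0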
安装firewall
# Install firewalld (RHEL/CentOS family; on releases that ship dnf the
# equivalent is `dnf install firewalld`).
yum install firewalld
服务相关
# Service management. `stop`/`disable` leave the host without firewalld's
# filtering until it is started again; `disable` alone does not stop a running
# instance (pair it with `stop`), and `enable` alone does not start one.
systemctl disable firewalld    # do not start at boot
systemctl enable firewalld     # start at boot
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld    # reloads permanent config; runtime-only (non --permanent) changes are lost
firewall-cmd --state           # prints "running" / "not running"
查看当前防火墙规则
# Show the runtime configuration of the default zone (add --permanent to see
# the saved configuration, --zone=<zone> for another zone).
firewall-cmd --list-all
重载防火墙
# Make the permanent configuration the runtime configuration. Changes made
# with --permanent only take effect after this; changes made without
# --permanent (runtime only) are discarded by it.
firewall-cmd --reload
查看当前接口情况
# List the zones that currently have an interface or source bound to them.
firewall-cmd --get-active-zones
IP伪装端口转发
# Enable masquerading (source NAT) on the external zone. It is required for
# the toaddr forwards below, otherwise replies from the target host are not
# routed back through this box. All four commands are --permanent and only
# take effect after `firewall-cmd --reload`.
firewall-cmd --permanent --zone=external --add-masquerade
# Three forwards of inbound TCP/22 on the external zone; they read as
# alternatives (to a different local port, to another host on the same port,
# to another host on a different port) rather than a set to apply together.
# Forwarding 22 from the external zone publishes that SSH endpoint to whatever
# the zone faces, so restrict the source or use key-only auth on the target.
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
添加删除http限速规则（rich rule 中的 limit 是按报文速率限制，例如 80/s，并不是并发连接数限制）
# Rate limit (not a concurrency limit) for the http service in the public
# zone: `limit value="80/s"` is a packet rate, so the rule accepts at most 80
# matching packets per second. Packets above the rate are simply not matched
# by this rule and fall through to the rest of the zone; if the http service
# or 80/tcp is also opened in the zone they are most likely still accepted by
# that plain allow rule, so verify with --list-all that this is the only
# allow for port 80. Both commands need `firewall-cmd --reload` to apply.
firewall-cmd --permanent --zone=public --add-rich-rule='rule service name="http" limit value="80/s" accept'
firewall-cmd --permanent --zone=public --remove-rich-rule='rule service name="http" limit value="80/s" accept'
添加删除80端口限速规则（同上，limit 为速率限制而非并发限制）
# Same rate limit as above, but matched on TCP port 80 instead of the "http"
# service definition. `limit value="80/s"` is a packet rate, not a limit on
# concurrent connections; over-limit packets fall through to the zone's other
# rules (a separate --add-port=80/tcp would still accept them). Needs
# `firewall-cmd --reload` to take effect.
firewall-cmd --permanent --zone=public --add-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept'
firewall-cmd --permanent --zone=public --remove-rich-rule='rule port port=80 protocol=tcp limit value="80/s" accept'
添加删除tcp端口
# Open / close TCP port 80 in the default zone (no --zone given) in the
# permanent configuration; run `firewall-cmd --reload` afterwards, or repeat
# the command without --permanent for an immediate runtime change.
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --remove-port=80/tcp --permanent
黑名单
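# Blacklisting.
# Binding a source to the drop zone discards everything from it, whatever the
# other zones allow. Without --permanent this is runtime only: immediate, but
# lost on `firewall-cmd --reload` or a service restart (add --permanent and
# reload to keep it).
firewall-cmd --zone=drop --add-source 192.168.1.1
firewall-cmd --zone=drop --remove-source 192.168.1.1
# Permanent drop rule for a whole /24 in the public zone (needs --reload).
# The remove command must repeat the add command's rule text exactly: the
# original removed "192.168.1.1" here, which does not match the /24 rule just
# added and so fails (NOT_ENABLED) and leaves the block in place.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" drop' --permanent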
控制规则
rule [family="<rule family>"]
[ source address="<address>" [invert="True"] ]
[ destination address="<address>" [invert="True"] ]
[ <element> ]
[ log [prefix="<prefix text>"] [level="<log level>"] [limit value="rate/duration"] ]
[ audit ]
[ accept|reject|drop ]
`port`
端口既可以是一个独立端口数字,又或者端口范围,例如,5060-5062。协议可以指定为 tcp 或 udp 。命令为以下形式:
port port=number_or_range protocol=protocol
综合应用
允许指定IP的端口访问（注意：下面的命令在外层双引号内又嵌套了双引号，bash 会把内层引号剥掉，firewalld 实际收到的是 rule family=ipv4 source address=172.16.21.118 ... 这种无引号形式，这里恰好能解析；更稳妥的写法是外层用单引号、内层用双引号，与上文 rich rule 示例一致）
[root@ADmanagement ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.16.21.118" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
[root@ADmanagement ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 10050-10051/tcp 61222/tcp 80/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.16.21.118" port port="61234" protocol="tcp" accept
移除策略
[root@ADmanagement ~]# firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="172.16.21.118" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
允许指定网段的端口访问
[root@ADmanagement ~]# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
移除策略
[root@ADmanagement ~]# firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="172.17.0.0/16" port protocol="tcp" port="61234" accept"
success
[root@ADmanagement ~]# firewall-cmd --reload
success
允许 accept
阻止 drop（静默丢弃，来源收不到任何响应）；reject 同样拒绝，但会向来源回送拒绝报文，来源能立即得知被拒