防火强firewalld常用规则总结

admin

firewall-cmd --list-all
public (active)
8 A% d/ U5 ~6 W9 x  target: default
4 j; B8 A7 f) a  icmp-block-inversion: no
( T3 T& o' x3 O. w1 W  interfaces: enp0s3 enp0s8
2 |: h% l8 n& P* o# b7 N  sources:
9 F) I2 u8 j9 M' w( H  services: ssh dhcpv6-client
  ports:
0 A; Y( f( x  n8 b7 c6 b8 e  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
/ M7 N5 U2 j8 T" o' V. V2 a  rich rules:
        rule family="ipv4" source address="192.18.5.3/24" service name="ssh" accept
& u& ?$ c+ F- D: X4 s; u        rule family="ipv4" source address="192.18.5.3" service name="ssh" drop

admin

firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='192.168.236.0/24' service name='keepalived' accept "

admin

firewall-cmd --permanent --add-port=5900-6000/tcp   放通某个端口组

admin

firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='tcp' port='1-65535' accept"
& C7 I2 j7 P, O+ J! v9 G$ Nfirewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='udp' port='1-65535' accept"
firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' protocol value='icmp' accept"
: N: j: j4 u, W5 j

admin

# 1.允许10.35.89.0/24网段的主机访问本机的ftp服务，同时指定日志的前缀和输出级别：
8 L- n) f# {, Hfirewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 service name=ftp log prefix="ftp" level=info accept' --permanent
' A" ^( M3 t4 B* G$ R( r! G9 t0 X
# 2.允许10.35.89.0/24网段的主机访问本机的80/tcp端口，同时指定日志的前缀和输出级别：
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 port port=80 protocol=tcp log prefix="80" level=info accept' --permanent
; k' B- }6 r2 V. k
+ y/ M2 r, A0 l6 X3 u; G1 I0 U# 3.将访问端口是808且源ip是192.168.10.0/24的主机转发到10.10.10.2:80
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.10.0/24" forward-port port="808" protocol="tcp" to-port="80" to-addr="10.10.10.2"' --permanent

# 4.富规则中使用伪装功能可以更精确详细的限制:
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.10.10.2/24 masquerade'
/ \4 i6 D, A: V/ t& r+ G1 `& g/ p
, u7 G+ r9 w' n& {6 _9 U, q: G7 V# 5.允许192.168.1.0/24网段的地址访问本机的http服务：
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'

# 6. 禁止192.168.1.0/24网段的地址访问本机的ssh服务：
, t. ?' \, M! L5 y* c1 Tfirewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'

# 7. 删除示例6创建的富规则
5 X* [7 W( x  {' m% ]; S7 wfirewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'
5 R7 t% }6 g0 w' p+ i9 n' m4 g
. u, M8 l5 k# s! f  K# 8. 允许192.168.1.0/24端口的主机访问本机的8080端口，同时指定日志的前缀和输出级别：
) }1 |! r( w5 \* @% I/ S9 afirewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=8080 protocol="tcp" log prefix=proxy level=warning accept'

# 9.将访问端口是5432且源ip是192.168.0.0/32的主机转发到本机的80端口：
2 u6 u# F+ K* W  w. o% [( p3 D6 Tfirewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.0/32 forward-port port=5432 protocol=tcp to-port=80'
! V: j6 g4 t% `+ S( W8 v4 s/ n) E
5 Y, s5 o! O' D6 U1 S# 10. 允许icmp协议的数据包通信：
firewall-cmd --add-rich-rule 'rule protocol value="icmp" accept' --permanent