防火强firewalld常用规则总结

admin

firewall-cmd --list-all
, R; k& y& \3 }: W. @7 hpublic (active)
  target: default
9 f7 P$ b4 ^2 h5 N9 [6 q# R* o7 k: S5 c  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
7 w" x0 o" M$ e  services: ssh dhcpv6-client
  ports:
, B, u  a7 k8 M7 I$ Q. T  protocols:
% ]9 ]: w& C* s& p6 o- J6 J  e* X) y  masquerade: no
  u* o( b( Z/ ]( K1 T' `! b' z  forward-ports:
  ^( N  i- e, A7 H: F  \2 j  source-ports:
; C: _1 n9 f: q) \& }9 z  icmp-blocks:
  rich rules:
8 e( C% D) }3 z/ K# `4 ]        rule family="ipv4" source address="192.18.5.3/24" service name="ssh" accept
        rule family="ipv4" source address="192.18.5.3" service name="ssh" drop
3 Z6 t% }9 @+ p. C- ?# e# N

admin

firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='192.168.236.0/24' service name='keepalived' accept "

admin

firewall-cmd --permanent --add-port=5900-6000/tcp   放通某个端口组

admin

firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='tcp' port='1-65535' accept"
firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='udp' port='1-65535' accept"
2 J3 i4 z: q0 Y# M* r9 d0 Mfirewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' protocol value='icmp' accept"

admin

# 1.允许10.35.89.0/24网段的主机访问本机的ftp服务，同时指定日志的前缀和输出级别：
6 w5 X5 s1 \+ A8 Z* w# \firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 service name=ftp log prefix="ftp" level=info accept' --permanent
" @  t1 R5 d% p8 V3 Q  [; f& e
# 2.允许10.35.89.0/24网段的主机访问本机的80/tcp端口，同时指定日志的前缀和输出级别：
, R( P1 @) \6 h. @firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 port port=80 protocol=tcp log prefix="80" level=info accept' --permanent
/ W6 n5 _) E, m) v, _4 x
# 3.将访问端口是808且源ip是192.168.10.0/24的主机转发到10.10.10.2:80
4 s% k! {0 l0 B5 kfirewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.10.0/24" forward-port port="808" protocol="tcp" to-port="80" to-addr="10.10.10.2"' --permanent

1 G2 B. ~# x/ M7 P# 4.富规则中使用伪装功能可以更精确详细的限制:
8 Q( z/ r- T2 u3 ufirewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.10.10.2/24 masquerade'

# 5.允许192.168.1.0/24网段的地址访问本机的http服务：
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'
! Z8 h  S1 n% g" G% y6 }
, [1 P- E" ]# h3 a% V. c9 q! y# 6. 禁止192.168.1.0/24网段的地址访问本机的ssh服务：
0 [  ^9 x& Y4 u5 Y  h* Wfirewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'
1 m, m4 d$ F9 @5 k" r" n
: j4 b) H9 V# |; s1 g& [8 X# 7. 删除示例6创建的富规则
/ Q* ~9 `3 @) H" ?* k$ Kfirewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'

# 8. 允许192.168.1.0/24端口的主机访问本机的8080端口，同时指定日志的前缀和输出级别：
# D2 D" }1 ^  D# ffirewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=8080 protocol="tcp" log prefix=proxy level=warning accept'

# 9.将访问端口是5432且源ip是192.168.0.0/32的主机转发到本机的80端口：
7 n$ H& V: r" g. w0 H; g. @; @firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.0/32 forward-port port=5432 protocol=tcp to-port=80'
! Q' S" u+ S$ ^" D8 D% ]1 `1 l
# 10. 允许icmp协议的数据包通信：
firewall-cmd --add-rich-rule 'rule protocol value="icmp" accept' --permanent