防火强firewalld常用规则总结

admin

firewall-cmd --list-all
public (active)
) t6 t) u8 u' t( E/ P3 j* W  target: default
* }/ K6 c" W- U; U  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: ssh dhcpv6-client
8 u8 z2 M5 X/ J' i7 e4 ?  ports:
9 y: P/ r4 K: B0 Y! P$ G& E  protocols:
# p; \+ k5 l/ k( a5 R" U4 B. R  masquerade: no
: D7 ]( `. ?' z: d! k  forward-ports:
% h% [6 i; W3 Y% Z  source-ports:
  icmp-blocks:
- d9 \  Z  T* r$ s0 q1 C  rich rules:
( s/ n+ |) @; S% w        rule family="ipv4" source address="192.18.5.3/24" service name="ssh" accept
        rule family="ipv4" source address="192.18.5.3" service name="ssh" drop
  q, F; a, [; U3 S: N! u/ U

admin

firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='192.168.236.0/24' service name='keepalived' accept "

admin

firewall-cmd --permanent --add-port=5900-6000/tcp   放通某个端口组

admin

firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='tcp' port='1-65535' accept"
firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='udp' port='1-65535' accept"
# c0 B" B2 p6 [  _firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' protocol value='icmp' accept"

admin

# 1.允许10.35.89.0/24网段的主机访问本机的ftp服务，同时指定日志的前缀和输出级别：
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 service name=ftp log prefix="ftp" level=info accept' --permanent

# 2.允许10.35.89.0/24网段的主机访问本机的80/tcp端口，同时指定日志的前缀和输出级别：
+ {* P' y" P: S' {0 ~; [. T" rfirewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 port port=80 protocol=tcp log prefix="80" level=info accept' --permanent
' d- b  [6 F; R5 N  L3 ~
6 W5 t3 F& S" n3 i: i# 3.将访问端口是808且源ip是192.168.10.0/24的主机转发到10.10.10.2:80
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.10.0/24" forward-port port="808" protocol="tcp" to-port="80" to-addr="10.10.10.2"' --permanent
  Z! R- T: v* n) `9 x* K& V
# 4.富规则中使用伪装功能可以更精确详细的限制:
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.10.10.2/24 masquerade'
4 l1 w4 V: J. Z9 l% T: u
# 5.允许192.168.1.0/24网段的地址访问本机的http服务：
6 t6 e  O; D6 o8 F  p/ R3 Jfirewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'

8 ^% l  X! f3 p, _# 6. 禁止192.168.1.0/24网段的地址访问本机的ssh服务：
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'

& }: W$ a* K( o) d* z1 M! a  {, E" G# 7. 删除示例6创建的富规则
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'
, R- G: V2 N/ g) t$ o! O
7 l. J; H9 r) K# 8. 允许192.168.1.0/24端口的主机访问本机的8080端口，同时指定日志的前缀和输出级别：
# s, G7 W; `/ u* n6 q. `& Cfirewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=8080 protocol="tcp" log prefix=proxy level=warning accept'

# 9.将访问端口是5432且源ip是192.168.0.0/32的主机转发到本机的80端口：
3 Z1 s0 |. ~. l1 `1 lfirewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.0/32 forward-port port=5432 protocol=tcp to-port=80'

# 10. 允许icmp协议的数据包通信：
firewall-cmd --add-rich-rule 'rule protocol value="icmp" accept' --permanent
  ?- M/ J, [, K1 M, u