防火强firewalld常用规则总结

admin

firewall-cmd --list-all
public (active)
* ]8 K! R+ r) u- G6 M+ J  target: default
  icmp-block-inversion: no
% @' F" K7 K8 R& G  interfaces: enp0s3 enp0s8
& C& z6 F  _! N0 e; M0 o8 s  sources:
  services: ssh dhcpv6-client
  ports:
0 V; r0 ^0 ~9 h9 T  |  protocols:
  masquerade: no
4 c6 p" J, \# k4 D  W4 h- b% }  forward-ports:
- i! |9 }# w. t& `  source-ports:
  |9 Y& G- H" ]$ O/ }; a# }4 }2 A8 Q  icmp-blocks:
! n4 Z6 k" F! U$ H6 m* j; @& @  rich rules:
        rule family="ipv4" source address="192.18.5.3/24" service name="ssh" accept
        rule family="ipv4" source address="192.18.5.3" service name="ssh" drop
+ T/ \! }* [, F' s6 ~

admin

firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address='192.168.236.0/24' service name='keepalived' accept "

admin

firewall-cmd --permanent --add-port=5900-6000/tcp   放通某个端口组

admin

firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='tcp' port='1-65535' accept"
* b) g9 q6 A! `, Ofirewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' port protocol='udp' port='1-65535' accept"
firewall-cmd --permanent --zone=internal --add-rich-rule="rule family='ipv4' protocol value='icmp' accept"
$ g$ n" }* `- l0 [6 B

admin

# 1.允许10.35.89.0/24网段的主机访问本机的ftp服务，同时指定日志的前缀和输出级别：
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 service name=ftp log prefix="ftp" level=info accept' --permanent
8 [$ y0 K; E" o0 @
# 2.允许10.35.89.0/24网段的主机访问本机的80/tcp端口，同时指定日志的前缀和输出级别：
  @( b3 u! F) J( n0 N% v7 o5 Sfirewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.35.89.0/24 port port=80 protocol=tcp log prefix="80" level=info accept' --permanent
8 C; l4 _3 G0 g' k; _$ i
$ w3 Q; O# l7 N; I# 3.将访问端口是808且源ip是192.168.10.0/24的主机转发到10.10.10.2:80
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.10.0/24" forward-port port="808" protocol="tcp" to-port="80" to-addr="10.10.10.2"' --permanent
% V( m7 G6 P6 j* B4 H' y
2 R  b6 R0 ]6 y4 b7 H  z6 r# 4.富规则中使用伪装功能可以更精确详细的限制:
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=10.10.10.2/24 masquerade'

0 k7 j+ |# l& J, g& R4 `# 5.允许192.168.1.0/24网段的地址访问本机的http服务：
2 h" z. @7 h$ w% [% ^& Y& N5 n' m. gfirewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'
; C* K2 f) r& I* b$ L7 F1 x, T' Z
3 ]' [5 ^/ \2 \8 j' L1 {# T# 6. 禁止192.168.1.0/24网段的地址访问本机的ssh服务：
: y! U/ n3 ]0 m; i) x+ ^( F% vfirewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'

# 7. 删除示例6创建的富规则
. l+ f6 ^2 f: N0 J. Efirewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh reject'

5 _& w$ V+ Q5 p3 h, J5 Z# 8. 允许192.168.1.0/24端口的主机访问本机的8080端口，同时指定日志的前缀和输出级别：
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port=8080 protocol="tcp" log prefix=proxy level=warning accept'
$ K; S& ]% ?8 d6 s
# 9.将访问端口是5432且源ip是192.168.0.0/32的主机转发到本机的80端口：
, I7 q2 A; D+ f, gfirewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.0/32 forward-port port=5432 protocol=tcp to-port=80'

2 h4 M6 b7 P7 P8 Y# 10. 允许icmp协议的数据包通信：
: }1 `) c' v$ A) j% z) R7 h5 vfirewall-cmd --add-rich-rule 'rule protocol value="icmp" accept' --permanent