A few common firewalld usages

  • 2019-09-02

Usage 1:

None of the internal hosts can reach the internet; they only have private addresses. The only way out is through a single management host that has a public address.

# On the management host, enable IP masquerading (NAT) in the firewall
[root@ljcccc ~]# firewall-cmd --add-masquerade
[root@ljcccc ~]# firewall-cmd --list-all             
......
  masquerade: yes
......

# On the internal hosts, edit the NIC config so the gateway points at the management host
[root@ljc ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-eth1    
GATEWAY=10.0.0.3

# Add a DNS server
[root@ljc ~]# vim /etc/resolv.conf 
# Generated by NetworkManager
nameserver 223.5.5.5
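The zone-wide --add-masquerade above NATs every packet the management host forwards, and because it was run without --permanent it is gone after the next firewalld reload or reboot. The script below is an added example written for this page (it is not from the original post): it limits masquerading to the internal subnet with a rich rule, stores it permanently, and verifies the result. The subnet 10.0.0.0/24 and the use of firewalld's default zone are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): masquerade only traffic that
# comes from the internal subnet, instead of everything the zone forwards,
# and make the setting permanent.
# Assumptions (constructed): internal subnet 10.0.0.0/24; the default zone
# is the one facing the internet.

INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"

# Accept only a plain a.b.c.d/n IPv4 CIDR (n in 0..32, octets <= 255); return 1 otherwise.
valid_cidr4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  ip=${1%/*}
  for o in $(echo "$ip" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Rich rule that masquerades only packets sourced from the given subnet.
masquerade_rule() {
  valid_cidr4 "$1" || return 1
  echo "rule family=ipv4 source address=$1 masquerade"
}

# Stage the change with --permanent, apply it with --reload, then confirm that the
# zone-wide flag is off, the scoped rule is present and forwarding is enabled.
apply_scoped_masquerade() {
  rule=$(masquerade_rule "$INTERNAL_NET") || { echo "bad subnet: $INTERNAL_NET" >&2; return 1; }
  firewall-cmd --permanent --remove-masquerade >/dev/null 2>&1 || true   # fails harmlessly if it was never set
  firewall-cmd --permanent --add-rich-rule="$rule"
  firewall-cmd --reload
  if firewall-cmd --query-masquerade; then
    echo "zone-wide masquerade is still on" >&2; return 1
  fi
  firewall-cmd --list-rich-rules | grep -F "source address=\"$INTERNAL_NET\"" || return 1
  sysctl -n net.ipv4.ip_forward | grep -qx 1 || echo "warning: net.ipv4.ip_forward is 0" >&2
}

case "${1:-}" in
  apply) apply_scoped_masquerade ;;
esac
```

Run it as "sh scoped-masq.sh apply" on the management host; the rule builder and the CIDR check need no firewalld, so they can be exercised on any machine.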

Usage 2:

The management host (10.0.0.3) allows connections only from the company's IP address 10.0.0.1 and rejects everything else.

# Remove the default ssh service
[root@ljcccc ~]# firewall-cmd --remove-service=ssh
# Add a rich rule
[root@ljcccc ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
success
[root@ljcccc ~]# firewall-cmd --list-all  
.......
  services: dhcpv6-client
........
  rich rules: 
        rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
# Test
[root@ljc ~]# ssh root@10.0.0.3
ssh: connect to host 10.0.0.3 port 22: No route to host

ljcdeMBP:~ ljc$ ssh root@10.0.0.3
root@10.0.0.3's password: 
Last login: Wed Jun 12 20:28:28 2019 from 172.16.1.5
[root@ljcccc ~]# 

Usage 3:

On the load balancer, allow only ports 80 and 443; port 22 is reachable only from 10.0.0.1, and everything else is rejected.

[root@slb1 ~]# firewall-cmd --remove-service=ssh
[root@slb1 ~]# firewall-cmd --remove-service=dhcpv6-client
[root@slb1 ~]# firewall-cmd --add-service={https,http}
[root@slb1 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.1/32 service name=ssh accept'
[root@slb1 ~]# firewall-cmd --list-all  
........
  services: dhcpv6-client https http
........
  rich rules: 
        rule family="ipv4" source address="10.0.0.1/32" service name="ssh" accept
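Two things are easy to get wrong in usages 2 and 3: every command above is runtime-only (no --permanent), so the ssh whitelist vanishes at the next reload while the service removal does too; and running --remove-service=ssh from an SSH session whose source address is not covered by the new rich rule locks you out. The script below is an added example written for this page (not the post's own commands): it stages the same lockdown permanently and refuses to proceed when the admin's current SSH session comes from outside the whitelisted CIDR. The admin address 10.0.0.1/32 is taken from the post; the IPv4-only session check and the CIDR helper are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): lock SSH down to one admin
# address permanently, keeping http/https open on the load balancer, with a
# guard against cutting off the session that is applying the change.
# Assumptions (constructed): admin address 10.0.0.1/32; the session is IPv4.

ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.1/32}"

# Dotted-quad IPv4 address -> 32-bit integer, using shell arithmetic.
ip4_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS IP -> 0 if IP is inside NET/BITS, 1 if not, 2 on a bad prefix length.
cidr_contains() {
  net=${1%/*}; bits=${1#*/}
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 2
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# Rich rule accepting ssh only from the given IPv4 CIDR. Anything that is not a
# plain a.b.c.d/n is rejected so no stray tokens can land in the rule text.
ssh_allow_rule() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  echo "rule family=ipv4 source address=$1 service name=ssh accept"
}

apply_ssh_lockdown() {
  admin=$1
  client=${SSH_CONNECTION%% *}   # sshd exports "client_ip client_port server_ip server_port"
  case "$client" in *:*) echo "IPv6 session; this guard only handles IPv4" >&2; return 1 ;; esac
  if [ -n "$client" ] && ! cidr_contains "$admin" "$client"; then
    echo "refusing: this session comes from $client, outside $admin" >&2
    return 1
  fi
  rule=$(ssh_allow_rule "$admin") || { echo "bad admin CIDR: $admin" >&2; return 1; }
  # Everything is staged with --permanent and applied at once by --reload, so
  # there is no window in which ssh is closed but the whitelist is not yet active.
  firewall-cmd --permanent --add-rich-rule="$rule"
  firewall-cmd --permanent --remove-service=ssh
  firewall-cmd --permanent --remove-service=dhcpv6-client
  firewall-cmd --permanent --add-service=http --add-service=https
  firewall-cmd --reload
  firewall-cmd --list-services
  firewall-cmd --list-rich-rules
}

case "${1:-}" in
  apply) apply_ssh_lockdown "$ADMIN_CIDR" ;;
esac
```

Run it as "sh ssh-lockdown.sh apply" over the admin's SSH session; if SSH_CONNECTION shows a client address outside ADMIN_CIDR, the script stops before touching the firewall.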

Usage 4:

Turn port 9000 into a named service, for example php-fpm, so that adding that service opens port 9000.

[root@ljccc services]# cd /usr/lib/firewalld/services/
[root@ljccc  services]# cp mysql.xml php-fpm.xml
[root@ljccc  services]# vim php-fpm.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>php-fpm</short>
  <description>php-fpm Server</description>
  <port protocol="tcp" port="9000"/>
</service>

[root@ljccc  services]# systemctl restart firewalld.service 
[root@ljccc  services]# firewall-cmd --add-service=php-fpm  
success
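Two refinements to usage 4 that a practitioner will want: custom definitions belong in /etc/firewalld/services, because /usr/lib/firewalld/services is owned by the firewalld package and is replaced on upgrade, and a plain --reload is enough to pick up a new file, with no need to restart the daemon. Since php-fpm on 9000 only ever needs to be reachable from the web server, the service is also better opened for that one address than for the whole zone. The script below is an added example written for this page (not from the original post); the web server address 10.0.0.7/32 and the service name validation are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): define a firewalld service for
# php-fpm on 9000/tcp in the local override directory, reload, and allow it only
# from the web server that talks to php-fpm.
# Assumptions (constructed): the web server is 10.0.0.7/32.

SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"
WEB_HOST="${WEB_HOST:-10.0.0.7/32}"

# Return 0 for a port number in 1..65535.
valid_port() {
  echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the service definition XML for NAME PORT [PROTO] on stdout; PROTO is tcp or udp.
service_xml() {
  name=$1; port=$2; proto=${3:-tcp}
  echo "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1   # keeps the XML free of special characters
  valid_port "$port" || return 1
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$name on $port/$proto (local definition)</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Write the file, reload so firewalld parses it, then open it for WEB_HOST only.
install_scoped_service() {
  name=$1; port=$2; proto=${3:-tcp}
  xml=$(service_xml "$name" "$port" "$proto") || { echo "invalid service spec: $*" >&2; return 1; }
  umask 022
  printf '%s\n' "$xml" > "$SERVICE_DIR/$name.xml"
  firewall-cmd --reload                       # a reload is enough; no systemctl restart needed
  firewall-cmd --info-service="$name"         # confirms firewalld parsed the definition
  firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$WEB_HOST service name=$name accept"
  firewall-cmd --reload
  firewall-cmd --list-rich-rules | grep -F "service name=\"$name\""
}

case "${1:-}" in
  install) install_scoped_service php-fpm 9000 tcp ;;
esac
```

Run it as "sh php-fpm-service.sh install". The same definition can also be created without hand-written XML: firewall-cmd --permanent --new-service=php-fpm, then firewall-cmd --permanent --service=php-fpm --add-port=9000/tcp, then firewall-cmd --reload; firewalld writes the file into /etc/firewalld/services for you.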
