简单的配置，参考学习：
–permanent 当设定永久状态时在命令开头或者结尾处加入此参数,否则重载或重启防火墙后设置失效！

开放端口：

firewall-cmd –zone=public –add-port=80/tcp –permanent

firewall-cmd –zone=public –add-port=22/tcp –permanent

常见端口
http:80
ssh:22
redis:6379 7000 7001 7002
mysql:3306
mongdb:5672
es:9300
rebbitmq:5672
consul:8500

可以一次指定多个：

firewall-cmd –zone=public –permanent –add-port=111/tcp –add-port=139/tcp –add-port=445/tcp

firewall-cmd –reload
查看所有打开的端口：

firewall-cmd –list-port

firewall-cmd –zone=public –list-ports

开启伪装：

firewall-cmd [–zone=zone] –add-masquerade

firewall-cmd –remove-masquerade

firewall-cmd –query-masquerade

添加区域接口：

firewall-cmd [–zone=zone] –add-interface=

firewall-cmd –zone=public –add-interface=eth0

列出全部启用的区域的特性
firewall-cmd –list-all-zones
输出区域全部启用的特性。如果省略区域，将显示默认区域的信息

firewall-cmd –zone=public –list-all

启用某个服务：
firewall-cmd –add-service=http
firewall-cmd –add-service=vnc-server

firewall-cmd –zone=public –add-service=nfs –add-service=samba –add-service=samba-client –permanent

firewall-cmd –remove-service=service 移除服务
查询：firewall-cmd –list-service

NAT地址转换：
firewall-cmd [–zone=] –add-forward-port=port=[-]:proto= { :toport=[-] | :toaddr=

| :toport=[-]:toaddr=

}
IP端口转发：

firewall-cmd –add-forward-port=222:proto=tcp:toport=333:toaddr=192.168.1.100

本地转发：

firewall-cmd –add-forward-port=port=9898:proto=tcp:toport=8088:toaddr=

success
查询：

firewall-cmd –list-forward-port

firewall-cmd –list-port

firewall-cmd –list-all

移除：

firewall-cmd –remove-forward-port=port=222:proto=tcp:toport=333:toaddr=

firewall-cmd –remove-forward-port=222:proto=tcp:toport=333:toaddr=192.168.1.100

图形化配置工具：# firewall-config

自定义规则：
/sbin/iptables -t filter -I INPUT_direct 2 -s 192.168.1.1 -p tcp –dport=22 -j DROP
usage: –direct –add-rule { ipv4 | ipv6 | eb }

firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 1 -s 192.168.1.0/24 -p tcp –dport=22 -j ACCEPT

firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 2 -p tcp –dport=22 -j DROP

firewall-cmd –reload

firewall-cmd –direct –get-all-rules

ipv4 filter INPUT 1 -s 192.168.1.0/24 -p tcp –dport=22 -j ACCEPT
ipv4 filter INPUT 2 -p tcp –dport=22 -j DROP

Centos7 Firewall 防火墙配置规则

firewall-cmd –zone=public –add-port=80/tcp –permanent

firewall-cmd –zone=public –add-port=22/tcp –permanent

firewall-cmd –zone=public –permanent –add-port=111/tcp –add-port=139/tcp –add-port=445/tcp

firewall-cmd –list-port

firewall-cmd –zone=public –list-ports

firewall-cmd [–zone=zone] –add-masquerade

firewall-cmd –remove-masquerade

firewall-cmd –query-masquerade

firewall-cmd [–zone=zone] –add-interface=

firewall-cmd –zone=public –add-interface=eth0

firewall-cmd –zone=public –list-all

firewall-cmd –zone=public –add-service=nfs –add-service=samba –add-service=samba-client –permanent

firewall-cmd –add-forward-port=222:proto=tcp:toport=333:toaddr=192.168.1.100

firewall-cmd –add-forward-port=port=9898:proto=tcp:toport=8088:toaddr=

firewall-cmd –list-forward-port

firewall-cmd –list-port

firewall-cmd –list-all

firewall-cmd –remove-forward-port=port=222:proto=tcp:toport=333:toaddr=

firewall-cmd –remove-forward-port=222:proto=tcp:toport=333:toaddr=192.168.1.100

firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 1 -s 192.168.1.0/24 -p tcp –dport=22 -j ACCEPT

firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 2 -p tcp –dport=22 -j DROP

firewall-cmd –reload

firewall-cmd –direct –get-all-rules

猜你喜欢