firewalld is managed with the firewall-cmd command; the common commands are as follows
1. Start the firewalld service
systemctl start firewalld.service
2. Stop the firewalld service
systemctl stop firewalld.service
3. Restart the firewalld service
systemctl restart firewalld.service
4. View firewalld status
systemctl status firewalld.service
5. Start firewalld automatically after booting
systemctl enable firewalld
6. View version
firewall-cmd --version
7. View help
firewall-cmd --help
8. Display Status
firewall-cmd --state
9. View all current rules
firewall-cmd --list-all
10. View all open ports
firewall-cmd --zone=public --list-ports
11. Update firewall rules
firewall-cmd --reload
12. Add open ports
firewall-cmd --zone=public --add-port=80/tcp --permanent
Note: --permanent makes the rule persist across restarts; without this option the rule is lost after the service restarts
13. Check whether the port is open
firewall-cmd --zone=public --query-port=80/tcp
14. Delete open ports
firewall-cmd --zone=public --remove-port=80/tcp --permanent
15. Open a section of TCP ports in batches
firewall-cmd --permanent --add-port=9001-9100/tcp
16. Open IP access (note: with a /24 mask this matches the whole 192.168.229.0/24 network, the same as item 17; use a /32 mask, or omit the mask, to match a single host)
firewall-cmd --permanent --add-source=192.168.229.1/24
17. Open access to the entire source IP segment
firewall-cmd --permanent --add-source=192.168.229.0/24
18. Remove IP access
firewall-cmd --permanent --remove-source=192.168.229.1/24
19. Allow the specified IP to access port 80 of the machine (note: with source address="192.168.229.1/24" the rule matches the whole 192.168.229.0/24 network, not a single IP; use /32 or omit the mask for one host — the same applies to items 20 and 21)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'
20. Forbid the specified IP to access port 80 of the machine
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" reject'
21. Remove the rule that allows specified IP to access port 80 of the machine
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'
Note: after changing firewall rules with --permanent, you need to reload for them to take effect (firewall-cmd --reload)
case:
tomcat installation
// install the JDK environment
[root@localhost ~]# dnf -y install java-17-openjdk*
..... installation output omitted
// download tomcat (verify the archive against the release's published checksum/signature before extracting)
[root@localhost ~]# cd /usr/src/
[root@localhost src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.65/bin/apache-tomcat-9.0.65.tar.gz
[root@localhost src]# tar xf apache-tomcat-9.0.65.tar.gz // extract the archive
[root@localhost src]# ls
apache-tomcat-9.0.65 apache-tomcat-9.0.65.tar.gz debug kernels
[root@localhost src]# mv apache-tomcat-9.0.65 /usr/local/tomcat // move and rename to tomcat
[root@localhost src]# ll /usr/local/tomcat/ -d
drwxr-xr-x. 9 root root 220 Aug 15 13:03 /usr/local/tomcat/
// start tomcat
[root@localhost ~]# cd /usr/local/tomcat/bin/
[root@localhost bin]# ./catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Tomcat started.
[root@localhost bin]# ss -antl // check listening ports
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
SELinux has been turned off
Use firewalld to forward port 80 to Tomcat's port 8080 without turning off the firewall
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
Allow the specified IP to access port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.148" port protocol="tcp" port="80" accept'
If the rule is needed long-term, add --permanent so it is written to the permanent rules.
Without --permanent the rule is lost after a restart
Reload the firewall rules
firewall-cmd --reload
View all current rules
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
port=80:proto=tcp:toport=8080:toaddr=
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.229.148" port port="80" protocol="tcp" accept
[root@localhost ~]#
Access test
192.168.229.184:80 is reachable
192.168.229.184:8080 is not reachable, because only port 80 is allowed and port 8080 is not opened (note: also test port 80 from a source address that is not in the rich rule, to confirm the forward-port alone does not admit the traffic for every source in the zone)