CentOS 7 firewall configuration and whitelist issues


Check the firewall status:

systemctl status firewalld

Start the firewall and enable it at boot:

systemctl start firewalld
systemctl enable firewalld

1. Open port 22:

firewall-cmd --zone=public --add-port=22/tcp --permanent

Reload the rules so the permanent change takes effect:
firewall-cmd --reload

Check whether it took effect:

firewall-cmd --zone=public --query-port=22/tcp

List the open ports:
firewall-cmd --zone=public --list-ports

Open a range of ports at once:

firewall-cmd --zone=public --add-port=100-500/tcp --permanent

Check the result (ports added with --add-port appear under --list-ports; the rich rules used in the next section appear under --list-rich-rules):

firewall-cmd --zone=public --list-rich-rules

2. Script (whitelist an address range on a single port):

#!/bin/bash

# start the firewall service ("service firewalld start" is redirected to
# systemctl on CentOS 7, so the native command is used here)
systemctl start firewalld

# allow the address range 172.16.17.1-70 to reach tcp/1521
# 172.16.17.0/26 covers 172.16.17.0-63 (note that .0 is included as well)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.0/26" port protocol="tcp" port="1521" accept'

# permit 172.16.17.63 explicitly, since it is the broadcast address of the range above
# (a CIDR "source address" match already includes .63, so this rule is redundant but harmless)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.63" port protocol="tcp" port="1521" accept'

# permit 172.16.17.64-70 one by one
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.64" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.65" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.66" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.67" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.68" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.69" port protocol="tcp" port="1521" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.17.70" port protocol="tcp" port="1521" accept'

# reload so the permanent rules take effect now
firewall-cmd --reload
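The script above approximates 172.16.17.1-70 with a /26 (which also admits 172.16.17.0) plus one rule per remaining host. As an added example, not part of the original post, the following helper splits an inclusive address range into the exact set of CIDR blocks and prints the matching rich rules; the function names ip2int, int2ip, range_to_cidrs and emit_rich_rules are mine, and the commands are printed rather than executed so they can be reviewed before being applied on the host.

```shell
#!/bin/bash
# Decompose an inclusive IPv4 range into the minimal set of CIDR blocks and
# print the matching firewall-cmd rich rules. Commands are printed, not run.

ip2int() {                       # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST: one CIDR per line covering exactly FIRST..LAST
range_to_cidrs() {
  local cur end prefix blk
  cur=$(ip2int "$1"); end=$(ip2int "$2")
  while [ "$cur" -le "$end" ]; do
    prefix=32
    # widen the block while it stays aligned and does not overshoot LAST
    while [ "$prefix" -gt 0 ]; do
      blk=$(( 1 << (33 - prefix) ))          # size of the next larger block
      if [ $(( cur % blk )) -ne 0 ] || [ $(( cur + blk - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    echo "$(int2ip "$cur")/$prefix"
    cur=$(( cur + (1 << (32 - prefix)) ))
  done
}

# emit_rich_rules FIRST LAST PORT: print the firewall-cmd lines for the range,
# followed by the reload that makes the permanent rules active
emit_rich_rules() {
  range_to_cidrs "$1" "$2" | while read -r cidr; do
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port protocol=\"tcp\" port=\"%s\" accept'\n" "$cidr" "$3"
  done
  echo "firewall-cmd --reload"
}

# The range from the script above: 172.16.17.1-70 on tcp/1521.
# Unlike 172.16.17.0/26, the generated blocks never include 172.16.17.0.
emit_rich_rules 172.16.17.1 172.16.17.70 1521
```

For 172.16.17.1-70 this yields nine blocks (/32, /31, /30, /29, /28, /27, /30, /31, /32) instead of the /26 plus eight single-host rules, and nothing outside the intended range is admitted.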

3. View the zone file and edit the rules directly:

vi /etc/firewalld/zones/public.xml

Quick reference for common firewall-cmd commands, using port 443 as the example. Permanent changes need the --permanent parameter; to allow another port, just replace 443.

Adding a rule

Temporary (runtime only, lost on reload or restart):

firewall-cmd --zone=public --add-port=443/tcp

Permanent:

firewall-cmd --permanent --zone=public --add-port=443/tcp

A permanent rule only takes effect once the firewall reloads its rules.

Reload the rules:

firewall-cmd --reload

Removing a rule

Temporary:

firewall-cmd --zone=public --remove-port=443/tcp

Permanent:

firewall-cmd --permanent --zone=public --remove-port=443/tcp

A permanent removal likewise only takes effect after the firewall reloads its rules.

List all open ports:

firewall-cmd --zone=public --list-ports
