firewalld commands and firewall-cmd
1. Start the firewalld service
systemctl start firewalld.service
2. Stop the firewalld service
systemctl stop firewalld.service
3. Restart the firewalld service
systemctl restart firewalld.service
4. Check the firewalld status
systemctl status firewalld.service
5. Enable firewalld at boot
systemctl enable firewalld
6. Show the version
firewall-cmd --version
7. Show the help
firewall-cmd --help
8. Show the state
firewall-cmd --state
9. List all current rules
firewall-cmd --list-all
10. List all open ports
firewall-cmd --zone=public --list-ports
11. Reload the firewall rules
firewall-cmd --reload
12. Open a port
firewall-cmd --zone=public --add-port=80/tcp --permanent
Note: --permanent makes the rule persist; without this option the rule is lost after a restart.
13. Check whether a port is open
firewall-cmd --zone=public --query-port=80/tcp
14. Remove an open port
firewall-cmd --zone=public --remove-port=80/tcp --permanent
15. Open a range of TCP ports
firewall-cmd --permanent --add-port=9001-9100/tcp
16. Allow access from a source IP
firewall-cmd --permanent --add-source=192.168.229.1/24
17. Allow access from a whole source IP range
firewall-cmd --permanent --add-source=192.168.229.0/24
18. Remove source IP access
firewall-cmd --permanent --remove-source=192.168.229.1/24
19. Allow a specified IP to access local port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'
20. Deny a specified IP access to local port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" reject'
21. Remove the rule allowing a specified IP to access local port 80
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'
Note: after every change to the firewall rules, reload them (firewall-cmd --reload).
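Items 12 to 21 hand port specs, source addresses and rich-rule text straight to firewall-cmd, which accepts a source such as 192.168.229.1/24 even though the kernel then matches the whole 192.168.229.0/24 network, so items 16 and 17 add the same rule. The following is an added example, not code from these notes or from firewalld: plain POSIX shell that validates those arguments before they are used and prints the network a source actually covers. The function names (valid_port_spec, ipv4_network, build_rich_rule) are assumptions of this example; nothing here calls firewall-cmd.

```shell
#!/bin/sh
# Added example (not part of the original notes): check the arguments used in
# items 12-21 before they reach firewall-cmd. Function names are this example's own.

# Accept "N/proto" or "N-M/proto", the forms used with --add-port above.
valid_port_spec() {
    vp_proto=${1##*/}
    vp_ports=${1%/*}
    case "$vp_proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    vp_lo=${vp_ports%-*}
    vp_hi=${vp_ports#*-}
    for p in "$vp_lo" "$vp_hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
    done
    [ "$vp_lo" -le "$vp_hi" ]
}

# Normalise an IPv4 source to network/prefix, or fail if it is malformed.
# 192.168.229.1/24 -> 192.168.229.0/24 ; a bare address gets /32.
ipv4_network() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then prefix=32; else prefix=${1#*/}; fi
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots into positional parameters; -f stops glob expansion.
    oldIFS=$IFS; IFS=.
    set -f; set -- $addr; set +f
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Digits only, no leading zeros (they would be read as octal below).
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Build the rich-rule text used in items 19-21 from validated parts.
# Arguments: source port proto action (accept|reject|drop).
build_rich_rule() {
    src=$1; port=$2; proto=$3; action=$4
    case "$action" in accept|reject|drop) ;; *) return 1 ;; esac
    ipv4_network "$src" >/dev/null || return 1
    valid_port_spec "$port/$proto" || return 1
    printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" %s\n' \
        "$src" "$proto" "$port" "$action"
}

# Worked run with the values from items 16 and 19 (constructed input):
echo "192.168.229.1/24 matches $(ipv4_network 192.168.229.1/24)"   # 192.168.229.0/24
if rule=$(build_rich_rule 192.168.229.1/24 80 tcp accept); then
    echo "firewall-cmd --permanent --add-rich-rule='$rule'"
fi
```

To allow a single host rather than a network, give the address without a prefix (or with /32). Rules added with --permanent are written to the saved configuration only; the running ruleset changes after firewall-cmd --reload, which is why the note above asks for a reload after every change.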
Example:
Installing Tomcat
// Install the JDK
[root@localhost ~]# dnf -y install java-17-openjdk*
..... installation output omitted
// Download Tomcat
[root@localhost ~]# cd /usr/src/
[root@localhost src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.65/bin/apache-tomcat-9.0.65.tar.gz
[root@localhost src]# tar xf apache-tomcat-9.0.65.tar.gz // extract for deployment
[root@localhost src]# ls
apache-tomcat-9.0.65 apache-tomcat-9.0.65.tar.gz debug kernels
[root@localhost src]# mv apache-tomcat-9.0.65 /usr/local/tomcat // move and rename to tomcat
[root@localhost src]# ll /usr/local/tomcat/ -d
drwxr-xr-x. 9 root root 220 Aug 15 13:03 /usr/local/tomcat/
// Start Tomcat
[root@localhost ~]# cd /usr/local/tomcat/bin/
[root@localhost bin]# ./catalina.sh start
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Tomcat started.
[root@localhost bin]# ss -antl // check the listening ports
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*
SELinux has already been disabled.
Without turning the firewall off, use firewalld to map Tomcat's port 8080 to port 80:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
Allow the specified IP on port 80:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.148" port protocol="tcp" port="80" accept'
For long-term use add --permanent so the rule is written to the permanent configuration;
without --permanent the rule is lost after a restart.
Reload the firewall:
firewall-cmd --reload
List all current rules:
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
port=80:proto=tcp:toport=8080:toaddr=
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.229.148" port port="80" protocol="tcp" accept
[root@localhost ~]#
Access test
Accessing 192.168.229.184:80 works.
Accessing 192.168.229.184:8080 does not work, because only port 80 was opened, not 8080.
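The access test above is answered by reading the zone dump: 80/tcp appears under forward-ports with toport=8080, 8080/tcp appears only as that forward target, and nothing lists it under ports. The following is an added example, not code from these notes or from firewalld: a POSIX shell audit that parses firewall-cmd --list-all output and classifies how a port is reachable. LIST_ALL is a constructed copy of the dump shown above; the function names (zone_field, zone_entries, port_open, forward_target, rich_rules_for_source, reachability) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit the zone dump that
# "firewall-cmd --list-all" prints. LIST_ALL is a constructed copy of the
# output above; on a real host use:  LIST_ALL=$(firewall-cmd --list-all)
LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
        port=80:proto=tcp:toport=8080:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.229.148" port port="80" protocol="tcp" accept'

# Value of a single-line field, e.g. zone_field services.
zone_field() {
    printf '%s\n' "$LIST_ALL" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Indented entries under a multi-line field (forward-ports, "rich rules").
zone_entries() {
    printf '%s\n' "$LIST_ALL" | awk -v field="$1" '
        $0 ~ ("^[ \t]*" field ":") { on = 1; next }
        on && /^[ \t]*[a-z-]+( [a-z]+)?:/ { on = 0 }
        on { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}

# Succeed if PORT/PROTO is listed directly under "ports:".
port_open() {
    for p in $(zone_field ports); do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# Print the local port that incoming PORT/PROTO is forwarded to, if any.
forward_target() {
    want_port=${1%/*}; want_proto=${1#*/}
    zone_entries forward-ports | while IFS=: read -r fp fproto fto faddr; do
        if [ "${fp#port=}" = "$want_port" ] && [ "${fproto#proto=}" = "$want_proto" ]; then
            printf '%s\n' "${fto#toport=}"
        fi
    done
}

# Rich rules that name the given source address.
rich_rules_for_source() {
    zone_entries 'rich rules' | grep -F "source address=\"$1\"" || true
}

# Classify how PORT/PROTO is reachable through this zone. Looks at ports:,
# forward-ports: and rich rules: only; the services: list is not expanded.
reachability() {
    rport=${1%/*}; rproto=${1#*/}
    if port_open "$1"; then echo "open"; return 0; fi
    rto=$(forward_target "$1")
    if [ -n "$rto" ]; then echo "forwarded to $rto"; return 0; fi
    if zone_entries forward-ports | grep -q "proto=$rproto:toport=$rport:"; then
        echo "forward target only"; return 0
    fi
    if zone_entries 'rich rules' | grep -q "port=\"$rport\" protocol=\"$rproto\""; then
        echo "rich rule only"; return 0
    fi
    echo "not opened"
}

# The access test from the notes, answered from the ruleset alone:
echo "80/tcp:   $(reachability 80/tcp)"      # forwarded to 8080
echo "8080/tcp: $(reachability 8080/tcp)"    # forward target only
echo "rules for 192.168.229.148:"; rich_rules_for_source 192.168.229.148
```

firewall-cmd --list-all shows the runtime zone, which is what actually filters traffic; after adding rules with --permanent and before --reload, compare it with firewall-cmd --permanent --list-all to see what has been saved but is not yet active.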