命令firewalld和firewall-cmd用法

firewalld命令跟firewall-cmd
1.启动firewalld服务

systemctl start firewalld.service

2.关闭firewalld服务

systemctl stop firewalld.service

3.重启firewalld服务

systemctl restart firewalld.service

4.查看firewalld状态

systemctl status firewalld.service

5.开机自启firewalld

systemctl enable firewalld

6.查看版本

firewall-cmd --version

7.查看帮助

firewall-cmd --help

8.显示状态

firewall-cmd --state

9.查看当前所有规则

firewall-cmd --list-all

10.查看所有打开的端口

firewall-cmd --zone=public --list-ports

11.更新防火墙规则

firewall-cmd --reload

12.添加开放端口

firewall-cmd --zone=public --add-port=80/tcp --permanent 
注意：permanent永久生效，没有此参数重启后失效

13.查看端口是否开放

firewall-cmd --zone=public --query-port=80/tcp

14.删除开放端口

firewall-cmd --zone=public --remove-port=80/tcp --permanent

15.批量开放一段TCP端口

firewall-cmd --permanent --add-port=9001-9100/tcp

16.开放IP的访问

firewall-cmd --permanent --add-source=192.168.229.1/24

17.开放整个源IP段的访问

firewall-cmd --permanent --add-source=192.168.229.0/24

18.移除IP访问

firewall-cmd --permanent --remove-source=192.168.229.1/24

19.允许指定IP访问本机80端口

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'

20.禁止指定IP访问本机80端口

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" reject'

21.移除允许指定IP访问本机80端口规则

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.229.1/24" port protocol="tcp" port="80" accept'

注：每次更改firewall规则后需重新加载（firewall-cmd --reload）

案例：

tomcat 的安装

//安装jdk环境
[root@localhost ~]# dnf -y install java-17-openjdk*
.....安装过程略

//下载tomcat
[root@localhost ~]# cd /usr/src/
[root@localhost src]# wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.65/bin/apache-tomcat-9.0.65.tar.gz

[root@localhost src]# tar xf apache-tomcat-9.0.65.tar.gz  //解压部署
[root@localhost src]# ls
apache-tomcat-9.0.65  apache-tomcat-9.0.65.tar.gz  debug  kernels
[root@localhost src]# mv apache-tomcat-9.0.65 /usr/local/tomcat  // 移动并重命名为Tomcat
[root@localhost src]# ll  /usr/local/tomcat/ -d
drwxr-xr-x. 9 root root 220 Aug 15 13:03 /usr/local/tomcat/

// 启动tomcat
[root@localhost ~]# cd /usr/local/tomcat/bin/
[root@localhost bin]# ./catalina.sh start
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Tomcat started.

[root@localhost bin]# ss -antl  // 查看端口
State  Recv-Q Send-Q        Local Address:Port   Peer Address:Port Process
LISTEN 0      128                 0.0.0.0:22          0.0.0.0:*
LISTEN 0      1        [::ffff:127.0.0.1]:8005              *:*
LISTEN 0      100                       *:8080              *:*
LISTEN 0      128                    [::]:22             [::]:*

已经关闭SElinux

不关闭防火墙的情况下firewalld
将Tomcat的8080端口映射为80端口

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

放行指定IP加端口80

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.229.148" port protocol="tcp" port="80" accept'

如果需要长期使用则增加--permanent加入到永久规则即可。
不添加 --permanent 重启后失效

重启防火墙

firewall-cmd --reload

查看当前所有规则

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
	port=80:proto=tcp:toport=8080:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.229.148" port port="80" protocol="tcp" accept
[root@localhost ~]#

访问测试

访问192.168.229.184:80 是可以访问的

---

访问 192.168.229.184:8080 是访问不了的，因为只放行了80端口，没有放行8080端口

---