linux服务器防火墙知识学习

# 查看 rich rules(富规则):列出当前运行时(runtime)生效的全部富规则;加 --permanent 才显示持久化配置。注意下面这条规则没有限定 port/service,意味着来自该源地址的所有流量都被放行,范围偏大,建议用 port 或 service 收窄到实际需要的端口。

[root@hcss-ecs-8b3c ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="xxx.xxx.xx.xx" accept

# 每次用 --permanent 修改规则后,都需要重载防火墙(firewall-cmd --reload)才会生效;反之,不带 --permanent 的修改只在运行时生效,reload 或重启后会丢失。

[root@hcss-ecs-8b3c ~]# firewall-cmd --reload
success

# 删除已存在的富规则:规则字符串必须与 firewall-cmd --permanent --list-rich-rules 的输出完全一致(包括地址和空格),否则会报错(NOT_ENABLED)而不是 success;删除后同样需要 --reload 才会从运行时移除。

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xx" accept'
success
  • 启动: systemctl start firewalld
  • 关闭: systemctl stop firewalld (停止后主机上不再有本机过滤,只剩云平台安全组;仅建议排障时临时使用,不要作为长期状态)
  • 查看状态: systemctl status firewalld
  • 开机禁用 : systemctl disable firewalld (只取消开机自启,对当前正在运行的实例无影响;需要的话还要配合 stop)
  • 开机启用 : systemctl enable firewalld

# 重启防火墙:restart 会完整重启服务,未用 --permanent 保存的运行时规则会丢失,状态信息也会重置,可能中断已建立的连接;只是应用持久化改动时,优先使用 firewall-cmd --reload(保留状态信息)。

[root@hcss-ecs-8b3c ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service

# 查看默认 zone 中已开放的端口(仅运行时;加 --permanent 查看持久化配置)。--list-ports 只显示端口,不包含 services 和富规则,完整视图用 firewall-cmd --list-all。应定期核对这份清单:下面开放的 20/21(通常是 FTP,明文协议)、888、30073、39000-40000 等端口,都应确认仍然需要对外暴露。

[root@hcss-ecs-8b3c ~]# firewall-cmd --list-ports
20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 30073/tcp 39000-40000/tcp 888/tcp

# 关闭已经开放的端口(--permanent 的修改同样需要 --reload 后才在运行时生效)

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-port=20/tcp
success

# 批量开放 80 到 90 之间的所有端口。这里显式指定了 --zone=public,而本页其他命令未指定 zone(作用于默认 zone);如果默认 zone 不是 public,添加和删除会落在不同的 zone。建议统一显式写 --zone,或先用 firewall-cmd --get-default-zone 确认。

[root@hcss-ecs-8b3c ~]# firewall-cmd --zone=public --add-port=80-90/tcp --permanent
success

# 批量关闭 80 到 90 之间的所有端口(未指定 --zone,作用于默认 zone;应与添加时使用同一个 zone,否则删不掉)

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-port=80-90/tcp
success

# 限制单个 IP:拒绝 192.168.1.1 访问 80 端口。在默认优先级下,reject/drop 类富规则会先于 zone 的 ports/services 匹配,因此即使 80/tcp 已整体开放,该来源仍会被拒绝。reject 会向对方返回拒绝响应(暴露防火墙的存在),如不希望如此可改用 drop。

[root@hcss-ecs-8b3c ~]# firewall-cmd --list-ports
20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 30073/tcp 39000-40000/tcp 888/tcp
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1' port protocol='tcp'  port='80' reject"
success

# 批量限制 IP:拒绝 192.168.1.0/24 整个网段访问 80 端口。注意 deny 规则先于 accept 规则匹配:如果同时想放行该网段内的个别主机(例如 192.168.1.1),单纯再加一条 accept 富规则不会生效,需要给 accept 规则设置更高优先级(如 rule priority="-10" family="ipv4" ... accept,firewalld 0.7 及以上支持 priority)。

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp'  port='80' reject"
success

# 允许单个 IP 访问 80 端口:这条 accept 富规则只是额外放行,并不会限制其他来源。如果目的是"只允许该 IP 访问 80",必须同时从 zone 中移除 80/tcp(firewall-cmd --permanent --remove-port=80/tcp 后 --reload),否则 80 仍然对所有人开放(见 --list-ports 输出中的 80/tcp)。

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1' port protocol='tcp'  port='80' accept"
success

# 批量允许一个网段访问 80 端口:同样只有在 80/tcp 未整体开放时,才能起到"仅白名单网段可访问"的效果。另外,若主机位于负载均衡或 NAT 之后,防火墙看到的 source address 可能是 LB/NAT 的地址而不是真实客户端,规则应按防火墙实际看到的来源地址配置。

[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp'  port='80' accept"
success
