目录

一、查看firewall规则

二、配置允许访问规则

(一)配置文件添加

(二)命令行添加

1. 开通所有源IP访问http服务

2. 开通访问http服务,并限制源IP访问

三、配置禁止访问规则

四、删除规则

五、备注

一、查看firewall规则

[root@localhost ~]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

二、配置允许访问规则

(一)配置文件添加

        具体添加的内容:

[root@localhost zones]#  vim /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>

<zone>

  <short>Public</short>

  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

  <service name="dhcpv6-client"/>

  <service name="http"/>

  <service name="ssh"/>

  <rule family="ipv4">

    <source address="10.10.10.10"/>

    <port protocol="tcp" port="80"/>

    <drop/>

  </rule>

  <rule family="ipv4">

    <source address="10.10.10.11"/>

    <port protocol="tcp" port="22"/>

    <accept/>

  </rule>

</zone>

        编辑文件保存后,要执行firewall-cmd --reload才生效。

(二)命令行添加

1. 开通所有源IP访问http服务

        方法一:

[root@localhost conf]# firewall-cmd --permanent --add-port=80/tcp

[root@localhost conf]# firewall-cmd --reload

        结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client ssh

  ports: 80/tcp

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

        方法二:

[root@localhost conf]# firewall-cmd --permanent --add-service=http

[root@localhost conf]# firewall-cmd --reload

        结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client http ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

2. 开通访问http服务,并限制源IP访问

firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

        参数说明:

                family 对哪个协议;

                source address 源地址; 

                accept 允许;

                drop 拒绝;

三、配置禁止访问规则

        禁止某个源IP访问:

[root@localhost conf]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp drop'

[root@localhost conf]# firewall-cmd --reload

        结果:

[root@localhost conf]# firewall-cmd --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: enp0s3

  sources:

  services: dhcpv6-client http ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  sourceports:

  icmp-blocks:

  rich rules:

        rule family="ipv4" source address="10.10.10.10" port port="80" protocol="tcp" drop

四、删除规则

        删除访问规则命令:

firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=10.10.10.10 port port=80 protocol=tcp accept'

[root@localhost ~]# firewall-cmd --reload

五、备注

        同一规则允许及拒绝时,效果为拒绝,不会跟iptables一样,没有先后顺序优先匹配,为全文匹配,拒绝大于允许。

# 运维 # 网络安全 # linux
Logo
华为云开发者联盟

为开发者提供学习成长、分享交流、生态实践、资源工具等服务,帮助开发者快速成长。

更多推荐

cover

解锁HDC 2024之旅:从购票到报名,全程攻略

avatar 华为云开发者联盟
cover

从原始边列表到邻接矩阵Python实现图数据处理的完整指南

avatar 华为云开发者联盟
cover

华为云云原生FinOps解决方案,释放云原生最大价值

avatar 华为云开发者联盟