CentOS7中的防火墙配置

CentOS7中的防火墙配置

一、防火墙的基本用法

1、启动防火墙

[root@localhost ~]# systemctl start firewalld.service

2、关闭防火墙

[root@localhost ~]# systemctl stop firewalld.service

3、重新启动防火墙

[root@localhost ~]# systemctl restart firewalld.service

4、重新加载防火墙

[root@localhost ~]# systemctl reload firewalld.service

5、查看 firewalld 服务状态

[root@localhost ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-08-07 04:48:14 EDT; 1min 19s ago
     Docs: man:firewalld(1)
  Process: 1860 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 1764 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1764 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Aug 07 04:48:13 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 07 04:48:14 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 07 04:48:14 localhost.localdomain firewalld[1764]: WARNING: AllowZoneDrifting is enabled. This is considered an inse... now.
Aug 07 04:48:48 localhost.localdomain systemd[1]: Reloading firewalld - dynamic firewall daemon.
Aug 07 04:48:48 localhost.localdomain systemd[1]: Reloaded firewalld - dynamic firewall daemon.
Aug 07 04:48:48 localhost.localdomain firewalld[1764]: WARNING: AllowZoneDrifting is enabled. This is considered an inse... now.
Hint: Some lines were ellipsized, use -l to show in full.

6、开机时禁用防火墙

[root@localhost ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

7、开机时启用防火墙

[root@localhost ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

二、配置 firewall-cmd

1、查看帮助

[root@localhost ~]# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors
............

2、查看版本

[root@localhost ~]# firewall-cmd --version
0.6.3

3、显示状态

[root@localhost ~]# firewall-cmd --state
running

4、显示所有打开的端口

[root@localhost ~]# firewall-cmd --list-port
3306/tcp

5、更新防火墙规则

[root@localhost ~]# firewall-cmd --reload
success

6、查看防火墙规则

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

7、开放3306端口

[root@localhost ~]# firewall-cmd --permanent --add-port=3306/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

说明：
（1）–permanent：表示设置为持久；
（2）reload：重新加载防火墙。

8、移除3306端口

[root@localhost ~]# firewall-cmd --permanent --remove-port 3306/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

说明：
（1）–permanent：表示设置为持久；
（2）reload：重新加载防火墙。