CentOS 7 firewall configuration (firewalld)


Contents

    • CentOS 7 firewall configuration (firewalld)
    • 1. Check the firewalld service status
    • 2. Check whether firewalld is running
    • 3. Start / stop / restart the firewalld.service unit
    • 4. List the firewall rules
    • 5. Query / open / close ports

1. Check the firewalld service status

systemctl status firewalld

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-04-03 20:28:21 CST; 3h 27min ago
     Docs: man:firewalld(1)
 Main PID: 2543 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2543 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 03 20:28:19 python systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 03 20:28:21 python systemd[1]: Started firewalld - dynamic firewall daemon.

Two fields matter here: `enabled` in the Loaded line means the unit is started at boot, and `active (running)` is its state right now. The two are independent (a stopped but enabled unit comes back after a reboot).

2. Check whether firewalld is running

firewall-cmd --state

$ firewall-cmd --state
running

Unlike `systemctl status`, this asks the daemon itself over D-Bus. It prints `running` or `not running` and exits non-zero in the latter case, which makes it the check to use in scripts.

3. Start / stop / restart the firewalld.service unit

  • start:   service firewalld start
  • stop:    service firewalld stop
  • restart: service firewalld restart

$ service firewalld start
Redirecting to /bin/systemctl start firewalld.service
$ service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
$ service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service

On CentOS 7 the `service` command is only a compatibility wrapper; as the "Redirecting to" lines show, every call is forwarded to systemctl, so `systemctl start|stop|restart firewalld` can be used directly. Two caveats: `stop` only affects the current boot, and because the unit is enabled (section 1) firewalld is started again after a reboot unless you also run `systemctl disable firewalld`. More importantly, while firewalld is stopped every listening service on the host is reachable from any network the host is attached to, so the right fix for a blocked service is to open its specific port (section 5), not to stop the firewall.

4. List the firewall rules

firewall-cmd --list-all

$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client ftp
  ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Without a `--zone` argument this shows the runtime configuration of the default zone, here `public`, which is marked active because the interface eth0 is bound to it. `sources:` is empty, so everything listed under `services:` and `ports:` (ssh, dhcpv6-client and ftp, plus 21, 20, 80, 443 and 8899/tcp) is accepted from any source address; a port that only an internal network should reach belongs in a rich rule with a `source address`, not in the plain `ports:` list. Add `--permanent` to see the saved configuration instead of the running one; the two can differ, as the next section shows.

5. Query / open / close ports

# Query whether a port is open (in the runtime configuration)
firewall-cmd --query-port=8080/tcp
# Open port 80 (in the permanent configuration only)
firewall-cmd --permanent --add-port=80/tcp
# Remove a port (from the permanent configuration only)
firewall-cmd --permanent --remove-port=8080/tcp
# Reload the firewall: the permanent configuration becomes the runtime configuration
firewall-cmd --reload
# Parameter explanation
# firewall-cmd is the command-line client for the firewalld daemon
# --permanent: write the change to the saved configuration under /etc/firewalld instead of the running rules; it is enforced only after --reload or a restart
# --add-port: the port/protocol to open, e.g. 80/tcp
# --remove-port: the port/protocol to close

The `--permanent` flag is the source of most confusion. Without it, a change is applied immediately but lost at the next `--reload` or restart; with it, the change is only written to disk and the running rules stay as they were. To get both, run the command once with and once without `--permanent`, or make the runtime change and then save it with `firewall-cmd --runtime-to-permanent`. Note also that `--reload` is not a service restart: it re-reads the permanent configuration while keeping connection state, so established sessions are not dropped. Finally, `--query-port` inspects the runtime configuration unless `--permanent` is given, so immediately after a `--permanent --add-port` it still answers `no`.
$ firewall-cmd --add-port=8899/tcp --permanent
success
$ firewall-cmd --reload
success
$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client ftp
  ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# A --permanent change is written to disk only. Until --reload the runtime rules are
# unchanged, so 8899/tcp is still listed right after the remove below.
$ firewall-cmd --remove-port=8899/tcp --permanent
success
$ firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client ftp
  ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

$ firewall-cmd --reload
success
$ firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client ftp
  ports: 21/tcp 20/tcp 80/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
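The runtime/permanent drift shown in the listings above is easy to introduce and hard to notice by eye. The following POSIX sh helpers are an added example, not code from the original post or from the firewalld project; they serve both section 4 (parsing `firewall-cmd --list-all` output) and section 5 (opening and closing ports without drift). The function names, the `FW` override and the `SAMPLE_LIST_ALL` string (a constructed copy of the `--list-all` output on this page) are assumptions made here so the parsing parts run on a machine without firewalld; the `open_port`, `close_port`, `open_port_from` and `check_drift` functions need a real CentOS 7 host with firewalld and root.

```shell
#!/bin/sh
# Added example (not from the original post): POSIX sh helpers around firewall-cmd
# on CentOS 7. Function names and the FW override are assumptions of this example,
# not firewalld interfaces; the firewall-cmd flags used are real ones.

FW="${FW:-firewall-cmd}"   # assumption: overridable so the pure functions run without firewalld

# valid_port_spec PORT[-PORT]/PROTO -> 0 if firewall-cmd would accept the spec
valid_port_spec() {
    port="${1%%/*}"
    proto="${1#*/}"
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in
        *-*) lo="${port%%-*}"; hi="${port#*-}" ;;
        *)   lo="$port"; hi="$port" ;;
    esac
    for n in "$lo" "$hi"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# ports_from_list_all: stdin = `firewall-cmd --list-all` output; prints one port/proto per line
ports_from_list_all() {
    sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# has_port PORT/PROTO: stdin as above; 0 if the zone's "ports:" line contains it
has_port() {
    ports_from_list_all | grep -qxF -- "$1"
}

# port_drift "RUNTIME PORTS" "PERMANENT PORTS": lists every port in one set but not
# the other. runtime-only = added without --permanent (lost at reload) or removed
# with --permanent but not yet reloaded; permanent-only = added with --permanent
# but not yet reloaded (not enforced yet).
port_drift() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) printf 'runtime-only %s\n' "$p" ;; esac
    done
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) printf 'permanent-only %s\n' "$p" ;; esac
    done
}

# open_port / close_port PORT/PROTO: change the running rules now AND persist them
# in one step, so runtime and permanent configuration cannot drift apart.
open_port() {
    valid_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    "$FW" --add-port="$1" && "$FW" --permanent --add-port="$1"
}
close_port() {
    valid_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    "$FW" --remove-port="$1" && "$FW" --permanent --remove-port="$1"
}

# open_port_from CIDR PORT/PROTO: least-privilege variant. A plain --add-port accepts
# the port from any source; a rich rule (firewalld.richlanguage(5) syntax) limits it
# to one IPv4 network, e.g. open_port_from 10.0.0.0/8 8899/tcp
open_port_from() {
    valid_port_spec "$2" || { echo "invalid port spec: $2" >&2; return 1; }
    rule="rule family=\"ipv4\" source address=\"$1\" port port=\"${2%%/*}\" protocol=\"${2#*/}\" accept"
    "$FW" --add-rich-rule="$rule" && "$FW" --permanent --add-rich-rule="$rule"
}

# check_drift: compare the live and saved port lists of the default zone
check_drift() {
    port_drift "$("$FW" --list-ports)" "$("$FW" --permanent --list-ports)"
}

# Constructed sample: a copy of the --list-all output shown on this page, embedded so
# the parsers can be exercised on a machine without firewalld.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client ftp
  ports: 21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Demo on the sample (no firewall-cmd needed): 8899/tcp is open, and the state the
# post reaches after `--remove-port=8899/tcp --permanent` without --reload shows up
# as a runtime-only entry.
printf '%s\n' "$SAMPLE_LIST_ALL" | has_port 8899/tcp && echo "8899/tcp is open in zone public"
port_drift '21/tcp 20/tcp 80/tcp 443/tcp 8899/tcp' '21/tcp 20/tcp 80/tcp 443/tcp'
```

On a real host, source the file and run `check_drift` before and after a change: an empty result means the running rules and the saved rules agree, which is the state every change on this page should end in. `open_port_from` is the form to prefer for management ports such as 8899/tcp, since it keeps the port out of the any-source `ports:` list.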