
CentOS7.8_firewalld+SSH

On CentOS 5/6 the firewall is called netfilter; on CentOS 7/8 it is called firewalld.


Check the operating system version:
(shown as a screenshot in the original post)



Check the firewalld version:
[root@ser1 ~]# firewall-cmd --version
0.6.3


Check the active zones (the default zone is public):
[root@ser1 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens33


Check which zone a given network interface belongs to:
[root@ser1 ~]# firewall-cmd --get-zone-of-interface=ens33
public


List the services firewalld has opened:
[root@ser1 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
Note: dhcpv6-client and ssh are present by default, so the default ports of these services are reachable; every other service and port on this host is blocked from external IP addresses by default.


List the ports firewalld has opened (TCP port 22 does not appear here, but because the ssh service is already enabled in firewalld it is reachable by default):
firewall-cmd --zone=public --list-ports
(output shown as a screenshot in the original post)




Show firewalld's current configuration (initial state):
firewall-cmd --list-all
(output shown as a screenshot in the original post)



View the firewalld configuration file (initial state):
[root@ser1 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>





Stop firewalld:
[root@ser1 ~]# systemctl stop firewalld

Disable firewalld at boot:
[root@ser1 ~]# systemctl disable firewalld


Start firewalld:
[root@ser1 ~]# systemctl start firewalld

Enable firewalld at boot:
[root@ser1 ~]# systemctl enable firewalld





######

Allow only one client IP address to log in to this host over SSH:

First remove the ssh service from firewalld:
[root@ser1 ~]# firewall-cmd --permanent --zone=public --remove-service=ssh
success

Insert the firewall rule (allow only the IP address 192.168.168.163 to reach TCP port 22 on this host):
[root@ser1 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.163" port protocol="tcp" port="22" accept'
success

Reload the firewalld configuration (the --permanent changes take effect only now, so stage both the service removal and the rich rule before reloading):
[root@ser1 ~]# firewall-cmd --reload
success


Show firewalld's current configuration:
[root@ser1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.168.163" port port="22" protocol="tcp" accept
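The two `--list-all` listings in this post (the initial state, with `ssh` under `services:`, and the state above, where only the rich rule accepts port 22) can be checked from a script instead of by eye. The following is an added example and not part of the original post: `ssh_exposure` reads `--list-all` text on stdin and classifies how TCP/22 is exposed. The function names, the `DRY_RUN`-free sample texts `INITIAL_STATE` and `RESTRICTED_STATE` (constructed, abridged from the listings in the post) and the assumption of the firewalld 0.6.x output layout shown here are all the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: read the text that
# `firewall-cmd --list-all` prints (on stdin) and report how TCP/22 is exposed,
# so the "before" and "after" states shown in the post can be checked from a
# script or a compliance job.
# Prints exactly one of:
#   open-to-all              ssh service, 22/tcp port, an ACCEPT zone target,
#                            or a port-22/ssh rich rule with no source restriction
#   restricted:<src>[,<src>] only source-restricted rich rules accept port 22
#   closed                   nothing accepts port 22 in this zone
# Assumption: the output layout of firewalld 0.6.x as shown in the post.
ssh_exposure() {
    awk '
        /^  target: ACCEPT/ { open = 1 }
        /^  services:/ { for (i = 2; i <= NF; i++) if ($i == "ssh") open = 1 }
        /^  ports:/    { for (i = 2; i <= NF; i++) if ($i == "22/tcp") open = 1 }
        /^ *rule / && ((/port="22"/ && /protocol="tcp"/) || /service name="ssh"/) && / accept$/ {
            if (match($0, /source address="[^"]+"/)) {
                # drop the 16-character prefix and the closing quote, keep the address
                src = substr($0, RSTART + 16, RLENGTH - 17)
                srcs = (srcs == "") ? src : (srcs "," src)
            } else {
                open = 1
            }
        }
        END {
            if (open) {
                print "open-to-all"
            } else if (srcs != "") {
                print "restricted:" srcs
            } else {
                print "closed"
            }
        }'
}

# Constructed samples, abridged from the two states the post shows.
INITIAL_STATE='public (active)
  target: default
  services: dhcpv6-client ssh
  ports:
  rich rules:
'
RESTRICTED_STATE='public (active)
  target: default
  services: dhcpv6-client
  ports:
  rich rules:
        rule family="ipv4" source address="192.168.168.163" port port="22" protocol="tcp" accept
'

# Classify a captured --list-all text held in a variable.
classify() {
    printf '%s' "$1" | ssh_exposure
}

# On a live host: firewall-cmd --zone=public --list-all | ssh_exposure
echo "initial:    $(classify "$INITIAL_STATE")"
echo "restricted: $(classify "$RESTRICTED_STATE")"
```

A rich rule that accepts port 22 without a `source address` is treated as open, and a `reject`/`drop` rule is ignored, so the result answers only the question the post cares about: who can reach SSH.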


View the firewalld configuration file:
[root@ser1 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>

</zone>





How to remove the firewall rule:
[root@ser1 ~]# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.168.163" port port="22" protocol="tcp" accept'
success

[root@ser1 ~]# firewall-cmd --reload
success


Template for removing a firewall rule (replace #rich rules# with the rule text as it appears under "rich rules:" in the --list-all output):
firewall-cmd --permanent --zone=public --remove-rich-rule='#rich rules#'


Show firewalld's current configuration:
[root@ser1 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:





######

Allow only one client IP subnet to log in to this host over SSH:

Insert the firewall rule (allow only the subnet 192.168.168.0/24 to reach TCP port 22 on this host):
[root@ser1 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.0/24" port protocol="tcp" port="22" accept'
success

[root@ser1 ~]# firewall-cmd --reload
success
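The single-host procedure earlier in the post (remove the ssh service, add the rich rule, reload) and the subnet variant here are the same three steps with a different source. As an added example, not code from the original post, the script below validates the address or CIDR block first, builds the rich rule in the form the post types on the command line, and prints the command sequence (or runs it when DRY_RUN=0). The function names, the DRY_RUN variable and the fixed zone name public are assumptions of the example; it goes beyond the post in accepting any IPv4 host or block and an optional alternate port.

```shell
#!/bin/sh
# Added example, not code from the original post: validate an IPv4 host or CIDR
# block, build the rich rule in the form the post uses, and emit (or run) the
# three firewall-cmd steps the post performs: drop the open ssh service, add the
# source-restricted rule, reload once at the end.
# Assumptions: zone "public", IPv4 only, and DRY_RUN=1 (the default) prints the
# commands instead of running firewall-cmd.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        */*) v_ip=${1%%/*}; v_prefix=${1#*/} ;;
        *)   v_ip=$1;       v_prefix=32 ;;
    esac
    # the prefix must be a number between 0 and 32
    case $v_prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$v_prefix" -le 32 ] || return 1
    # reject anything but digits and dots, leading/trailing dots and empty octets
    case $v_ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    v_count=0
    v_rest="$v_ip."
    while [ -n "$v_rest" ]; do
        v_octet=${v_rest%%.*}
        v_rest=${v_rest#*.}
        [ "$v_octet" -le 255 ] || return 1
        v_count=$((v_count + 1))
    done
    [ "$v_count" -eq 4 ]
}

# Print the rich rule exactly as the post writes it on the command line.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept\n' "$1" "${2:-22}"
}

# Restrict SSH (TCP/22 unless a second argument is given) to one source.
restrict_ssh_to() {
    if ! valid_ipv4_cidr "$1"; then
        echo "restrict_ssh_to: invalid IPv4 address or CIDR block: $1" >&2
        return 2
    fi
    r_rule=$(ssh_rich_rule "$1" "${2:-22}")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        # Print the sequence for review; the single quotes around the rule
        # match the post's command line.
        printf '%s\n' \
            "firewall-cmd --permanent --zone=public --remove-service=ssh" \
            "firewall-cmd --permanent --zone=public --add-rich-rule='$r_rule'" \
            "firewall-cmd --reload"
    else
        # Reload only after both permanent changes are staged, so the open ssh
        # service and the restricting rule are swapped in the same reload.
        firewall-cmd --permanent --zone=public --remove-service=ssh &&
        firewall-cmd --permanent --zone=public --add-rich-rule="$r_rule" &&
        firewall-cmd --reload
    fi
}

# Usage: DRY_RUN=1 ./restrict_ssh.sh 192.168.168.0/24 [port]
if [ $# -gt 0 ]; then
    restrict_ssh_to "$@"
fi
```

Review the printed sequence from the dry run before setting DRY_RUN=0; because all three steps are permanent changes followed by one reload, the ssh service is never removed from the running zone without the replacement rule arriving in the same reload.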


Show firewalld's current configuration:
[root@ser1 ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.168.0/24" port port="22" protocol="tcp" accept


View the firewalld configuration file:
[root@ser1 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="192.168.168.0/24"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>

</zone>

You can also edit the configuration file directly and then reload firewalld's configuration:
[root@ser1 ~]# firewall-cmd --reload
success





