CentOS 8: firewalld + Nginx

Note: this post builds on the earlier one, CentOS 8: installing LNMP + phpMyAdmin.

List all ports opened in firewalld:
[root@centos8 ~]# firewall-cmd --zone=public --list-ports
80/tcp


Show the current firewalld configuration:
firewall-cmd --zone=public --list-all
[Image 1, 2021-1-31 15:48: output of the command above]

Note: cockpit, dhcpv6-client and ssh are present by default, so the default ports of those services are reachable.


Access TCP port 80 on the server from a client:
http://192.168.168.154:80
[Image 2, 2021-1-31 15:48: the page opened in the browser]

Note: the browser automatically drops the :80 from the address.

Remove a TCP port:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --reload

The port has been removed (the port list is now empty):
[root@centos8 ~]# firewall-cmd --zone=public --list-ports

[root@centos8 ~]#



Show the current firewalld configuration:
firewall-cmd --list-all
[Image 3, 2021-1-31 15:49: output of the command above]

Note: this is also firewalld's initial state after installation.

Remote test from the client:
[Image 4, 2021-1-31 15:49: the connection is now refused]

Add a firewall rule (only allow the IP address 192.168.168.163 to reach TCP port 80 on this host):
[root@centos8 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.163" port protocol="tcp" port="80" accept'
success

[root@centos8 ~]# firewall-cmd --reload
success


Show the current firewalld configuration:
[root@centos8 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.168.163" port port="80" protocol="tcp" accept
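Note that firewall-cmd accepted the rule with the attributes in the order typed above (protocol before port) but lists it in normalized order (port before protocol). The helper below, added here as an example and not part of the original post, builds rich rules of the kind used throughout this post in that normalized form and validates the source address, port range and action before anything is handed to firewall-cmd; the function names and the argv builder are this example's own.

```python
import ipaddress

VALID_ACTIONS = ("accept", "reject", "drop")


def parse_port_spec(spec):
    """Validate a firewalld port value: a single port ('80') or a range ('8000-8088')."""
    lo_s, sep, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if sep else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


def rich_rule(source, port, action, protocol="tcp"):
    """Build a rich rule that restricts one port (or range) to one source host or subnet.

    The string is emitted in the attribute order that `firewall-cmd --list-all`
    prints (port= before protocol=), so it can be compared verbatim against the
    live rule set, and passed unchanged to --remove-rich-rule later.
    """
    # ip_network accepts both a host ('192.168.168.163') and a subnet ('192.168.168.0/24');
    # an address that is not a valid IPv4/IPv6 literal raises ValueError here.
    net = ipaddress.ip_network(source, strict=False)
    family = "ipv4" if net.version == 4 else "ipv6"
    lo, hi = parse_port_spec(port)
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol!r}")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    # A single host is rendered without the /32 suffix, as in the listings on this page
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    port_value = str(lo) if lo == hi else f"{lo}-{hi}"
    return (f'rule family="{family}" source address="{addr}" '
            f'port port="{port_value}" protocol="{protocol}" {action}')


def firewall_cmd_argv(rule, zone="public", remove=False):
    """argv for adding or removing a permanent rich rule.

    Passing a list to subprocess.run avoids shell quoting of the embedded
    double quotes; remember to run `firewall-cmd --reload` afterwards.
    """
    op = "--remove-rich-rule" if remove else "--add-rich-rule"
    return ["firewall-cmd", "--permanent", f"--zone={zone}", f"{op}={rule}"]


if __name__ == "__main__":
    rule = rich_rule("192.168.168.163", "80", "accept")
    print(rule)
    print(" ".join(firewall_cmd_argv(rule)))
```

Because the returned string matches what `--list-all` prints, the same string can be fed to `firewall_cmd_argv(rule, remove=True)` to take the rule out again, exactly as the post does below.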


Remote test from the client (192.168.168.163):
[Image 5, 2021-1-31 15:51: the page loads from the allowed client]

Remove the firewall rule:
[root@centos8 ~]# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.168.163" port port="80" protocol="tcp" accept'
success

[root@centos8 ~]# firewall-cmd --reload
success


The rule has been removed:
[Image 6, 2021-1-31 15:52: firewall-cmd --list-all with no rich rules]

Remote test from the client (192.168.168.163):
[Image 7, 2021-1-31 15:53: the connection is refused again]

Add a firewall rule (only allow the subnet 192.168.168.0/24 to reach TCP port 80 on this host):
[root@centos8 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.0/24" port protocol="tcp" port="80" accept'
success

[root@centos8 ~]# firewall-cmd --reload
success


Show the current firewalld configuration:
[root@centos8 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
       rule family="ipv4" source address="192.168.168.0/24" port port="80" protocol="tcp" accept


Remote test from the client (192.168.168.163):
[Image 8, 2021-1-31 15:54: the page loads from a client inside the subnet]

Add a firewall rule (deny the IP address 192.168.168.163 access to TCP port 80 on this host):
[root@centos8 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.163" port protocol="tcp" port="80" reject'
success

[root@centos8 ~]# firewall-cmd --reload
success


Show the current firewalld configuration:
[root@centos8 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.168.0/24" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="192.168.168.163" port port="80" protocol="tcp" reject

Note: a connection that matches the reject rule is rejected even though the accept rule for the whole subnet was added first; firewalld does not apply rich rules in the order they were added (reject/drop rules are evaluated before accept rules).



Remote test from the client (192.168.168.163):
[Image 9, 2021-1-31 15:56: the connection is refused for this host]

View firewalld's zone configuration file:
[root@centos8 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <rule family="ipv4">
    <source address="192.168.168.0/24"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port port="80" protocol="tcp"/>
    <reject/>
  </rule>

</zone>

The rules can also be edited directly in this file; reload the firewalld configuration afterwards:
[root@centos8 ~]# firewall-cmd --reload
success

Change the TCP port of Nginx's default site:
[root@centos8 ~]# vi /etc/nginx/nginx.conf
[Image 10, 2021-1-31 15:57: the default server block in nginx.conf]

Change it to TCP 8080:
[Image 11, 2021-1-31 15:57: the listen directive changed to 8080]



Restart the Nginx service:
[root@centos8 ~]# systemctl restart nginx


Add a firewall rule (only allow the IP address 192.168.168.163 to reach TCP ports 8000 through 8088 on this host):
[root@centos8 ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.168.163" port protocol="tcp" port="8000-8088" accept'
success

[root@centos8 ~]# firewall-cmd --reload
success


Show the current firewalld configuration:
[root@centos8 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.168.0/24" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="192.168.168.163" port port="80" protocol="tcp" reject
        rule family="ipv4" source address="192.168.168.163" port port="8000-8088" protocol="tcp" accept


View firewalld's zone configuration file:
[root@centos8 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <rule family="ipv4">
    <source address="192.168.168.0/24"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port port="80" protocol="tcp"/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port port="8000-8088" protocol="tcp"/>
    <accept/>
  </rule>

</zone>
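To make the evaluation order behind the earlier note visible (the reject rule for 192.168.168.163 beats the subnet accept rule regardless of the order in the file, while the 8000-8088 range rule still admits that host), here is a small evaluator, added as an example and not part of the original post or of firewalld itself. It parses the zone file shown above (the `<description>` element is dropped as it plays no part in filtering) and decides the fate of an inbound connection the way firewalld orders rich rules: reject/drop rules first, then accept rules, then zone-wide ports and services, then the zone target. Rich rules using service= or log= elements are not on this page and are out of scope; the service-to-port map is a minimal one covering only the three services this zone references.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: public.xml as listed above, after the 8000-8088 rule was added.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <rule family="ipv4">
    <source address="192.168.168.0/24"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port port="80" protocol="tcp"/>
    <reject/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.168.163"/>
    <port port="8000-8088" protocol="tcp"/>
    <accept/>
  </rule>
</zone>
"""

# Ports behind the predefined services this zone references, as defined in
# firewalld's own service files (ssh 22/tcp, cockpit 9090/tcp, dhcpv6-client 546/udp).
SERVICE_PORTS = {
    "ssh": [(22, 22, "tcp")],
    "cockpit": [(9090, 9090, "tcp")],
    "dhcpv6-client": [(546, 546, "udp")],
}


def parse_port(spec, protocol):
    """'80' -> (80, 80, proto); '8000-8088' -> (8000, 8088, proto)."""
    lo, sep, hi = spec.partition("-")
    lo, hi = int(lo), (int(hi) if sep else int(lo))
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi, protocol


def parse_zone(xml_text):
    """Read the parts of a zone file used on this page: target, ports, services
    and source+port rich rules."""
    root = ET.fromstring(xml_text)
    zone = {"target": root.get("target", "default"), "ports": [], "rich": []}
    zone["ports"] = [parse_port(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    for s in root.findall("service"):
        zone["ports"].extend(SERVICE_PORTS.get(s.get("name"), []))
    for r in root.findall("rule"):
        src, port = r.find("source"), r.find("port")
        action = next(a for a in ("accept", "reject", "drop") if r.find(a) is not None)
        zone["rich"].append({
            "family": r.get("family"),
            "source": ipaddress.ip_network(src.get("address"), strict=False) if src is not None else None,
            "port": parse_port(port.get("port"), port.get("protocol")) if port is not None else None,
            "action": action,
        })
    return zone


def rich_matches(rule, src_ip, port, protocol):
    """True if a rich rule's family, source and port constraints all match."""
    if rule["family"] == "ipv4" and src_ip.version != 4:
        return False
    if rule["family"] == "ipv6" and src_ip.version != 6:
        return False
    if rule["source"] is not None and src_ip not in rule["source"]:
        return False
    if rule["port"] is not None:
        lo, hi, proto = rule["port"]
        if proto != protocol or not (lo <= port <= hi):
            return False
    return True


def decide(zone, src, port, protocol="tcp"):
    """Return 'reject', 'drop' or 'accept' for a new inbound connection, or the zone
    target ('default' here, which on the public zone means the packet is rejected)."""
    src_ip = ipaddress.ip_address(src)
    # 1. firewalld places reject/drop rich rules ahead of accept rules, whatever order
    #    they were added in, so a matching deny rule always wins.
    for r in zone["rich"]:
        if r["action"] in ("reject", "drop") and rich_matches(r, src_ip, port, protocol):
            return r["action"]
    # 2. accept rich rules
    for r in zone["rich"]:
        if r["action"] == "accept" and rich_matches(r, src_ip, port, protocol):
            return "accept"
    # 3. zone-wide ports and services, open to any source
    for lo, hi, proto in zone["ports"]:
        if proto == protocol and lo <= port <= hi:
            return "accept"
    return zone["target"]


ZONE = parse_zone(ZONE_XML)

if __name__ == "__main__":
    for src, port in [("192.168.168.163", 80), ("192.168.168.100", 80),
                      ("192.168.168.163", 8080), ("10.0.0.5", 80), ("10.0.0.5", 22)]:
        print(f"{src}:{port}/tcp -> {decide(ZONE, src, port)}")
```

Running it reproduces the tests in this post: 192.168.168.163 is rejected on port 80 but accepted on 8080, another host in 192.168.168.0/24 is accepted on port 80, and a host outside the subnet falls through to the zone target on port 80 while still reaching ssh.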




From the client (192.168.168.163), access TCP port 8080 on the server:
http://192.168.168.154:8080/
[Image 12, 2021-1-31 15:59: the page loads on port 8080]
