############################################
###################防火墙 firewalld#####################
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl disable iptables ##iptables服务与firewalld会争抢同一套netfilter规则,必须停止并禁用(必要时可systemctl mask),否则重启后两者同时生效会互相覆盖
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# firewall-cmd --state ##查看firewalld的状态
running
[root@localhost ~]# firewall-cmd --get-active-zones ##查看当前的区域,并附带一个目前分配给它们的接口列表
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[root@localhost ~]# firewall-cmd --list-all ##未指定--zone时列出默认区域(此时为public)的所有设置
[root@localhost ~]# firewall-cmd --get-services ##列出所有预设服务
[root@localhost ~]# firewall-cmd --set-default-zone=trusted ##设定默认区域为trusted。注意:trusted区域放行所有入站连接,未显式绑定区域的接口和来源都会落入默认区域,相当于对它们关闭了过滤;仅用于实验环境,生产环境不要把默认区域设为trusted
success
[root@localhost ~]# firewall-cmd --get-default-zone ##查看默认设置
trusted
[root@localhost ~]# firewall-cmd --permanent --add-source=172.25.154.75 ##把该来源地址加入默认区域的永久配置。注意:这里没有指定--zone,所以加入的是当前默认区域(上一步已改为trusted),而不是public;--permanent只写永久配置,需要--reload后才生效
success
[root@localhost ~]# firewall-cmd --reload ##把永久配置重新加载到运行时,而不是"重置所有设置":未加--permanent的运行时修改会被丢弃,已建立的连接不受影响
success
[root@localhost ~]# firewall-cmd --remove-source=172.25.154.75 ##仅从运行时配置中去掉该来源地址(未指定--zone,作用于默认区域);永久配置中仍保留,下次--reload后会再次出现
success
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.254.75 ##设置网络地址到trusted
success
[root@localhost ~]# firewall-cmd --permanent --remove-source=172.25.154.75 ##从默认区域的永久配置中去掉该来源地址,需--reload后运行时才同步
success
[root@localhost ~]# firewall-cmd --remove-interface=eth0 --zone=public ##从public区域解绑网络接口eth0(运行时修改,未加--permanent,reload后失效)
success
[root@localhost ~]# firewall-cmd --add-interface=eth0 --zone=trusted ##把网络接口eth0绑定到trusted区域(运行时修改)。注意:trusted区域放行eth0上的全部入站连接;另外由NetworkManager管理的接口其区域可能被连接配置中的ZONE设置覆盖,绑定后应用--get-active-zones复核
success
[root@localhost ~]# firewall-cmd --zone=trusted --list-all ##列出trusted区域的所有设置
trusted (active)
interfaces: eth0
sources: 172.25.254.75
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --add-service=http --zone=public ##添加http服务到public区域
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
[root@localhost ~]# firewall-cmd --list-ports ##列出端口
[root@localhost ~]# firewall-cmd --add-port=53/tcp ##在默认区域运行时放行TCP 53端口。注意:DNS查询主要走UDP,只开53/tcp通常不够,还需--add-port=53/udp(或直接--add-service=dns)
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
ports: 53/tcp
[root@localhost ~]# firewall-cmd --complete-reload ##完全重载,连netfilter内核模块一起重新加载,连接跟踪状态会丢失,已建立的连接很可能被中断;日常只用--reload,仅在--reload无法解决问题时使用
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.78 -p tcp --dport 22 -j ACCEPT ##直接规则:放行除172.25.254.78以外所有来源到22/tcp的连接。注意:这只是一条ACCEPT规则,并不会拒绝78;只要区域里仍启用了ssh服务(下文public区域的services中就有ssh),78依然能通过区域规则登录。要真正拒绝78,需再加一条 --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.78 -p tcp --dport 22 -j REJECT,或从区域中移除ssh服务。直接规则绕过区域逻辑,且未加--permanent时reload后丢失
success
[root@localhost ~]# firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/h accept"
success ##limit value=2/h 表示每小时(不是每分钟)最多允许2个新连接访问ftp服务;富规则加入的是默认区域,运行时生效
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule service name="ftp" accept limit value="2/h"
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp drop"
success ##丢弃默认区域的所有icmp包。注意:这会连同目的不可达、需要分片(PMTU发现)等必要的ICMP错误报文一起丢掉,可能导致连接异常;只想禁ping应改用--add-icmp-block=echo-request按类型屏蔽
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp reject" --timeout=10
success ##--timeout=10 表示该规则只在10秒内有效,超时后自动移除,适合临时验证规则而不留下残留配置
[root@localhost ~]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.75 ##把本机(102)22/tcp端口收到的连接DNAT转发到172.25.254.75:22,客户端访问本机22端口实际到达75。注意:转发到其他主机需要同时开启masquerade(下一条),否则回包无法正确返回;转发生效后,本机自己的sshd在该区域内不再通过22端口可达,操作前确认有其他管理途径
success
[root@localhost ~]# firewall-cmd --add-masquerade ##打开masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.75
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.102 masquerade' ##只对来自172.25.254.102的流量做伪装,比上面全区域的--add-masquerade粒度更细(注意引号必须是英文直引号)
success
[root@localhost ~]# firewall-cmd --add-masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.102" masquerade
[root@localhost ~]# firewall-cmd --remove-service=ssh ##从默认区域运行时移除ssh服务。注意:如果当前正通过该区域的SSH远程管理本机,之后的新连接会被拒绝(已建立的连接通常不受影响),执行前确认有控制台或其他访问途径
success
测试
用做过伪装的主机10访问11,在11上查看连接过来的主机IP:应看到的是做伪装的防火墙主机地址,而不是10的真实地址
附图:
原文地址:http://12920735.blog.51cto.com/12910735/1936815