Linux firewall
Last updated on April 3, 2025
Open a port (Docker publishes it by itself)
# -p publishes container port 80 on host port 8080. Docker programs its own iptables
# rules for this, so the port is reachable from outside even if the firewalld public
# zone never opened it.
docker run --name some-nginx -p 8080:80 -d nginx
Start, stop, disable and inspect firewalld
sudo systemctl start firewalld
# stop removes the rules until the next start
sudo systemctl stop firewalld
# disable only prevents the start at boot; the running service still needs a stop
sudo systemctl disable firewalld
sudo systemctl status firewalld
Bind a network interface to a zone
# list the interfaces (ifconfig comes from the net-tools package)
ifconfig
sudo firewall-cmd --permanent --zone=public --add-interface=eth0
# sudo firewall-cmd --permanent --zone=public --remove-interface=docker0
# --permanent changes only the saved configuration; --reload applies it to the running firewall
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones
Stop Docker from opening ports behind firewalld's back (disable Docker's iptables rules)
# Editing the unit under /usr/lib/systemd/system is overwritten by package upgrades; the
# same setting survives upgrades as a systemd drop-in (systemctl edit docker) or as
# "iptables": false in /etc/docker/daemon.json.
vim /usr/lib/systemd/system/docker.service
# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# change to
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock
sudo systemctl daemon-reload
sudo systemctl restart docker
# With --iptables=false Docker also stops adding the NAT (masquerade) rules that bridge
# containers need for outbound traffic; add them yourself or containers lose Internet access.
Close a port
sudo firewall-cmd --zone=public --remove-port=30107/tcp --permanent
sudo firewall-cmd --reload
Open a port
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload
List what is open
# everything in the default zone: interfaces, services, ports, rich rules
sudo firewall-cmd --list-all
# only the port list of the public zone
sudo firewall-cmd --zone=public --list-ports
Add rich rules (allow a source address)
# allow one port from one source
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="101.80.203.74" port protocol="tcp" port="40000" accept'
# allow all ports from one source
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="124.221.151.148" accept'
sudo firewall-cmd --reload
# ipv6
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="2400:9ce0:5a1a:f49e:dcba:a3ae:272f:dccf" accept'
sudo firewall-cmd --reload
Remove a rich rule
# The rule text must be exactly the text that was added (copy it from --list-rich-rules);
# the string below is the all-ports form, so it does not remove the port-40000 rule added above.
sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="101.80.203.74" accept'
sudo firewall-cmd --reload
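Added example, not part of these notes: a small shell wrapper for the add-rule and remove-rule sections above that builds the rich-rule string in one function, so the add and the remove always use identical text (the exact-match requirement). The function names and the DRY_RUN and ZONE variables are this example's own; the addresses are the ones used in the notes. With DRY_RUN=1 (the default) the firewall-cmd invocations are only printed.

```shell
#!/bin/sh
# Example wrapper around firewall-cmd rich rules (not from the original notes).
# Assumes firewall-cmd is on PATH and sudo is available when DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"
ZONE="${ZONE:-public}"

# rich_rule SOURCE [PORT [PROTO]]
# Prints the rich-rule text. The family is derived from the address: anything
# containing ':' is treated as IPv6. Without PORT the source is allowed on all ports.
rich_rule() {
    src="$1"; port="$2"; proto="${3:-tcp}"
    case "$src" in
        *:*) family=ipv6 ;;
        *)   family=ipv4 ;;
    esac
    if [ -n "$port" ]; then
        printf 'rule family="%s" source address="%s" port protocol="%s" port="%s" accept\n' \
            "$family" "$src" "$proto" "$port"
    else
        printf 'rule family="%s" source address="%s" accept\n' "$family" "$src"
    fi
}

# fw ARGS...: runs firewall-cmd, or in dry-run mode prints a copy-pasteable command line
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'firewall-cmd'
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    else
        sudo firewall-cmd "$@"
    fi
}

# allow_source SOURCE [PORT [PROTO]]: adds the rule permanently and reloads
allow_source() {
    fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule "$@")"
    fw --reload
}

# revoke_source SOURCE [PORT [PROTO]]: removes the rule built from the same
# arguments, so the text matches exactly what allow_source added
revoke_source() {
    fw --permanent --zone="$ZONE" --remove-rich-rule="$(rich_rule "$@")"
    fw --reload
}
```

Run it as DRY_RUN=0 sh -c '. ./fw.sh; allow_source 101.80.203.74 40000' once the printed commands look right; revoke_source with the same arguments is guaranteed to produce the matching remove string.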
Check that the rule is in effect
Server A has opened a port to server B
# on server A: the service must listen on 0.0.0.0 (or the external address), not only on 127.0.0.1
netstat -nlpt | grep 40000
# on server B: connect to the port that was opened on A
sudo yum install telnet -y
telnet 47.92.152.18 40000
Connection blocked
Trying 47.92.152.18...
telnet: connect to address 47.92.152.18: No route to host
# "No route to host" is the ICMP reject that firewalld's public zone sends back; a plain
# iptables DROP answers nothing, and telnet instead hangs until the connection times out.
Connection succeeded
Trying 47.92.152.18...
Connected to 47.92.152.18.
Escape character is '^]'.
Get this host's public IP
curl ifconfig.co
# or
wget http://ipecho.net/plain -O - -q ; echo
Open a port to all IPs
# raw iptables equivalent; saving to /etc/sysconfig/iptables only persists across reboots
# with the iptables-services package, not under firewalld
# sudo iptables -A INPUT -p tcp --dport 40004 -j ACCEPT
# sudo iptables-save > /etc/sysconfig/iptables
firewall-cmd --zone=public --add-port=30177/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --query-port=30177/tcp
firewall-cmd --zone=public --list-ports
Flush iptables rules
# Flush the existing rules (use with caution): -F empties the chains of the filter table but
# leaves the chain policies in place, so a DROP policy locks you out; if firewalld is running,
# its own chains are destroyed as well and have to be rebuilt with firewall-cmd --reload
iptables -F
Block a port with iptables
# firewalld and hand-written iptables rules manage the same tables; stop firewalld before
# using iptables directly, and use only one of the two on a host
sudo systemctl stop firewalld
iptables -L -v -n
# allow access to port 80 (the OUTPUT rule only matters if the OUTPUT policy is not ACCEPT)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# block access to port 80: -A appends below the ACCEPT above, and the first match wins, so
# this DROP never fires until the ACCEPT is deleted (or the DROP is inserted at the top with -I)
iptables -A INPUT -p tcp --dport 80 -j DROP
# delete an old rule: -D must repeat the rule exactly as it was added
iptables -D INPUT -p tcp --dport 30107 -j DROP
- dport: destination port
- sport: source port
- INPUT: packets addressed to this host
- OUTPUT: packets sent by this host
- ACCEPT: allow
- DROP: silently discard (the client only sees a timeout; REJECT would send an error back)
Allow one server to reach any port and block all other servers with iptables
# allow 47.116.172.217 in
iptables -A INPUT -s 47.116.172.217 -j ACCEPT
# keep SSH reachable BEFORE the catch-all DROP is appended, otherwise the session you are
# in is the last one you get
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# deny every other server !!! run with care: this also drops loopback traffic and the replies
# to this host's own outbound connections (DNS, yum, curl) unless rules accepting -i lo and
# ESTABLISHED,RELATED connections are placed above it
iptables -A INPUT -j DROP
# iptables -D INPUT -j DROP
# allow this host to reach outside (redundant while the OUTPUT policy is ACCEPT)
iptables -A OUTPUT -j ACCEPT
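Added example, not from the original notes: the allowlist procedure above generated in the order that matters (first match wins) and applied with an automatic rollback, so a mistake in the list cannot lock you out of SSH. The trusted IPs are the notes' sample addresses; ADMIN_PORT, ROLLBACK_SECS and the function names are this example's assumptions.

```shell
#!/bin/sh
# Example allowlist generator with rollback (not from the original notes).
# apply_allowlist needs root and iptables-save/iptables-restore on PATH.

ADMIN_PORT="${ADMIN_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# allowlist_rules HOST...: prints the iptables commands in the order they must run:
#   1. loopback, and replies to this host's own outbound connections, which a bare
#      "INPUT -j DROP" would otherwise discard (DNS, yum, outbound curl)
#   2. the admin port from anywhere, so SSH survives a wrong list
#   3. the trusted hosts, any port
#   4. the catch-all DROP last; nothing appended below it would ever be consulted
allowlist_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ADMIN_PORT -j ACCEPT"
    for host in "$@"; do
        echo "iptables -A INPUT -s $host -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
}

# apply_allowlist HOST...: saves the current ruleset, arms a restore that fires after
# ROLLBACK_SECS seconds, then flushes INPUT and applies the generated rules. Open a
# fresh SSH session to confirm access, then cancel the restore with "kill $ROLLBACK_PID".
apply_allowlist() {
    backup=$(mktemp)
    iptables-save > "$backup"
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    ROLLBACK_PID=$!
    iptables -F INPUT
    allowlist_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd"
    done
    echo "applied; rules revert in ${ROLLBACK_SECS}s unless you run: kill $ROLLBACK_PID"
}
```

Review the output of allowlist_rules 47.116.172.217 before calling apply_allowlist with the same hosts; the rollback is the safety net, not a substitute for reading the list.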
Allow one server to reach one port with iptables
iptables -A INPUT -s 121.89.247.94 -p tcp --dport 80 -j ACCEPT
# replies leave through OUTPUT with this host as the source, so the peer is matched with -d,
# not -s; the -s form recorded in the OUTPUT chain below can never match
iptables -A OUTPUT -d 121.89.247.94 -p tcp --sport 80 -j ACCEPT
Reject access to a port with iptables
iptables -A INPUT -p tcp --dport 8080 -j DROP
Rules higher in a chain take precedence: iptables stops at the first matching rule, so anything listed below a catch-all DROP is never consulted. In the listing below (iptables -L -v -n) the final INPUT rule for 121.89.247.94 sits under "DROP all" and has counted 0 packets.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 4077 ACCEPT all -- * * 47.116.172.217 0.0.0.0/0
739 55101 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 154.64.226.21 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 112.65.98.33 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 112.65.98.33 0.0.0.0/0 tcp spt:80
121 7723 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 121.89.247.94 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 68 bytes)
pkts bytes target prot opt in out source destination
462 64849 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
0 0 ACCEPT tcp -- * * 112.65.98.33 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 112.65.98.33 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * * 121.89.247.94 0.0.0.0/0 tcp spt:80
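Added example, not part of the original notes: an audit of an iptables -L -v -n listing for rules that can never match because an unconditional DROP or REJECT sits above them in the same chain (the rule-order point above). sample_listing embeds the listing from the notes so the audit can run offline; on a live host pipe iptables -L -v -n into shadowed_rules instead. The function names are this example's own.

```shell
#!/bin/sh
# Shadowed-rule audit for 'iptables -L -v -n' output (not from the original notes).

# shadowed_rules: reads the listing on stdin and prints one line per shadowed rule
# as CHAIN:RULE_NUMBER:TARGET SOURCE EXTRA_MATCH
shadowed_rules() {
    awk '
        /^Chain /  { chain = $2; n = 0; blocked = 0; next }   # a new chain resets the state
        /^ *pkts / { next }                                   # column header line
        NF == 0    { next }
        {
            n++
            target = $3; proto = $4; in_if = $6; out_if = $7; src = $8; dst = $9
            # columns: pkts bytes target prot opt in out source destination [matches]
            # newer iptables print the protocol as "0" instead of "all" under -n
            catch_all = ((proto == "all" || proto == "0") && in_if == "*" && out_if == "*" \
                         && src == "0.0.0.0/0" && dst == "0.0.0.0/0" && NF == 9)
            if (blocked) {
                extra = ""
                if (NF > 9) extra = $10 " " $11
                print chain ":" n ":" target " " src " " extra
            } else if (catch_all && (target == "DROP" || target == "REJECT")) {
                blocked = 1
            }
        }
    '
}

# sample_listing: the INPUT/FORWARD/OUTPUT listing shown in the notes above,
# embedded as constructed input for the audit
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  4077 ACCEPT     all  --  *      *       47.116.172.217       0.0.0.0/0
  739 55101 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       154.64.226.21        0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp spt:80
  121  7723 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       121.89.247.94        0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 68 bytes)
 pkts bytes target     prot opt in     out     source               destination
  462 64849 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp spt:80
    0     0 ACCEPT     tcp  --  *      *       121.89.247.94        0.0.0.0/0            tcp spt:80
EOF
}
```

On the embedded listing the audit reports INPUT:7:ACCEPT 121.89.247.94 tcp dpt:80, the rule appended after the catch-all DROP; the fix is to insert it above the DROP with iptables -I INPUT instead of -A.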
🔗 Links
linux 防火墙: https://ispong.isxcode.com/os/linux/linux 防火墙/