Linux firewall (firewalld)
Last updated on November 22, 2024
🧙 Questions
☄️ Ideas
Common commands
sudo systemctl stop firewalld     # stop now; the host is unfiltered until firewalld is started again
sudo systemctl start firewalld
sudo systemctl disable firewalld  # do not start at boot (a running instance keeps running until stopped)
sudo systemctl status firewalld
List opened ports
sudo firewall-cmd --list-all                   # everything in the default zone (public unless changed)
sudo firewall-cmd --zone=public --list-ports   # only the port list of the public zone
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="101.132.135.228" accept
        rule family="ipv4" source address="101.80.203.74" accept
        rule family="ipv4" source address="47.118.199.212" port port="443" protocol="tcp" accept
        rule family="ipv4" source address="47.118.199.212" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="47.92.152.18" accept
Reading this output: `ports:` is empty, so apart from ssh and dhcpv6-client nothing is reachable from every address; the rich rules whitelist individual source addresses, and for 47.118.199.212 only 80/tcp and 443/tcp, while the bare `accept` rules open every port to that one source.
Add rules
# Open one port (40000/tcp) to a single source address
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="101.80.203.74" port port="40000" protocol="tcp" accept'
# Open all ports to a single source address
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="124.221.151.148" accept'
# --permanent only edits the saved configuration; reload to apply it to the running firewall
sudo firewall-cmd --reload
# IPv6 source address: use family="ipv6"
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="2400:9ce0:5a1a:f49e:dcba:a3ae:272f:dccf" accept'
sudo firewall-cmd --reload
Remove a rule
# Pass the same rule that was added (family, source, port, protocol, action); removing a rule that is not present changes nothing and reports NOT_ENABLED
sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="101.80.203.74" accept'
sudo firewall-cmd --reload
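The add and remove steps above only behave as a pair when both are given the same rule text. The helper below is an added example, not code from the original page: it composes the rich rule once (in the attribute order firewalld itself prints) and uses that one string for `--add-rich-rule` and `--remove-rich-rule`, so a removal cannot silently miss because a port or the address family was left out. It assumes the public zone and the IP addresses from the page; when firewall-cmd is not installed it prints the commands instead of running them, so it can be tried anywhere.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Builds firewalld rich rules as
# strings so add and remove use identical text. Assumes zone "public".
set -eu

# rich_rule FAMILY SOURCE [PORT [PROTO]]
# Prints the rule in firewalld's own attribute order, e.g.
#   rule family="ipv4" source address="101.80.203.74" port port="40000" protocol="tcp" accept
# Without PORT the rule accepts every port from that source.
rich_rule() {
  local family="$1" source="$2" port="${3:-}" proto="${4:-tcp}" rule
  rule="rule family=\"$family\" source address=\"$source\""
  if [ -n "$port" ]; then
    rule="$rule port port=\"$port\" protocol=\"$proto\""
  fi
  printf '%s\n' "$rule accept"
}

# family_of ADDRESS -> ipv4 or ipv6, decided from the address syntax
family_of() {
  case "$1" in
    *:*) echo ipv6 ;;
    *)   echo ipv4 ;;
  esac
}

# fw_rule add|remove SOURCE [PORT [PROTO]]
# Applies the rule permanently in the public zone and reloads. Without
# firewall-cmd on the host the commands are printed (dry run) instead.
fw_rule() {
  local action="$1" source="$2" port="${3:-}" proto="${4:-tcp}" rule
  rule="$(rich_rule "$(family_of "$source")" "$source" "$port" "$proto")"
  if command -v firewall-cmd >/dev/null 2>&1; then
    sudo firewall-cmd --permanent --zone=public "--${action}-rich-rule=${rule}"
    sudo firewall-cmd --reload
  else
    printf "dry-run: sudo firewall-cmd --permanent --zone=public --%s-rich-rule='%s'\n" "$action" "$rule"
    echo "dry-run: sudo firewall-cmd --reload"
  fi
}

# Usage (addresses from the page):
#   ./fw-rule.sh add 101.80.203.74 40000
#   ./fw-rule.sh add 2400:9ce0:5a1a:f49e:dcba:a3ae:272f:dccf
#   ./fw-rule.sh remove 101.80.203.74 40000
if [ $# -ge 2 ]; then
  fw_rule "$@"
fi
```

Keeping the rule text in one place also makes the removal auditable: the string printed in dry-run mode is exactly what `firewall-cmd --list-all` will show under `rich rules:`.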
Verify that the rule is in effect
Server A opens a port to server B
# On server A: confirm something is listening on the port (ss -nlpt shows the same on hosts without netstat)
netstat -nlpt | grep 40000
# On server B: connect to the port; use the same port number that was opened and is listening on A
sudo yum install telnet -y
telnet 47.92.152.18 40004
Connection failed. "No route to host" here is not a routing problem: firewalld's public zone rejects with icmp-host-prohibited, which telnet reports this way. ("Connection refused" would instead mean the firewall lets the packet through but nothing is listening on that port.)
Trying 47.92.152.18...
telnet: connect to address 47.92.152.18: No route to host
Connection succeeded
Trying 47.92.152.18...
Connected to 47.92.152.18.
Escape character is '^]'.
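The same check without installing telnet, as an added example that is not part of the original page: bash's built-in `/dev/tcp` attempts the connection from server B, and the outcome is classified the way the two telnet outputs above are read. "No route to host" maps to firewalld's REJECT, "Connection refused" to an open firewall with no listener, and a timeout to silently dropped packets. HOST and PORT are arguments; the values in the usage line are the page's.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: telnet-free reachability probe
# for the "A opens a port to B" check, with the failure mode explained.
set -u

# classify_probe EXIT_CODE STDERR_TEXT -> one word describing the outcome
classify_probe() {
  local rc="$1" err="$2"
  if [ "$rc" -eq 0 ]; then
    echo open                      # handshake completed: firewall passes it and a service listens
  elif [ "$rc" -eq 124 ]; then
    echo timeout                   # timeout(1) fired: packets silently dropped (DROP target, or no path)
  else
    case "$err" in
      *"No route to host"*)   echo rejected ;;   # firewalld public zone: REJECT with icmp-host-prohibited
      *"Connection refused"*) echo refused ;;    # firewall lets it through, nothing listens on the port
      *)                      echo "error: $err" ;;
    esac
  fi
}

# tcp_probe HOST PORT [TIMEOUT_SECONDS]
# Runs the connect in a child bash because /dev/tcp is a bash feature;
# the descriptor is closed when that child exits.
tcp_probe() {
  local host="$1" port="$2" tmo="${3:-3}" rc=0 err=""
  err="$(timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1)" || rc=$?
  classify_probe "$rc" "$err"
}

# Usage: ./probe.sh 47.92.152.18 40004   -> open | rejected | refused | timeout
if [ $# -ge 2 ]; then
  tcp_probe "$1" "$2" "${3:-3}"
fi
```

Run it from server B against server A before and after `firewall-cmd --reload`; the word it prints tells you whether to look at the firewall rule (rejected, timeout) or at the service on A (refused).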
Get the current public IP (the address to put in a source rule)
curl ifconfig.co
# or
wget http://ipecho.net/plain -O - -q ; echo
Open a port to all IPs
# Raw iptables equivalent, not needed with firewalld and best not mixed with it: firewalld does not track rules
# added this way, and /etc/sysconfig/iptables is read by iptables-services, not by firewalld
# sudo iptables -A INPUT -p tcp --dport 40004 -j ACCEPT
# sudo iptables-save > /etc/sysconfig/iptables
firewall-cmd --zone=public --add-port=30177/tcp --permanent   # writes the saved configuration only
firewall-cmd --reload                                         # apply it to the running firewall
firewall-cmd --zone=public --query-port=30177/tcp             # prints yes/no, exit status 0/1
firewall-cmd --zone=public --list-ports
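Once ports are opened both zone-wide and per source, `--list-all` is the only place the whole picture shows up, and it takes some reading. The script below is an added example, not code from the original page: it parses that output and answers the two questions the listing commands above answer by hand, what is open to every address and what each whitelisted source may reach. `SAMPLE_DUMP` is constructed from the page's own `--list-all` output with the page's 30177/tcp port added; set `FW_LIVE=1` on a real host to run it against the live public zone instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit a firewalld zone listing.
# SAMPLE_DUMP is constructed from the page's output (30177/tcp added).
set -eu

SAMPLE_DUMP='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 30177/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="101.132.135.228" accept
        rule family="ipv4" source address="101.80.203.74" accept
        rule family="ipv4" source address="47.118.199.212" port port="443" protocol="tcp" accept
        rule family="ipv4" source address="47.118.199.212" port port="80" protocol="tcp" accept
        rule family="ipv4" source address="47.92.152.18" accept'

# zone_dump -> the listing to audit (live zone when FW_LIVE=1, else the sample)
zone_dump() {
  if [ "${FW_LIVE:-0}" = 1 ]; then
    sudo firewall-cmd --zone=public --list-all
  else
    printf '%s\n' "$SAMPLE_DUMP"
  fi
}

# zone_field NAME -> value of the "  NAME: value" line, trimmed
zone_field() {
  zone_dump | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//'
}

# Ports and services set on the zone itself apply to every source address.
world_open_ports()    { zone_field ports; }
world_open_services() { zone_field services; }

# source_allowed ADDRESS -> "all", "none", or the port/proto list from its rich rules
source_allowed() {
  local addr="$1" rules
  rules="$(zone_dump | grep -F "source address=\"$addr\"" || true)"
  if [ -z "$rules" ]; then
    echo none
  elif printf '%s\n' "$rules" | grep -Fq "source address=\"$addr\" accept"; then
    echo all          # bare accept: every port, not only those in ports:/services:
  else
    printf '%s\n' "$rules" \
      | sed -n 's/.*port port="\([^"]*\)" protocol="\([^"]*\)".*/\1\/\2/p' \
      | sort -u | paste -sd ' ' -
  fi
}

# audit_zone -> one line for the world-open surface, one per whitelisted source
audit_zone() {
  echo "open to everyone: ports [$(world_open_ports)] services [$(world_open_services)]"
  zone_dump | sed -n 's/.*source address="\([^"]*\)".*/\1/p' | sort -u | while read -r addr; do
    echo "source $addr: $(source_allowed "$addr")"
  done
}

# Usage: ./audit.sh report        (FW_LIVE=1 ./audit.sh report on a real host)
if [ "${1:-}" = report ]; then
  audit_zone
fi
```

On the sample this reports 30177/tcp plus ssh and dhcpv6-client as reachable from anywhere, 47.118.199.212 limited to 443/tcp and 80/tcp, and the other three addresses allowed on every port, which is the fact to double-check before adding another bare `accept` rule.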
🔗 Links
linux 防火墙
https://ispong.isxcode.com/os/linux/linux 防火墙/