Linux firewall

Last updated on April 3, 2025

Opening a port with Docker

docker run --name some-nginx  -p 8080:80 -d nginx

Publishing a port with -p does more than start the container: dockerd writes its own iptables rules (a DOCKER chain reached from FORWARD plus a DNAT rule in the nat table), so host port 8080 becomes reachable from outside whether or not the firewalld public zone lists it. firewalld's zone rules sit in the INPUT path and never see that forwarded traffic. The sections below are about getting that control back.

Starting and stopping the firewall

sudo systemctl start firewalld
sudo systemctl stop firewalld
# disable only removes the autostart at boot; it does not stop a running instance
sudo systemctl disable firewalld
sudo systemctl status firewalld

Binding a network interface to a zone

ifconfig
sudo firewall-cmd --permanent --zone=public --add-interface=eth0
# sudo firewall-cmd --permanent --zone=public --remove-interface=docker0
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones

Look up the name of the external interface first; eth0 is the example used here and is often something like ens33 or enp0s3 on other hosts. After the reload, --get-active-zones should list that interface under public. The commented line takes docker0 back out of the public zone if it has ended up there: docker0 is the bridge between the containers and the host, and the public zone's rules are meant for the interface facing the outside.

Stopping Docker from opening ports by itself

vim /usr/lib/systemd/system/docker.service

# ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# change to
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock

sudo systemctl daemon-reload
sudo systemctl restart docker

With --iptables=false dockerd no longer writes the DNAT and FORWARD rules behind -p. A published port is still bound on the host by docker-proxy (Docker's default userland proxy), but that is now ordinary host traffic through INPUT, so the firewalld zone rules apply to it like to any other port. Two caveats. The unit file under /usr/lib/systemd/system is replaced on every package upgrade; the same setting survives upgrades when written as "iptables": false in /etc/docker/daemon.json, or placed in a drop-in created with systemctl edit docker. And Docker also stops adding the MASQUERADE rule that gives containers outbound NAT, so containers lose outbound connectivity until masquerading is added by hand (with firewalld, --add-masquerade on the relevant zone).

Closing a port

sudo firewall-cmd --zone=public --remove-port=30107/tcp --permanent
sudo firewall-cmd --reload

Opening a port

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

--permanent edits the saved configuration only; the --reload is what turns it into the running one. The other way round, a change made without --permanent is live immediately but is lost at the next reload or reboot.

Listing the open ports

sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --list-ports

Adding rules

# open one port to one source address
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="101.80.203.74" port protocol="tcp" port="40000" accept'
# open every port to one source address
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="124.221.151.148" accept'
sudo firewall-cmd --reload
# ipv6
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="2400:9ce0:5a1a:f49e:dcba:a3ae:272f:dccf" accept'
sudo firewall-cmd --reload

family has to match the address (an IPv6 address under family="ipv4" is refused), and source address may also be a prefix such as 10.0.0.0/24. A rule that accepts every port from one address is a host-level allowlist: keep the list short and remove entries as soon as the peer changes.

Removing a rule

# the rule text has to be identical to the one that was added; --list-rich-rules shows the installed text
sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="101.80.203.74" port protocol="tcp" port="40000" accept'
sudo firewall-cmd --reload
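One way to keep --add-rich-rule and --remove-rich-rule in step is to generate the rule text once and use it for both. The script below is an added example, not code from the original page: rich_rule, fw_allow, fw_revoke and the FWCMD variable are names chosen here. FWCMD defaults to printing the firewall-cmd invocations so the output can be reviewed; setting FWCMD='sudo firewall-cmd' applies them. The addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example. FWCMD is an assumption of this script: by default it only echoes
# the firewall-cmd invocations; run with FWCMD='sudo firewall-cmd' to apply them.
FWCMD="${FWCMD:-echo firewall-cmd}"

# rich_rule SOURCE [PORT/PROTO]
# Print the rich-rule text that accepts SOURCE, optionally restricted to one port.
# The family is derived from the address itself, so family="ipv4" can never be
# paired with an IPv6 source (firewalld would refuse such a rule anyway).
rich_rule() {
  src=$1; portspec=${2:-}
  case $src in
    *:*)     family=ipv6 ;;
    *.*.*.*) family=ipv4 ;;   # loose check: address or prefix with four dotted parts
    *) echo "rich_rule: not an IP address or prefix: $src" >&2; return 1 ;;
  esac
  rule="rule family=\"$family\" source address=\"$src\""
  if [ -n "$portspec" ]; then
    port=${portspec%/*}; proto=${portspec#*/}
    case $proto in tcp|udp) ;; *) echo "rich_rule: protocol must be tcp or udp: $portspec" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "rich_rule: bad port: $portspec" >&2; return 1 ;; esac
    rule="$rule port protocol=\"$proto\" port=\"$port\""
  fi
  printf '%s accept\n' "$rule"
}

# fw_allow SOURCE [PORT/PROTO]: install the rule permanently and reload.
fw_allow() {
  rule=$(rich_rule "$@") || return 1
  $FWCMD --permanent --add-rich-rule="$rule" && $FWCMD --reload
}

# fw_revoke SOURCE [PORT/PROTO]: remove exactly what fw_allow installed. The text
# comes from the same generator, so it cannot drift from the installed rule; a
# --remove-rich-rule with different text only warns that the rule is not enabled
# and leaves the original in place.
fw_revoke() {
  rule=$(rich_rule "$@") || return 1
  $FWCMD --permanent --remove-rich-rule="$rule" && $FWCMD --reload
}

# Preview: one port for one host, then the matching revoke.
fw_allow 101.80.203.74 40000/tcp
fw_revoke 101.80.203.74 40000/tcp
```

Because every call goes through rich_rule, a revoke can only ever be issued with text that fw_allow could have produced, which removes the class of mistake where the remove command names a rule that was never added.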

Checking that it took effect

Server A opens a port to server B

# on A: confirm that something is actually listening on the port
netstat -nlpt | grep 40004
# on B
sudo yum install telnet -y
telnet 47.92.152.18 40004

Blocked:

Trying 47.92.152.18...
telnet: connect to address 47.92.152.18: No route to host

Allowed:

Trying 47.92.152.18...
Connected to 47.92.152.18.
Escape character is '^]'.

"No route to host" is what firewalld's default public zone produces: it rejects with an ICMP host-prohibited message instead of dropping, so the client fails at once rather than timing out. A plain DROP rule, as in the iptables section further down, shows up as a hang until the connect timeout. Run the telnet from a host that is not on the allowlist too; a rule is only verified when the allowed source connects and an unlisted one is refused.

Finding your current public IP

curl ifconfig.co
# or
wget http://ipecho.net/plain -O - -q ; echo

This is the address to put in the source allowlist when the allowed peer is the machine you are sitting at. Behind NAT it is the gateway's address, shared with every other host behind the same gateway, so the rule then admits all of them.

Opening a port to every IP

# sudo iptables -A INPUT -p tcp --dport 40004 -j ACCEPT
# sudo iptables-save > /etc/sysconfig/iptables
firewall-cmd --zone=public --add-port=30177/tcp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --query-port=30177/tcp
firewall-cmd --zone=public --list-ports

The commented iptables lines are the equivalent without firewalld. Do not mix the two on one host: firewalld rewrites the tables on every reload, and rules added by hand disappear. --query-port prints yes or no, which is easier to use in a script than reading --list-ports.

Flushing the iptables rules

# removes every rule in the filter table (use with care)
iptables -F

-F empties the chains but leaves their policies alone: if INPUT's policy is DROP, flushing leaves a chain with no rules and a DROP policy, which cuts off your own session. Set the policies to ACCEPT first (iptables -P INPUT ACCEPT) when working remotely. -F without -t touches the filter table only; nat and mangle keep their rules.

Blocking a port with iptables

sudo systemctl stop firewalld
iptables -L -v -n

# allow port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

# block port 80
iptables -A INPUT -p tcp --dport 80 -j DROP

# delete an old rule (the match has to be spelled exactly as when it was added)
iptables -D INPUT -p tcp --dport 30107 -j DROP
  • dport: destination port (the port on this host)
  • sport: source port (the port the packet was sent from)
  • INPUT: packets addressed to this host
  • OUTPUT: packets sent by this host
  • ACCEPT: let the packet through
  • DROP: discard silently (the sender sees a timeout; REJECT would answer with an error)

firewalld is stopped first because it owns the tables and would overwrite hand-written rules on its next reload. The OUTPUT rule is harmless but redundant while OUTPUT's policy is ACCEPT, which it is by default. Appending the DROP below an ACCEPT for the same port does nothing: the chain is read top to bottom and the ACCEPT matches first, so delete the ACCEPT, or insert the DROP with -I instead of -A. Rules entered this way are not kept across a reboot; save them with iptables-save as shown above.

iptables: one server may reach any port, everyone else is blocked

# allow 47.116.172.217 to reach everything
iptables -A INPUT -s 47.116.172.217 -j ACCEPT
# then refuse everyone else (!!! run with care, and in this order)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j DROP
# iptables -D INPUT -j DROP
# allow this host to reach the outside
iptables -A OUTPUT -j ACCEPT

As written this also drops loopback traffic and the replies to connections the host opens itself (package downloads, DNS), because nothing above the final DROP accepts them; accept -i lo and -m conntrack --ctstate ESTABLISHED,RELATED before the DROP. The SSH ACCEPT goes in before the DROP on purpose so a typo in the allowlist cannot lock you out; narrow it with -s once the rest is verified. The OUTPUT rules are redundant with OUTPUT's default ACCEPT policy.
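The same allowlist as one ordered script, added here as an example and not taken from the page. It keeps the page's behaviour (one trusted source on every port, SSH from anywhere, everything else dropped) and adds the loopback and conntrack rules the page is missing. IPT and apply_allowlist are names chosen here; IPT defaults to printing the iptables commands so the ruleset can be reviewed, and is set to IPT=iptables (as root) to apply it.

```shell
#!/bin/sh
# Added example. IPT is an assumption of this script: by default it prints the
# iptables invocations instead of running them; apply with IPT=iptables as root.
IPT="${IPT:-echo iptables}"

# apply_allowlist TRUSTED_SRC...
# Rebuild INPUT so that the trusted sources reach every port, SSH stays reachable
# from anywhere, and everything else is dropped. Order is the whole point: the
# chain is evaluated top to bottom and the first match wins, so the DROP is
# appended last and nothing may be appended after it.
apply_allowlist() {
  [ $# -ge 1 ] || { echo "usage: apply_allowlist SOURCE..." >&2; return 1; }
  # Policy to ACCEPT before flushing: a DROP policy over an empty chain would cut
  # off the very session that is applying these rules.
  $IPT -P INPUT ACCEPT
  $IPT -F INPUT
  # Loopback, and replies to connections this host opened itself (package
  # downloads, DNS): without these two rules the final DROP discards them.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH from anywhere, as on the page, so an allowlist typo cannot lock you out;
  # add -s ADMIN_IP to this rule once the rest is verified.
  $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
  for src in "$@"; do
    $IPT -A INPUT -s "$src" -j ACCEPT
  done
  # Catch-all last. Rules added later must go above it with -I, never with -A.
  $IPT -A INPUT -j DROP
  # OUTPUT keeps its default ACCEPT policy; no --sport rules are needed.
}

# Preview with the trusted host used on this page.
apply_allowlist 47.116.172.217
```

The rules live in memory only: after applying them, iptables-save > /etc/sysconfig/iptables (as the page does above) keeps them across a reboot, and firewalld has to stay stopped or it will replace them on its next reload.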

iptables: one server may reach one port

iptables -A INPUT -s 121.89.247.94 -p tcp --dport 80 -j ACCEPT
# in OUTPUT the remote peer is the destination, so it is matched with -d, not -s
iptables -A OUTPUT -d 121.89.247.94 -p tcp --sport 80 -j ACCEPT

The OUTPUT rule is again only needed if OUTPUT's policy has been changed away from ACCEPT; with -s instead of -d it would match nothing, because the source of a packet this host sends is this host's own address.

iptables: refuse one port for everyone

iptables -A INPUT -p tcp --dport 8080 -j DROP

Rules higher in the chain win: a chain is evaluated top to bottom and the first rule that matches decides, so anything appended with -A below a catch-all "DROP all" can never match. In the listing below the last INPUT rule, ACCEPT for 121.89.247.94 on port 80, sits under the DROP and shows 0 packets for exactly that reason; it had to be inserted above the DROP with -I INPUT <n>, or the DROP deleted and re-appended after it. The counters in -L -v are the quickest way to spot such dead rules.

 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   29  4077 ACCEPT     all  --  *      *       47.116.172.217       0.0.0.0/0           
  739 55101 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       154.64.226.21        0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp spt:80
  121  7723 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       121.89.247.94        0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 68 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  462 64849 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       112.65.98.33         0.0.0.0/0            tcp spt:80
    0     0 ACCEPT     tcp  --  *      *       121.89.247.94        0.0.0.0/0            tcp spt:80
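The check that the listing above invites, as an added example that is not part of the original page: a shell function that reads iptables -L -v -n output and prints every rule that sits below an unconditional terminating rule in its chain. SAMPLE_LISTING is a constructed, trimmed copy of the chains shown above, and find_shadowed_rules is a name chosen here.

```shell
#!/bin/sh
# Added example. Reads an `iptables -L -v -n` listing on stdin and prints each rule
# that can never match because an unconditional terminating rule precedes it in
# the same chain. SAMPLE_LISTING is a constructed copy of the listing on this page.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  4077 ACCEPT     all  --  *      *       47.116.172.217       0.0.0.0/0
  739 55101 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       154.64.226.21        0.0.0.0/0            tcp dpt:80
  121  7723 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       121.89.247.94        0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 68 bytes)
 pkts bytes target     prot opt in     out     source               destination
  462 64849 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
'

# find_shadowed_rules: stdin = iptables -L -v -n output; stdout = "CHAIN: rule" lines.
# A rule is a catch-all when its target ends evaluation (ACCEPT/DROP/REJECT), it
# matches any protocol, interface, source and destination, and carries no extra
# match. REJECT prints a trailing "reject-with ...", which is not a match, so it
# is allowed. Jumps to user-defined chains (target = chain name) do not count.
find_shadowed_rules() {
  awk '
    function rule_text(line,  s) { s = line; sub(/^ *[0-9]+ +[0-9]+ +/, "", s); return s }
    /^Chain /                    { chain = $2; dead = 0; next }   # new chain, reset
    /^ *pkts +bytes/ || NF == 0  { next }                         # header or blank
    dead                         { printf "%s: %s\n", chain, rule_text($0); next }
    ($3 == "ACCEPT" || $3 == "DROP" || $3 == "REJECT") &&
    $4 == "all" && $6 == "*" && $7 == "*" &&
    ($8 == "0.0.0.0/0" || $8 == "::/0") && ($9 == "0.0.0.0/0" || $9 == "::/0") &&
    (NF == 9 || ($3 == "REJECT" && $10 == "reject-with")) { dead = 1 }
  '
}

# Demo on the constructed listing. On a live host: iptables -L -v -n | find_shadowed_rules
printf '%s' "$SAMPLE_LISTING" | find_shadowed_rules
```

On the sample it prints only the 121.89.247.94 rule, the one the page appended after the catch-all DROP. A rule that shows up here is either dead weight or a sign that the intended allow never took effect; either way it should be moved above the catch-all with -I or removed.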

https://ispong.isxcode.com/os/linux/linux 防火墙/
Author: ispong
Posted on May 13, 2021