
ftp 防火墙配置

作者: CloudFlyKing | 来源:发表于2020-06-12 15:00 被阅读0次

    firewall

    一些基本语法
    增加端口（示例开放 3306/tcp）。注意两点：带 `--permanent` 的命令只写入持久化配置，并不会立即生效，必须再执行 `firewall-cmd --reload` 才会应用到运行时规则；另外 3306 是 MySQL 端口，下面输出显示 work 区域绑定了两块网卡（enp0s20f0u1u6、enp90s0f3），对整个区域开放数据库端口风险较大，生产环境应改用带 `source` 的 rich rule 只对指定来源地址放行。

    [root@localhost ~]# firewall-cmd --zone=work --add-port=3306/tcp --permanent 
    success
    [root@localhost ~]# firewall-cmd --reload
    success
    [root@localhost ~]# firewall-cmd --list-all
    work (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s20f0u1u6 enp90s0f3
      sources: 
      services: dhcpv6-client ftp ssh
      ports: 3306/tcp 80/tcp
      protocols: 
      masquerade: no
      forward-ports: 
      sourceports: 
      icmp-blocks: 
      rich rules:
    

    删除端口

    [root@localhost ~]# firewall-cmd --zone=work --remove-port=80/tcp --permanent
    success
    [root@localhost ~]# firewall-cmd --reload
    success
    [root@localhost ~]# firewall-cmd --list-all
    work (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s20f0u1u6 enp90s0f3
      sources: 
      services: dhcpv6-client ftp ssh
      ports: 3306/tcp
      protocols: 
      masquerade: no
      forward-ports: 
      sourceports: 
      icmp-blocks: 
      rich rules: 
    

    查看防火墙策略。不带 `--zone` 时 `--list-all` 显示的是默认区域的运行时配置；加 `--permanent` 才能查看持久化配置（两者可能不一致）。下面这份输出 ports 为空，是在开放 3306/tcp 之前抓取的快照，与上文 ports 显示 3306/tcp 并非同一时刻。

    [root@localhost ~]# firewall-cmd --list-all
    work (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s20f0u1u6 enp90s0f3
      sources: 
      services: dhcpv6-client ftp ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      sourceports: 
      icmp-blocks: 
      rich rules: 
    

    1.更改默认zone（安装后默认为 public）。默认区域只作用于没有显式绑定区域的网卡；切换默认区域后，这些网卡会立即按新区域（这里是 work）的规则放行流量，切换前请先确认 work 区域放行的服务是否符合预期。

    [root@weixing01 ~]# firewall-cmd --set-default-zone=work
    success
    [root@weixing01 ~]# firewall-cmd --get-default-zone 
    work
    

    2.查看当前（默认）zone下有哪些service（不带 `--zone` 时针对默认区域）:

    [root@localhost upload]# firewall-cmd --list-services 
    ssh dhcpv6-client
    

    3.查看指定zone下有哪些service

    [root@localhost upload]# firewall-cmd --zone=public  --list-services 
    ssh dhcpv6-client
    

    4.把一些服务增加到指定zone下面。注意下面的命令没有带 `--permanent`，只修改运行时配置，执行 `firewall-cmd --reload` 或重启 firewalld 后就会丢失；需要持久化时再以 `--permanent` 执行一次并 `--reload`，或者两条都执行（`--runtime-to-permanent` 也可把当前运行时配置固化下来）:

    [root@localhost upload]# firewall-cmd --zone=public  --add-service=http
    success
    [root@localhost upload]# firewall-cmd --zone=public  --list-services 
    ssh dhcpv6-client http
    

    6.模板文件存在路径。`/usr/lib/firewalld/` 下的文件归软件包所有，升级时会被覆盖，不要直接修改；自定义的 zone / service 应放到 `/etc/firewalld/` 对应目录下，同名文件会优先于 `/usr/lib/firewalld/` 中的版本生效:

    [root@localhost upload]# ls /usr/lib/firewalld/zones/
    block.xml  drop.xml      home.xml      public.xml   work.xml
    dmz.xml    external.xml  internal.xml  trusted.xml
    
    [root@localhost upload]# ls /usr/lib/firewalld/services/
    amanda-client.xml        ipp-client.xml    pmwebapis.xml       squid.xml
    amanda-k5-client.xml     ipp.xml           pmwebapi.xml        ssh.xml
    bacula-client.xml        ipsec.xml         pop3s.xml           synergy.xml
    bacula.xml               iscsi-target.xml  pop3.xml            syslog-tls.xml
    ceph-mon.xml             kadmin.xml        postgresql.xml      syslog.xml
    ceph.xml                 kerberos.xml      privoxy.xml         telnet.xml
    dhcpv6-client.xml        kpasswd.xml       proxy-dhcp.xml      tftp-client.xml
    dhcpv6.xml               ldaps.xml         ptp.xml             tftp.xml
    dhcp.xml                 ldap.xml          pulseaudio.xml      tinc.xml
    dns.xml                  libvirt-tls.xml   puppetmaster.xml    tor-socks.xml
    docker-registry.xml      libvirt.xml       radius.xml          transmission-client.xml
    dropbox-lansync.xml      mdns.xml          RH-Satellite-6.xml  vdsm.xml
    freeipa-ldaps.xml        mosh.xml          rpc-bind.xml        vnc-server.xml
    freeipa-ldap.xml         mountd.xml        rsyncd.xml          wbem-https.xml
    freeipa-replication.xml  ms-wbt.xml        samba-client.xml    xmpp-bosh.xml
    ftp.xml                  mysql.xml         samba.xml           xmpp-client.xml
    high-availability.xml    nfs.xml           sane.xml            xmpp-local.xml
    https.xml                ntp.xml           smtps.xml           xmpp-server.xml
    http.xml                 openvpn.xml       smtp.xml
    imaps.xml                pmcd.xml          snmptrap.xml
    imap.xml                 pmproxy.xml       snmp.xml
    

    7.拷贝ftp模板过来。只有在需要改动这个 service 定义时才有必要拷贝（例如把 vsftpd 配置的被动模式端口范围也加进来），否则直接引用内置的 ftp 服务即可。从下面的内容可以看到，内置定义只放行 21/tcp 控制通道并加载 `nf_conntrack_ftp` 模块，数据通道端口依赖该 conntrack helper 解析控制通道中的 PORT/PASV 命令动态放行；如果 FTP 走 TLS（FTPS），helper 无法解析加密后的控制通道，被动模式端口范围就必须在这里显式开放。

    cp  /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>FTP</short>
      <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
      <port protocol="tcp" port="21"/>
      <module name="nf_conntrack_ftp"/>
    </service>
    

    8.拷贝work模板过来

    cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
    

    9.修改work.xml增加ftp服务。手工编辑 XML 与执行 `firewall-cmd --permanent --zone=work --add-service=ftp` 效果相同，后者不容易写错且无需拷贝文件；另外拷贝到 `/etc/firewalld/zones/` 的 work.xml 是一份快照，之后软件包对内置 work 区域的更新不会再反映到这里。

    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Work</short>
      <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
      <service name="ftp"/>
    </zone>
    

    10.更改默认zone为work

     firewall-cmd --set-default-zone=work
    

    11.重启防火墙。`service firewalld restart` 会先清空全部规则再重建，期间主机短暂处于无防火墙状态，且在 systemd 系统上应使用 `systemctl restart firewalld`；只是让持久化配置生效的话，推荐用 `firewall-cmd --reload`，它会应用永久配置并保留连接跟踪状态，不会中断已建立的连接。

    service firewalld restart
    

    iptables设置

    1.增加21端口。这条规则必须写在 INPUT 链末尾的 `-j REJECT` / `-j DROP` 规则之前，否则永远不会被匹配到；另外 21/tcp 只是控制通道，数据通道要靠下一步加载的 FTP conntrack 模块配合 `--state RELATED,ESTABLISHED` 规则放行。

    vi /etc/sysconfig/iptables
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    

    2.加载额外模块 ip_conntrack_ftp。`ip_conntrack_ftp` 是旧内核的模块名，现代内核中应写 `nf_conntrack_ftp`（与上文 firewalld 的 ftp.xml 里 `<module name="nf_conntrack_ftp"/>` 一致），写旧名称在新系统上会加载失败。另外较新内核（4.7 及以后）默认关闭了 conntrack helper 的自动分配（`net.netfilter.nf_conntrack_helper=0`），仅加载模块不够，还需要在 raw 表里用 `-A PREROUTING -p tcp --dport 21 -j CT --helper ftp` 显式指定 helper；把该 sysctl 改回 1 虽然也能用，但会对所有连接自动分配 helper，不建议在生产环境这么做。

    vi /etc/sysconfig/iptables-config
    IPTABLES_MODULES="ip_conntrack_ftp"
    

    3.重启防火墙。`service iptables restart` 依赖 iptables-services 软件包，会按 `/etc/sysconfig/iptables` 重新加载规则；它与 firewalld 互斥，同一台主机上只应启用其中一个，否则两者会互相覆盖对方的规则。

    service iptables restart
    
