FTP firewall configuration on Linux

firewalld

Some basic syntax
Adding a port

[root@localhost ~]# firewall-cmd --zone=work --add-port=3306/tcp --permanent 
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 3306/tcp 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

Removing a port

[root@localhost ~]# firewall-cmd --zone=work --remove-port=80/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 3306/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

Viewing the firewall policy (--list-all shows the runtime state of the default zone; add --permanent to see the saved configuration, or --zone=NAME for another zone)

[root@localhost ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s20f0u1u6 enp90s0f3
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

1. Change the default zone (the default is public)

[root@weixing01 ~]# firewall-cmd --set-default-zone=work
success
[root@weixing01 ~]# firewall-cmd --get-default-zone 
work

2. List the services enabled in the current (default) zone:

[root@localhost upload]# firewall-cmd --list-services 
ssh dhcpv6-client

3. List the services enabled in a specified zone

[root@localhost upload]# firewall-cmd --zone=public  --list-services 
ssh dhcpv6-client

4. Add a service to a specified zone:

[root@localhost upload]# firewall-cmd --zone=public  --add-service=http
success
[root@localhost upload]# firewall-cmd --zone=public  --list-services 
ssh dhcpv6-client http

Without --permanent this change is runtime-only and disappears at the next reload or restart of firewalld. To keep it, add --permanent and then run firewall-cmd --reload, as in the --add-port example above.

6. Where the template files live (the files under /usr/lib/firewalld/ are the package defaults; firewalld reads /etc/firewalld/ first, and a same-named file there overrides the default, so local changes go under /etc/firewalld/ and survive package updates):

[root@localhost upload]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml

[root@localhost upload]# ls /usr/lib/firewalld/services/
amanda-client.xml        ipp-client.xml    pmwebapis.xml       squid.xml
amanda-k5-client.xml     ipp.xml           pmwebapi.xml        ssh.xml
bacula-client.xml        ipsec.xml         pop3s.xml           synergy.xml
bacula.xml               iscsi-target.xml  pop3.xml            syslog-tls.xml
ceph-mon.xml             kadmin.xml        postgresql.xml      syslog.xml
ceph.xml                 kerberos.xml      privoxy.xml         telnet.xml
dhcpv6-client.xml        kpasswd.xml       proxy-dhcp.xml      tftp-client.xml
dhcpv6.xml               ldaps.xml         ptp.xml             tftp.xml
dhcp.xml                 ldap.xml          pulseaudio.xml      tinc.xml
dns.xml                  libvirt-tls.xml   puppetmaster.xml    tor-socks.xml
docker-registry.xml      libvirt.xml       radius.xml          transmission-client.xml
dropbox-lansync.xml      mdns.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldaps.xml        mosh.xml          rpc-bind.xml        vnc-server.xml
freeipa-ldap.xml         mountd.xml        rsyncd.xml          wbem-https.xml
freeipa-replication.xml  ms-wbt.xml        samba-client.xml    xmpp-bosh.xml
ftp.xml                  mysql.xml         samba.xml           xmpp-client.xml
high-availability.xml    nfs.xml           sane.xml            xmpp-local.xml
https.xml                ntp.xml           smtps.xml           xmpp-server.xml
http.xml                 openvpn.xml       smtp.xml
imaps.xml                pmcd.xml          snmptrap.xml
imap.xml                 pmproxy.xml       snmp.xml

7. Copy the ftp service template

cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

The copied file (edit this copy, not the one under /usr/lib):
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>

The service opens only TCP port 21, the control channel. The data connection uses a different port each time (in passive mode a high port chosen by the server, in active mode a connection from server port 20 back to the client), so the <module> line loads nf_conntrack_ftp, a conntrack helper that reads the PORT/PASV exchange on the control channel and marks the matching data connection RELATED so the firewall admits it without a static port range. The helper can only do this when the control channel is in cleartext: with FTPS (TLS on the control channel) it sees nothing, and the server's passive port range must then be opened explicitly with --add-port.

8. Copy the work zone template

cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

9. Edit work.xml to add the ftp service (firewall-cmd --permanent --zone=work --add-service=ftp writes the same line into this file)

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>

10. Make work the default zone

 firewall-cmd --set-default-zone=work

11. Restart the firewall

service firewalld restart

firewall-cmd --reload is enough to pick up the edited XML files; a full service restart is not required.
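The following is an added example, not code from the original post or from firewalld itself. It reproduces the two behaviours steps 6 to 11 rely on: firewalld reads /etc/firewalld/ before /usr/lib/firewalld/ and a same-named file in the former overrides the latter, and a service reference in a zone expands to the ports and kernel modules declared in that service's XML. Ports added directly to a zone with --add-port appear as port children of the zone file and are included too. The two directory trees are simulated in memory so the script runs without firewalld; the ftp.xml and work.xml bodies are the post's, while ssh.xml and dhcpv6-client.xml are abbreviated stand-ins and the 3306/tcp entry is constructed to mirror the --add-port example at the top of the post.

```python
"""Resolve the ports a firewalld zone really opens (added example).

Not firewalld's own code: an in-memory model of its lookup order
(/etc/firewalld/ overrides /usr/lib/firewalld/) and of how a zone's
<service name="x"/> references expand via services/x.xml.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for /usr/lib/firewalld (package defaults).
# ssh.xml and dhcpv6-client.xml are abbreviated; ftp.xml is the post's.
VENDOR = {
    "zones/work.xml": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>""",
    "services/ssh.xml": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "services/dhcpv6-client.xml": '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
    "services/ftp.xml": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>""",
}

# Constructed stand-in for /etc/firewalld: only the work.xml edited in step 9,
# plus a <port> entry as written by --add-port=3306/tcp --permanent.
ADMIN = {
    "zones/work.xml": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
  <port protocol="tcp" port="3306"/>
</zone>""",
}


def load_xml(relpath, admin=ADMIN, vendor=VENDOR):
    """Parse zones/<name>.xml or services/<name>.xml, admin tree first."""
    for tree in (admin, vendor):
        if relpath in tree:
            return ET.fromstring(tree[relpath].encode("utf-8"))
    raise FileNotFoundError(relpath)


def resolve_zone(zone, admin=ADMIN, vendor=VENDOR):
    """Return the services, (port, protocol) pairs and helper modules a zone enables."""
    root = load_xml(f"zones/{zone}.xml", admin, vendor)
    ports, modules, services = set(), set(), []
    for p in root.findall("port"):  # ports added directly with --add-port
        ports.add((p.get("port"), p.get("protocol")))
    for s in root.findall("service"):
        name = s.get("name")
        services.append(name)
        svc = load_xml(f"services/{name}.xml", admin, vendor)
        for p in svc.findall("port"):
            ports.add((p.get("port"), p.get("protocol")))
        for m in svc.findall("module"):
            modules.add(m.get("name"))
    return {"services": services, "ports": sorted(ports), "modules": sorted(modules)}


def added_by_override(zone, admin=ADMIN, vendor=VENDOR):
    """Ports the /etc/firewalld copy opens beyond the package default."""
    effective = set(resolve_zone(zone, admin, vendor)["ports"])
    default = set(resolve_zone(zone, {}, vendor)["ports"])
    return sorted(effective - default)


if __name__ == "__main__":
    print(resolve_zone("work"))
    print("opened by the /etc/firewalld override:", added_by_override("work"))
```

To run it against a real host, replace the two dictionaries with reads of /etc/firewalld/ and /usr/lib/firewalld/; the resolution logic stays the same. The point of added_by_override is the audit question a reviewer asks after step 9: what does the local copy expose that the shipped default did not.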

iptables settings (for hosts that use the iptables service with /etc/sysconfig/iptables instead of firewalld)

1. Allow port 21 (the control channel)

Add the rule to the INPUT chain, next to the existing rule for port 22 and before the final REJECT rule, otherwise it is never reached:

vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

2. Load the extra module ip_conntrack_ftp

vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp"

ip_conntrack_ftp is the name from the old ip_conntrack implementation; on kernels since 2.6.20 the module is nf_conntrack_ftp, so use IPTABLES_MODULES="nf_conntrack_ftp" if modprobe ip_conntrack_ftp fails. The helper only admits the data connections it marks RELATED if INPUT also accepts the RELATED,ESTABLISHED state (the default /etc/sysconfig/iptables has this rule near the top). On kernels 4.7 and later, automatic helper assignment (sysctl net.netfilter.nf_conntrack_helper) is disabled by default, so the helper has to be attached to the control channel explicitly with a raw-table rule:
-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

3. Restart the firewall

service iptables restart
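The following is an added example, not code from the original post, that audits an iptables-save dump (the format of /etc/sysconfig/iptables) for the three things the FTP setup in this section depends on: an accept rule for tcp/21 in filter/INPUT that is reachable, that is, placed before any unconditional DROP or REJECT; a RELATED,ESTABLISHED accept rule, without which the data connections the conntrack helper marks RELATED are dropped; and a raw-table CT --helper ftp rule, which kernels 4.7 and later need because automatic helper assignment is off by default. The dump is constructed for the example; the sysctl itself is not visible in a dump and is not checked here.

```python
"""Audit an iptables-save dump for the rules an FTP server needs (added example).

Not from the post. Parses iptables-save text and reports whether the
control-port accept, the RELATED,ESTABLISHED accept and the raw-table
CT helper rule are present, and whether the INPUT accepts are reachable.
"""
import shlex

# Constructed dump in the layout of /etc/sysconfig/iptables, with the
# port 21 rule from the post and a raw-table helper rule added.
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options whose presence makes a rule conditional (a rule with none of
# them matches every packet that reaches it).
MATCH_FLAGS = ("-p", "-s", "-d", "-i", "-o", "-m", "--dport", "--sport")


def parse_dump(text):
    """Return [(table, chain, argv)] for every -A rule, in file order."""
    table, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        argv = shlex.split(line)
        if len(argv) >= 2 and argv[0] == "-A":
            rules.append((table, argv[1], argv[2:]))
    return rules


def opt(argv, flag):
    """Value following flag in argv, or None when absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def states(argv):
    """Conntrack states named by -m state --state or -m conntrack --ctstate."""
    value = opt(argv, "--state") or opt(argv, "--ctstate") or ""
    return {s.upper() for s in value.split(",") if s}


def audit_ftp(text):
    """Report which of the three required rules are present and reachable."""
    found = {"control_port": False, "related_established": False, "ct_helper": False}
    blocked = False  # set once an unconditional DROP/REJECT is seen in INPUT
    for table, chain, argv in parse_dump(text):
        target = opt(argv, "-j")
        if table == "raw" and target == "CT" and opt(argv, "--helper") == "ftp":
            found["ct_helper"] = True
        if table != "filter" or chain != "INPUT" or blocked:
            continue
        unconditional = not any(f in argv for f in MATCH_FLAGS)
        if unconditional and target in ("DROP", "REJECT"):
            blocked = True  # later INPUT rules can never match
        elif target == "ACCEPT":
            if opt(argv, "-p") == "tcp" and opt(argv, "--dport") == "21":
                found["control_port"] = True
            if {"RELATED", "ESTABLISHED"} <= states(argv):
                found["related_established"] = True
    return found


if __name__ == "__main__":
    for check, ok in audit_ftp(SAMPLE).items():
        print(f"{check:22} {'ok' if ok else 'MISSING'}")
```

Feed it the output of iptables-save on a real host (python3 audit.py < <(iptables-save) after replacing SAMPLE with sys.stdin.read()) to confirm the rule added in step 1 is reachable and the helper path is complete before relying on passive-mode transfers working.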