文章目录
- 一、前文
- 二、启动firewalld
- 三、开放端口
- 四、特殊端口限制ip地址开放
一、前文
-
本文直接进行Linux系统firewalld防火墙的应用实操
- 对外端口开放使用
- 对内端口限制ip地址使用
- 不使用端口默认关闭
-
基础知识请查阅:Linux系统firewalld防火墙的基本操作
-
进阶知识请查阅:Linux系统firewalld防火墙的进阶操作(日志保存 IP网段 ssh服务)
-
应用实操请查阅:Linux系统firewalld防火墙的应用实操(对外端口开放使用,对内端口限制ip地址使用,不使用端口默认关闭)
-
应用实操请查阅:Linux系统firewalld防火墙的应用实操(禁止屏蔽海外国外IP访问)
二、启动firewalld
systemctl status firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)Active: inactive (dead)Docs: man:firewalld(1)
systemctl start firewalldsystemctl status firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl start firewalld
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)Active: active (running) since Sun 2022-08-14 23:10:53 CST; 6s agoDocs: man:firewalld(1)Main PID: 14774 (firewalld)Tasks: 2 (limit: 26213)Memory: 21.7MCGroup: /system.slice/firewalld.service└─14774 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopidAug 14 23:10:53 iZ2ze30dygwd6yh7gu6lskZ systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 14 23:10:53 iZ2ze30dygwd6yh7gu6lskZ systemd[1]: Started firewalld - dynamic firewall daemon.
- 所以启动firewalld后,虽然服务器ip还能ping得通。
- 但是,端口却telnet不通了。
telnet 8.140.110.xxx 80
telnet 8.140.110.xxx 8080
telnet 8.140.110.xxx 443
telnet 8.140.110.xxx 8443
三、开放端口
- 80/8080/443/8443等对外开放的端口,允许所有ip永久访问
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --add-port=8443/tcp --permanent firewall-cmd --reloadfirewall-cmd --list-all
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port=80/tcp --permanent
success
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port=8080/tcp --permanent
success
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port=443/tcp --permanent
success
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port=8443/tcp --permanent
success
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --reload
success
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --list-all
public (active)target: defaulticmp-block-inversion: nointerfaces: eth0sources: services: cockpit dhcpv6-client sshports: 80/tcp 8080/tcp 443/tcp 8443/tcpprotocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules:
telnet 8.140.110.xxx 80
telnet 8.140.110.xxx 8080
telnet 8.140.110.xxx 443
telnet 8.140.110.xxx 8443
四、特殊端口限制ip地址开放
- 特殊端口,
- 比如22端口为了给远程连接ssh使用
- 比如3306端口为了mysql数据库
- 比如6379端口为了redis数据库
- 这些特殊端口仅提供给开发者访问,以及本地java程序访问,所以限制ip地址访问。
- 首先查询自己的ip,然后把自己的ip添加进规则。
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="tcp" port="3306" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port protocol="tcp" port="6379" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="59.61.25.232" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="59.61.25.232" port protocol="tcp" port="3306" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="59.61.25.232" port protocol="tcp" port="6379" accept'firewall-cmd --reload
- 这边放了一个错误,添加了
127.0.0.1
的ip地址,但是本机java程序还是无法访问数据库。 - 然后又尝试了
localhost
,直接报错。 - 最后添加了本机的ip
8.140.110.xxx
才得以成功。
[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="localhost" port protocol="tcp" port="22" accept'
Error: INVALID_ADDR: localhost
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="8.140.110.xxx" port protocol="tcp" port="22" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="8.140.110.xxx" port protocol="tcp" port="3306" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="8.140.110.xxx" port protocol="tcp" port="6379" accept'
firewall-cmd --reload
[root@iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --list-all
public (active)target: defaulticmp-block-inversion: nointerfaces: eth0sources: services: cockpit dhcpv6-client sshports: 80/tcp 8080/tcp 443/tcp 8443/tcpprotocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="59.61.25.232" port port="22" protocol="tcp" acceptrule family="ipv4" source address="59.61.25.232" port port="3306" protocol="tcp" acceptrule family="ipv4" source address="59.61.25.232" port port="6379" protocol="tcp" acceptrule family="ipv4" source address="8.140.110.xxx" port port="22" protocol="tcp" acceptrule family="ipv4" source address="8.140.110.xxx" port port="3306" protocol="tcp" acceptrule family="ipv4" source address="8.140.110.xxx" port port="6379" protocol="tcp" accept
- 测试验证
- 使用本地网络(IP:59.61.25.232),则访问数据库ok
- 使用手机热点开启的网络(IP:其他),则访问数据库ng
觉得好,就一键三连呗(点赞+收藏+关注)