Linux系统firewalld防火墙的应用实操（对外端口开放使用，对内端口限制ip地址使用，不使用端口默认关闭）

• 本文直接进行Linux系统firewalld防火墙的应用实操

  • 对外端口开放使用
  • 对内端口限制ip地址使用
  • 不使用端口默认关闭

• 基础知识请查阅&＃xff1a;Linux系统firewalld防火墙的基本操作

• 进阶知识请查阅&＃xff1a;Linux系统firewalld防火墙的进阶操作&＃xff08;日志保存 IP网段 ssh服务&＃xff09;

• 应用实操请查阅&＃xff1a;Linux系统firewalld防火墙的应用实操&＃xff08;对外端口开放使用&＃xff0c;对内端口限制ip地址使用&＃xff0c;不使用端口默认关闭&＃xff09;

• 应用实操请查阅&＃xff1a;Linux系统firewalld防火墙的应用实操&＃xff08;禁止屏蔽海外国外IP访问&＃xff09;

• firewalld 默认不启动

systemctl status firewalld


[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)Active: inactive (dead)Docs: man:firewalld(1)


• firewalld的规则是默认拒绝访问

systemctl start firewalldsystemctl status firewalld


[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl start firewalld
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemonLoaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)Active: active (running) since Sun 2022-08-14 23:10:53 CST; 6s agoDocs: man:firewalld(1)Main PID: 14774 (firewalld)Tasks: 2 (limit: 26213)Memory: 21.7MCGroup: /system.slice/firewalld.service└─14774 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopidAug 14 23:10:53 iZ2ze30dygwd6yh7gu6lskZ systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 14 23:10:53 iZ2ze30dygwd6yh7gu6lskZ systemd[1]: Started firewalld - dynamic firewall daemon.


• 所以启动firewalld后&＃xff0c;虽然服务器ip还能ping得通。
• 但是&＃xff0c;端口却telnet不通了。

telnet 8.140.110.xxx 80
telnet 8.140.110.xxx 8080
telnet 8.140.110.xxx 443
telnet 8.140.110.xxx 8443


• 80/8080/443/8443等对外开放的端口&＃xff0c;允许所有ip永久访问

firewall-cmd --add-port&＃61;80/tcp --permanent
firewall-cmd --add-port&＃61;8080/tcp --permanent
firewall-cmd --add-port&＃61;443/tcp --permanent
firewall-cmd --add-port&＃61;8443/tcp --permanent firewall-cmd --reloadfirewall-cmd --list-all


[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port&＃61;80/tcp --permanent
success
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port&＃61;8080/tcp --permanent
success
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port&＃61;443/tcp --permanent
success
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --add-port&＃61;8443/tcp --permanent
success
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --reload
success
[root&＃64;iZ2ze30dygwd6yh7gu6lskZ ~]# firewall-cmd --list-all
public (active)target: defaulticmp-block-inversion: nointerfaces: eth0sources: services: cockpit dhcpv6-client sshports: 80/tcp 8080/tcp 443/tcp 8443/tcpprotocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules:

• telnet 测试也通了

telnet 8.140.110.xxx 80
telnet 8.140.110.xxx 8080
telnet 8.140.110.xxx 443
telnet 8.140.110.xxx 8443

四、特殊端口限制ip地址开放

• 特殊端口&＃xff0c;
  • 比如22端口为了给远程连接ssh使用
  • 比如3306端口为了mysql数据库
  • 比如6379端口为了redis数据库
• 这些特殊端口仅提供给开发者访问&＃xff0c;以及本地java程序访问&＃xff0c;所以限制ip地址访问。
• 首先查询自己的ip&＃xff0c;然后把自己的ip添加进规则。

firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"127.0.0.1" port protocol&＃61;"tcp" port&＃61;"22" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"127.0.0.1" port protocol&＃61;"tcp" port&＃61;"3306" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"127.0.0.1" port protocol&＃61;"tcp" port&＃61;"6379" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port protocol&＃61;"tcp" port&＃61;"22" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port protocol&＃61;"tcp" port&＃61;"3306" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port protocol&＃61;"tcp" port&＃61;"6379" accept&＃39;firewall-cmd --reload


• 这边放了一个错误&＃xff0c;添加了127.0.0.1的ip地址&＃xff0c;但是本机java程序还是无法访问数据库。
• 然后又尝试了localhost&＃xff0c;直接报错。
• 最后添加了本机的ip 8.140.110.xxx才得以成功。

[root&＃64;iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"localhost" port protocol&＃61;"tcp" port&＃61;"22" accept&＃39;
Error: INVALID_ADDR: localhost


firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port protocol&＃61;"tcp" port&＃61;"22" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port protocol&＃61;"tcp" port&＃61;"3306" accept&＃39;
firewall-cmd --permanent --add-rich-rule&＃61;&＃39;rule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port protocol&＃61;"tcp" port&＃61;"6379" accept&＃39;
firewall-cmd --reload


[root&＃64;iZ2ze30dygwd6yh7gu6lskZ home]# firewall-cmd --list-all
public (active)target: defaulticmp-block-inversion: nointerfaces: eth0sources: services: cockpit dhcpv6-client sshports: 80/tcp 8080/tcp 443/tcp 8443/tcpprotocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules: rule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port port&＃61;"22" protocol&＃61;"tcp" acceptrule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port port&＃61;"3306" protocol&＃61;"tcp" acceptrule family&＃61;"ipv4" source address&＃61;"59.61.25.232" port port&＃61;"6379" protocol&＃61;"tcp" acceptrule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port port&＃61;"22" protocol&＃61;"tcp" acceptrule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port port&＃61;"3306" protocol&＃61;"tcp" acceptrule family&＃61;"ipv4" source address&＃61;"8.140.110.xxx" port port&＃61;"6379" protocol&＃61;"tcp" accept


• 测试验证
  • 使用本地网络&＃xff08;IP:59.61.25.232&＃xff09;&＃xff0c;则访问数据库ok
  • 使用手机热点开启的网络&＃xff08;IP:其他&＃xff09;&＃xff0c;则访问数据库ng

觉得好&＃xff0c;就一键三连呗&＃xff08;点赞&＃43;收藏&＃43;关注&＃xff09;