1, View firewall status
1. First, check whether the firewall is running. If it is not, start it and enable it so that it starts automatically at boot
systemctl status firewalld
Start the firewall and enable it at boot
systemctl start firewalld
systemctl enable firewalld
Generally, you need to restart the machine, otherwise the later settings may not take effect
2, Open or restrict ports
1. Open port
(1) For example, to open port 22 so that XShell can connect
firewall-cmd --zone=public --add-port=22/tcp --permanent
--permanent makes the setting persist across restarts. Without it, the rule is lost when the machine is rebooted
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) You can check whether it took effect with the following command
firewall-cmd --zone=public --query-port=22/tcp
(4) The following command lists all ports currently opened on the system
firewall-cmd --zone=public --list-ports
2. Restrict a port
(1) For example, to close port 22, which was just opened
firewall-cmd --zone=public --remove-port=22/tcp --permanent
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) List the open ports of the system again; port 22 is no longer present
firewall-cmd --zone=public --list-ports
3. Open or restrict ports in batches
(1) To open a whole range of ports in one command, for example every port from 100 to 500
firewall-cmd --zone=public --add-port=100-500/tcp --permanent
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) List the open ports of the system; the range 100-500 is now shown as open
firewall-cmd --zone=public --list-ports
(4) Similarly, to close the whole range again
firewall-cmd --zone=public --remove-port=100-500/tcp --permanent
firewall-cmd --reload
3, Open or restrict IP addresses
1. Restrict IP address access
(1) For example, to prohibit the IP address 192.168.0.200 from accessing port 80 on this machine. The whole rich rule is passed as a single argument, so it is wrapped in single quotes; nesting double quotes inside double quotes would let the shell split the rule
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.200" port protocol="tcp" port="80" reject'
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) View the set rules
firewall-cmd --zone=public --list-rich-rules
2. Remove IP address restrictions
(1) Lift the restriction on 192.168.0.200 that was just added. The restriction is removed by deleting the reject rule itself with --remove-rich-rule; merely adding a separate accept rule would leave the reject rule in place
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.0.200" port protocol="tcp" port="80" reject'
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) List the rules again; the restriction on 192.168.0.200 is gone
firewall-cmd --zone=public --list-rich-rules
If the change does not take effect, you can edit the zone file directly, delete the original rule there, and reload the firewall
vi /etc/firewalld/zones/public.xml
3. Restrict an IP address range
(1) For example, to prohibit the whole range 10.0.0.0-10.0.0.255 from accessing port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="80" reject'
Here 10.0.0.0/24 means the block that starts at 10.0.0.0, and 24 is the prefix length, equivalent to the subnet mask 255.255.255.0. Such a block contains 256 addresses (last octet 0-255), which covers exactly this whole range. Refer to the following table for specific setting rules
(2) Reload the firewall settings to make them take effect
firewall-cmd --reload
(3) Check the rules to confirm whether they are effective
firewall-cmd --zone=public --list-rich-rules
(4) Similarly, to lift the restriction, remove the reject rule
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="80" reject'
firewall-cmd --reload
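As an added example (not code from the original post), a small POSIX sh helper set that covers what the steps above leave to the reader: it builds a rich rule with correct quoting, expands a CIDR block to the address range it will match so the source address can be checked before applying, and wraps the add/reload/verify sequence. The function names, the public zone and tcp are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for firewalld rich rules:
# correct quoting, CIDR range checking, and an add/reload/verify wrapper.
# Zone "public" and tcp are assumed, as in the post.

# Build a rich rule for one source address (or CIDR block) and one tcp port.
# The whole rule must reach firewall-cmd as a single argument; when typing it
# by hand wrap it in single quotes, since nested double quotes are split.
build_rich_rule() {  # <source> <port> <reject|accept>
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" %s' \
        "$1" "$2" "$3"
}

# Print "<first> <last> <count>" for an IPv4 CIDR block (a bare address is
# treated as /32), so you can confirm a rule covers exactly the intended range.
cidr_range() {  # <a.b.c.d[/prefix]>
    ip=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split octets into $1..$4
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    count=$(( 1 << (32 - prefix) ))
    first=$(( n & ~(count - 1) ))               # clear the host bits
    last=$(( first + count - 1 ))
    printf '%d.%d.%d.%d %d.%d.%d.%d %d\n' \
        $(( first >> 24 & 255 )) $(( first >> 16 & 255 )) \
        $(( first >> 8 & 255 ))  $(( first & 255 )) \
        $(( last >> 24 & 255 ))  $(( last >> 16 & 255 )) \
        $(( last >> 8 & 255 ))   $(( last & 255 )) "$count"
}

# Add a reject rule permanently, reload, and confirm it is active in the
# runtime configuration (what the post checks by eye with --list-rich-rules).
# Returns non-zero if any step fails. Needs firewalld on the host.
block_source_on_port() {  # <source> <port>
    rule=$(build_rich_rule "$1" "$2" reject)
    firewall-cmd --permanent --zone=public --add-rich-rule="$rule" >/dev/null &&
        firewall-cmd --reload >/dev/null &&
        firewall-cmd --zone=public --query-rich-rule="$rule" >/dev/null
}

# Usage:  cidr_range 10.0.0.0/24          # prints: 10.0.0.0 10.0.0.255 256
#         block_source_on_port 10.0.0.0/24 80
```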
Original article: https://blog.csdn.net/ywd1992/article/details/80401630