Restricting or opening IPs and ports with the Linux firewall (firewalld)

1, View firewall status

1. First, check whether firewalld is running. If it is not, start it and enable it at boot:

systemctl status firewalld

Start the firewall and enable it so that it comes up automatically at boot:

systemctl start firewalld
systemctl enable firewalld

No reboot is needed: firewalld is active as soon as the service starts, and the permanent rules added in the following sections are applied with firewall-cmd --reload. If firewall-cmd reports "FirewallD is not running", the service has not been started yet.

2, Open or restrict ports

1. Open a port

(1) For example, to open port 22 for an SSH connection from XShell:

firewall-cmd --zone=public --add-port=22/tcp --permanent

--permanent writes the rule to the zone's saved configuration (/etc/firewalld/zones/public.xml) so that it survives a reboot, but it does not change the running firewall until the configuration is reloaded. Without --permanent the rule takes effect immediately in the runtime configuration but is lost on the next reload or reboot.

(2) Reload the firewall settings to make them take effect

firewall-cmd --reload

(3) Check that the rule is in effect; the command prints yes or no:

firewall-cmd --zone=public --query-port=22/tcp

(4) List every port that has been opened with --add-port in the zone:

firewall-cmd --zone=public --list-ports

This shows only entries added as ports. Services enabled by name, such as the ssh service that is in the public zone by default, are listed separately (firewall-cmd --zone=public --list-all shows both). Adding --permanent to either command lists the saved configuration instead of the running one, which is the quickest way to see whether a --reload has been forgotten.

2. Close (restrict) a port

(1) For example, to close port 22 that was just opened:

firewall-cmd --zone=public --remove-port=22/tcp --permanent

Note that on a default public zone the ssh service is also enabled, so removing the port entry alone does not block SSH; the service entry would have to be removed as well. Do that from the console rather than over SSH, because the reload below drops your own session along with everyone else's.

(2) reload the firewall settings to make them effective

firewall-cmd --reload

(3) List the open ports again; 22/tcp is no longer shown:

firewall-cmd --zone=public --list-ports

3. Open or close a range of ports

(1) To open a contiguous range, for example every TCP port from 100 to 500, give the range as low-high:

firewall-cmd --zone=public --add-port=100-500/tcp --permanent

(2) reload the firewall settings to make them effective

firewall-cmd --reload

(3) List the open ports again; the range appears as a single entry, 100-500/tcp, rather than as 401 separate ports:

firewall-cmd --zone=public --list-ports

(4) Closing the range again works the same way, using the identical range string:

firewall-cmd --zone=public --remove-port=100-500/tcp --permanent
firewall-cmd --reload
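The open, reload and verify cycle above is easy to get wrong in a script: a rule added without --permanent disappears on reload, and a --permanent rule added without --reload is not yet in effect. The following helpers are an added example, not code from the original article. They wrap the commands shown in this section and add a drift check that compares the runtime and permanent port lists. The two parsing functions take their input as arguments, so they can be exercised without firewalld; the live wrappers assume firewall-cmd is on PATH and that you run as root, and ZONE defaults to public like the commands above.

```shell
#!/usr/bin/env bash
# Added example for the firewalld port-management section (not part of
# the original article). Assumes firewalld's firewall-cmd on PATH and
# root privileges for the live helpers; the parsing functions run anywhere.

ZONE="${ZONE:-public}"

# port_covered PORT/PROTO "LIST" -> exit 0 if an entry in LIST (the
# space-separated output of --list-ports) matches the port exactly or
# contains it in a range such as 100-500/tcp. --list-ports prints ranges
# as one entry, so a plain string search for "200/tcp" would miss them.
port_covered() {
    local want="$1" list="$2" entry p proto lo hi
    local wport="${want%/*}" wproto="${want#*/}"
    for entry in $list; do
        p="${entry%/*}"; proto="${entry#*/}"
        [ "$proto" = "$wproto" ] || continue
        case "$p" in
            *-*) lo="${p%-*}"; hi="${p#*-}" ;;
            *)   lo="$p"; hi="$p" ;;
        esac
        if [ "$wport" -ge "$lo" ] && [ "$wport" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# port_drift "RUNTIME_LIST" "PERMANENT_LIST" -> prints every entry that
# exists in one configuration but not the other, tagged with what that
# means. Returns 0 only when the two lists agree.
port_drift() {
    local runtime="$1" permanent="$2" e rc=0
    for e in $runtime; do
        case " $permanent " in
            *" $e "*) ;;
            *) echo "runtime-only (will vanish on reload/reboot): $e"; rc=1 ;;
        esac
    done
    for e in $permanent; do
        case " $runtime " in
            *" $e "*) ;;
            *) echo "permanent-only (needs firewall-cmd --reload): $e"; rc=1 ;;
        esac
    done
    return $rc
}

# Live wrappers around the commands from the article. Each one writes the
# permanent configuration and reloads, so the change is both saved and active.
open_port()  { firewall-cmd --zone="$ZONE" --permanent --add-port="$1" && firewall-cmd --reload; }
close_port() { firewall-cmd --zone="$ZONE" --permanent --remove-port="$1" && firewall-cmd --reload; }

# check_drift -> compares the live zone's runtime and permanent port lists.
check_drift() {
    port_drift "$(firewall-cmd --zone="$ZONE" --list-ports)" \
               "$(firewall-cmd --zone="$ZONE" --permanent --list-ports)"
}

# Run with --live on a firewalld host to reproduce the article's steps.
if [ "${1:-}" = "--live" ]; then
    open_port 22/tcp
    open_port 100-500/tcp
    firewall-cmd --zone="$ZONE" --list-ports
    check_drift && echo "runtime and permanent configuration agree"
fi
```

check_drift is the useful part for an audit: run it after any manual change, and a non-empty report tells you exactly which entries were added without --permanent or are still waiting for a --reload.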

3, Open or restrict IPs

1. Block access from an IP address

(1) For example, to stop the host 192.168.0.200 from reaching TCP port 80 on this machine, add a rich rule that rejects that source for that port:

firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.200" port port="80" protocol="tcp" reject'

The whole rule is a single argument to firewall-cmd, so wrap it in single quotes; the double quotes inside are part of firewalld's rich rule language. reject answers the sender with an error, drop discards the packets silently, which reveals less to a scanner. To block the host entirely rather than only port 80, leave out the port element.

(2) reload the firewall settings to make them effective

firewall-cmd --reload

(3) View the rich rules in the zone:

firewall-cmd --zone=public --list-rich-rules

2. Remove an IP address restriction

(1) To lift the restriction on 192.168.0.200, remove the same rule that was added. Adding an accept rule for the host instead does not work: firewalld evaluates reject and drop rich rules before accept rules, so the original reject still wins and both rules remain in the zone.

firewall-cmd --zone=public --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.0.200" port port="80" protocol="tcp" reject'

(2) Reload the firewall settings to make them effective:

firewall-cmd --reload

(3) List the rich rules again; the rule for 192.168.0.200 is gone:

firewall-cmd --zone=public --list-rich-rules

If the removal is not picked up (for example because the stored rule text differs from the one you typed), you can edit the zone's saved configuration directly, delete the rule element in question, and reload the firewall:

vi /etc/firewalld/zones/public.xml

3. Block an IP address range

(1) To block the whole range 10.0.0.0 to 10.0.0.255 from reaching TCP port 80, give the source as a CIDR prefix:

firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="80" protocol="tcp" reject'

Here 10.0.0.0/24 means the network starting at 10.0.0.0 with a 24-bit prefix, i.e. subnet mask 255.255.255.0, which covers the 256 addresses 10.0.0.0 through 10.0.0.255. A shorter prefix covers more addresses (10.0.0.0/16 is the 65,536 addresses 10.0.0.0 to 10.0.255.255) and /32 is a single host. The original article gives a prefix-length reference table as an image, which is not reproduced here.

(2) Reload the firewall settings to make them take effect

firewall-cmd --reload

(3) Check the rules to confirm whether they are effective

firewall-cmd --zone=public --list-rich-rules

(4) To lift the restriction, remove the same rule again (an accept rule would not override it, because firewalld evaluates reject rules before accept rules):

firewall-cmd --zone=public --permanent --remove-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="80" protocol="tcp" reject'
firewall-cmd --reload
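The rich rule steps in this section share two pitfalls: the rule text must be quoted as one argument, and a restriction is lifted by removing the identical rule rather than by adding an accept rule. The helpers below are an added example, not code from the original article: rich_rule builds the rule text the way firewall-cmd expects it, block_source / unblock_source / source_blocked apply, remove and query that exact text, and cidr_range works out which addresses a prefix such as 10.0.0.0/24 covers before you block it. The live helpers assume firewall-cmd on PATH and root; the string and arithmetic functions run anywhere, and ZONE defaults to public like the commands above.

```shell
#!/usr/bin/env bash
# Added example for the rich rule section (not part of the original
# article). Assumes firewall-cmd on PATH and root for the live helpers.

ZONE="${ZONE:-public}"

# rich_rule SOURCE PORT PROTO ACTION -> the rule text. The inner double
# quotes belong to firewalld's rich rule language; the caller passes the
# result as one argument, e.g. --add-rich-rule="$(rich_rule ...)".
rich_rule() {
    local source="$1" port="$2" proto="$3" action="$4"
    case "$action" in
        accept|reject|drop) ;;
        *) echo "rich_rule: action must be accept, reject or drop" >&2; return 2 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s' \
        "$source" "$port" "$proto" "$action"
}

# The restriction is lifted by removing the same rule, never by adding an
# accept rule beside it: firewalld evaluates reject/drop rich rules before
# accept rules, so the accept would never be reached.
block_source()   { firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$(rich_rule "$1" "${2:-80}" "${3:-tcp}" reject)" && firewall-cmd --reload; }
unblock_source() { firewall-cmd --zone="$ZONE" --permanent --remove-rich-rule="$(rich_rule "$1" "${2:-80}" "${3:-tcp}" reject)" && firewall-cmd --reload; }
source_blocked() { firewall-cmd --zone="$ZONE" --query-rich-rule="$(rich_rule "$1" "${2:-80}" "${3:-tcp}" reject)"; }

# int2ip N -> dotted-quad form of a 32-bit integer.
int2ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# cidr_range A.B.C.D/N -> "FIRST LAST COUNT" for an IPv4 prefix, computed
# with plain integer arithmetic. A bare address is treated as /32.
cidr_range() {
    case "$1" in */*) ;; *) set -- "$1/32" ;; esac
    local ip="${1%/*}" bits="${1#*/}" rest o1 o2 o3 o4 n mask net bcast
    o1="${ip%%.*}"; rest="${ip#*.}"
    o2="${rest%%.*}"; rest="${rest#*.}"
    o3="${rest%%.*}"; o4="${rest#*.}"
    n=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    printf '%s %s %s\n' "$(int2ip "$net")" "$(int2ip "$bcast")" $(( bcast - net + 1 ))
}

# Run with --live on a firewalld host to reproduce the article's steps.
if [ "${1:-}" = "--live" ]; then
    echo "10.0.0.0/24 covers: $(cidr_range 10.0.0.0/24)"
    block_source 192.168.0.200 80 tcp
    source_blocked 192.168.0.200 80 tcp
    unblock_source 192.168.0.200 80 tcp
    firewall-cmd --zone="$ZONE" --list-rich-rules
fi
```

Because block_source, unblock_source and source_blocked all derive the rule text from the same function, the string passed to --remove-rich-rule is guaranteed to match the one that was added, which is the failure the article works around by editing public.xml by hand.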

 

Original article: https://blog.csdn.net/ywd1992/article/details/80401630

Posted by pspeakman on Sat, 14 May 2022 09:04:20 +0300