RHCE——网络端口安全性

管理firewall

图形化工具firewall-config
命令行工具firewall-cmd

# firewall-cmd --add-service=ftp  //暂时添加ftp服务# firewall-cmd --permanent --add-service=ftp   //永久添加ftp服务# firewall-cmd --permanent --remove-service=ftp  //永久删除ftp# systemctl restart firewalld//检验设定是否生效# iptables -L -n | grep 21ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW//检查防火墙状态# firewall-cmd --state# firewall-cmd --list-allpublic (default)  interfaces:  sources:  services: dhcpv6-client ftp ssh  ports:  masquerade: no  forward-ports:  icmp-blocks:  rich rules://查询防火墙中的服务# firewall-cmd --get-service//查询服务的状态# firewall-cmd --query-service samba//自行加入要开放的 Port# firewall-cmd --add-port=3128/tcp

管理富规则

[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --add-rich-rule=[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --remove-rich-rule=[root@iZtoz99sjuwqcnZ ~]# firewall-cmd --permanent --query-rich-rule= [root@iZtoz99sjuwqcnZ ~]# fire

禁用服务

all-cmd –list-rich-rules

[root@localhost 桌面]# firewall-cmd --list-rich-rules rule family="ipv4" source address="192.168.0.0/24" service name="http" drop

禁用端口

[root@localhost 桌面]# firewall-cmd --list-rich-rules rule family="ipv4" source address="192.168.0.0/24" port port="80" protocol="tcp" drop

伪装和端口转发

[root@localhost 桌面]# firewall-cmd --list-rich-rules rule family="ipv4" source address="192.168.0.0/24" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.0.25"