firewalld

1.firewalld 的基本配置
systemctl start firewalld ##开启火墙
systemctl enable firewalld ##开机启动火墙

firewall-cmd –get-zones ##查看网络区域


firewall-cmd –get-default-zone ##查看默认网络区域
firewall-cmd –set-default-zone= trusted ##更改默认网络区域为trusted

firewall-cmd –add-service=http ##添加http服务，此添加为临时的重启火墙将失效
systemctl restart firewalld ##重启火墙
firewall-cmd –list-all ##查看火墙策略

firewall-cmd –permanent –add-service=http ##永久添加http服务
firewall-cmd –reloald ##重新加载火墙策略
firewall-cmd –list-all ##查看火墙策略

2.用文件永久性更改火墙服务
vim /etc/firewalld/zones/public.xml


##永久性添加ftp服务

firewall-cmd –reload ####重新加载火墙策略
firewall-cmd –list-all ##查看火墙策略

firewall-cmd –permanent –remove-service=ssh ##永久性移除ssh服务
firewall-cmd –reload
firewall-cmd –list-all

firewall-cmd –permanent –add-port=8080/tcp ##添加8080端口
firewall-cmd –reload
firewall-cmd –list-all

vim /etc/httpd/conf/httpd.conf ##编辑http配置文件
Listen 8080 ##改变http的访问端口为8080

systemctl restart httpd ## 重新启动httpd
测试：在浏览器中输入172.25.254.106：8080

firewall-cmd –permanent –remove-port=8080/tcp ##永久移除8080端口
firewall-cmd –reload
firewall-cmd –list-all

firewall-cmd –permanent –add-interface=eth1 –zone=trusted ##将网卡eth1添加到trusted网络区域
firewall-cmd –reload
systemctl restart firewalld ##更换网卡的网络去须需要重启火墙否则不生效
firewall-cmd –list-all

firewall-cmd –permanent –add-source=172.25.254,0/24 #只允许172.25.254.0/24网段的用户

3.Direct Rules
firewall-cmd –permanent –remove-service=ssh ##永久移除ssh服务
firewall-cmd –reload
firewall-cmd –list-all
firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 0 ! -s 172.25.254.206 -p tcp –dport 22 -j ACCEPT ##除了172.25.254.206不能通过ssh连接服务端，其他均可连接
firewall-cmd –reload
firewall-cmd –direct –get-all-rules ##查看direct rules

测试
ip=172.25.254.206

ip=172.25.254.6