Firewall configuration on common Linux distributions
1. The firewall-cmd family
Applies to the RHEL family, including CentOS, AlmaLinux and so on.
1.1 Turning the firewall off, or blocking hosts
Whether to turn the firewall off depends on your needs; if you do turn it off, use the following:
```bash
sudo systemctl stop firewalld         # stop it now
sudo systemctl disable firewalld      # do not start it at boot
sudo systemctl mask --now firewalld   # also prevent other units from pulling it in
```
If you keep it running, some basic operations are as follows:
```bash
firewall-cmd --list-all                      # rules of the default zone
firewall-cmd --zone=my_lan --list-all        # rules of a specific zone
journalctl -xe                               # check the journal when firewalld fails to start or reload
# block a single address: "drop" discards packets silently, "reject" sends an error back (use one or the other)
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='178.62.65.89' drop"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='178.62.65.89' reject"
firewall-cmd --add-port=80/tcp --permanent   # open 80/tcp in the default zone
firewall-cmd --reload                        # --permanent rules only take effect after a reload
```
Reference: https://cloud.tencent.com/developer/article/1685401
1.2 Zone-based configuration
```bash
semanage port -a -t http_port_t -p tcp 12345   # SELinux, not firewalld: label a new port so httpd is allowed to bind it
semanage port -m -t http_port_t -p tcp 8002    # modify the label of a port that already has one
firewall-cmd --get-active-zones                # zones that currently have interfaces or sources bound
firewall-cmd --new-zone=my_lan --permanent     # create a custom zone
firewall-cmd --delete-zone=my_lan --permanent  # remove it again
firewall-cmd --zone=trusted --add-source=192.168.0.0/16 --permanent   # traffic from this range is handled by the trusted zone, which accepts everything
firewall-cmd --zone=my_lan --add-port=80/tcp --permanent              # open a port in the custom zone only
# allow MySQL (3306/tcp) only from the LAN
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" port protocol="tcp" port="3306" accept'
# bind the private ranges to the trusted zone; its target is ACCEPT, so the two --add-port lines below add nothing
firewall-cmd --zone=trusted --add-source=192.168.0.0/16 --permanent
firewall-cmd --zone=trusted --add-source=10.0.0.0/8 --permanent
firewall-cmd --zone=trusted --add-source=172.16.0.0/16 --permanent   # note: the whole RFC 1918 block here is 172.16.0.0/12
firewall-cmd --zone=trusted --add-port=1-65535/tcp --permanent
firewall-cmd --zone=trusted --add-port=1-65535/udp --permanent
firewall-cmd --reload
setsebool -P httpd_can_network_connect 1       # SELinux boolean: let httpd make outbound network connections
```
2. The UFW family
Applies to Ubuntu.
```bash
sudo ufw status verbose               # current state, default policies and rules
sudo ufw enable                       # on a remote host, add the ssh rule below before enabling or you will lock yourself out
sudo ufw default deny                 # default policy for incoming traffic: deny
sudo ufw allow ssh                    # allow SSH (22/tcp)
sudo ufw status numbered              # list rules with their index
sudo ufw delete <number>              # delete the rule with that index
sudo ufw allow from 192.168.0.0/16    # allow everything from the LAN
sudo ufw allow 20022                  # allow one port, tcp and udp
sudo ufw allow 60000:65535/tcp        # allow a port range
sudo ufw allow 60000:65535/udp
sudo ufw deny from 46.101.138.249     # block one address; rules are evaluated in order, so put a deny before any allow that matches the same traffic (ufw insert 1 ...)
sudo ufw reload
```
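The two sections above give the same baseline (deny by default, allow SSH and the LAN, block one address) as loose commands for firewalld and for ufw. The following script is an added example, not from the original post: it builds that baseline as one command list for either backend, validates the addresses before they are quoted into a rule, and only executes when asked. SSH_PORT, LAN_CIDR and BLOCKED_IP are sample values; the blocked address is the one used in the post.

```shell
#!/bin/sh
# Added example: plan-then-apply baseline for firewalld or ufw. Sample values below.
SSH_PORT=22
LAN_CIDR="192.168.0.0/16"
BLOCKED_IP="178.62.65.89"

# is_cidr4 ADDR[/PREFIX]: accept only a dotted quad (octets 0-255) with an optional
# /0-32 prefix, so a typo or stray quote never ends up inside a rule string.
is_cidr4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  for oct in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
    [ "$oct" -le 255 ] || return 1
  done
}

# baseline_cmds firewalld|ufw: print one command per line; nothing is executed here.
baseline_cmds() {
  is_cidr4 "$LAN_CIDR" && is_cidr4 "$BLOCKED_IP" || { echo "invalid address" >&2; return 1; }
  case "$1" in
    firewalld)
      # The drop rule lives in the public zone; a source bound to trusted is handled by
      # trusted instead, so BLOCKED_IP must not lie inside LAN_CIDR for it to take effect.
      echo "firewall-cmd --permanent --zone=public --add-rich-rule=\"rule family='ipv4' source address='$BLOCKED_IP' drop\""
      echo "firewall-cmd --permanent --zone=public --add-port=$SSH_PORT/tcp"
      echo "firewall-cmd --permanent --zone=trusted --add-source=$LAN_CIDR"   # trusted accepts all, no ports needed
      echo "firewall-cmd --reload" ;;
    ufw)
      # ufw evaluates rules in the order they were added: the deny goes in before the allows.
      echo "ufw default deny incoming"
      echo "ufw deny from $BLOCKED_IP"
      echo "ufw allow $SSH_PORT/tcp"
      echo "ufw allow from $LAN_CIDR"
      echo "ufw --force enable" ;;   # --force skips the interactive confirmation
    *) echo "unknown backend: $1" >&2; return 1 ;;
  esac
}

# run_baseline BACKEND [apply]: print the plan; execute it only when "apply" is given.
run_baseline() {
  plan=$(baseline_cmds "$1") || return 1
  printf '%s\n' "$plan"
  [ "${2:-plan}" = "apply" ] || return 0
  printf '%s\n' "$plan" | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
}
```

Run `run_baseline ufw` (or `firewalld`) to review the plan, and add `apply` as root once it looks right.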