# Linux firewall command notes

Notes on Linux firewalld.

## Managing ipsets with firewalld

firewalld stores its ipset configuration under /etc/firewalld/ipsets by default.

```sh
# Show an ipset
firewall-cmd --info-ipset=[ipset_name]

# Create / delete an ipset
firewall-cmd --permanent --new-ipset=[ipset_name] --type=[type] [--option=key=value]
# e.g. --option=family=inet6 for an IPv6 set
firewall-cmd --permanent --delete-ipset=[ipset_name]

# Add / remove ipset entries
firewall-cmd --permanent --ipset=[ipset_name] --add-entry=[xxx.xxx.xxx.xxx]
firewall-cmd --permanent --ipset=[ipset_name] --remove-entry=[xxx.xxx.xxx.xxx]

# Permanent settings only take effect after a reload
firewall-cmd --reload
```

man-pages: firewalld.ipset
ubuntu: firewalld.ipset

## Binding a source to a zone

```sh
# Send traffic from a single address, a subnet or a whole ipset into the "drop" zone
firewall-cmd --permanent --zone="drop" --add-source="xxx.xxx.xxx.xxx"
firewall-cmd --permanent --zone="drop" --add-source="xxx.xxx.xxx.xxx/24"
firewall-cmd --permanent --zone="drop" --add-source=ipset:[ipset_name]
```

## Rich rules

```sh
# Drop everything coming from the addresses in the "blacklist" ipset
# (runtime only; add --permanent to keep the rule across reloads)
firewall-cmd --add-rich-rule='rule source ipset="blacklist" drop'
```
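The three pieces above (create an ipset, fill it with entries, then either bind it to the drop zone or reference it from a rich rule) combined into one script. This is an added example, not code from the original post: the script name `blacklist_ipset.sh`, the input file format, the `hash:net` set type, the rate-limited logging prefix and the `FIREWALL_CMD` override (set it to `echo` for a dry run) are all assumptions made here.

```shell
#!/bin/sh
# blacklist_ipset.sh (hypothetical name, added example): build a firewalld ipset
# from a file of IPv4 addresses/CIDRs and block everything it matches, either by
# binding the set to the "drop" zone or with a rate-limited logging rich rule.
# FIREWALL_CMD defaults to firewall-cmd; set FIREWALL_CMD=echo for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix and
# octets <= 255; hostnames, IPv6 and junk are rejected before reaching firewall-cmd.
valid_ipv4_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr="${1%%/*}"
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rich rule text for an ipset: log matches (at most 5 per minute) and drop them.
rich_drop_rule() {
    printf 'rule family="ipv4" source ipset="%s" log prefix="%s " level="info" limit value="5/m" drop' "$1" "$1"
}

# Create the permanent ipset only if --get-ipsets does not list it yet.
ensure_ipset() {
    if ! "$FIREWALL_CMD" --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$1"; then
        "$FIREWALL_CMD" --permanent --new-ipset="$1" --type=hash:net
    fi
}

# Add every valid entry of a file (one per line, '#' starts a comment, first
# field only) to the ipset; invalid lines are reported on stderr and skipped.
# The number of entries added is left in LOADED.
load_entries() {
    ipset="$1"; file="$2"; LOADED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line=$(printf '%s\n' "$line" | awk '{print $1}')
        [ -z "$line" ] && continue
        if valid_ipv4_entry "$line"; then
            "$FIREWALL_CMD" --permanent --ipset="$ipset" --add-entry="$line"
            LOADED=$((LOADED + 1))
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$file"
}

# Block the set: "zone" binds it as a source of the drop zone (no logging),
# "rich" installs the logging rich rule instead.
block_ipset() {
    case "$2" in
        zone) "$FIREWALL_CMD" --permanent --zone=drop --add-source="ipset:$1" ;;
        rich) "$FIREWALL_CMD" --permanent --add-rich-rule="$(rich_drop_rule "$1")" ;;
        *) echo "unknown mode: $2 (use zone or rich)" >&2; return 1 ;;
    esac
}

main() {
    ipset="${1:-blacklist}"; file="${2:-blacklist.txt}"; mode="${3:-zone}"
    ensure_ipset "$ipset"
    load_entries "$ipset" "$file"
    block_ipset "$ipset" "$mode" || exit 1
    "$FIREWALL_CMD" --reload    # permanent changes only take effect after a reload
    echo "added $LOADED entries to ipset $ipset ($mode)"
}

# Usage: FIREWALL_CMD=echo sh blacklist_ipset.sh blacklist blacklist.txt rich   (dry run)
case "$0" in
    blacklist_ipset.sh|*/blacklist_ipset.sh) main "$@" ;;
esac
```

Entries are validated before they are handed to firewall-cmd, so a malformed line in the list cannot produce a half-applied set; the logging variant makes hits against the set visible in the kernel log while the zone variant drops them silently.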

## Scripts

```sh
#!/bin/sh
# _firewall.sh
# Move the firewalld "ssh" service from the default port to a new one.
# Expects SSH_PRP, SSH_PORT_NEW and SSH_PORT_DEFAULT to be set by the caller.

if [ "$SSH_PRP" = "load" ]
then
    firewall-cmd --permanent --info-service=ssh
    firewall-cmd --permanent --service=ssh --add-port="$SSH_PORT_NEW"
    firewall-cmd --permanent --info-service=ssh
    firewall-cmd --permanent --service=ssh --remove-port="$SSH_PORT_DEFAULT"
    firewall-cmd --permanent --info-service=ssh
    # apply the permanent change: firewall-cmd --reload (or systemctl restart firewalld)
fi
```

## Status

```sh
systemctl start firewalld      # start
systemctl status firewalld     # status, or: firewall-cmd --state
systemctl disable firewalld    # do not start at boot
systemctl stop firewalld       # stop
```

## Config

```sh
# --permanent writes to the saved configuration; without it a change applies to the runtime only
firewall-cmd --reload              # reload the permanent configuration, keeping connection state
firewall-cmd --complete-reload     # full reload including netfilter modules; active connections are likely lost
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=dmz --list-ports
firewall-cmd --zone=dmz --add-port=8080/tcp
firewall-cmd --zone=work --add-service=smtp
firewall-cmd --zone=work --remove-service=smtp
```

firewalld.org
firewalld in redhat
