CentOS 7 firewall: firewalld setup

CentOS 7 differs considerably from earlier releases in a number of settings. The firewall is no longer managed with the iptables command; the firewalld daemon and its firewall-cmd client are used instead. Note that on CentOS 7 firewalld still programs iptables rules underneath; what changes is the management interface, so hand-written iptables rules and firewalld should not be mixed on the same host.

systemctl is the main service management tool in CentOS 7; it combines the functions of the earlier service and chkconfig commands.

Viewing services

  • List loaded service units (filtered here for the firewall): systemctl list-units | grep fire
  • List units that are enabled at boot (not necessarily running right now): systemctl list-unit-files | grep enabled

The firewalld service

  • Status: systemctl status firewalld.service

    or: firewall-cmd --state

    [root@gxvmcentos7 ~]# systemctl status firewalld
    firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
    # a running service shows "active (running)"; a stopped one shows "inactive (dead)"
    Active: active (running) since Mon 2021-03-22 21:41:20 EDT; 1 day 1h ago
    Docs: man:firewalld(1)
    Main PID: 770 (firewalld)
    Tasks: 2
    CGroup: /system.slice/firewalld.service
    └─770 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

    Mar 22 21:41:18 gxvmcentos7 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Mar 22 21:41:20 gxvmcentos7 systemd[1]: Started firewalld - dynamic firewall daemon.
    Mar 22 21:41:20 gxvmcentos7 firewalld[770]: WARNING: AllowZoneDrifting is enabled. This is consid...ow.
    Hint: Some lines were ellipsized, use -l to show in full.

    # or
    [root@gxvmcentos7 ~]# firewall-cmd --state
    running

    The AllowZoneDrifting warning in the log refers to the AllowZoneDrifting setting in /etc/firewalld/firewalld.conf. When it is "yes", a packet can be matched by more than one zone, so zone rules are weaker than they look; set it to "no" and restart firewalld unless you deliberately rely on that behaviour.
  • Start: systemctl start firewalld.service

  • Restart: systemctl restart firewalld.service

  • Reload: systemctl reload firewalld.service

  • Stop: systemctl stop firewalld.service

  • Check whether it starts at boot: systemctl is-enabled firewalld

    # starts at boot
    [root@localhost ~]# systemctl is-enabled firewalld
    enabled
    # does not start at boot
    [root@localhost ~]# systemctl is-enabled firewalld
    disabled
  • Enable at boot: systemctl enable firewalld.service

  • Disable at boot: systemctl disable firewalld.service

  • Check the boot state from a script: systemctl is-enabled firewalld.service; echo $? (exit status 0 means enabled, non-zero otherwise)

firewalld configuration

  • Show version: firewall-cmd --version
  • Show help: firewall-cmd --help
  • Show state: firewall-cmd --state
  • List ports opened in a zone: firewall-cmd --zone=public --list-ports (or firewall-cmd --list-ports for the default zone)
  • Reload the saved configuration: firewall-cmd --reload
  • List active zones and their interfaces: firewall-cmd --get-active-zones
  • Show the zone an interface belongs to: firewall-cmd --get-zone-of-interface=eth0
  • Panic mode, drop every packet: firewall-cmd --panic-on (this also drops your own SSH session, so only use it with console access)
  • Leave panic mode: firewall-cmd --panic-off
  • Check whether panic mode is on: firewall-cmd --query-panic

Opening and closing ports

  • Open a port: firewall-cmd --zone=public --add-port=80/tcp --permanent (--permanent writes the rule to the saved configuration so it survives a reload or reboot; without it the change applies to the running firewall only and is lost on reload). A --permanent change does not affect the running firewall until the next --reload; to make it live immediately as well, run the same command a second time without --permanent, or make the runtime change first and save it with firewall-cmd --runtime-to-permanent.
  • Reload the saved configuration into the running firewall: firewall-cmd --reload (runtime-only changes are discarded)
  • Check whether a port is open in the running configuration: firewall-cmd --zone=public --query-port=80/tcp (add --permanent to query the saved configuration instead)
  • List all open ports: firewall-cmd --list-ports
  • Close a port: firewall-cmd --zone=public --remove-port=80/tcp --permanent (then --reload, or run it again without --permanent)
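As an added example (not code from the original post), the following bash script packages the steps above into functions: it opens or closes a port in both the runtime and the saved configuration so the change is live immediately and survives a reload, and it classifies a port as both / runtime-only / permanent-only / none by comparing the two --list-ports outputs, which catches the two usual mistakes (forgetting --permanent, or forgetting --reload). The zone name public, the port passed on the command line and the sample port lists are assumptions for illustration; when no port is given or firewalld is not running, it falls back to constructed sample lists.

```shell
#!/bin/bash
# Added example (not from the original post): open/close a firewalld port so it
# is both live now and saved, and detect drift between runtime and saved config.
# Assumptions: zone "public" (override with ZONE=...), port given as "$1".
set -u

ZONE="${ZONE:-public}"

# port_listed PORT LIST -> 0 if PORT (e.g. 80/tcp) is in the space-separated LIST
port_listed() {
  case " $2 " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# port_state PORT RUNTIME_LIST PERMANENT_LIST -> prints one word:
#   both            open now and saved (what you want)
#   runtime-only    open now, lost at --reload/reboot (forgot --permanent)
#   permanent-only  saved but not live yet (forgot --reload)
#   none            not open anywhere
port_state() {
  local port=$1 rt=$2 perm=$3
  if port_listed "$port" "$rt"; then
    if port_listed "$port" "$perm"; then echo both; else echo runtime-only; fi
  else
    if port_listed "$port" "$perm"; then echo permanent-only; else echo none; fi
  fi
}

# The two lists from the live system: runtime first, then saved.
runtime_ports()   { firewall-cmd --zone="$ZONE" --list-ports; }
permanent_ports() { firewall-cmd --zone="$ZONE" --list-ports --permanent; }

# open_port PORT: add to runtime (live immediately) and to permanent (survives
# reload), then report the resulting state, which should be "both".
open_port() {
  firewall-cmd --zone="$ZONE" --add-port="$1" >/dev/null
  firewall-cmd --zone="$ZONE" --add-port="$1" --permanent >/dev/null
  port_state "$1" "$(runtime_ports)" "$(permanent_ports)"
}

# close_port PORT: the reverse; the resulting state should be "none".
close_port() {
  firewall-cmd --zone="$ZONE" --remove-port="$1" >/dev/null
  firewall-cmd --zone="$ZONE" --remove-port="$1" --permanent >/dev/null
  port_state "$1" "$(runtime_ports)" "$(permanent_ports)"
}

if [ -n "${1:-}" ] && command -v firewall-cmd >/dev/null 2>&1 \
   && [ "$(firewall-cmd --state 2>/dev/null)" = running ]; then
  echo "$1 in zone $ZONE: $(open_port "$1")"
else
  # No port given or no firewalld here: show the drift check on constructed
  # lists. Constructed sample: 80/tcp was added without --permanent.
  echo "80/tcp: $(port_state 80/tcp '22/tcp 80/tcp' '22/tcp')"   # prints runtime-only
fi
```

Run it as ./fw-port.sh 8080/tcp on a host where firewalld is running; the final state must be "both". Running port_state against the two lists after any manual change is a cheap way to spot a rule that will silently disappear at the next reload.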

Listening ports

List the ports the system is listening on: netstat -tunlp (netstat comes from net-tools, which a minimal CentOS 7 install does not include; ss -tunlp from iproute gives the same information)

  • -t show TCP sockets
  • -u show UDP sockets
  • -n show addresses and ports numerically instead of resolving names
  • -l show only listening sockets (whereas -a would show all sockets, including established connections)
  • -p show the PID and program name owning each socket (needs root to see other users' processes)
[root@gxvmcentos7 ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1207/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1204/cupsd
tcp6 0 0 :::22 :::* LISTEN 1207/sshd
tcp6 0 0 :::4369 :::* LISTEN 1911/epmd
udp 0 0 0.0.0.0:863 0.0.0.0:* 691/rpcbind
udp6 0 0 ::1:323 :::* 716/chronyd
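The listing above mixes sockets bound to loopback (127.0.0.1:631, ::1:323), which the firewall never sees, with sockets bound to every interface (0.0.0.0 / :::), which are exactly the ones the zone rules decide on. As an added example (not from the original post), this bash script reads netstat -tunlp output, keeps only the network-reachable listeners, and prints the ones that the firewall does not allow. The allowed list is assumed to be space-separated port/proto entries as firewall-cmd --list-ports prints them; the sample listing is the post's own output, re-spaced and embedded as a constructed input so the script runs offline.

```shell
#!/bin/bash
# Added example (not from the original post): read `netstat -tunlp` output, keep
# only sockets bound to a wildcard address (0.0.0.0 or ::), i.e. the ones actually
# reachable from the network, and flag those the firewall does not allow.
# Assumptions: netstat's column layout as in the post; the allowed list is
# space-separated "port/proto" entries such as firewall-cmd --list-ports prints.

# Constructed sample in netstat -tunlp layout (the post's own listing, re-spaced).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1207/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1204/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1207/sshd
tcp6       0      0 :::4369                 :::*                    LISTEN      1911/epmd
udp        0      0 0.0.0.0:863             0.0.0.0:*                           691/rpcbind
udp6       0      0 ::1:323                 :::*                                716/chronyd'

# exposed_listeners: stdin = netstat -tunlp output, stdout = "proto port program"
# for each socket bound to 0.0.0.0 or ::. Loopback-only binds (127.0.0.1, ::1)
# are skipped: no firewall rule is involved for them.
exposed_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      n = split(addr, parts, ":")          # port is the last ":"-separated field
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      prog = $NF
      sub(/^[0-9]+\//, "", prog)           # "1207/sshd" -> "sshd"
      if (host == "0.0.0.0" || host == "::") print $1, port, prog
    }'
}

# unfirewalled ALLOWED: stdin = exposed_listeners output; prints the listeners
# whose port/proto is not in ALLOWED. tcp6/udp6 are mapped to tcp/udp.
# Caveat: --list-ports omits ports opened via services (the default public zone
# allows ssh as a service), so add those (22/tcp) to ALLOWED yourself, or check
# firewall-cmd --list-services as well.
unfirewalled() {
  local allowed=" $1 " proto port prog key
  while read -r proto port prog; do
    key="$port/${proto%6}"
    case "$allowed" in
      *" $key "*) ;;
      *) echo "$proto $port $prog" ;;
    esac
  done
}

if command -v netstat >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1 \
   && [ "$(firewall-cmd --state 2>/dev/null)" = running ]; then
  # Live run (root needed for program names); 22/tcp appended for the ssh service.
  netstat -tunlp | exposed_listeners | unfirewalled "$(firewall-cmd --list-ports) 22/tcp"
else
  # Offline demo on the constructed sample with only 22/tcp allowed: prints
  # "tcp6 4369 epmd" and "udp 863 rpcbind", the listeners that are blocked by
  # the firewall now and would become exposed the moment firewalld is stopped.
  printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | unfirewalled '22/tcp'
fi
```

Anything this prints is either a service that should not be listening on all interfaces at all (bind it to 127.0.0.1 instead) or a port that still needs a deliberate firewall-cmd --add-port decision; an empty result means the firewall allowlist and the actual listeners agree.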
Author: 光星

Published: 2021-03-23

Updated: 2022-06-17