chill/chill_notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10f91d61cfa8a50f06e35ac58381103ded7df0fc
chill_notes/Linux/CentOS/CentOS7防火墙设置.md
FNS Service f24c167a0a Update from Sync Service
2026-04-21 20:36:24 +08:00

217 lines
3.6 KiB
Markdown
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# CentOS7 防火墙设置
> firewalld 防火墙配置
---
## 简介
firewalld 是 CentOS7/RHEL7 默认的防火墙,提供基于区域的防火墙管理。
---
## 基础命令
### 服务管理
```bash
# 启动
sudo systemctl start firewalld
# 停止
sudo systemctl stop firewalld
# 重启
sudo systemctl restart firewalld
# 状态
sudo systemctl status firewalld
# 开机自启
sudo systemctl enable firewalld
# 禁用开机自启
sudo systemctl disable firewalld
```
### 查看状态
```bash
firewall-cmd --state # 查看运行状态
firewall-cmd --reload # 重载规则
firewall-cmd --list-ports # 查看已开放端口
firewall-cmd --list-services # 查看已开放服务
firewall-cmd --get-services # 查看所有可用服务
```
---
## 区域管理
```bash
# 查看所有区域
firewall-cmd --list-all-zones
# 查看活动区域
firewall-cmd --get-active-zones
# 设置默认区域
firewall-cmd --set-default-zone=public
# 查看默认区域
firewall-cmd --get-default-zone
```
### 区域说明
| 区域 | 说明 |
|------|------|
| drop | 丢弃所有连接 |
| block | 拒绝外部连接 |
| public | 公开,仅允许指定连接 |
| external | 外部网络(启用伪装) |
| dmz | 隔离区 |
| work | 工作网络 |
| home | 家庭网络 |
| internal | 内部网络 |
| trusted | 信任所有连接 |
---
## 端口管理
### 开放端口
```bash
# 临时开放(立即生效,重启失效)
firewall-cmd --add-port=80/tcp
# 永久开放(需要 reload
firewall-cmd --add-port=80/tcp --permanent
# 开放端口范围
firewall-cmd --add-port=65001-65010/tcp --permanent
```
### 关闭端口
```bash
# 临时关闭
firewall-cmd --remove-port=80/tcp
# 永久关闭
firewall-cmd --remove-port=80/tcp --permanent
```
### 指定区域开放端口
```bash
firewall-cmd --zone=public --add-port=80/tcp --permanent
```
---
## 服务管理
```bash
# 开放 HTTP 服务
firewall-cmd --add-service=http --permanent
# 关闭 HTTP 服务
firewall-cmd --remove-service=http --permanent
# 查看区域开放的服务
firewall-cmd --zone=public --list-services
```
---
## 接口管理
```bash
# 查看接口所属区域
firewall-cmd --get-zone-of-interface=eth0
# 将接口加入区域
firewall-cmd --zone=public --add-interface=eth0
# 从区域移除接口
firewall-cmd --zone=public --remove-interface=eth0
# 修改接口所属区域
firewall-cmd --zone=home --change-interface=eth0
```
---
## 示例
### 开放 Web 服务
```bash
# 开放 80 和 443 端口
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
# 或者直接开放服务
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
# 重载生效
firewall-cmd --reload
```
### 开放 SSH
```bash
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --reload
```
---
## 从 firewalld 切换到 iptables
```bash
# 安装 iptables
yum install iptables-services
# 停止 firewalld
systemctl stop firewalld
systemctl mask firewalld
# 启动 iptables
systemctl start iptables
systemctl start ip6tables
# 开机自启
systemctl enable iptables
systemctl enable ip6tables
```
> 配置文件:`/etc/sysconfig/iptables`
---
## 常用命令汇总
```bash
# 查看状态
firewall-cmd --state
# 查看已开放
firewall-cmd --list-ports
firewall-cmd --list-services
# 开放端口/服务
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-service=http --permanent
# 重新加载
firewall-cmd --reload
```
---
> 参考:[CentOS7 防火墙配置](https://www.jianshu.com/p/a2e8829aa50e)
Reference in New Issue View Git Blame Copy Permalink