1. Start and stop commands
Start the service: systemctl start firewalld
Enable at boot: systemctl enable firewalld
Stop the service: systemctl stop firewalld
Disable at boot: systemctl disable firewalld
Restart the service: systemctl restart firewalld
Reload without dropping connections: systemctl reload firewalld or firewall-cmd --reload
Show service status: systemctl status firewalld
2. Basic query commands
Show version: firewall-cmd --version or firewall-cmd -V
Show help: firewall-cmd --help or firewall-cmd -h or man firewall-cmd
Show running state: firewall-cmd --state
List all predefined zones: firewall-cmd --get-zones
Show the default zone's policy (only /etc/firewalld/zones/public.xml is shown):
firewall-cmd --list-all
Show a single policy item, e.g. ports: firewall-cmd --list-ports
Show the zone an interface belongs to: firewall-cmd --get-zone-of-interface=eth0
3. Zone overview
drop: drop all incoming packets without sending any response
block: reject all externally initiated connections; allow connections initiated from inside
public: allow only the explicitly specified incoming connections
external: same as above, for masqueraded incoming connections; typically used on routers that forward traffic
dmz: allow restricted incoming connections
work: allow restricted incoming connections from trusted computers, similar to a workgroup
home: same as above, similar to a homegroup
internal: same as above, with the scope applied to all internet users
trusted: trust all connections
4. Managing policy
Add: firewall-cmd --zone=xxx --add-yyy[=value]
Remove: firewall-cmd --zone=xxx --remove-yyy[=value]
Query: firewall-cmd --zone=xxx --query-yyy[=value]
Note 1: the commands above take effect only at runtime; add --permanent to make them persistent
Note 2: xxx is a zone name such as public or work
Note 3: yyy is a policy item (service/port/interface/protocol/masquerade/forward-port/source-port/icmp-block/rich-rule)
Note 4: adding --timeout=60 applies the item temporarily for 60 s
Example: firewall-cmd --zone=public --add-service=ssh --permanent
Allow the firewall to masquerade source IPs: firewall-cmd --add-masquerade
5. Common usage
Forward traffic arriving on port 80 to port 8080:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
Forward traffic arriving on port 80 to 192.168.0.1:
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
Forward traffic arriving on port 80 to port 8080 on 192.168.0.1:
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
Forward port 80 to port 8080 on 192.168.0.1 using a rich rule:
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="0.0.0.0/0" forward-port port="80" protocol="tcp" to-port="8080" to-addr="192.168.0.1"'
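An added bash helper (not part of the original cheat sheet) that assembles and validates the value for --add-forward-port before it is passed to firewall-cmd, so that a malformed destination address or port is rejected rather than applied to the firewall; the function names and the sample values are assumptions of this example.

```bash
#!/bin/bash
# Hypothetical helper: build a forward-port spec such as
#   port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
# and refuse bad input instead of handing it to firewall-cmd.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255
is_ipv4() {
    local ip=$1 octet parts
    [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    IFS=. read -r -a parts <<< "$ip"
    for octet in "${parts[@]}"; do
        (( 10#$octet <= 255 )) || return 1    # 10# avoids octal parsing of "08"
    done
}

# is_port N: succeed only for an integer in 1..65535
is_port() {
    [[ $1 =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# forward_port_spec PORT PROTO [TOADDR] [TOPORT]
# Prints the --add-forward-port value, or fails with a message on stderr.
forward_port_spec() {
    local port=$1 proto=$2 toaddr=$3 toport=$4 spec
    is_port "$port" || { echo "bad port: $port" >&2; return 1; }
    [[ $proto == tcp || $proto == udp ]] || { echo "bad proto: $proto" >&2; return 1; }
    [[ -n $toaddr || -n $toport ]] || { echo "need toaddr or toport" >&2; return 1; }
    spec="port=${port}:proto=${proto}"
    if [[ -n $toaddr ]]; then
        is_ipv4 "$toaddr" || { echo "bad toaddr: $toaddr" >&2; return 1; }
        spec+=":toaddr=${toaddr}"
    fi
    if [[ -n $toport ]]; then
        is_port "$toport" || { echo "bad toport: $toport" >&2; return 1; }
        spec+=":toport=${toport}"
    fi
    printf '%s\n' "$spec"
}

# Constructed usage: print the command instead of running it.
if spec=$(forward_port_spec 80 tcp 192.168.0.1 8080); then
    echo "firewall-cmd --zone=public --add-forward-port=$spec"
fi
# A five-octet address (a typo that would otherwise reach firewall-cmd) is refused.
forward_port_spec 80 tcp 192.168.1.0.1 2>/dev/null && echo "unexpected" || echo "rejected malformed address"
```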