Linux firewall
1. How to use the Linux firewall (firewalld):
systemctl status firewalld    # check whether the firewall is running
systemctl start firewalld     # start the firewall
systemctl stop firewalld      # stop the firewall
systemctl restart firewalld   # restart the firewall
iptables -L -n                # list the rules; this is the same command used with plain iptables
systemctl enable firewalld    # start automatically at boot
systemctl disable firewalld   # do not start at boot
2. Check whether the firewall is enabled:
2.1 If the output looks like the following, firewalld is not running, and the firewall can be ruled out as the cause of the problem.
[root@hecs-293015 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2023-03-29 16:23:34 CST; 2s ago
     Docs: man:firewalld(1)
  Process: 608 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 608 (code=exited, status=0/SUCCESS)

Mar 28 20:03:35 hecs-293015 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 28 20:03:37 hecs-293015 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 28 20:03:37 hecs-293015 firewalld[608]: WARNING: AllowZoneDrifting is enabled. This is considered an insecur... now.
Mar 29 16:23:34 hecs-293015 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 29 16:23:34 hecs-293015 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
2.2 If the output shows the service as active (running), the customer has the firewall enabled, and the firewall rules need to be checked further.
[root@hecs-293015 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-03-29 16:25:26 CST; 1s ago
     Docs: man:firewalld(1)
 Main PID: 16244 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─16244 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Mar 29 16:25:25 hecs-293015 systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 29 16:25:26 hecs-293015 systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 29 16:25:26 hecs-293015 firewalld[16244]: WARNING: AllowZoneDrifting is enabled. This is considered an insec... now.
Hint: Some lines were ellipsized, use -l to show in full.
3. List the ports the firewall has opened
[root@hecs-293015 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 11028/tcp 39000-40000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4. Open a port, for example MySQL's port 3306
[root@hecs-293015 ~]# firewall-cmd --zone=public --add-port=3306/tcp --permanent   ## add port 3306; the format is port/protocol; --zone selects the zone; --permanent makes the rule persist, without it the rule is lost after a restart
success
[root@hecs-293015 ~]# firewall-cmd --reload   ## reload the firewall so the permanent rule takes effect
success
[root@hecs-293015 ~]# firewall-cmd --list-all   ## list all ports the firewall has opened
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 11028/tcp 39000-40000/tcp 3306/tcp   ## port 3306 added successfully
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
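When troubleshooting as in sections 3 and 4, it helps to answer "is this port actually open?" from the `ports:` line of `firewall-cmd --list-all` rather than by eye, since entries like `39000-40000/tcp` are ranges that also cover ports not spelled out. The following POSIX shell helpers are an added example, not part of the original note; they run offline against a constructed copy of the zone output shown above, and the last comment shows how to feed them live output.

```shell
# Constructed sample of `firewall-cmd --list-all`, mirroring the zone shown above (not captured from a real host).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 11028/tcp 39000-40000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Extract the space-separated entries of the "ports:" line from --list-all output.
ports_of() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p'
}

# port_open OUTPUT PORT PROTO: exit 0 if PORT/PROTO is covered by a single entry or a range such as 39000-40000/tcp.
port_open() {
  want=$2; proto=$3
  for entry in $(ports_of "$1"); do
    spec=${entry%/*}
    [ "${entry#*/}" = "$proto" ] || continue
    case $spec in
      *-*) lo=${spec%-*}; hi=${spec#*-} ;;
      *)   lo=$spec; hi=$spec ;;
    esac
    [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0
  done
  return 1
}

# wide_ranges OUTPUT MAX: print range entries spanning more than MAX ports (audit for over-broad exposure).
wide_ranges() {
  for entry in $(ports_of "$1"); do
    spec=${entry%/*}
    case $spec in
      *-*) lo=${spec%-*}; hi=${spec#*-}
           [ $((hi - lo + 1)) -gt "$2" ] && printf '%s\n' "$entry" ;;
    esac
  done
  return 0
}

# Live use on a host running firewalld (not exercised offline):
#   port_open "$(firewall-cmd --list-all)" 3306 tcp && echo "3306/tcp is open"
```

Against the sample zone, 3306/tcp is reported closed until the `--add-port` step in section 4 is applied, while 39500/tcp is reported open because the 39000-40000/tcp range covers it.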