############################################
###################防火牆#####################
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl disable iptables
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# firewall-cmd --state ##查看firewalld的狀態
running
[root@localhost ~]# firewall-cmd --get-active-zones ##查看當前的區域,並附帶一個目前分配給它們的接口列表
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[root@localhost ~]# firewall-cmd --list-all ##列出public的所有設置
[root@localhost ~]# firewall-cmd --get-services ##列出所有預設服務
[root@localhost ~]# firewall-cmd --set-default-zone=trusted ##設定默認區域trusted
success
[root@localhost ~]# firewall-cmd --get-default-zone ##查看默認設置
trusted
[root@localhost ~]# firewall-cmd --permanent --add-source=172.25.154.75 ##設置網絡地址到默認區域(未指定--zone時作用於默認區域,此時默認區域為trusted)
success
[root@localhost ~]# firewall-cmd --reload ##重新載入永久設置(未加--permanent的運行時設置會丟失)
success
[root@localhost ~]# firewall-cmd --remove-source=172.25.154.75 ##去掉指定區域的網絡地址
success
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.254.75 ##設置網絡地址到trusted
success
[root@localhost ~]# firewall-cmd --permanent --remove-source=172.25.154.75 ##永久去掉網絡地址
success
[root@localhost ~]# firewall-cmd --remove-interface=eth0 --zone=public ##刪除網絡接口eth0,從public區域
success
[root@localhost ~]# firewall-cmd --add-interface=eth0 --zone=trusted ##添加網絡接口eth0到trusted區域
success
[root@localhost ~]# firewall-cmd --zone=trusted --list-all ##列出trusted區域的所有設置
trusted (active)
interfaces: eth0
sources: 172.25.254.75
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --add-service=http --zone=public ##添加http服務到public區域
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
[root@localhost ~]# firewall-cmd --list-ports ##列出端口
[root@localhost ~]# firewall-cmd --add-port=53/tcp ##添加53端口
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
ports: 53/tcp
[root@localhost ~]# firewall-cmd --complete-reload
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.78 -p tcp --dport 22 -j ACCEPT ##除78主機外,其他主機允許連接22端口(78主機是否被拒絕取決於區域規則中是否仍放行ssh)
success
[root@localhost ~]# firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/h accept"
success ##每小時允許2個新連接訪問ftp服務
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule service name="ftp" accept limit value="2/h"
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp drop"
success ##丟棄所有icmp包
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp reject" --timeout=10
success ##規則在指定的秒數後自動失效
[root@localhost ~]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.75 ##將本機22端口的tcp連接轉發到172.25.254.75的22端口,訪問本機後直接到達75(需配合masquerade)
success
[root@localhost ~]# firewall-cmd --add-masquerade ##打開masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.75
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.102 masquerade'
success
[root@localhost ~]# firewall-cmd --add-masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.102" masquerade
[root@localhost ~]# firewall-cmd --remove-service=ssh
success
測試
用做過僞裝的主機10訪問11,在11上查看連接它的主機ip
附圖: