启用并开机启动
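# Start firewalld now and make it start at boot. Before enabling it, make sure
# no other ruleset manager (iptables.service, nftables.service, ufw) is also
# active on the host, otherwise the two will overwrite each other's rules.
# (`systemctl enable --now firewalld.service` does both steps in one call.)
systemctl start firewalld.service
systemctl enable firewalld.service
# Verify it actually came up: a firewalld that failed to start leaves the host
# with no filtering and no further warning. Non-zero exit status means inactive.
systemctl is-active firewalld.service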
查看firewall规则与状态
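# Is firewalld running? Prints "running" or "not running".
firewall-cmd --state
# `--list-all` without `--zone=` reports the *default* zone (normally "public"),
# which is not necessarily the zone an interface is actually bound to. Check
# both before trusting the listing below.
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
# Runtime rules of the default zone.
firewall-cmd --list-all
# Persistent rules of the default zone (what is stored under
# /etc/firewalld/zones/). Runtime and persistent sets drift apart whenever a
# change is made with or without --permanent but not the other; compare them.
firewall-cmd --list-all --permanent
# Runtime rules of every zone.
firewall-cmd --list-all-zones
# Reload: activates --permanent changes and DISCARDS runtime-only changes.
firewall-cmd --reload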
添加删除端口
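# Open / close a port in the default zone. --permanent only edits the on-disk
# config; nothing changes on the wire until `firewall-cmd --reload` (bottom).
# Add
firewall-cmd --add-port=22122/tcp --permanent
# Remove
firewall-cmd --remove-port=22122/tcp --permanent
# Allow MySQL (3306/tcp) only from the 192.168.1.0/24 network.
# Quoting fix: the original wrote "rule family="ipv4" ...", which toggles the
# shell's double quotes on and off; it survives only because the rule has no
# spaces inside the values. Use single quotes inside the double-quoted rule.
# Use the network address (192.168.1.0/24) rather than a host address with a
# prefix; some backends reject host bits set under the mask.
# SECURITY: this rule only ADDS an accept. It restricts 3306 to that network only
# if 3306 is not also opened zone-wide via --add-port=3306/tcp or
# --add-service=mysql; confirm with `firewall-cmd --list-all --permanent`.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp' port='3306' accept"
# Add / remove the smtp service in the "work" zone. Without --permanent these
# are runtime-only and are silently lost on the next reload or reboot; repeat
# each with --permanent if the change is meant to stick.
firewall-cmd --zone=work --add-service=smtp
firewall-cmd --zone=work --remove-service=smtp
# Put the --permanent changes above into effect.
firewall-cmd --reload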
端口转发
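# Enable masquerading (source NAT) on the public zone. Needed whenever a
# forward-port rule targets another host (toaddr=...); firewalld also turns on
# kernel IP forwarding for it (verify with `sysctl net.ipv4.ip_forward`).
# SECURITY: the backend then sees this host, not the real client, as the
# source address, so its logs and any source-based access control lose the
# original client IP.
firewall-cmd --zone=public --add-masquerade
# Disable masquerading
firewall-cmd --zone=public --remove-masquerade
# Port forwarding. The three commands below are ALTERNATIVE examples; run only
# the one you need. Running all three stacks three forward rules for 22/tcp.
# SECURITY: forwarding the host's own SSH port (22) means this host's sshd is
# no longer reachable on 22 from that zone; prefer a port the host does not
# listen on. All three are runtime-only (no --permanent) and vanish on reload.
# Local redirect: 22 -> 3753 on this host
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
# Forward to another host, same port (requires masquerade above)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
# Forward to another host, different port (requires masquerade above)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100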
IP 封禁
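# Rich-rule actions: reject = refuse and answer with an ICMP error / TCP RST
# (the sender learns a live host is there); drop = discard silently, usually
# preferred for bans on Internet-facing hosts; accept = allow.
# Without an explicit priority firewalld orders rich rules log -> deny -> allow,
# so a reject/drop rule for a source wins over any accept rule for it.
# These rules are family='ipv4' only and match nothing on IPv6; if the host
# has an IPv6 address, add matching family='ipv6' rules or the ban is partial.
# Every command here is --permanent: nothing is enforced until the reload.
# Ban a single IP
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.222' reject"
# Ban a network
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.0/24' reject"
# ALLOW (not ban) one IP to reach one port: an accept scoped to 192.168.1.2 on
# 80/tcp. It blocks nobody else; others are only kept out if 80/tcp is not
# opened elsewhere in the zone.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.2' port port='80' protocol='tcp' accept"
# Apply the persistent rules above.
firewall-cmd --reload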