firewall-cmd命令范例

启用并开机启动

# Start firewalld now, and register it to start at boot as well
# (both are needed: `start` alone is lost on reboot, `enable` alone does nothing until reboot)
systemctl start firewalld.service
systemctl enable firewalld.service

查看firewall规则与状态

# Show whether firewalld is running (prints "not running" when stopped, "running" when started)
firewall-cmd --state              
 
# Show the rules of the default zone (public unless the default zone was changed,
# i.e. /etc/firewalld/zones/public.xml). This is the *runtime* view; add --permanent
# to see what is actually saved on disk.
firewall-cmd --list-all           
 
# Show the rules of every zone (everything under /etc/firewalld/zones/)
firewall-cmd --list-all-zones     
 
# Reload the saved configuration. Rules added with --permanent only take effect after this,
# and rules added *without* --permanent (runtime only) are discarded by it.
firewall-cmd --reload  

添加/删除端口

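# Open a port. --permanent writes to the saved config only; run `firewall-cmd --reload`
# for the change to become active.
firewall-cmd --add-port=22122/tcp --permanent
# Close it again (same caveat: takes effect after --reload)
firewall-cmd --remove-port=22122/tcp --permanent
# Allow MySQL (3306/tcp) only from the 192.168.1.1/24 network.
# Inner quotes are single so they nest safely inside the double-quoted argument.
# This rule only *adds* an accept; it is an effective allow-list only as long as 3306 is
# not also opened zone-wide (e.g. via --add-port=3306/tcp or --add-service=mysql).
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1/24' port protocol='tcp' port='3306' accept"
# Add / remove the smtp service in the work zone.
# No --permanent here: runtime only, lost on --reload or restart.
firewall-cmd --zone=work --add-service=smtp
firewall-cmd --zone=work --remove-service=smtp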

端口转发

# Enable masquerading (source NAT) in the public zone. Required when forwarding to another
# host (toaddr=...) so that the return traffic comes back through this machine.
firewall-cmd --zone=public --add-masquerade
# Disable masquerading
firewall-cmd --zone=public --remove-masquerade


# Port forwarding. Everything below is runtime only (no --permanent); add --permanent and
# --reload to persist. NOTE: these redirect inbound 22/tcp, so SSH to this host itself will
# no longer reach the local sshd while such a rule is active.
# Redirect 22/tcp to port 3753 on this host
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
# Forward 22/tcp to the same port on 192.168.1.100 (needs masquerade, see above)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
# Forward 22/tcp to port 2055 on 192.168.1.100 (needs masquerade, see above)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100

IP 封禁

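# reject = refuse (the sender gets an error reply); accept = allow.
# "drop" is also available: it silently discards the packet instead of replying.
# All rules below are --permanent: run `firewall-cmd --reload` to activate them.
# Block a single IP
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.222' reject"
# Block a whole network
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='222.222.222.0/24' reject"
# Allow a single IP to reach one port (80/tcp).
# Quoting normalised to match the rules above; the rule text firewalld receives is unchanged.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.2' port port='80' protocol='tcp' accept"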