CentOS防火墙与白名单配置

作者:zhangyunlong 发布时间: 2023-11-01 阅读量:3 评论数:0

1 配置防火墙默认活跃区

编辑/etc/sysconfig/network-scripts/目录下的网卡配置文件(根据当前使用的网卡名确定具体文件, 如示例中为eth0网卡, 则为ifcfg-eth0文件)

[root@yycpyfzx-4 ~]# cd /etc/sysconfig/network-scripts/
[root@yycpyfzx-4 network-scripts]# ls
ifcfg-eth0  ifdown-bnep  ifdown-ipv6  ifdown-ppp     ifdown-Team      ifup          ifup-eth   ifup-isdn   ifup-post    ifup-sit       ifup-tunnel
ifcfg-lo    ifdown-eth   ifdown-isdn  ifdown-routes  ifdown-TeamPort  ifup-aliases  ifup-ippp  ifup-plip   ifup-ppp     ifup-Team      ifup-wirele
ifdown      ifdown-ippp  ifdown-post  ifdown-sit     ifdown-tunnel    ifup-bnep     ifup-ipv6  ifup-plusb  ifup-routes  ifup-TeamPort  init.ipv6-g
[root@yycpyfzx-4 network-scripts]# ifconfig 
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:42:2e:a7:36  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.162.4  netmask 255.255.255.0  broadcast 192.168.162.255
        inet6 fe80::f816:3eff:fe2b:abf1  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:2b:ab:f1  txqueuelen 1000  (Ethernet)
        RX packets 91030  bytes 133590380 (127.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49096  bytes 2925789 (2.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 49  bytes 11510 (11.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49  bytes 11510 (11.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@yycpyfzx-4 network-scripts]# vi ifcfg-eth0 
# 在配置文件中添加一行配置(如已存在则跳过):
ZONE=public

2 重启网卡

[root@yycpyfzx-4 ~]# systemctl restart network

3 配置白名单放行策略

比如对192.168.48.21放行80-13000的所有端口, 协议为tcp。注意该富规则只是新增一条放行项, 未匹配的流量仍按public区的默认策略处理(如下方--list-all所示, ssh与dhcpv6-client服务对所有来源开放, 并未因此被限制); 另外命令中嵌套的双引号之所以能正常工作, 是因为各取值不含空格, 更稳妥的写法是外层改用单引号。

[root@yycpyfzx-4 network-scripts]# firewall-cmd --zone=public --permanent --add-rich-rule="rule family="ipv4" source address="192.168.48.21" port protocol="tcp" port="80-13000" accept"
success
[root@yycpyfzx-4 network-scripts]# firewall-cmd --reload
success
[root@yycpyfzx-4 network-scripts]# 
[root@yycpyfzx-4 network-scripts]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="192.168.48.21" port port="80-13000" protocol="tcp" accept
[root@yycpyfzx-4 network-scripts]#
