文章目录
- 防火墙管理
- 使用systemctl管理防火墙启动、关闭
- 使用firewalld-cmd配置访问防火墙策略
- firewalld配置文件修改
- 限制来源IP
- docker
- 使用 redis
防火墙管理
需要关闭防火墙或者开启对应端口
使用systemctl管理防火墙启动、关闭
- 启动防火墙: systemctl start firewalld
- 关闭防火墙: systemctl stop firewalld
- 查看防火墙状态: systemctl status firewalld
- 开机禁用防火墙: systemctl disable firewalld
- 开机启用防火墙 : systemctl enable firewalld
使用firewalld-cmd配置访问防火墙策略
- 查看版本firewall-cmd --version
- 查看帮助 firewall-cmd --help
- 显示状态 firewall-cmd --state
- 查看当前所有规则 firewall-cmd --list-all
- 查看所有打开的端口 firewall-cmd --zone=public --list-ports
- 更新防火墙规则 firewall-cmd --reload
- 添加开放端口
firewall-cmd --zone=public --add-port=80/tcp --permanent (permanent永久生效,没有此参数重启后失效)
- 查看端口是否开放firewall-cmd --zone=public --query-port=80/tcp
- 删除开放端口 firewall-cmd --zone=public --remove-port=80/tcp --permanent
- 批量开放一段TCP端口 firewall-cmd --permanent --add-port=9001-9100/tcp
- 开放IP的访问 firewall-cmd --permanent --add-source=192.168.1.1
- 开放整个源IP段的访问firewall-cmd --permanent --add-source=192.168.1.0/24
- 移除IP访问firewall-cmd --permanent --remove-source=192.168.1.1
- 允许指定IP访问本机80端口
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" accept'
- 禁止指定IP访问本机80端口
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" reject'
- 移除允许指定IP访问本机80端口规则
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="80" accept'
firewalld配置文件修改
通过修改配置文件修改防火墙访问策略
开放端口
永久开放2个端口
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload
在 /etc/firewalld/zones 下的 public.xml里:
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="ssh"/><service name="dhcpv6-client"/><port protocol="tcp" port="80"/><port protocol="tcp" port="8080"/>
</zone>
限制来源IP
限制只能接收来自 10.10.x.x段的IP,开放8000到9000之间的端口。
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.0.0/16" port protocol="tcp" port="8000-9000" accept'
firewall-cmd --reload
再看 /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="ssh"/><service name="dhcpv6-client"/><port protocol="tcp" port="80"/><port protocol="tcp" port="8080"/><rule family="ipv4"><source address="10.10.0.0/16"/><port protocol="tcp" port="8000-9000"/><accept/></rule><rule family="ipv4"><source address="192.168.1.0/24"/><port protocol="tcp" port="18000-19000"/><accept/></rule># 单个端口限制<rule family="ipv4"><source address="192.168.20.228"/><port protocol="tcp" port="18848"/><accept/></rule></zone>
所以,可以直接修改配置文件更改防火墙策略.
# firewall-cmd --list-all
publictarget: defaulticmp-block-inversion: nointerfaces: sources: services: ssh dhcpv6-clientports: 80/tcp 22/tcpprotocols: masquerade: noforward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="10.10.0.0/16" port port="8000-9000" protocol="tcp" acceptdocker
启动docker : systemctl start docker
使用 redis
docker使用redis6.0.8镜像创建容器(也叫运行镜像):
docker run -p 6379:6379 --name myr3 --privileged=true -v /app/redis/redis.conf:/etc/redis/redis.conf -v /app/redis/data:/data -d redis:6.0.8 redis-server /etc/redis/redis.conf
说明一下:-v /app/redis/redis.conf:/etc/redis/redis.conf
宿主机器上配置文件/app/redis/redis.conf,映射到容器里/etc/redis/redis.conf,容器使用映射后的配置文件/etc/redis/redis.conf
redis-cli连接上来
redis-cli -a 111111
