Check the firewall status
systemctl status firewalld
or
firewall-cmd --state
Start the firewall
systemctl start firewalld
Stop the firewall
systemctl stop firewalld
Enable the firewall service at boot
systemctl enable firewalld
Disable the firewall service at boot
systemctl disable firewalld
Add a port to the firewall
firewall-cmd --zone=public --add-port=80/tcp --permanent
Remove the specified port
firewall-cmd --zone=public --remove-port=80/tcp --permanent
List the rules currently in effect
firewall-cmd --list-all
Reload the rules
firewall-cmd --reload
View the services currently in effect
In effect, a service corresponds to a port; each service is defined by an XML file under /usr/lib/firewalld/services
firewall-cmd --list-services
View which other services are available to open
firewall-cmd --get-services
View all open ports
firewall-cmd --zone=public --list-ports
or
firewall-cmd --list-ports
Temporarily add a service to firewalld
firewall-cmd --add-service=http
- replace http with the service you want to open
Because the --permanent option is not used, this rule
To add a service permanently, add --permanent
firewall-cmd --permanent --add-service=http
The --permanent option is
Add a rule allowing the specified IP:port to access this machine
(the rich rule's attribute values must be double-quoted, so the whole rule is wrapped in single quotes for the shell)
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.19.32.142" port port="3306" protocol="tcp" accept'
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.19.32.142" port port="1-65535" protocol="tcp" accept'
Remove the rule allowing the specified IP:port to access this machine
firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="172.19.32.142" port port="3306" protocol="tcp" accept'
firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="172.19.32.142" port port="1-65535" protocol="tcp" accept'
Add a rule denying the specified IP:port access to this machine
# Block the address 192.168.0.200 from reaching port 80, i.e. deny it access to the machine
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.200" port port="80" protocol="tcp" reject'
View the default zone and the active zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
Add the docker network interface to a zone
1. First check the status of the network management programs: one of the two network management services, network and NetworkManager, has to be disabled. Check their status
# systemctl status NetworkManager
● NetworkManager.service - Network Manager
Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled; vendor preset: enabled)
Active: inactive (dead) since Wed 2020-06-17 16:59:26 CST; 23min ago
Docs: man:NetworkManager(8)
# systemctl status network
Hint: Some lines were ellipsized, use -l to show in full.
● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
Active: active (exited) since Wed 2020-06-17 13:53:28 CST; 3h 29min ago
Docs: man:systemd-sysv-generator(8)
2. If both services turn out to be active, NetworkManager has to be stopped; the commands to stop NetworkManager are as follows
systemctl stop NetworkManager
systemctl disable NetworkManager
3. Find the virtual network interface of the docker host
# ip a
...
...
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:a1:9a:1a:40 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/16 brd 172.16.255.255 scope global docker0
valid_lft forever preferred_lft forever
4. Add the docker host's virtual interface to the firewall's work zone
firewall-cmd --add-interface=docker0 --zone=work --permanent
5. Open the 172.17.0.0/16 IP range in the work zone
firewall-cmd --zone=work --permanent --add-rich-rule 'rule family="ipv4" source address="172.17.0.0/16" port port="1-65535" protocol="tcp" accept'
6. Reload the firewall
firewall-cmd --reload
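The docker0-to-work-zone procedure above, and the rich-rule quoting used throughout this page, as one added example script (not code from the original post). It assumes firewall-cmd, systemctl and ip are on PATH, and the interface name docker0, zone work and subnet 172.17.0.0/16 are the values from the steps above; with DRY_RUN=1 it only prints the firewall-cmd invocations it would run.

```shell
#!/bin/sh
# Added example, not from the original post: apply the docker0 -> work zone
# procedure as a script. Assumes firewall-cmd, systemctl and ip are installed.
set -eu

# Build a rich rule with the quoting firewalld expects: every attribute value is
# double-quoted, so the rule itself must be handed to the shell in single quotes.
rich_rule_allow() { # <source-cidr> <port-or-range> <protocol>
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

run() { # execute a command, or only print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-2: the page requires that only one of network / NetworkManager is active.
check_network_managers() {
  nm=$(systemctl is-active NetworkManager 2>/dev/null || true)
  net=$(systemctl is-active network 2>/dev/null || true)
  if [ "$nm" = active ] && [ "$net" = active ]; then
    echo "both NetworkManager and network are active; stop NetworkManager first" >&2
    return 1
  fi
}

# Step 3: confirm the bridge the page located with `ip a` exists.
bridge_exists() { ip link show "$1" >/dev/null 2>&1; }

# Steps 4-6: bind the bridge to the zone, allow the container subnet, reload.
add_bridge_to_zone() { # <iface> <zone> <source-cidr>
  run firewall-cmd --permanent --zone="$2" --add-interface="$1"
  run firewall-cmd --permanent --zone="$2" --add-rich-rule="$(rich_rule_allow "$3" 1-65535 tcp)"
  run firewall-cmd --reload
}

main() {
  check_network_managers
  bridge_exists docker0 || { echo "docker0 not found" >&2; return 1; }
  add_bridge_to_zone docker0 work 172.17.0.0/16
}

# Only apply when explicitly asked, e.g.: sh firewalld-docker.sh apply
if [ "${1:-}" = apply ]; then main; fi
```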