############################################
###################防火牆#####################
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl disable iptables
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# firewall-cmd --state ##查看firewalld的狀態
running
[root@localhost ~]# firewall-cmd --get-active-zones ##查看當前活動的區域,並列出目前分配給它們的接口和來源地址
ROL
sources: 172.25.0.252/32
public
interfaces: eth0 eth1
[root@localhost ~]# firewall-cmd --list-all ##列出public的全部設置
[root@localhost ~]# firewall-cmd --get-services ##列出全部預設服務
[root@localhost ~]# firewall-cmd --set-default-zone=trusted ##設定默認區域為trusted
success
[root@localhost ~]# firewall-cmd --get-default-zone ##查看默認設置
trusted
[root@localhost ~]# firewall-cmd --permanent --add-source=172.25.154.75 ##設置網絡地址到public(未指定--zone時,實際作用於當前的默認區域)
success
[root@localhost ~]# firewall-cmd --reload ##重新加載全部設置,使永久配置生效
success
[root@localhost ~]# firewall-cmd --remove-source=172.25.154.75 ##去掉指定區域的網絡地址
success
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=172.25.254.75 ##設置網絡地址到trusted
success
[root@localhost ~]# firewall-cmd --permanent --remove-source=172.25.154.75 ##永久去掉網絡地址
success
[root@localhost ~]# firewall-cmd --remove-interface=eth0 --zone=public ##刪除網絡接口eth0,從public區域
success
[root@localhost ~]# firewall-cmd --add-interface=eth0 --zone=trusted ##添加網絡接口eth0到trusted區域
success
[root@localhost ~]# firewall-cmd --zone=trusted --list-all ##列出trusted區域的全部設置
trusted (active)
interfaces: eth0
sources: 172.25.254.75
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --add-service=http --zone=public ##添加http服務到public區域
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
[root@localhost ~]# firewall-cmd --list-ports ##列出端口
[root@localhost ~]# firewall-cmd --add-port=53/tcp ##開放53/tcp端口
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client http
ports: 53/tcp
[root@localhost ~]# firewall-cmd --complete-reload
success
[root@localhost ~]# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.78 -p tcp --dport 22 -j ACCEPT ##除了78主機以外,其它主機均可以登錄;78主機是否能登錄取決於區域中的其餘規則
success
[root@localhost ~]# firewall-cmd --add-rich-rule="rule service name=ftp limit value=2/h accept"
success ##每小時容許2個新連接訪問ftp服務
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule service name="ftp" accept limit value="2/h"
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp drop"
success ##丟棄全部icmp包
[root@localhost ~]# firewall-cmd --add-rich-rule="rule protocol value=icmp reject" --timeout=10
success ##規則只在指定的秒數內生效,超時後自動移除
[root@localhost ~]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=22:toaddr=172.25.254.75 ##將本機(102)的22端口轉發到75主機的22端口,訪問本機時直接到達75
success
[root@localhost ~]# firewall-cmd --add-masquerade ##打開masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth1
sources:
services: dhcpv6-client
ports:
masquerade: yes
forward-ports: port=22:proto=tcp:toport=22:toaddr=172.25.254.75
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.25.254.102 masquerade'
success
[root@localhost ~]# firewall-cmd --add-masquerade
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.25.254.102" masquerade
[root@localhost ~]# firewall-cmd --remove-service=ssh
success
測試
用做過偽裝(masquerade)的主機10訪問11,在11上查看連接它的主機ip
附圖: