2MUCH

Linux - Firewall (firewalld)

2022-09-18


Linux has two firewall management tools: CentOS 7.0 and later use firewalld, while versions before CentOS 7.0 use iptables. CentOS 7.0 and later default to firewalld; if you want to switch back to iptables, disable firewalld and install iptables.

Since my cloud host currently runs CentOS 7.0+, I will only study firewalld for now.

Basic commands

Checking the firewall status and rules

Check the firewall status:

systemctl status firewalld

[cindy@iZbp15qc4wmx335c268l5mZ ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-04-28 21:54:51 CST; 4 months 21 days ago
     Docs: man:firewalld(1)
 Main PID: 560 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─560 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Seeing Active: active (running) means the firewall is running.

Check the firewall rules:

firewall-cmd --list-all

[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: # omitted
  ports: # omitted
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Starting and stopping the firewall

Start:

systemctl start firewalld

Stop:

systemctl stop firewalld

Enable at boot:

systemctl enable firewalld

Disable at boot:

systemctl disable firewalld

Reload the firewall rules:

firewall-cmd --reload

Opening and closing ports

List the open ports (run as root):

firewall-cmd --list-ports

[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --list-ports
# output omitted; each entry has the form port/protocol (e.g. 20/tcp)

Check whether a specific port is open:

firewall-cmd --query-port=#port#/#protocol#

# e.g. check whether port 3306 is open
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
no

Open a port:

firewall-cmd --zone=public --add-port=#port#/#protocol# --permanent

--permanent: makes the setting persistent (saved to the permanent configuration, not only the running one)

# e.g. open the MySQL port 3306
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --zone=public --add-port=3306/tcp --permanent
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --reload
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
yes

Close a port:

firewall-cmd --zone=public --remove-port=#port#/#protocol# --permanent

[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --zone=public --remove-port=3306/tcp --permanent
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --reload
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
no

Note: after changing the configuration, the firewall must be reloaded for the change to take effect.
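The add-port / reload / query-port sequence above, wrapped into one shell function as an added example that is not part of the original post: it validates the port spec before anything reaches firewall-cmd, and parses the --list-all output to skip ports that are already open, so a typo or a repeated run cannot silently produce a wrong rule. The open_port function assumes root and a running firewalld; the embedded list-all sample is constructed for offline checking, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate a port spec before
# handing it to firewall-cmd, and check an existing rule dump for that port.
set -u

# Accept only "<1-65535>/<tcp|udp>" so a typo never reaches firewall-cmd.
valid_port_spec() {
  case "$1" in
    */tcp|*/udp) ;;
    *) return 1 ;;
  esac
  port=${1%/*}
  case "$port" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Given the text of `firewall-cmd --list-all`, report whether a port spec
# is already on the "ports:" line (so --add-port can be skipped).
port_listed() {
  printf '%s\n' "$2" | awk -v spec="$1" '
    $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == spec) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Open a port permanently, reload, and confirm with --query-port, only when
# the spec is valid and not already open. Needs root and a running firewalld.
open_port() {
  valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 2; }
  current=$(firewall-cmd --zone=public --list-all) || return 1
  if port_listed "$1" "$current"; then
    echo "$1 is already open"
    return 0
  fi
  firewall-cmd --zone=public --add-port="$1" --permanent &&
    firewall-cmd --reload &&
    [ "$(firewall-cmd --zone=public --query-port="$1")" = yes ]
}

# Constructed sample of `firewall-cmd --list-all` output for offline checks
# (not captured from a real host).
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  ports: 22/tcp 80/tcp 443/tcp
  rich rules: '
```

Run `open_port 3306/tcp` as root to reproduce the session above in one step; `valid_port_spec` and `port_listed` can be exercised anywhere since they touch no firewall.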

Using telnet on macOS

To verify whether a given port on the host is reachable, telnet from the local machine to that port on the host.

Installing telnet on macOS

The terminal does not ship with telnet by default, so install it first:

brew install telnet

Test that telnet was installed successfully:

Mac ~ % telnet
telnet> 

Verifying the firewall change

Before opening port 3306

Mac ~ % telnet 101.37.146.100 3306
Trying 101.37.146.100...
telnet: connect to address 101.37.146.100: Connection refused
telnet: Unable to connect to remote host

After opening port 3306 and reloading the firewall service

Mac ~ % telnet 101.37.146.100 3306
Trying 101.37.146.100...
Connected to 101.37.146.100.
Escape character is '^]'.
FHost 'xxx' (redacted) is not allowed to connect to this MySQL serverConnection closed by foreign host.

It looks like the connection goes through, so opening port 3306 in the firewall took effect.

Aside: there is still an error above, probably because MySQL is configured not to allow remote access. To stay on the safe side, I will not grant remote access to the root user; instead, I ran the following so that the cindy user can connect remotely.

mysql> use mysql;
Database changed
mysql> select host from user where user='cindy';
+-----------+
| host      |
+-----------+
| localhost |
+-----------+
1 row in set (0.00 sec)

mysql> update user set host='%' where user = 'cindy';
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select host from user where user='cindy';
+------+
| host |
+------+
| %    |
+------+
1 row in set (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

After this, connecting to the MySQL database remotely as the cindy user with a database client works.
