Linux-防火墙firewall
2022-09-18
Linux-防火墙firewall
Linux中有两种防火墙软件,ConterOS7.0以上使用的是firewall,ConterOS7.0以下使用的是iptables。ConterOS7.0以上默认使用firewalld防火墙,如果想换回iptables防火墙,可关闭firewalld并安装iptables。
由于目前我的云主机是ConterOS7.0+,所以就先只学习firewall。
基本命令
查看防火墙状态和规则
查看防火墙状态:
systemctl status firewalld
[cindy@iZbp15qc4wmx335c268l5mZ ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-04-28 21:54:51 CST; 4 months 21 days ago
Docs: man:firewalld(1)
Main PID: 560 (firewalld)
CGroup: /system.slice/firewalld.service
└─560 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
看到Active: active (running)字样,表示防火墙是启动状态
查看防火墙规则:
firewall-cmd --list-all
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: # 略
ports: # 略
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
开启和关闭防火墙
开启:
systemctl start firewalld
关闭:
systemctl stop firewalld
设置开机启动:
systemctl enable firewalld
禁用开机启动:
systemctl disable firewalld
重启防火墙:
firewall-cmd --reload
端口开放或关闭
查看开放的端口(root执行):
firewall-cmd --list-ports
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --list-ports
# 结果略,查询结果格式: 端口号/协议名称(如20/tcp)
查询特定端口是否开放:
firewall-cmd --query-port=#port#/#protocol#
# 例如查询3306端口是否开放
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
no
开放端口:
irewall-cmd --zone=public --add-port=#port#/#protocol# --permanent
permanent:表示设置为持久
# 例如,开放mysql 3306端口
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --zone=public --add-port=3306/tcp --permanent
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --reload
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
yes
关闭端口:
firewall-cmd --zone=public --remove-port=#port#/#protocol# --permanent
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --zone=public --remove-port=3306/tcp --permanent
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --reload
success
[root@iZbp15qc4wmx335c268l5mZ ~]# firewall-cmd --query-port=3306/tcp
no
注意,修改配置后,需要重启防火墙方可生效
Macos使用telnet
为了验证是否主机的某端口是否可正常access,可以在本机telnet到主机的特定端口。
Mac安装telnet
终端默认不支持telnet,所以需要先安装:
brew install telnet
测试telnet已安装成功:
Mac ~ % telnet
telnet>
验证防火墙开放结果
开放3306端口前
Mac ~ % telnet 101.37.146.100 3306
Trying 101.37.146.100...
telnet: connect to address 101.37.146.100: Connection refused
telnet: Unable to connect to remote host
开放3306端口并重启防火墙服务后
Mac ~ % telnet 101.37.146.100 3306
Trying 101.37.146.100...
Connected to 101.37.146.100.
Escape character is '^]'.
FHost 'xxx'(隐去) is not allowed to connect to this MySQL serverConnection closed by foreign host.
看起来,是可以通的。说明防火墙开启3306端口服务生效了。
题外话:但是上面还是有报错,那可能是因为mysql的设置,不允许远程访问。为了确保安全,就不设置root用户的远程访问授权了。执行以下命令,使其支持cindy用户远程访问。
mysql> use mysql;
Database changed
mysql> select host from user where user='cindy';
+-----------+
| host |
+-----------+
| localhost |
+-----------+
1 row in set (0.00 sec)
mysql> update user set host='%' where user = 'cindy';
Query OK, 1 row affected (0.01 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> select host from user where user='cindy';
+------+
| host |
+------+
| % |
+------+
1 row in set (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
此时,用数据库连接工具使用cindy用户连接mysql数据库,已经可以正常远程连上了。
参考链接
https://blog.csdn.net/wade3015/article/details/90725871
https://juejin.cn/post/6844903865146425351
https://blog.csdn.net/weixin_42521949/article/details/119362634