I want to set up a firewall on CentOS 7 so that all incoming requests are blocked except those from a whitelist of IP addresses. Should all ports be reachable for the whitelisted IPs?
2015-08-15 07:25:36

5 Answers

    sudo firewall-cmd --zone=work --add-source=192.168.0.0/24

    sudo firewall-cmd --zone=work --add-port=8080-8090/tcp

2015-08-15 07:31:25

Just to add to Normunds' answer:

$ sudo firewall-cmd --permanent --zone=work --add-source=172.16.0.0/12
$ sudo firewall-cmd --permanent --zone=work --add-port=8080-8090/tcp

To block all other traffic:

$ sudo firewall-cmd --set-default-zone=drop

Warning: if you access from a remote machine, this may disconnect your login session. If you did not get the 'work' zone IP setup correctly, you will not be able to connect to your server.

To reload the firewall:

$ sudo firewall-cmd --reload

I could not figure out how to add two different IPs with '--add-rich-rule'.

2015-08-15 07:32:52

Firewalld will apply the rules for a zone based upon the following precedence:

  • If the source IP matches a source IP bound to a zone, it uses that.
  • If the source IP doesn't match any particular zone, it checks to see if there's a zone configured for the interface the packet came in on. If there is one, it uses that.
  • Lastly, if nothing else matches, it uses the default zone.

So, first off, you want to bind your trusted IPs to the "trusted" zone:

firewall-cmd --permanent --zone=trusted --add-source=1.2.3.4

Then, either set your default zone to "drop" or bind your interface to it:

firewall-cmd --permanent --set-default-zone=drop
firewall-cmd --permanent --zone=drop --change-interface=eth0

and then make the changes take effect (warning: this will probably drop your connection if you're doing this over the network and you didn't add your source IP to the trusted zone):

firewall-cmd --reload

Of course, you can also just test these temporarily by omitting the "--permanent" (and then you don't have to --reload, either).

2015-08-15 07:32:30
This can be done with the --add-rich-rule option.
2015-08-15 07:27:37
Adding sources to a zone. First check out which sources there are for your zone:

firewall-cmd --permanent --zone=public --list-sources

If there are none, you can start to add them, this is your "whitelist"

firewall-cmd --permanent --zone=public --add-source=192.168.100.0/24
firewall-cmd --permanent --zone=public --add-source=192.168.222.123/32

(That adds a whole /24 and a single IP, just so you have a reference for both a subnet and a single IP.)

Set the range of ports you'd like open:

firewall-cmd --permanent --zone=public --add-port=1-22/tcp
firewall-cmd --permanent --zone=public --add-port=1-22/udp

This just does ports 1 through 22. You can widen this, if you'd like.

Now, reload what you've done.

firewall-cmd --reload

And check your work:

firewall-cmd --zone=public --list-all
2015-08-15 07:33:01
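The answers above share one procedure (bind whitelisted sources to a zone, optionally open ports in that zone, switch the default zone to "drop", reload) and one hazard: if the address you are administering from is not in the whitelist, the reload locks you out. The following script, added here as an illustration and not taken from any of the answers, generates that firewall-cmd sequence and refuses to emit it unless the admin address falls inside one of the whitelisted sources. The function names (ip_to_int, cidr_contains, admin_covered, plan_whitelist) are hypothetical, the sample addresses are constructed, and the firewall-cmd lines are only printed, so the script can be reviewed before anything is applied. An empty port list models the "trusted" zone approach (all ports accepted for whitelisted sources); a non-empty list models the "work"/"public" zone approach with explicit ports.

```shell
#!/bin/sh
# Added example: plan a firewalld IP whitelist and check for self-lockout.
# Nothing here calls firewall-cmd; the commands are printed for review.

# Convert a dotted-quad IPv4 address into a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP: succeed if IP lies inside CIDR.
# A bare address (no "/bits") is treated as a /32, as firewalld does.
cidr_contains() {
    net=${1%/*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# admin_covered ADMIN_IP SOURCE...: succeed if any source covers ADMIN_IP.
admin_covered() {
    admin=$1; shift
    for src in "$@"; do
        if cidr_contains "$src" "$admin"; then
            return 0
        fi
    done
    return 1
}

# plan_whitelist ZONE "PORT..." ADMIN_IP SOURCE...
# Print the firewall-cmd sequence from the answers above, or fail without
# printing anything if ADMIN_IP is not covered by the whitelist.
# PORT entries use firewalld syntax, e.g. "22/tcp 8080-8090/tcp"; an empty
# string means no port rules (use with the "trusted" zone, which accepts all).
plan_whitelist() {
    zone=$1; ports=$2; admin=$3; shift 3
    if ! admin_covered "$admin" "$@"; then
        echo "refusing: admin address $admin is not in the whitelist;" \
             "setting the default zone to drop would lock you out" >&2
        return 1
    fi
    for src in "$@"; do
        echo "firewall-cmd --permanent --zone=$zone --add-source=$src"
    done
    for p in $ports; do
        echo "firewall-cmd --permanent --zone=$zone --add-port=$p"
    done
    echo "firewall-cmd --permanent --set-default-zone=drop"
    echo "firewall-cmd --reload"
}

# Demo run with constructed values: admin connects from 192.168.0.10,
# whitelist one subnet and one host, open only SSH and 8080-8090 for them.
plan_whitelist work "22/tcp 8080-8090/tcp" 192.168.0.10 \
    192.168.0.0/24 198.51.100.7
```

When running this over SSH, a practical choice for ADMIN_IP is the client address from the SSH_CONNECTION environment variable (its first field). Pipe the printed plan to a shell only after reading it; the refusal path exists precisely for the case the answers warn about, where the whitelist omits the address you are logged in from.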