CentOS 7 Firewalld Firewall Configuration Guide

张开发
2026/4/14 8:25:36 · 15 min read


Master the nine security zones to implement IP whitelists and port restrictions.

Basic firewall commands

Service management

Check the firewall status:
systemctl status firewalld

Stop and disable the firewall:
systemctl stop firewalld
systemctl disable firewalld

Port management

List the opened ports:
firewall-cmd --zone=public --list-ports

Open a port:
firewall-cmd --permanent --zone=public --add-port=8484/tcp

Reload the firewall:
firewall-cmd --reload

Advanced rule configuration (Rich Rules)

Use case: only a specific IP may access a specific port; all other IPs cannot.

Allow rules

Add an allow rule:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="3306" accept'

Remove the rule:
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.1" port protocol="tcp" port="3306" accept'

Reject rules

Add a reject rule:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.3" reject'

List the rules:
firewall-cmd --list-all --zone=public
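A rich-rule builder with input validation, added here as an example; it is not part of the original post. It produces the exact rule text firewalld expects (straight ASCII double quotes inside a single-quoted argument; copies of this guide that show curly quotes produce a rule firewall-cmd rejects) and prints the matching `firewall-cmd` line so it can be reviewed before it is run. The zone is given explicitly (the guide omits it, which means the default zone, public); the addresses and ports are the guide's sample values. One caveat behind the use case above: an accept rich rule limits a port to the named source only if that port is not also opened zone-wide with --add-port, because a port opened that way accepts every source.

```shell
#!/bin/sh
# Added example (not from the original post): build firewalld rich rules with
# input validation and print the exact firewall-cmd line to run. The zone,
# IPs and ports used below are sample values.

# valid_ipv4 ADDR[/PREFIX]: succeeds only for a dotted quad, optional /0-32
valid_ipv4() {
    addr="${1%%/*}"
    case "$1" in
        */*)
            prefix="${1#*/}"
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port N: succeeds for 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rich_rule ACTION SOURCE [PROTO PORT]: print the rule text. Attribute values
# take straight ASCII double quotes; curly quotes make firewall-cmd reject
# the rule.
rich_rule() {
    action="$1" src="$2" proto="$3" port="$4"
    case "$action" in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$proto" ]; then
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        rule="$rule port protocol=\"$proto\" port=\"$port\""
    fi
    printf '%s %s\n' "$rule" "$action"
}

# rich_rule_cmd add|remove ZONE ACTION SOURCE [PROTO PORT]: print the permanent
# firewall-cmd invocation, single-quoted so it can be pasted as-is
rich_rule_cmd() {
    op="$1" zone="$2"; shift 2
    case "$op" in add|remove) ;; *) echo "bad op: $op" >&2; return 1 ;; esac
    rule="$(rich_rule "$@")" || return 1
    printf "firewall-cmd --permanent --zone=%s --%s-rich-rule='%s'\n" "$zone" "$op" "$rule"
}

# Sample usage: the guide's allow and reject rules, followed by the reload
# that makes permanent rules take effect
rich_rule_cmd add public accept 192.168.1.1 tcp 3306
rich_rule_cmd add public reject 192.168.1.3
echo "firewall-cmd --reload"
```

The script only prints commands; run a printed line once you have checked it, then `firewall-cmd --reload`, and confirm with `firewall-cmd --list-rich-rules` that the rule appears in the zone you intended.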
The nine security zones explained

Zone management commands

List the rules of all zones:
firewall-cmd --list-all-zones

Show the default zone:
firewall-cmd --get-default-zone

Show the rules of a given zone:
firewall-cmd --list-all --zone=public

Show the active zones:
firewall-cmd --get-active-zones

drop: the lowest trust level; all incoming connections are dropped without a reply. Trust: ★☆☆☆☆
block: incoming connections are rejected with an ICMP prohibited message. Trust: ★☆☆☆☆
public: untrusted public networks; the zone active by default. Trust: ★★☆☆☆
external: external networks, with NAT forwarding configured. Trust: ★★☆☆☆
internal: internal networks; the computers on them are trusted. Trust: ★★★★☆
dmz: demilitarized zone; only selected incoming connections are allowed. Trust: ★★★☆☆
work: work environment; most other computers are trusted. Trust: ★★★★☆
home: home environment; other computers are trusted. Trust: ★★★★☆
trusted: fully trusted; the most open zone. Trust: ★★★★★

Advanced security policy configuration

Strict policy: deny everything by default and allow only a whitelist

Switch the default zone to drop:
firewall-cmd --set-default-zone=drop
firewall-cmd --get-active-zones

Move the network interface into the drop zone:
firewall-cmd --permanent --change-interface=ens33 --zone=drop
firewall-cmd --reload

Add the whitelisted IP to the trusted zone:
firewall-cmd --permanent --add-source=192.168.4.111 --zone=trusted
firewall-cmd --permanent --zone=trusted --add-port=80/tcp
firewall-cmd --reload

Permissive policy: allow everything by default and reject only a blacklist

Switch the default zone to trusted:
firewall-cmd --set-default-zone=trusted

Put the blocked IP into the drop zone:
firewall-cmd --permanent --add-source=192.168.1.100 --zone=drop
firewall-cmd --reload

Useful checks

Zone checks

Inspect the current configuration:
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-active-zones

Rule verification

Verify that the rules are in effect:
firewall-cmd --list-rich-rules
firewall-cmd --list-ports
firewall-cmd --list-sources

Source of this article: Centos7 防火墙策略-9个区域-限制ip及白名单 (https://blog.csdn.net/weixin_43741718/article/details/136552674)
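The strict and permissive policies above, as an added example script that is not part of the original post. It sequences the guide's commands in dry-run mode (each `firewall-cmd` invocation is printed; DRY_RUN=0 executes it instead) and then verifies the result by parsing the text of `firewall-cmd --list-all-zones`, here a constructed sample listing. The interface name ens33 and the IP addresses are the guide's sample values. Two points the script makes explicit: a source added to the trusted zone is accepted on every port, so the guide's `--add-port=80/tcp` on trusted does not narrow what the whitelisted host can reach; `strict_port_policy` shows the tighter alternative of a per-port accept rich rule in the drop zone, which firewalld evaluates before the zone's DROP target.

```shell
#!/bin/sh
# Added example (not from the original post): apply the guide's strict
# (default-deny) and permissive (default-allow) zone policies, then verify the
# result by parsing `firewall-cmd --list-all-zones` output. Dry run by default:
# each firewall-cmd invocation is printed; DRY_RUN=0 executes it instead.
# The interface ens33 and the IPs are the guide's sample values.
DRY_RUN="${DRY_RUN:-1}"

fwcmd() {
    if [ "$DRY_RUN" = 1 ]; then printf 'firewall-cmd'; printf " '%s'" "$@"; printf '\n'
    else firewall-cmd "$@"; fi
}

# strict_policy IFACE IP...: drop everything on IFACE except the listed sources.
# A source in the trusted zone is accepted on every port, so the guide's extra
# --add-port=80/tcp on trusted does not narrow what the whitelisted host reaches.
strict_policy() {
    iface="$1"; shift
    fwcmd --set-default-zone=drop
    fwcmd --permanent --change-interface="$iface" --zone=drop
    for ip in "$@"; do
        fwcmd --permanent --zone=trusted --add-source="$ip"
    done
    fwcmd --reload
}

# strict_port_policy IFACE PORT/PROTO IP...: tighter variant; each whitelisted
# source may reach only PORT. The accept rich rule lives in the drop zone,
# where firewalld evaluates it before the zone's DROP target.
strict_port_policy() {
    iface="$1"; port="${2%/*}"; proto="${2#*/}"; shift 2
    fwcmd --set-default-zone=drop
    fwcmd --permanent --change-interface="$iface" --zone=drop
    for ip in "$@"; do
        fwcmd --permanent --zone=drop --add-rich-rule="rule family=\"ipv4\" source address=\"$ip\" port protocol=\"$proto\" port=\"$port\" accept"
    done
    fwcmd --reload
}

# permissive_policy IP...: accept everything except the listed sources.
permissive_policy() {
    fwcmd --set-default-zone=trusted
    for ip in "$@"; do
        fwcmd --permanent --zone=drop --add-source="$ip"
    done
    fwcmd --reload
}

# zone_field LISTING ZONE FIELD: print FIELD (sources, interfaces, ports, ...)
# of ZONE from the text of `firewall-cmd --list-all-zones`; fails if absent.
zone_field() {
    cur=''
    while IFS= read -r line; do
        case "$line" in
            [a-z]*) cur="${line%% *}" ;;   # zone header, e.g. "drop (active)"
            "  $3:"*)
                if [ "$cur" = "$2" ]; then
                    value="${line#"  $3:"}"
                    printf '%s\n' "${value# }"
                    return 0
                fi ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# is_whitelisted LISTING IP: succeeds if IP is among the trusted zone's sources
is_whitelisted() {
    for src in $(zone_field "$1" trusted sources); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample of what `firewall-cmd --list-all-zones` prints after
# strict_policy (abridged to the fields used here). On a real host capture it
# with: listing="$(firewall-cmd --list-all-zones)"
SAMPLE_LISTING='drop (active)
  target: DROP
  interfaces: ens33
  sources:

public
  target: default
  ports: 8484/tcp

trusted (active)
  target: ACCEPT
  sources: 192.168.4.111 192.168.4.112
  ports: 80/tcp'

strict_policy ens33 192.168.4.111
permissive_policy 192.168.1.100
is_whitelisted "$SAMPLE_LISTING" 192.168.4.111 && echo "192.168.4.111 is whitelisted in trusted"
```

Run the script once as-is to review the command sequence, then with DRY_RUN=0 on the host; afterwards feed the real `firewall-cmd --list-all-zones` output to `zone_field` and `is_whitelisted` to confirm the interface landed in drop and only the intended sources are in trusted.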
