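# firewalld / iptables cheat sheet for systemd-based hosts (CentOS/RHEL style).
# These are reference commands, not a script: run them one at a time as root.
#
# The single most important point: firewall-cmd keeps TWO configurations.
#   * runtime   (no --permanent): applied immediately, LOST on --reload, service restart or reboot
#   * permanent (--permanent):    written to /etc/firewalld, has NO effect until --reload
# Mixing the two up is the usual reason a port "was open and is now closed again".
# Every command below that omits --zone acts on the default zone (firewall-cmd --get-default-zone).

## firewalld service lifecycle
systemctl status firewalld                 # service status
systemctl start firewalld                  # start
service firewalld restart                  # restart (legacy wrapper; systemctl restart firewalld is equivalent)
systemctl stop firewalld                   # stop: the host runs with NO packet filtering until started again
systemctl disable firewalld                # do not start at boot
systemctl enable firewalld                 # start at boot

## general
firewall-cmd --zone=public --permanent ... # template: target a specific zone and write the permanent config
firewall-cmd --list-all                    # active (runtime) rules of the default zone
firewall-cmd --runtime-to-permanent        # persist the current runtime rule set; use after a runtime change has been tested
firewall-cmd --reload                      # re-read the permanent config. Runtime-only changes are DISCARDED here, so the
                                           # order is either "--permanent ... ; --reload" or "... ; --runtime-to-permanent",
                                           # never "runtime change ; --reload" (that undoes the change).

## ports
firewall-cmd --list-ports                  # runtime list of opened ports
firewall-cmd --query-port=8080/tcp         # is the port open? prints yes/no, exit status 0 = open
firewall-cmd --add-port=80/tcp             # open 80/tcp now (runtime only; add --permanent or --runtime-to-permanent to keep it)
firewall-cmd --add-port=8080-8085/tcp      # open a range; check that every port in the range really needs exposure
firewall-cmd --remove-port=8080/tcp        # close a port (same runtime/permanent caveat as --add-port)

## rich rules: allow-list a source address for a port
# allow only client 192.168.1.100 to reach tcp/200 on this host
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="200" protocol="tcp" accept'
firewall-cmd --remove-rich-rule='规则'                   # delete a runtime rule ('规则' stands for the exact rule string)
firewall-cmd --permanent --remove-rich-rule='规则'       # delete a permanent rule (required when the rule was added with --permanent)
firewall-cmd --list-rich-rules                           # runtime rich rules (permanent rules loaded at start + runtime additions)
firewall-cmd --permanent --list-rich-rules               # permanent rich rules only

## port forwarding (DNAT)
# forward tcp/200 from client 192.168.1.100 to 192.168.1.115:3306 -- and from no other source
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" forward-port port="200" protocol="tcp" to-port="3306" to-addr="192.168.1.115"'
firewall-cmd --add-masquerade              # enable NAT (masquerade) for the whole zone; needed when forwarding to another
                                           # host (to-addr). This turns the zone into a NAT gateway for everything it
                                           # forwards -- scope it with --zone= rather than enabling it in the default zone.
firewall-cmd --add-forward-port=port=100:proto=tcp:toport=200:toaddr=192.168.1.115   # tcp/100 -> 192.168.1.115:200 from ANY source;
                                           # prefer the rich-rule form above when the backend must only be reachable from known clients
firewall-cmd --remove-forward-port=port=100:proto=tcp:toport=200:toaddr=192.168.1.115 # remove that forward

# help
# https://www.fcblog.cn/post/52.html
# https://blog.csdn.net/qq_41153478/article/details/83033688

## iptables service (iptables-services package)
## Do not run this alongside firewalld: both manage the same netfilter tables and overwrite each
## other's rules. Keep exactly one of them enabled (e.g. systemctl mask firewalld when using iptables).
systemctl status iptables                  # status
systemctl stop iptables                    # stop
systemctl start iptables                   # start
systemctl restart iptables                 # restart
systemctl disable iptables.service         # do not start at boot
systemctl enable iptables.service          # start at boot again
vi /etc/sysconfig/iptables                 # rule file loaded by the iptables service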