The default firewall on CentOS 7 is firewalld, which replaces the earlier iptables front end. firewalld can be managed either through a graphical interface or from the command line; this post gives a brief introduction to using firewalld from the command line.
After installation, CentOS 7 already has firewalld installed, but it is not started, so start it first and enable it to start at boot:
systemctl start firewalld ##start firewalld
systemctl enable firewalld.service ##enable it at boot; the two ln -s lines below are what systemctl enable reports as it creates the symlinks
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
Common commands
firewall-cmd --state ##show the firewall state, i.e. whether it is running
firewall-cmd --reload ##reload the configuration; required after adding permanent rules, for example
firewall-cmd --get-zones ##list the supported zones
firewall-cmd --get-services ##list all predefined service definitions (not the ones currently allowed; use --list-services for that)
firewall-cmd --query-service=ftp ##check whether the ftp service is allowed in the active zone; returns yes or no
firewall-cmd --add-service=ftp ##allow the ftp service at runtime only (lost on reload or restart)
firewall-cmd --add-service=ftp --permanent ##allow the ftp service permanently (takes effect after --reload)
firewall-cmd --remove-service=ftp --permanent ##remove the ftp service permanently
firewall-cmd --add-port=80/tcp --permanent ##open port 80/tcp permanently
iptables -L -n ##view the rules; this is the same command as with iptables
firewall-cmd --list-all ##list everything configured in the active zone
man firewall-cmd ##view the help
Denying a specific IP access to the ssh service (the IP and the service name can be changed to whatever you need; the trailing "reject" means deny and can be replaced with "accept" to allow instead; remember to run firewall-cmd --reload afterwards):
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject'
As a bonus, here is an IP blacklist (from watching the server logs, these IPs kept brute-forcing the root password over the network); each entry is added with the same --add-rich-rule command as above, only with the source address changed.
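The rich-rule command above is easy to mistype (a stray space or a bad prefix length is rejected by firewalld). As an added example that is not part of the original post, the script below validates each IPv4 source, builds the rule text, and prints the complete firewall-cmd line so a list of sources can be reviewed before it is applied; the function names and the sample sources are my own.

```shell
#!/bin/sh
# Added example, not from the original post: validate an IPv4 source, build the
# firewalld rich rule that rejects a service from it, and print the firewall-cmd
# line so the rules can be reviewed before they are applied with --permanent.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_source() {
    case "$1" in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f
    set -- $ip                      # split on dots only; a space stays inside an octet and fails below
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule text: reject service $2 (default ssh) from source $1.
reject_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" reject\n' "$1" "${2:-ssh}"
}

# Print the full firewall-cmd line, or fail loudly on a malformed source.
reject_cmd() {
    if ! valid_ipv4_source "$1"; then
        printf 'skipping malformed source: %s\n' "$1" >&2
        return 1
    fi
    # single quotes outside, double quotes inside: the shell passes the rule through intact
    printf "firewall-cmd --permanent --zone=public --add-rich-rule='%s'\n" "$(reject_rule "$1" "$2")"
}

# Constructed sample input: one good network, one with a stray space in it.
for src in 192.168.10.0/24 "192.168.10.0 /24"; do
    reject_cmd "$src" || true
done
# Run the printed lines, then: firewall-cmd --reload && firewall-cmd --list-rich-rules
```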
Use this command to see which ports your system is listening on:
netstat -an | grep -i listen