  • CentOS 7 firewall settings, adding static routes at boot, and special methods

    References:

    https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls

    1. Install firewalld
    Run as root: # yum install firewalld firewall-config

    2. Start, stop, and disable firewalld
    Start: # systemctl start firewalld
    Check status: # systemctl status firewalld or firewall-cmd --state
    Stop: # systemctl stop firewalld
    Disable: # systemctl disable firewalld
    1. systemctl start firewalld    # start
    2. systemctl enable firewalld   # start at boot
    3. systemctl stop firewalld     # stop
    4. systemctl disable firewalld  # do not start at boot

    Firewall matching rules

    1. Match by IP

    2. Match by interface

    3. Match the default

    firewall-cmd --state

    firewall-cmd --get-active-zones

    firewall-cmd --get-default-zone

    firewall-cmd --zone=public --list-all

    firewall-cmd --zone=public --add-port=80/tcp --permanent

    firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

    firewall-cmd --reload

    firewall-cmd --add-rich-rule="rule family='ipv4' source address='7.2.1.3' port port='22' protocol='tcp' drop" --permanent

    firewall-cmd --remove-rich-rule="rule family='ipv4' source address='7.2.1.3' port port='22' protocol='tcp' drop" --permanent

    firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.1' port port='22' protocol='tcp' accept" --permanent

    firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.168.1.1' port port='22' protocol='tcp' accept" --permanent

    firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
    firewall-cmd --zone=public --remove-service=ssh --permanent

    firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.0.0/16' port port='22' protocol='tcp' accept" --permanent
    firewall-cmd --add-rich-rule="rule family='ipv4' source address='2.9.58.24/29' port port='22' protocol='tcp' accept" --permanent
    firewall-cmd --add-rich-rule="rule family='ipv4' port port='80' protocol='tcp' accept" --permanent
    firewall-cmd --add-rich-rule="rule family='ipv4' port port='443' protocol='tcp' accept" --permanent
    firewall-cmd --add-rich-rule='rule protocol value=icmp drop' --permanent

    To see the rules that firewall-cmd ultimately produces: iptables -L -n

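    firewalld stores its configuration in various XML files under /usr/lib/firewalld/ and /etc/firewalld/.

    /usr/lib/firewalld/ holds the default zone configuration; everything in it is a system default.

    /etc/firewalld/ holds the permanent configuration currently in use, which persists across reboots; the results of every firewall-cmd --permanent command end up here.

    public.xml.old is effectively a backup file: each time public.xml is edited, the system automatically backs up the previous contents of public.xml to public.xml.old.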
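
An added example, not part of the original post: a POSIX shell function that reads a zone file such as /etc/firewalld/zones/public.xml and reports which sources may reach a TCP port, so the effect of the SSH rich rules above can be checked on disk. The function names and the sample XML are constructed for illustration, and the parser assumes one XML element per line.

```bash
#!/bin/sh
# Added example: list who may reach a TCP port according to a firewalld zone
# file. Exit status 1 means the port is reachable from any source address.
audit_zone_port() {  # usage: audit_zone_port ZONE_XML|- [PORT]
    awk -v port="${2:-22}" '
        function attr(name,    m) {  # value of name="..." on the current line
            if (!match($0, name "=\"[^\"]+\"")) return ""
            m = substr($0, RSTART, RLENGTH)
            return substr(m, length(name) + 3, length(m) - length(name) - 3)
        }
        function seen() {            # the audited port appears on this line
            if (in_rule) hit = 1; else { print "OPEN-TO-ALL " port "/tcp (zone-wide)"; bad = 1 }
        }
        index($0, "<rule")               { in_rule = 1; src = "any"; hit = 0; act = "none" }
        in_rule && index($0, "<source ") { src = attr("address") }
        index($0, "<port ") && attr("port") == port && attr("protocol") == "tcp" { seen() }
        index($0, "<service name=\"ssh\"") && port == 22 { seen() }
        in_rule && index($0, "<accept")  { act = "accept" }
        in_rule && index($0, "<drop")    { act = "drop" }
        in_rule && index($0, "<reject")  { act = "reject" }
        index($0, "</rule>") {
            if (hit && act == "accept" && src == "any") {
                print "OPEN-TO-ALL " port "/tcp (rich rule)"; bad = 1
            } else if (hit) print act " " port "/tcp from " src
            in_rule = 0
        }
        END { exit bad + 0 }
    ' "$1"
}
# Constructed sample zone: SSH limited to one source range, HTTP open to all.
sample_zone() {  # usage: sample_zone [EXTRA_XML_LINE]
    cat <<EOF
<zone>
  ${1:-}
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>
EOF
}
sample_zone | audit_zone_port - 22
sample_zone '<service name="ssh"/>' | audit_zone_port - 22 || echo "ssh is exposed"
```

On a real host, run `audit_zone_port /etc/firewalld/zones/public.xml 22` after the --permanent commands and before relying on the lockdown.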

    vi /etc/ssh/sshd_config
    ListenAddress X.X.X.X

    Disable SELinux
    sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

    The only way to add static routes at boot on CentOS 7!

    vi /etc/sysconfig/network-scripts/route-eth0
    192.168.0.0/16 via 172.16.16.200
    10.0.0.0/8 via 172.16.16.200

  • Original article: https://www.cnblogs.com/itfat/p/9073561.html