firewalld 相关链接: https://firewalld.org/
What is firewalld?
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces.
Changes can be done immediately in the runtime environment. No restart of the service or daemon is needed.
提供三种开通防火墙方式
1. 基于Port
$ firewall-cmd --zone=public --add-port=443/tcp --permanent
2. 基于Service
$ firewall-cmd --zone=public --add-service=https --permanent
3. 基于Rule
$ firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" port protocol="tcp" port="443" accept' --permanent
Rich Rule语法
rule [ family="rule family" ]
[ source [NOT] [address="ip-address"] [mac="mac-address"] [ipset="ipset"] ]
[ destination [NOT] address="ip-address" ]
[ element ]
[ log [prefix="prefix text"] [leve="log level"] [limit value="rate/duration"] ]
[ audit ]
[ action ]
element 字段只能是以下类型:
service, port, protocol, masquerade, icmp-block, forward-port, source-port
service name=<service_name>
port port=<port> protocol=<tcp|udp>
protocol value=<protocol_name_or_id> # 可以参考/etc/protocols文件
msquerade
forward-port port=<port> protocol=<protocol> to-port=<to-port> to-addr=<to-addr>
SNAT配置
# 开启 NAT 转发
$ firewall-cmd --permanent --zone=public --add-masquerade
# 开放 DNS 使用的 53 端口,UDP
# 必须,否则其他机器无法进行域名解析
$ firewall-cmd --zone=public --add-port=80/tcp --permanent
# 检查是否允许 NAT 转发
$ firewall-cmd --query-masquerade
# 禁止防火墙 NAT 转发
$ firewall-cmd --remove-masquerade
DNAT配置
# 将80端口的流量转发至8080
$firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# 将80端口的流量转发至192.168.0.1
$ firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# 将80端口的流量转发至192.168.0.1的8080端口
$ firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080