一、在工作中远程连接经常通过堡垒机连接,不能直接开启防火墙。所以就需要写入配置文件中
编译配置文件 /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="dhcpv6-client"/> <service name="ssh"/> <port protocol="tcp" port="80"/> <port protocol="tcp" port="22"/> <rule family="ipv4"> <source address="172.21.0.16"/> <port protocol="tcp" port="3306"/> <accept/> </rule> </zone>
注释:
#开启端口 <port protocol="tcp" port="443"/> <port protocol="tcp" port="80"/> <port protocol="tcp" port="22"/> #开启ip+端口 <rule family="ipv4"> <source address="172.21.0.16"/> <port protocol="tcp" port="3306"/> <accept/> </rule>
最后重启防火墙就可以了
systemctl restart firewalld.service #查看规则 [root@VM_0_14_centos html]# firewall-cmd --list-all public target: default icmp-block-inversion: no interfaces: sources: services: dhcpv6-client ssh ports: 80/tcp 22/tcp protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: rule family="ipv4" source address="172.21.0.16" port port="3306" protocol="tcp" accept
二、最主要的ssh端口用配置文件写其他规则就无所谓了!
命令直接写规则
#永久开启9090端口 firewall-cmd --zone=public --add-port=9090/tcp --permanent #Postgresql端口设置。允许192.168.142.166访问5432端口 firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.27.0.2" port protocol="tcp" port="1521" accept"