#linux防火墙
Tip
debian12 通过安装 ufw 来操作防火墙；centos7 使用 firewalld（firewall-cmd）。
#规则
#添加端口到防火墙
centos7
debian12
firewall-cmd --zone=public --add-port=8080/tcp --permanent && firewall-cmd --reload
# 简单
ufw allow 80
# 复杂
ufw allow in on ens19 to any port 80 proto tcp
#从防火墙移除端口号
centos7
debian12
firewall-cmd --zone=public --remove-port=8080/tcp --permanent && firewall-cmd --reload
# 简单
ufw deny 80
# 注意：对已有的 allow 规则执行 deny，ufw 会把该条规则改为拒绝（提示 Rule updated），而不是删除它；若只想撤销放行，用 ufw delete allow 80（下面按网卡/来源的 deny 写法同理）
# 复杂
ufw deny in on ens19 to any port 80 proto tcp
#添加白名单ip
centos7
debian12
firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="${ip}/32" accept" && firewall-cmd --reload
ufw allow from ${ip}/32
# ip 变量需事先赋值（例如 ip=203.0.113.10，示例地址），为空时会生成 source address=/32 这类无效规则
#删除白名单ip
centos7
debian12
firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" source address="${ip}/32" accept" && firewall-cmd --reload
ufw deny from ${ip}/32
#添加对某个ip开放端口
centos7
debian12
firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="${ip}/32" port port="3306" protocol="tcp" accept" && firewall-cmd --reload
ufw allow from ${ip}/32 to any port 22
# 两个示例开放的端口不同（centos7 为 3306，debian12 为 22），按实际需要替换
#删除对某个ip开放端口
centos7
debian12
firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" source address="${ip}/32" port port="3306" protocol="tcp" accept" && firewall-cmd --reload
ufw deny from ${ip}/32 to any port 22
#查看端口和ip的规则列表
centos7
debian12
firewall-cmd --list-all
ufw status verbose
#防火墙开启转发
centos7
debian12
firewall-cmd --permanent --add-masquerade && firewall-cmd --reload
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf   # 重复执行会追加重复行，可先 grep 判断是否已存在
sysctl -p
#!/bin/bash
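###############################
# debian: enable forwarding / NAT through ufw so hosts on the LAN side
# (INTERNAL_IFACE) reach the internet via the WAN side (EXTERNAL_IFACE).
#
# What it does, in order:
#   1. turn on net.ipv4.ip_forward now and persist it in /etc/sysctl.conf
#   2. back up /etc/ufw/before.rules once, then append a *nat table with a
#      MASQUERADE rule for traffic leaving on EXTERNAL_IFACE (appended only
#      once, keyed on the comment line inside the block)
#   3. permit forwarding with a `ufw route` rule for INTERNAL_IFACE ->
#      EXTERNAL_IFACE only; DEFAULT_FORWARD_POLICY in /etc/default/ufw is
#      deliberately left alone, so with its shipped DROP value nothing is
#      forwarded from the WAN side into the LAN
#   4. reload ufw (or enable it if it is not active yet) and print the status
#
# Every privileged command is run through sudo. The interface names can be
# overridden from the environment:
#   INTERNAL_IFACE=eth1 EXTERNAL_IFACE=eth0 ./this-script.sh
# NOTE(review): `ufw enable` also applies ufw's incoming policy; when running
# this over SSH, make sure a rule for the SSH port exists first or the session
# is cut off.
###############################
set -euo pipefail

# LAN-facing and WAN-facing interface names (defaults match the original values)
INTERNAL_IFACE="${INTERNAL_IFACE:-ens18}"
EXTERNAL_IFACE="${EXTERNAL_IFACE:-ens19}"
readonly INTERNAL_IFACE EXTERNAL_IFACE
readonly SYSCTL_CONF="/etc/sysctl.conf"
readonly BEFORE_RULES="/etc/ufw/before.rules"
readonly BACKUP_FILE="/etc/ufw/before.rules.bak"

# A mistyped interface name would silently produce a MASQUERADE rule for a
# device that does not exist, so refuse to continue in that case.
for iface in "$INTERNAL_IFACE" "$EXTERNAL_IFACE"; do
  if [[ ! -e "/sys/class/net/${iface}" ]]; then
    printf 'error: network interface %s not found\n' "$iface" >&2
    exit 1
  fi
done

# --- 1. IP forwarding, now and after reboot ----------------------------------
echo "Enabling IP forwarding..."
sudo sysctl -w net.ipv4.ip_forward=1

echo "Updating ${SYSCTL_CONF} for persistent IP forwarding..."
if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$SYSCTL_CONF"; then
  # an entry already exists (maybe "= 0" or written with spaces): rewrite it
  # in place instead of appending a second, conflicting line
  sudo sed -E -i 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward=1/' "$SYSCTL_CONF"
else
  printf '%s\n' 'net.ipv4.ip_forward=1' | sudo tee -a "$SYSCTL_CONF" >/dev/null
fi
sudo sysctl -p
# NOTE(review): ufw applies its own /etc/ufw/sysctl.conf when it starts; if
# forwarding turns itself off again after a reload, check that file for an
# ip_forward entry.

# --- 2. NAT (masquerade) for traffic leaving on the WAN side ------------------
echo "Configuring UFW for NAT..."
if [[ ! -f "$BACKUP_FILE" ]]; then
  sudo cp -- "$BEFORE_RULES" "$BACKUP_FILE"
fi
# The comment line inside the block is the idempotency marker. before.rules is
# not world-readable, so the check itself needs sudo: an unprivileged grep
# would fail and the block would be appended again on every run.
nat_marker="# Forward traffic from ${INTERNAL_IFACE} to ${EXTERNAL_IFACE}"
if ! sudo grep -qF -- "$nat_marker" "$BEFORE_RULES"; then
  sudo tee -a "$BEFORE_RULES" >/dev/null <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
${nat_marker}
-A POSTROUTING -o ${EXTERNAL_IFACE} -j MASQUERADE
COMMIT
EOF
fi

# --- 3. Forwarding rule, LAN -> WAN only --------------------------------------
# Setting DEFAULT_FORWARD_POLICY="ACCEPT" would forward in every direction
# between all interfaces, including from the WAN side into the LAN. A route
# rule scoped to the two interfaces is enough for internet access; replies
# are matched by ufw's built-in established/related handling.
echo "Allowing forwarding from ${INTERNAL_IFACE} to ${EXTERNAL_IFACE}..."
sudo ufw route allow in on "$INTERNAL_IFACE" out on "$EXTERNAL_IFACE"

# LAN hosts may reach every port of the gateway itself, and the gateway may
# send on the WAN side. `ufw allow` skips a rule that already exists, so
# re-running is safe without inspecting `ufw status` first.
echo "Allowing traffic on interfaces..."
sudo ufw allow in on "$INTERNAL_IFACE"
sudo ufw allow out on "$EXTERNAL_IFACE"

# --- 4. Apply -----------------------------------------------------------------
# `ufw reload` re-reads before.rules without the window of no filtering that
# disable/enable opens. An inactive ufw is enabled instead; --force skips the
# interactive confirmation so this works from a non-interactive shell.
echo "Applying UFW changes..."
ufw_state="$(sudo ufw status)"
if [[ "$ufw_state" == "Status: active"* ]]; then
  sudo ufw reload
else
  sudo ufw --force enable
fi

echo "UFW status:"
sudo ufw status verbose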
echo "Configuration complete."
#firewall-cmd高级用法
#✅ 查看已创建的 IP 集合(ipset)
firewall-cmd --permanent --get-ipsets
这个命令会列出你创建的所有 IP 集合，比如：
internal-trusted-ipset
trusted-ipset
#✅ 查看某个 IP 集合中的具体条目
firewall-cmd --permanent --ipset=trusted-ipset --get-entries
firewall-cmd --permanent --ipset=internal-trusted-ipset --get-entries
可以验证你添加的 IP 和网段是否存在于集合中。
#✅ 查看接口绑定在哪个区域
firewall-cmd --get-active-zones
可以看到哪些接口被分配到了哪些区域，比如：
eth0 → internal
docker0 → docker
#✅ 查看某个区域的详细规则
firewall-cmd --list-all --zone=internal
firewall-cmd --list-all --zone=docker
firewall-cmd --list-all --zone=public
可以看到：
- 接口绑定
- 服务(如 ssh 是否允许)
- rich rules(自定义的 IP+端口规则)
- IP 集合引用情况
#✅ 确认规则是否生效
如果你想确保 rich rules 被正确添加，可以查看运行时配置（用 --permanent 添加的规则要在 firewall-cmd --reload 之后才会出现在这里；给查看命令加上 --permanent 则显示持久化配置，便于对比）：
firewall-cmd --zone=internal --list-rich-rules