Firewall-cmd配置端口转发:修订间差异

来自牛奶河Wiki
跳到导航 跳到搜索
无编辑摘要
 
(未显示同一用户的1个中间版本)
第62行: 第62行:
=== Example===
=== Example===
  ## fw.txt
  ## fw.txt
  # win-remote 2
  # win-remote
  port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2
  port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2  
port=32011:proto=tcp:toport=3389:toaddr=192.168.33.5 
  # SSH 22
  # 22
  port=32023:proto=tcp:toport=22:toaddr=192.168.33.3
  port=32023:proto=tcp:toport=22:toaddr=192.168.33.3
port=32024:proto=tcp:toport=22:toaddr=192.168.33.4
port=32026:proto=tcp:toport=22:toaddr=192.168.33.6
port=32027:proto=tcp:toport=22:toaddr=192.168.33.7
port=32028:proto=tcp:toport=22:toaddr=192.168.33.8
port=32035:proto=tcp:toport=22:toaddr=192.168.33.15
port=32036:proto=tcp:toport=22:toaddr=192.168.33.16
port=32045:proto=tcp:toport=22:toaddr=192.168.33.25
port=32046:proto=tcp:toport=22:toaddr=192.168.33.26
port=32053:proto=tcp:toport=22:toaddr=192.168.33.33
  # other
  # other
  port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4
  port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4
第83行: 第73行:
  # web
  # web
  port=33080:proto=tcp:toport=80:toaddr=192.168.33.4
  port=33080:proto=tcp:toport=80:toaddr=192.168.33.4
## M16
# 3389
port=8080:proto=tcp:toport=3389:toaddr=10.10.137.40
port=8081:proto=tcp:toport=3389:toaddr=10.10.137.42
port=8082:proto=tcp:toport=3389:toaddr=10.10.137.202
# 22
port=9016:proto=tcp:toport=22:toaddr=10.10.137.16
port=9033:proto=tcp:toport=22:toaddr=10.10.137.33
port=9088:proto=tcp:toport=22:toaddr=10.10.137.188
# 1521
port=20711:proto=tcp:toport=1521:toaddr=10.10.137.11
port=20771:proto=tcp:toport=1521:toaddr=10.10.137.71
port=20786:proto=tcp:toport=1521:toaddr=10.10.137.186
port=20911:proto=tcp:toport=1521:toaddr=10.10.139.11
port=20912:proto=tcp:toport=1521:toaddr=10.10.139.12
port=20914:proto=tcp:toport=1521:toaddr=10.10.139.14
port=20915:proto=tcp:toport=1521:toaddr=10.10.139.15
port=20939:proto=tcp:toport=1521:toaddr=10.10.139.39
port=20970:proto=tcp:toport=1521:toaddr=10.10.139.70
# 5432
port=21920:proto=tcp:toport=5432:toaddr=10.10.139.20
port=21952:proto=tcp:toport=5432:toaddr=10.10.139.52
port=21507:proto=tcp:toport=5432:toaddr=10.10.105.207
## D81
# 3389
port=8085:proto=tcp:toport=3389:toaddr=172.30.4.73
port=8080:proto=tcp:toport=8080:toaddr=10.10.137.16
port=8081:proto=tcp:toport=8081:toaddr=10.10.137.16
port=8082:proto=tcp:toport=8082:toaddr=10.10.137.16
# 22
port=9016:proto=tcp:toport=9016:toaddr=10.10.137.16
port=9033:proto=tcp:toport=9033:toaddr=10.10.137.16
port=9088:proto=tcp:toport=9088:toaddr=10.10.137.16
# 1521
port=20711:proto=tcp:toport=20711:toaddr=10.10.137.16
port=20771:proto=tcp:toport=20771:toaddr=10.10.137.16
port=20786:proto=tcp:toport=20786:toaddr=10.10.137.16
port=20911:proto=tcp:toport=20911:toaddr=10.10.139.16
port=20912:proto=tcp:toport=20912:toaddr=10.10.139.16
port=20914:proto=tcp:toport=20914:toaddr=10.10.139.16
port=20915:proto=tcp:toport=20915:toaddr=10.10.139.16
port=20939:proto=tcp:toport=20939:toaddr=10.10.139.16
port=20970:proto=tcp:toport=20970:toaddr=10.10.139.16
# 5432
port=21920:proto=tcp:toport=2192:toaddr=10.10.139.16
port=21952:proto=tcp:toport=2195:toaddr=10.10.139.16
port=21507:proto=tcp:toport=2150:toaddr=10.10.105.16


== 参考 ==
== 参考 ==


# [https://www.cnblogs.com/gongjingyun123--/p/12018442.html 防火墙富规则、内部上网]
# [https://www.cnblogs.com/gongjingyun123--/p/12018442.html 防火墙富规则、内部上网]
# [https://sspai.com/post/79278 CloudFlare Tunnel 免费内网穿透的简明教程]


[[分类:Develop]]
[[分类:Develop]]
[[分类:Linux]]
[[分类:Linux]]

2023年12月18日 (一) 09:16的最新版本

firewall status

systemctl status firewalld.service

重新加载防火墙

firewall-cmd --reload

Rule List

firewall-cmd --list-all

设置

检查是否允许伪装IP

firewall-cmd --query-masquerade

  • firewall-cmd --add-masquerade --permanent
  • --add-masquerade  # 允许防火墙伪装IP
  • --remove-masquerade# 禁止防火墙伪装IP

永久生效

  • --permanent 永久生效,否则重启/reload失效

开放端口

  • firewall-cmd --zone=public --add-port=32000-32099/tcp
  • firewall-cmd --zone=public --add-port=33000-33099/udp
  • firewall-cmd --zone=public --remove-port=32000-32099/tcp

转发

  • firewall-cmd --add-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2
  • firewall-cmd --remove-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2

批量添加端口映射

## fw.sh
#!/bin/sh

if [ "$1" == "add" ]; then
    OT="add"
elif [ "$1" == "remove" ]; then
    OT="remove"
else
    echo "Not Parameter."
    exit 1
fi

if [ "$2" == "" ]; then
    LN_NAME="fw.txt"
else
    LN_NAME=$2
fi

cat ${LN_NAME} | while read LN
do
    LN=`echo ${LN} |awk -F"#" '{print \$1}'`
    if [ "${LN}" == "" ]; then
        echo ${OT} ${LN}
    else
        echo ${OT} ${LN}
        firewall-cmd --${OT}-forward-port=${LN}
        firewall-cmd --${OT}-forward-port=${LN} --permanent
    fi
done

Example

## fw.txt
# win-remote
port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2 
# SSH 22
port=32023:proto=tcp:toport=22:toaddr=192.168.33.3
# other
port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4
port=33011:proto=tcp:toport=9200:toaddr=192.168.33.28
port=33020:proto=tcp:toport=8123:toaddr=192.168.33.36
port=33021:proto=tcp:toport=9000:toaddr=192.168.33.36
# web
port=33080:proto=tcp:toport=80:toaddr=192.168.33.4

参考

  1. 防火墙富规则、内部上网
  2. CloudFlare Tunnel 免费内网穿透的简明教程