Firewall-cmd配置端口转发:修订间差异
跳到导航
跳到搜索
无编辑摘要 |
(→参考) |
||
| (未显示同一用户的2个中间版本) | |||
| 第3行: | 第3行: | ||
=== 重新加载防火墙 === | === 重新加载防火墙 === | ||
firewall-cmd | firewall-cmd --reload | ||
=== Rule List === | ===Rule List=== | ||
firewall-cmd | firewall-cmd --list-all | ||
=== 设置 === | ===设置=== | ||
==== 检查是否允许伪装IP ==== | ====检查是否允许伪装IP==== | ||
firewall-cmd | firewall-cmd --query-masquerade | ||
*firewall-cmd | *firewall-cmd --add-masquerade --permanent | ||
* | *--add-masquerade # 允许防火墙伪装IP | ||
* | *--remove-masquerade# 禁止防火墙伪装IP | ||
==== 永久生效 ==== | ====永久生效==== | ||
* | * --permanent 永久生效,否则重启/reload失效 | ||
==== 开放端口 ==== | ====开放端口==== | ||
*firewall-cmd | *firewall-cmd --zone=public --add-port=32000-32099/tcp | ||
*firewall-cmd | *firewall-cmd --zone=public --add-port=33000-33099/udp | ||
*firewall-cmd | *firewall-cmd --zone=public --remove-port=32000-32099/tcp | ||
==== 转发 ==== | ====转发==== | ||
*firewall-cmd | * firewall-cmd --add-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2 | ||
*firewall-cmd | *firewall-cmd --remove-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2 | ||
==== 批量添加端口映射 ==== | ====批量添加端口映射==== | ||
## fw.sh | ## fw.sh | ||
#!/bin/sh | #!/bin/sh | ||
| 第60行: | 第60行: | ||
done | done | ||
=== Example === | === Example=== | ||
## fw.txt | ## fw.txt | ||
# win-remote | # win-remote | ||
port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2 | port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2 | ||
# SSH 22 | |||
# 22 | |||
port=32023:proto=tcp:toport=22:toaddr=192.168.33.3 | port=32023:proto=tcp:toport=22:toaddr=192.168.33.3 | ||
# other | # other | ||
port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4 | port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4 | ||
| 第83行: | 第73行: | ||
# web | # web | ||
port=33080:proto=tcp:toport=80:toaddr=192.168.33.4 | port=33080:proto=tcp:toport=80:toaddr=192.168.33.4 | ||
== 参考 == | |||
# [https://www.cnblogs.com/gongjingyun123--/p/12018442.html 防火墙富规则、内部上网] | |||
# [https://sspai.com/post/79278 CloudFlare Tunnel 免费内网穿透的简明教程] | |||
[[分类:Develop]] | [[分类:Develop]] | ||
[[分类:Linux]] | [[分类:Linux]] | ||
2023年12月18日 (一) 09:16的最新版本
firewall status
systemctl status firewalld.service
重新加载防火墙
firewall-cmd --reload
Rule List
firewall-cmd --list-all
设置
检查是否允许伪装IP
firewall-cmd --query-masquerade
- firewall-cmd --add-masquerade --permanent
- --add-masquerade # 允许防火墙伪装IP
- --remove-masquerade# 禁止防火墙伪装IP
永久生效
- --permanent 永久生效,否则重启/reload失效
开放端口
- firewall-cmd --zone=public --add-port=32000-32099/tcp
- firewall-cmd --zone=public --add-port=33000-33099/udp
- firewall-cmd --zone=public --remove-port=32000-32099/tcp
转发
- firewall-cmd --add-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2
- firewall-cmd --remove-forward-port=port=32010:proto=tcp:toport=3389:toaddr=193.122.104.2
批量添加端口映射
## fw.sh
#!/bin/sh
if [ "$1" == "add" ]; then
OT="add"
elif [ "$1" == "remove" ]; then
OT="remove"
else
echo "Not Parameter."
exit 1
fi
if [ "$2" == "" ]; then
LN_NAME="fw.txt"
else
LN_NAME=$2
fi
cat ${LN_NAME} | while read LN
do
LN=`echo ${LN} |awk -F"#" '{print \$1}'`
if [ "${LN}" == "" ]; then
echo ${OT} ${LN}
else
echo ${OT} ${LN}
firewall-cmd --${OT}-forward-port=${LN}
firewall-cmd --${OT}-forward-port=${LN} --permanent
fi
done
Example
## fw.txt # win-remote port=32010:proto=tcp:toport=3389:toaddr=192.168.33.2 # SSH 22 port=32023:proto=tcp:toport=22:toaddr=192.168.33.3 # other port=33010:proto=tcp:toport=5432:toaddr=192.168.33.4 port=33011:proto=tcp:toport=9200:toaddr=192.168.33.28 port=33020:proto=tcp:toport=8123:toaddr=192.168.33.36 port=33021:proto=tcp:toport=9000:toaddr=192.168.33.36 # web port=33080:proto=tcp:toport=80:toaddr=192.168.33.4