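# Confirm the firewalld unit state, then enable it at boot and start it now.
# NOTE: `systemctl status` exits non-zero (3) while the unit is inactive, so do
# not chain it with `&&` or run this listing under `set -e` before the start step.
sudo systemctl status firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Editing the zone XML directly is usually simpler than a series of firewall-cmd
# calls (CentOS 7 ships a single public.xml by default).
# On Ubuntu the packaged default public.xml lives under /usr/lib/firewalld/zones;
# the copy under /etc/firewalld/zones is the one to edit, and firewalld loads it in
# preference to the packaged default.
sudo vim /etc/firewalld/zones/public.xml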
配置文件修改内容：移除所有 <service> 标签内容，然后添加允许访问的 IP 或 IP 段：
<?xml version="1.0" encoding="utf-8"?>
<!--
  public zone with every <service> entry removed: only traffic that matches one
  of the rich rules below is accepted. Before loading this file, check that the
  address you administer the server from is covered by an accept rule; in this
  sample, port 22/tcp is reachable only from 10.1.1.13, 10.1.2.0/24 and 10.1.3.0/24.
-->
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- Allow a single host to reach every port on this server (no <port/> element means all ports) -->
  <rule family="ipv4">
    <source address="10.1.1.13/32"/>
    <accept/>
  </rule>
  <!-- Allow a subnet to reach every port on this server -->
  <rule family="ipv4">
    <source address="10.1.2.0/24"/>
    <accept/>
  </rule>
  <!-- Allow a subnet to reach a single port (22/tcp, typically SSH) -->
  <rule family="ipv4">
    <source address="10.1.3.0/24"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <!-- Allow a subnet to reach a port range (1000-1200/tcp) -->
  <rule family="ipv4">
    <source address="10.1.4.0/24"/>
    <port protocol="tcp" port="1000-1200"/>
    <accept/>
  </rule>
  <!-- Reject a single host outright (no prefix length: the single address).
       NOTE(review): firewalld is expected to evaluate reject/drop rich rules
       ahead of accept rules regardless of their position in this file; confirm
       against the installed firewalld version. -->
  <rule family="ipv4">
    <source address="10.1.1.1"/>
    <reject/>
  </rule>
</zone>
改完配置文件后重载一下防火墙服务
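# Validate the permanent configuration first so an XML typo in the edited zone
# file is reported here rather than at reload time.
sudo firewall-cmd --check-config
# Make sure the public zone is the one bound to your interface; rules in
# public.xml have no effect on an interface assigned to a different zone.
sudo firewall-cmd --get-active-zones
# With every <service> removed from the zone, the address you are connecting
# from must be covered by an <accept/> rule, otherwise this reload ends the
# remote session. (sudo is needed here as for the other firewall-cmd/systemctl calls.)
sudo firewall-cmd --reload
# Confirm the loaded rules match the edited file.
sudo firewall-cmd --zone=public --list-all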