CentOS 7 Firewall: Common Commands

Start the firewall

systemctl start firewalld.service

Stop the firewall

systemctl stop firewalld.service

Check the firewall status

systemctl status firewalld.service

Enable the firewall at boot

systemctl enable firewalld.service

Disable the firewall at boot

systemctl disable firewalld.service

Open a port (80)

firewall-cmd --zone=public --add-port=80/tcp --permanent    # permanent (takes effect after a reload)
firewall-cmd --zone=public --add-port=80/tcp                # temporary (runtime only, lost on reload)

Port forwarding

firewall-cmd --zone=public --add-masquerade --permanent    # enable IP masquerading
# forward TCP port 80 to port 8080
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

Create a blacklist

# create the blacklist ipset
firewall-cmd --permanent --zone=public --new-ipset=blacklist --type=hash:ip
# drop traffic from sources in the blacklist
firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset=blacklist drop'
# list the blacklist entries
firewall-cmd --ipset=blacklist --get-entries
# add IPs to the blacklist
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=212.237.51.36
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=188.226.191.66
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=80.211.137.182
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=60.191.66.226
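
The blacklist steps above add addresses one command at a time; when the list comes from a file or a log, a validation pass keeps malformed lines out of the firewall. The script below is an added example, not part of the original page: the helper names is_ipv4, blacklist_commands and sample_list and the sample addresses are assumptions, and it only prints the commands (dry run).

```sh
#!/bin/sh
# Added example: validate addresses before they go into the "blacklist" ipset.
# Dry run: the firewall-cmd commands are printed, not executed.
IPSET_NAME="blacklist"   # ipset name used on the page
ZONE="public"            # zone used on the page

# Succeed only for a dotted-quad IPv4 address: four octets, each 0-255,
# no leading zeros (which some tools would read as octal).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one candidate per line on stdin ('#' starts a comment). Print one
# --add-entry command per valid, unique address, then the reload.
# Rejected lines are reported on stderr and never reach a command line.
blacklist_commands() {
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if ! is_ipv4 "$line"; then
            echo "skipped invalid entry: $line" >&2
            continue
        fi
        case $seen in *" $line "*) continue ;; esac
        seen="$seen$line "
        echo "firewall-cmd --permanent --zone=$ZONE --ipset=$IPSET_NAME --add-entry=$line"
    done
    echo "firewall-cmd --reload"
}

# Constructed sample list (documentation address ranges, not real offenders).
sample_list() {
    printf '%s\n' '192.0.2.10' '198.51.100.7   # repeat scanner' \
        '192.0.2.10' '203.0.113.300' '198.51.100'
}

sample_list | blacklist_commands
```

Review the printed commands before running them as root; duplicates and the two malformed sample lines are dropped, so only two --add-entry commands and the reload are emitted.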

Block ping (drop ICMP packets)

firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol value=icmp drop'

Reload the firewall configuration

firewall-cmd --reload