CentOS防火墻操作：開(kāi)啟端口、開(kāi)啟、關(guān)閉、配置

一、基本使用

啟動(dòng)： systemctl start firewalld

關(guān)閉： systemctl stop firewalld

查看狀態(tài)： systemctl status firewalld

開(kāi)機(jī)禁用 ： systemctl disable firewalld

開(kāi)機(jī)啟用 ： systemctl enable firewalld

systemctl是CentOS7的服務(wù)管理工具中主要的工具，它融合之前service和chkconfig的功能于一體

啟動(dòng)一個(gè)服務(wù)：systemctl start firewalld.service

關(guān)閉一個(gè)服務(wù)：systemctl stop firewalld.service

重啟一個(gè)服務(wù)：systemctl restart firewalld.service

顯示一個(gè)服務(wù)的狀態(tài)：systemctl status firewalld.service

在開(kāi)機(jī)時(shí)啟用一個(gè)服務(wù)：systemctl enable firewalld.service

在開(kāi)機(jī)時(shí)禁用一個(gè)服務(wù)：systemctl disable firewalld.service

查看服務(wù)是否開(kāi)機(jī)啟動(dòng)：systemctl is-enabled firewalld.service

查看已啟動(dòng)的服務(wù)列表：systemctl list-unit-files|grep enabled

查看啟動(dòng)失敗的服務(wù)列表：systemctl --failed

二、 配置firewalld-cmd

查看版本： firewall-cmd --version

查看幫助： firewall-cmd --help

顯示狀態(tài)： firewall-cmd --state

查看所有打開(kāi)的端口： firewall-cmd --zone=public --list-ports

更新防火墻規(guī)則： firewall-cmd --reload

查看區(qū)域信息: firewall-cmd --get-active-zones

查看指定接口所屬區(qū)域： firewall-cmd --get-zone-of-interface=eth0

拒絕所有包：firewall-cmd --panic-on

取消拒絕狀態(tài)： firewall-cmd --panic-off

查看是否拒絕： firewall-cmd --query-panic

三、開(kāi)啟防火墻端口

比如，需打開(kāi)防火墻80和3306端口

步驟1：設(shè)置開(kāi)放的端口號(hào)

firewall-cmd --add-service=http --permanent

sudo firewall-cmd --add-port=80/tcp --permanent

sudo firewall-cmd --add-port=3060/tcp --permanent

–permanent永久生效，沒(méi)有此參數(shù)重啟后失效

步驟2：重啟防火墻

firewall-cmd --reload

步驟3：查看開(kāi)放端口號(hào)

firewall-cmd --list-all

四、docker 端口

1.查詢?nèi)萜鞯亩丝?/p>

docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" 

2..容器端口映射,刪除容器的映射

一、安裝sshd服務(wù)

進(jìn)入容器

[root@node01 ~]# docker exec -it c00dfd401fa3 bash

安裝sshd服務(wù)

[root@test /]# yum install -y openssh-server

啟動(dòng)并允許sshd自動(dòng)啟動(dòng)

[root@test /]# systemctl start sshd

[root@test /]# systemctl enable sshd

二、增加sshd使用的22映射端口

1.關(guān)閉容器

[root@node01 ~]# docker stop c00dfd401fa3

2.關(guān)閉docker服務(wù)

[root@node01 ~]# systemctl stop docker

3.獲取container_id

[root@node01 ~]# docker inspect c00dfd401fa3 | grep Id

        "Id": "c00dfd401fa3e907f266695c60d823671caff3ff3ef422152a226064f4342ef8",

4.修改容器配置文件hostconfig.json

vi /var/lib/docker/containers/c00dfd401fa3e907f266695c60d823671caff3ff3ef422152a226064f4342ef8/hostconfig.json

修改配置項(xiàng)"PortBindings":{}為"PortBindings":{"22/tcp":[{"HostIp":"","HostPort":"10022"}]}

5.修改容器配置文件hostconfig.json

vi /var/lib/docker/containers/c00dfd401fa3e907f266695c60d823671caff3ff3ef422152a226064f4342ef8/config.v2.json

修改配置項(xiàng)"ExposedPorts":{}為"ExposedPorts":{"22/tcp":{}}

6.啟動(dòng)docker服務(wù)

[root@node01 ~]# systemctl start docker

7.啟動(dòng)容器

[root@node01 ~]# docker start c00dfd401fa3

8.驗(yàn)證連接容器

外部網(wǎng)絡(luò)通過(guò)10022端口連接容器

C:\Users\yang>ssh root@192.168.162.128 -p 10022

The authenticity of host '[192.168.162.128]:10022 ([192.168.162.128]:10022)' can't be established.

ECDSA key fingerprint is SHA256:DcwfgepkosH8q1N8Kp8XD0iNFL8h1sVKO0Al2Bs4hiE.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '[192.168.162.128]:10022' (ECDSA) to the list of known hosts.

root@192.168.162.128's password:

Last login: Sun Oct 24 04:34:08 2021 from gateway

[root@test ~]#

容器所在的宿主機(jī)連接容器

[root@node01 ~]# ssh root@172.17.0.2 -p 22

root@172.17.0.2's password:

Last login: Sun Oct 24 04:34:02 2021 from 192.168.162.1