Since we now mainly run CentOS 7, the firewall we use is firewalld rather than the iptables of CentOS 6.
On Alibaba Cloud servers the firewall is disabled by default (note that I am talking about the classic network here, not VPC), so as soon as you open a port it is reachable from the public Internet.
First, start the firewall:
service firewalld start
Take Redis on port 6379 as an example and configure it so that only the internal network may access it and the public network may not. Suppose this host's IP is 172.31.27.68 and the IPs allowed to access it are 172.31.27.67 and 172.31.27.69. (The rule text is wrapped in single quotes so the double quotes inside it reach firewall-cmd intact.)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.31.27.67" port protocol="tcp" port="6379" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.31.27.69" port protocol="tcp" port="6379" accept'
Opening a port range:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.31.27.69" port protocol="tcp" port="30000-31000" accept'
Of course, if you want a port to be open to the public network, you can set:
firewall-cmd --zone=public --permanent --add-port=8000/tcp
Then every IP address can access it.
Restart the firewall so the permanent rules take effect:
service firewalld restart
Go into /etc/firewalld/zones and run cat public.xml; you will see:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address="172.31.27.67"/>
    <port protocol="tcp" port="6379"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.31.27.69"/>
    <port protocol="tcp" port="6379"/>
    <accept/>
  </rule>
</zone>
Check the resulting configuration:
firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.31.27.67" port port="6379" protocol="tcp" accept
rule family="ipv4" source address="172.31.27.69" port port="6379" protocol="tcp" accept
To remove this configuration, run:
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="xx.xx.xx.xx" port protocol="tcp" port="6379" accept'
firewall-cmd --zone=public --remove-port=8000/tcp --permanent
After removal the firewall also has to be restarted:
service firewalld restart
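The add and remove steps above, wrapped in a small script so the allow-list can be applied, checked and removed repeatably. This is an added example, not code from the original post. It takes the port 6379, the 172.31.27.x addresses and the zone name public from the post; the function names (rich_rule, port_is_public, apply_allowlist, remove_allowlist) are this example's own, and it activates the permanent configuration with firewall-cmd --reload instead of restarting the firewalld service, because --reload keeps established connections where a service restart drops them. The check in main catches the case where someone later opens 6379/tcp to every source with --add-port, which would make the per-source rules pointless.

```bash
# Added example (not from the original post): helpers around firewall-cmd rich rules.
# Assumed values: port 6379, sources 172.31.27.67/69 and zone "public" from the post.
# Helper names are this example's own. Permanent rules are activated with --reload
# rather than "service firewalld restart".
set -eu

# Print the rich rule text for one IPv4 source and a TCP port or port range.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "$2"
}

# Return 0 when PORT/tcp appears in a space-separated "--list-ports" style string,
# i.e. when the port has been opened to every source address with --add-port.
port_is_public() {
    port="$1"; listed="$2"
    for p in $listed; do
        [ "$p" = "$port/tcp" ] && return 0
    done
    return 1
}

# Add one permanent allow rule per source address, then activate the permanent
# configuration. --reload keeps existing connections; a service restart drops them.
apply_allowlist() {
    port="$1"; shift
    for src in "$@"; do
        firewall-cmd --permanent --add-rich-rule="$(rich_rule "$src" "$port")"
    done
    firewall-cmd --reload
}

# Remove the same rules again (the --remove-rich-rule step from the post).
remove_allowlist() {
    port="$1"; shift
    for src in "$@"; do
        firewall-cmd --permanent --remove-rich-rule="$(rich_rule "$src" "$port")"
    done
    firewall-cmd --reload
}

# Apply the Redis allow-list from the post and verify that 6379/tcp was not also
# opened to the whole Internet with --add-port, which would make the
# per-source rules ineffective.
main() {
    apply_allowlist 6379 172.31.27.67 172.31.27.69
    if port_is_public 6379 "$(firewall-cmd --zone=public --list-ports)"; then
        echo "WARNING: 6379/tcp is open to all sources in zone public" >&2
        return 1
    fi
    firewall-cmd --zone=public --list-rich-rules
}

# Only run on a host that actually has firewalld; the helpers can still be sourced elsewhere.
if command -v firewall-cmd >/dev/null 2>&1; then
    main
fi
```

To undo the change, source the script and call remove_allowlist 6379 172.31.27.67 172.31.27.69; the rule text is generated by the same rich_rule function, so the string passed to --remove-rich-rule always matches the one that was added.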