一、前文

• 基础知识请查阅：Linux系统firewalld防火墙的基本操作
• 进阶知识请查阅：Linux系统firewalld防火墙的进阶操作（日志保存 IP网段 ssh服务）
• 应用实操请查阅：Linux系统firewalld防火墙的应用实操（对外端口开放使用，对内端口限制ip地址使用，不使用端口默认关闭）
• 应用实操请查阅：Linux系统firewalld防火墙的应用实操（禁止屏蔽海外国外IP访问）

二、打开日志

2.1 修改配置

vim /etc/firewalld/firewalld.conf
1

LogDenied=all
1

• 重启firewalld

systemctl restart firewalld
systemctl status firewalld
1
2

2.2 测试验证

• 切换个WiFi，查询本机IP地址
• 使用DataGrip查询下MySQL

[root@iZ2ze30dygwd6yh7gu6lskZ ~]# dmesg | grep -i reject
[47097724.295920] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=173.82.163.104 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=105 ID=55127 DF PROTO=TCP SPT=24717 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097724.305959] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=173.82.163.104 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=91 ID=27553 DF PROTO=TCP SPT=56131 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097734.793855] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=95 ID=15043 DF PROTO=TCP SPT=14917 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097734.802632] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=93 ID=35103 DF PROTO=TCP SPT=4657 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097735.945460] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=87 ID=65303 DF PROTO=TCP SPT=27778 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097735.945936] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=91 ID=4503 DF PROTO=TCP SPT=33155 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097738.009845] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=87 ID=65303 DF PROTO=TCP SPT=27778 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097738.010305] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=45.77.32.235 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=91 ID=4503 DF PROTO=TCP SPT=33155 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0 
[47097960.728848] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=27.149.45.24 DST=172.20.125.57 LEN=52 TOS=0x14 PREC=0x00 TTL=114 ID=47356 DF PROTO=TCP SPT=9096 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097961.752929] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=27.149.45.24 DST=172.20.125.57 LEN=52 TOS=0x14 PREC=0x00 TTL=114 ID=47357 DF PROTO=TCP SPT=9096 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097963.768618] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=27.149.45.24 DST=172.20.125.57 LEN=52 TOS=0x14 PREC=0x00 TTL=114 ID=47358 DF PROTO=TCP SPT=9096 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097965.402544] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=65.108.245.43 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=112 ID=31227 DF PROTO=TCP SPT=569 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097965.626134] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=65.108.245.43 DST=172.20.125.57 LEN=64 TOS=0x14 PREC=0x00 TTL=112 ID=31227 DF PROTO=TCP SPT=569 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097967.768565] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=27.149.45.24 DST=172.20.125.57 LEN=52 TOS=0x14 PREC=0x00 TTL=114 ID=47366 DF PROTO=TCP SPT=9096 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0 
[47097975.768955] FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=27.149.45.24 DST=172.20.125.57 LEN=52 TOS=0x14 PREC=0x00 TTL=114 ID=47367 DF PROTO=TCP SPT=9099 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

2.3 日志保存到本地

• 创建firewalld的运行时日志文件

[root@iZ2ze30dygwd6yh7gu6lskZ ~]# vim /etc/rsyslog.d/firewalld.conf
1

kern.* /var/log/firewalld.log
1

• 修改日志管理工具

[root@iZ2ze30dygwd6yh7gu6lskZ ~]# vim /etc/logrotate.d/syslog
1

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/firewalld.log
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
1
2
3
4
5
6
7
8
9
10
11
12
13

• 重启日志服务
• 打开firewalld.log日志

[root@iZ2ze30dygwd6yh7gu6lskZ ~]# systemctl restart rsyslog.service
[root@iZ2ze30dygwd6yh7gu6lskZ ~]# more /var/log/firewalld.log
Aug 16 00:14:39 iZ2ze30dygwd6yh7gu6lskZ kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:2e:3a:9e:ee:ff:ff:ff:ff:ff:08:00 SRC=120.48.155.162 DST=172.20.125.57 LEN=60 TOS=0x14 PREC=0x00 TTL=52 ID=18745 DF PROTO=TCP SPT=46710 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0 
1
2
3

1

三、允许IP网段

• 早上才查询了办公室的IP是：117.30.82.11
• 下午一测就发现访问不了服务器的数据库了，再查IP，就发现IP变了
• 所以，我们允许IP访问的时候，不能只允许单个IP，应该允许某个IP网段
• IP网段知识点学习请查阅：IP网段知识点学习（IP地址/数字 IP地址段 IP网段 Linux子网掩码 子网/掩码位 IP段起始 IP段结束）
• 操作如下

[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 8080/tcp 443/tcp 8443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="59.61.25.232" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="59.61.25.232" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="59.61.25.232" port port="6379" protocol="tcp" accept
	rule family="ipv4" source address="117.30.82.11" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="117.30.82.11" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="117.30.82.11" port port="6379" protocol="tcp" accept
	
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="117.30.82.11" port port="6379" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="117.30.82.11" port port="22" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="117.30.82.11" port port="3306" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="117.30.82.0/24" port port="3306" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="117.30.82.0/24" port port="22" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="117.30.82.0/24" port port="6379" protocol="tcp" accept'
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --reload
success
[root@iZ2ze30dygwd6yh7gu6lskZ log]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 8080/tcp 443/tcp 8443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="117.30.82.0/24" port port="3306" protocol="tcp" accept
	rule family="ipv4" source address="117.30.82.0/24" port port="22" protocol="tcp" accept
	rule family="ipv4" source address="117.30.82.0/24" port port="6379" protocol="tcp" accept
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

四、关闭ssh

• 慎用！慎用！慎用！重要的事情说三遍！
• firewalld防火墙默认开启ssh服务，而如果我们需要ssh限制特定ip才能使用
• 那么就需要关闭ssh service

觉得好，就一键三连呗（点赞+收藏+关注）