firewall-cmd

```
# 开启防火墙
systemctl start firewalld.service

# 防火墙开机启动
systemctl enable firewalld.service

# 关闭防火墙
systemctl stop firewalld.service

# 查看防火墙状态
firewall-cmd --state

# 查看现有的规则
iptables -nL
firewall-cmd --zone=public --list-ports

# 重载防火墙配置
firewall-cmd --reload

# 添加单个单端口
firewall-cmd --permanent --zone=public --add-port=81/tcp

# 添加多个端口
firewall-cmd --permanent --zone=public --add-port=8080-8083/tcp

# 删除某个端口
firewall-cmd --permanent --zone=public --remove-port=81/tcp

# 针对某个 IP开放端口
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="6379" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.0.233" accept"

# 删除某个IP
firewall-cmd --permanent --remove-rich-rule="rule family="ipv4" source address="192.168.1.51" accept"

# 针对一个ip段访问
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.0.0/16" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9200" accept"

# 添加操作后别忘了执行重载
firewall-cmd --reload
```

## 端口转发
通过外网代理访问内网数据库

- 外网代理
  - 外网ip 1.1.1.1
  - 内网IP 2.2.2.1

- 内网数据库
  - 内网ip 2.2.2.2

```
# 允许端口转发(iptables -I INPUT FORWARD -j ACCEPT)
firewall-cmd --permanent --zone=public --add-masquerade
# 检查是否允许 NAT 转发
firewall-cmd --query-masquerade
# 禁止防火墙 NAT 转发
firewall-cmd --remove-masquerade

# 使用nat
firewall-cmd --permanent --direct --passthrough ipv4  -t nat -I PREROUTING -i eth1 -p tcp --dst 1.1.1.1--dport 11521 -j DNAT --to-destination 2.2.2.2:1521

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -d 2.2.2.2 -j SNAT --to 2.2.2.1

# 端口转发
firewall-cmd --add-forward-port=proto=11521:proto=tcp:toaddr=2.2.2.2:toport=1521
```