官网
https://firewalld.org
使用ipset
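## List the ipset types supported by this firewalld install (e.g. hash:net, hash:ip)
firewall-cmd --get-ipset-types

## IPv4: create an ipset named "blacklist" of type hash:ip.
## hash:ip holds single addresses; use hash:net if CIDR ranges must be blocked.
firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip
## Add the entry to the permanent configuration BEFORE the reload. An entry
## added with --permanent after the reload only exists on disk and is not
## enforced until the next reload or restart.
firewall-cmd --permanent --ipset=blacklist --add-entry=118.186.17.9
## Drop all traffic whose source address is in the set. No --zone is given, so
## the rule is attached to the default zone only; interfaces bound to other
## zones are not covered.
firewall-cmd --permanent --add-rich-rule='rule source ipset=blacklist drop'
## Load the permanent configuration into the running firewall
firewall-cmd --reload
## To block another address later without a reload, run --add-entry twice:
## once without --permanent (takes effect now) and once with it (survives reloads).

## Show the ipset definition and the addresses currently in it
firewall-cmd --info-ipset=blacklist

## IPv6: the set needs family=inet6; without it an ipset holds IPv4 addresses
firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:ip --option=family=inet6
## Entries and the rich rule are written with --permanent so the block list is
## not silently lost on the next reload or reboot (runtime-only changes are).
firewall-cmd --permanent --ipset=blacklist6 --add-entry=fe80::07FF:0004
firewall-cmd --permanent --ipset=blacklist6 --add-entry=fe80::07FF:0006
firewall-cmd --permanent --ipset=blacklist6 --add-entry=fe80::07FF:0008
firewall-cmd --permanent --ipset=blacklist6 --add-entry=fe80::07FF:0010
firewall-cmd --permanent --add-rich-rule='rule source ipset=blacklist6 drop'
firewall-cmd --reload
## Confirm the rules are active in the running configuration
firewall-cmd --list-rich-rules

## Alternative without an ipset: reject a single IPv4 source address directly.
## "reject" answers with an ICMP error, whereas "drop" discards silently.
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=43.229.53.61 reject"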