firewall端口策略以及转发
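# firewalld port policy and forwarding -- runtime rules.
# NOTE: none of these use --permanent, so they change the running firewall
# only and are lost on `firewall-cmd --reload` or a firewalld restart; add
# --permanent (and then --reload) to persist a rule.
firewall-cmd --add-service=mysql       # allow the predefined mysql service
firewall-cmd --remove-service=http     # block the predefined http service
firewall-cmd --list-services           # show the allowed services
firewall-cmd --add-port=3306/tcp       # allow tcp access to port 3306
firewall-cmd --remove-port=80/tcp      # block tcp access to port 80 (port spec is PORT/PROTO; "80tcp" is rejected)
firewall-cmd --add-port=233/udp        # allow udp access to port 233
firewall-cmd --list-ports              # show the allowed ports

# Forward local tcp/80 to local port 8080.
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

# Forward tcp/80 to host 192.168.0.1 on the same port.
# Forwarding to another host also needs kernel IP forwarding
# (net.ipv4.ip_forward = 1) and masquerade enabled on the zone.
# The key is "port=", not "proto=", and the target must be a valid IPv4 address.
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1

# Forward tcp/80 to host 192.168.0.1 on port 8080.
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080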
注意点:
使用 firewalld 做端口转发前，首先要修改下面的内核参数（开启 IP 转发）：
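# Persistent forwarding setup.
# 1) Enable kernel IP forwarding. Make sure /etc/sysctl.conf contains the line
#      net.ipv4.ip_forward = 1
#    (it is a sysctl setting, not a shell command), then load the file.
sysctl -p
# Verify the setting actually took effect before adding forward rules.
[ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || echo "net.ipv4.ip_forward is not 1" >&2

# 2) Make sure firewalld is running.
systemctl start firewalld
firewall-cmd --version

# 3) Masquerade is zone-wide: it NATs all traffic leaving this zone, not just
#    the forwarded port, so enable it only on the zone that needs it.
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-forward-port=port=90:proto=tcp:toaddr=10.24.5.71:toport=90

# 4) --permanent rules are written to the config only; reload so they become
#    active. Without this, --list-all (runtime view) will not show them.
firewall-cmd --reload
firewall-cmd --list-all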