
CentOS Linux release 7 (64-bit): the iptables firewall and the firewalld firewall


  • The iptables firewall


In CentOS 7.0 the default firewall is firewalld, which differs from earlier versions that used iptables. This point is important!

So if you want to configure the firewall and open ports, you can proceed as follows:

1. Stop firewalld:

  • systemctl stop firewalld.service # stop firewalld
  • systemctl disable firewalld.service # keep firewalld from starting at boot
  • firewall-cmd --state # show the firewall state ("not running" when stopped, "running" when started)


2. Install the iptables firewall

  1. yum install iptables-services # install the service
  2. iptables -L -n # list all current iptables rules


From here on, everything works just as it does with classic iptables. To open a port (port 80 as the example; the added rule is the -A INPUT line below):

  • vi /etc/sysconfig/iptables
  • -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # allow port 80 through the firewall


############################## Firewall rules after the addition ##############################
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note: ports 80 and 8080 are used as examples here. The added rule normally goes directly above or below the line "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT". Never add it as the last line: a rule placed after the final "-A INPUT -j REJECT" rule is never reached, so it has no effect after the firewall restarts.

  1. systemctl restart iptables.service # finally, restart the firewall so the configuration takes effect
  2. systemctl enable iptables.service # start the firewall at boot
  3. systemctl start iptables.service # start the firewall
  4. systemctl stop iptables.service # stop the firewall
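The placement mistake the note above warns about can be caught before the rules are loaded. The following script is an added example, not part of the original post: it parses a constructed /etc/sysconfig/iptables-style ruleset, reports INPUT rules that sit after the chain's final unconditional REJECT or DROP (where they can never match), and shows how to insert a new rule directly above that terminal rule instead.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an
# /etc/sysconfig/iptables-style file for INPUT rules placed after the
# chain's final unconditional REJECT/DROP, where they can never match.

# Constructed sample: the ruleset above with a port-8080 rule wrongly
# appended after the "-A INPUT -j REJECT" line.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT'

# Print each "-A INPUT" rule that follows an INPUT rule with no match
# criteria and a REJECT or DROP target (the chain is dead past that point).
unreachable_input_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            if (terminal) { print; next }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) terminal = 1
        }'
}

# Number of unreachable INPUT rules, usable as a pre-deploy check.
count_unreachable_input_rules() {
    unreachable_input_rules "$1" | awk 'END { print NR }'
}

# Emit the ruleset with a new rule inserted directly above the terminal
# INPUT REJECT/DROP rule: the position the note above recommends.
insert_before_terminal() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        !done && $1 == "-A" && $2 == "INPUT" && $3 == "-j" &&
            ($4 == "REJECT" || $4 == "DROP") { print rule; done = 1 }
        { print }'
}

# Report on the constructed sample.
echo "Unreachable INPUT rules in sample: $(count_unreachable_input_rules "$SAMPLE_RULES")"
unreachable_input_rules "$SAMPLE_RULES"
```

To check a real file, pass its contents in the same way: count_unreachable_input_rules "$(cat /etc/sysconfig/iptables)".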

  • The firewalld firewall

After the system is upgraded to CentOS 7.0, the old way of opening firewall ports no longer works: iptables can no longer be used to control the ports on Linux, because firewalld has replaced the original iptables.

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:

  • drop: Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
  • block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
  • public: For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
  • external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
  • dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
  • work: For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
  • home: For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
  • internal: For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
  • trusted: All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.


1. firewalld commands

  • systemctl stop firewalld.service # stop firewalld
  • systemctl start firewalld.service # start firewalld
  • systemctl restart firewalld.service # restart firewalld
  • systemctl enable firewalld.service # start firewalld at boot
  • systemctl disable firewalld.service # keep firewalld from starting at boot
  • firewall-cmd --state # show the firewall state ("not running" when stopped, "running" when started)


Open a port:

  1. firewall-cmd --zone=public --add-port=80/tcp --permanent

To open a range of ports:

  1. firewall-cmd --zone=public --add-port=80-88/tcp --permanent

Meaning of the options:

  1. --zone # the zone the rule applies to
  2. --add-port=80/tcp # add a port, in the form port/protocol
  3. --permanent # make the rule permanent; without this option it is lost after a restart

Then reload the firewall so the permanent rules take effect:

  1. firewall-cmd --reload

Related article:

CentOS 7 commands for opening firewall ports: https://blog.csdn.net/junehappylove/article/details/73863431




Reposted from blog.csdn.net/m0_38140657/article/details/80826170