CentOS 7 firewalld configuration in detail, and switching the firewall to iptables

Firewall configuration

Note: the operations below only take effect after firewalld has been restarted: service firewalld restart # restart

  1. System configuration directory
/usr/lib/firewalld/services

This directory holds the predefined network services and their port parameters; these system definitions must not be modified.

  2. User configuration directory
/etc/firewalld/

  3. How to add a custom port
    Users can add ports either by modifying the configuration files or by command; note that changes made by command are also written to the configuration files under /etc/firewalld/.
  • Add a port by command
firewall-cmd --permanent --add-port=9527/tcp

Parameter description:

1. firewall-cmd: the tool Linux provides for operating the firewall;
2. --permanent: makes the setting persistent;
3. --add-port: specifies the port to add;

In addition, firewalld has the concept of zones; a specific port can be assigned to the configuration file of a specific zone.
For example, adding port 8010:

firewall-cmd --zone=public --permanent --add-port=8010/tcp
--zone=public: specifies the zone as public;
[root@app-test zones]# more public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8082"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8081"/>
</zone>

If --zone=dmz is set instead, the port is added to the dmz.xml file.

  • Add a port by modifying the configuration file
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <rule family="ipv4">
    <source address="122.10.70.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="123.60.255.14"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow a specified IP to the specified port and protocol -->
    <source address="192.249.87.114"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- no <source> element: allow any IP to reach port 9527 on the server -->
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>

From the configuration file above, it can be seen that:

1. The required rules are added: source IP 122.10.70.234 is allowed to port 514, protocol tcp;
2. source IP 123.60.255.14 is allowed to ports 10050-10051, protocol tcp;
3. any source IP is allowed to port 9527, protocol tcp;
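An added example, not code from the original article: a small standard-library Python audit script that parses a firewalld zone file in the format shown above and lists what each accept rule exposes. Rules with no <source> element are reported as open to any address, which is exactly the case of the 9527 rule above; the zone text embedded in the script is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone file in the format shown above (not a real host's file).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="122.10.70.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>
"""

def zone_exposure(xml_text):
    """Return (source, target) pairs the zone accepts: source is an address or
    'any'; target is 'proto/port' or 'service:name'.  Zone-level <service> and
    <port> entries apply to every source the zone covers, and a <rule> with no
    <source> matches any address, so both are reported with source 'any'."""
    root = ET.fromstring(xml_text)
    exposure = []
    for svc in root.findall("service"):      # direct children only
        exposure.append(("any", "service:" + svc.get("name")))
    for port in root.findall("port"):
        exposure.append(("any", f"{port.get('protocol')}/{port.get('port')}"))
    for rule in root.findall("rule"):
        if rule.find("accept") is None:      # drop/reject rules do not widen exposure
            continue
        src = rule.find("source")
        source = src.get("address", "ipset/mac") if src is not None else "any"
        for port in rule.findall("port"):
            exposure.append((source, f"{port.get('protocol')}/{port.get('port')}"))
        for svc in rule.findall("service"):
            exposure.append((source, "service:" + svc.get("name")))
    return exposure

def unrestricted(exposure):
    """Targets reachable from any source address, sorted for reporting."""
    return sorted(target for source, target in exposure if source == "any")

if __name__ == "__main__":
    for source, target in zone_exposure(SAMPLE_ZONE_XML):
        print(f"{source:>16} -> {target}")
```

Run it against the files under /etc/firewalld/zones/ to see which ports and services a zone accepts from everywhere versus from listed addresses.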

Commonly used firewalld commands

  1. Restart, stop and start the firewalld.service service
service firewalld restart # restart
service firewalld start # start
service firewalld stop # stop
  2. View the firewall service status
systemctl status firewalld
  3. View the firewall state
firewall-cmd --state
  4. View the firewall rules
firewall-cmd --list-all
[root@app-test firewalld]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp8s0
  sources:
  services: ssh dhcpv6-client
  ports: 8082/tcp 8080/tcp 8081/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Switching CentOS to the iptables firewall

To switch to iptables, first turn off the default firewalld, then install the iptables service.

  1. Stop firewalld
service firewalld stop
systemctl disable firewalld.service # prevent firewalld from starting at boot
  2. Install the iptables firewall
yum install -y iptables-services # install
  3. Edit the iptables firewall configuration
vi /etc/sysconfig/iptables # edit the firewall configuration file

Below is a complete configuration file:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

:wq # save and exit

service iptables start # start
systemctl enable iptables.service # start the firewall at boot

Open a port with an INPUT rule

iptables -I INPUT -p tcp --dport 8011 -j ACCEPT # open port 8011
/etc/rc.d/init.d/iptables save # save the configuration
/etc/rc.d/init.d/iptables restart # restart the service
/etc/init.d/iptables status # check whether the port is now open


Source: www.linuxidc.com/Linux/2020-03/162669.htm