Firewall settings
- # View firewall service status systemctl status firewalld
- # View the status of firewall firewall-cmd --state
- # View firewall rules firewall-cmd --list-all
- # Start firewalld.service service systemctl firewalld start
- # Restart firewalld.service service systemctl firewalld restart
- # Close firewalld.service service systemctl firewalld stop
- # Query whether the irewalld port is open firewall-cmd --query-port=8080/tcp
- # Open port 80 firewall-cmd --permanent --add-port=80/tcp
- # Unopen port 8080 firewall-cmd --permanent --remove-port=8080/tcp
- # Refresh the firewall configuration (refresh the firewall after modifying the configuration) firewall-cmd --reload
Starting from CentOS7, there is no iptables by default, but firewall is used. Now we block the firewall and use iptables.
Install iptables-service
1. Stop and block firewalld service
停止:systemctl stop firewalld
屏蔽:systemctl mask firewalld
2. Install the iptables-service package
yum install iptables-services
3. Enable iptables service at boot
systemctl enable iptables
4. Start the iptables service
systemctl start iptables
5. Save firewall rules
service iptables save
Configure iptables
vim /etc/sysconfig/iptables
1. Linux firewall Iptable settings only allow access to port 80
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
2. Only allow 192.168.11.124 to access port 8080 of the machine
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.11.124 --dport 80 -j ACCEPT
3. Restart iptables
service iptables restart
4. Check whether iptables takes effect
iptables -L
Port forwarding configuration
1. The first thing you should do is net.ipv4.ip_forward = 1 in the /etc/sysctl.conf configuration file. The default is 0. This allows iptalbes FORWARD.
2, service iptables stop close the firewall
3. Reconfigure the rules
Forward native 80 to 8090
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8090
#iptables -t nat -A PREROUTING --dst 61.144.14.72 -p tcp --dport 3389 -j DNAT --to-destination 116.6.73.229:3389
#iptables -t nat -A POSTROUTING --dst 116.6.73.229 -p tcp --dport 3389 -j SNAT --to-source 61.144.14.72
4. Save the current rules to the configuration file (/etc/sysconfig/iptables)
service iptables save
You can also directly modify the configuration file content configuration rules, the file content:
# Generated by iptables-save v1.4.7 on Thu Feb 20 18:05:24 2020
*nat
:PREROUTING ACCEPT [33:3209]
:POSTROUTING ACCEPT [18:1206]
:OUTPUT ACCEPT [18:1206]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8090
COMMIT
# Completed on Thu Feb 20 18:05:24 2020