Keywords: Linux CentOS firewall iptables
The firewall programs in CentOS are mainly firewalld and iptables. The firewalld service is installed by default in CentOS 7, while the iptables service must be installed with yum install iptables-services.
Note: The following demos are all performed on CentOS 7; other versions are similar.
1. firewalld related operations
View firewall status
firewall-cmd --state
Turn off firewall
systemctl stop firewalld.service
Turn on firewall
systemctl start firewalld.service
Disable startup firewall
systemctl disable firewalld.service
2. iptables related operations
2.1 General commands
The iptables service needs to be installed by itself, the command is:
yum install iptables-services
As shown in the figure:
The command to open the iptables firewall is:
systemctl start iptables.service
The command to restart the iptables firewall is:
systemctl restart iptables.service
The command to turn off the iptables firewall is:
systemctl stop iptables.service
The command to view the iptables firewall status is:
systemctl status iptables.service
As shown in the figure:
2.2 Open specific ports by editing files
In many cases the firewall must stay enabled while only specific ports are released. How do you release port 50070 with the firewall enabled? Follow the steps below.
2.2.1 Modifying the rules
The work is mainly editing the /etc/sysconfig/iptables file. There are many ways to edit it: you can use vim on the server, or download the file and edit it with local tools.
Change the original line :INPUT ACCEPT [0:0] to :INPUT DROP [0:0]
Change the original line :FORWARD ACCEPT [0:0] to :FORWARD DROP [0:0]
Change the original line :OUTPUT ACCEPT [0:0] to :OUTPUT ACCEPT [0:480] (the bracketed values are the chain's packet and byte counters, not part of the policy, so only the policy word matters)
2.2.2 Add released ports
At the end of the iptables file are the following three lines:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Add a line before these three lines to release port 50070 (it must come before the REJECT line, otherwise the REJECT matches first):
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
Similarly, if you want to release port 80, add a line:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
After modification, my /etc/sysconfig/iptables file looks like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:480]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
2.2.3 Restart the iptables firewall
Execute the command to restart the iptables firewall; the command is:
systemctl restart iptables.service
As shown in the figure:
2.2.4 Test the effect of releasing the port
With firewalld stopped using the command systemctl stop firewalld.service and iptables started using the command systemctl start iptables.service, but before the /etc/sysconfig/iptables file has been configured to release port 50070, the address http://192.168.27.134:50070/dfshealth.html#tab-overview
cannot be accessed, as shown in the figure:
After the /etc/sysconfig/iptables file has been configured with the rule releasing port 50070 and the iptables firewall has been restarted, accessing the address http://192.168.27.134:50070/
again now works, as shown in the figure:
2.3 Open specific ports by executing commands
2.3.1 Execute commands
Without manually editing the iptables firewall's configuration file, the following set of commands releases some commonly used ports:
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8088 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p tcp --dport 50070 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
systemctl restart iptables.service
As shown in the figure:
2.3.2 Test
The test method is the same as in section 2.2.4; the effect of opening the port is the same.
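An added check (example script, not from the original post) that reads an iptables-save style ruleset, such as the 2.2.2 file or the live ruleset produced by the 2.3.1 commands via $(iptables-save), and confirms that a TCP port's ACCEPT rule in INPUT sits before the chain's catch-all REJECT/DROP rule, the ordering mistake that makes a rule appended after the REJECT line silently ineffective. The sample rulesets are constructed (the first copied from the 2.2.2 file) and port_allowed is a name chosen here.

```shell
#!/bin/sh
# Constructed sample: the post's final /etc/sysconfig/iptables contents.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:480]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed mistake: the ACCEPT was added after the catch-all REJECT.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
COMMIT'

# port_allowed RULES PORT: exit 0 when an "-A INPUT ... --dport PORT ... -j ACCEPT"
# line exists and is reached before any unconditional "-A INPUT -j REJECT|DROP".
# A chain with only a DROP policy and no catch-all rule is handled by the END block.
port_allowed() {
  rules=$1; port=$2
  printf '%s\n' "$rules" | awk -v port="$port" '
    /^-A INPUT / {
      # Catch-all: no match options between the chain name and the target.
      if ($0 ~ /^-A INPUT -j (REJECT|DROP)/) { if (found) exit 0; else exit 1 }
      if ($0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Stand-alone demonstration; against a live host use: port_allowed "$(iptables-save)" 50070
if port_allowed "$SAMPLE_RULES" 50070; then echo "50070: ACCEPT precedes the REJECT, port reachable"; fi
if ! port_allowed "$SAMPLE_RULES" 80; then echo "80: no ACCEPT rule, rejected"; fi
if ! port_allowed "$BAD_RULES" 50070; then echo "50070 (bad file): ACCEPT sits after the REJECT, never matches"; fi
```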
https://blog.csdn.net/pucao_cug/article/details/71758883