Firewall related commands in CentOS7


        The firewall programs in CentOS are mainly firewalld and iptables. The firewalld service is installed by default in CentOS7; the iptables service has to be installed with yum install iptables-services.

       Note: the following demos were all performed on CentOS7; other versions are similar.

 

1. Firewall related operations

 

View firewall status

firewall-cmd --state

Turn off firewall

systemctl stop firewalld.service

Turn on firewall

systemctl start firewalld.service

Disable firewall at startup

systemctl disable firewalld.service

 

How to open a port

Add

firewall-cmd --zone=public --add-port=80/tcp --permanent

(--permanent writes the rule into the permanent configuration; without it the rule exists only in the running firewall and is lost when firewalld reloads or the machine restarts. A --permanent change, in turn, is not active until the next --reload.)

Reload

firewall-cmd --reload

Check

firewall-cmd --zone=public --query-port=80/tcp

Delete

firewall-cmd --zone=public --remove-port=80/tcp --permanent
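The two mistakes the note above describes, adding a port without --permanent or adding it with --permanent and never reloading, both leave firewalld's runtime and permanent port lists out of step. As an added example (not code from the original post), the POSIX shell function below compares the two lists for a zone and names every port that appears in only one of them. The function names and the sample lists are constructed for this illustration; on a live host the two firewall-cmd --list-ports invocations in check_zone supply the real lists.

```shell
#!/bin/sh
# Added example, not from the original post: report ports that are present in only one
# of firewalld's two configurations for a zone. A port only in the runtime list was added
# without --permanent and disappears on reload/reboot; a port only in the permanent list
# was added with --permanent but never activated with --reload.

# diff_ports RUNTIME PERMANENT
#   Both arguments are space-separated "port/proto" lists, in the format printed by
#   firewall-cmd --zone=ZONE --list-ports  and  firewall-cmd --zone=ZONE --permanent --list-ports
#   Prints one line per discrepancy; returns 0 when the lists agree, 1 otherwise.
diff_ports() {
    runtime=$1
    permanent=$2
    rc=0
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;
            *) echo "runtime-only (lost on reload/reboot): $p"; rc=1 ;;
        esac
    done
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;
            *) echo "permanent-only (not active until --reload): $p"; rc=1 ;;
        esac
    done
    return $rc
}

# check_zone ZONE  (default: public) -- feeds the live firewall-cmd output to diff_ports
check_zone() {
    zone=${1:-public}
    diff_ports "$(firewall-cmd --zone="$zone" --list-ports)" \
               "$(firewall-cmd --zone="$zone" --permanent --list-ports)"
}

# Constructed sample lists (not captured from a real host): 80/tcp was added with
# --permanent and reloaded, 8080/tcp was added only at runtime, and 50070/tcp was added
# with --permanent but not yet reloaded.
SAMPLE_RUNTIME="80/tcp 8080/tcp"
SAMPLE_PERMANENT="80/tcp 50070/tcp"

if command -v firewall-cmd >/dev/null 2>&1; then
    check_zone "${1:-public}" || echo "zone configuration is inconsistent"
else
    diff_ports "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "zone configuration is inconsistent"
fi
```

Run it after every change to a zone: an empty report means the running firewall and the configuration that survives a reboot agree, which is the state the add, reload, check sequence above is meant to reach.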

 

 

2. iptables related operations

 

2.1 General commands

       The iptables service is not installed by default; install it with:

yum install iptables-services

As shown in the figure:

       firewalld and iptables.service manage the same kernel rules and are not meant to run side by side, so stop and disable firewalld (section 1) before starting iptables.service.

       The command to start the iptables firewall is:

systemctl start iptables.service

       The command to restart the iptables firewall is:

systemctl restart iptables.service

The command to stop the iptables firewall is:

systemctl stop iptables.service

The command to view the iptables firewall status is:

systemctl status iptables.service

As shown in the figure:

2.2 Open specific ports by editing files

         In many cases the firewall has to stay enabled while a few specific ports are allowed through. How do you allow port 50070 with the firewall running? Follow the steps below.

2.2.1 Modifying the rules

    Edit the /etc/sysconfig/iptables file.

    Change the original line     :INPUT ACCEPT [0:0]      to      :INPUT DROP [0:0]

    Change the original line     :FORWARD ACCEPT [0:0]    to      :FORWARD DROP [0:0]

    Change the original line     :OUTPUT ACCEPT [0:0]     to      :OUTPUT ACCEPT [0:480]

    These lines set the default policy of each chain: with DROP, any packet that no later rule accepts is silently discarded. The numbers in brackets are the packet:byte counters that iptables-save records; they have no effect on the policy, so [0:0] and [0:480] behave identically.

2.2.2 Add released ports

          At the end of the iptables file are the following three lines:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

          Add a line before these three lines to allow port 50070:

-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT

          Similarly, to allow port 80, add the line:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

 

          After modification, my /etc/sysconfig/iptables file looks like this:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:480]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

2.2.3 Restart iptables firewall

      Execute the command to restart the iptables firewall:

systemctl restart iptables.service
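Because the INPUT policy is now DROP, a rules file that has lost its loopback, RELATED,ESTABLISHED or SSH accept line locks the administrator out at the restart in 2.2.3. As an added example (not code from the original post), the POSIX shell script below automates the edit from 2.2.2 and runs that check before the restart. The function names allow_tcp_port and check_rules are hypothetical, and the sample rules file is a constructed copy of the listing above; on a real host point both functions at /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the original post: edit and sanity-check an iptables-save style
# rules file (such as /etc/sysconfig/iptables) before the iptables service is restarted.

# allow_tcp_port FILE PORT
#   Inserts "-A INPUT -p tcp -m tcp --dport PORT -j ACCEPT" immediately before the final
#   "-A INPUT -j REJECT" line, the position the post uses. Idempotent: a port that is
#   already accepted by some INPUT rule is not added twice.
allow_tcp_port() {
    file=$1
    port=$2
    rule="-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    if grep -q -e "^-A INPUT .*--dport $port -j ACCEPT" "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v rule="$rule" '
        !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# check_rules FILE
#   With ":INPUT DROP" as the chain policy, every packet that no rule accepts is dropped,
#   so the file must still accept loopback, reply traffic and SSH or the next restart
#   locks the administrator out. Prints one "MISSING: ..." line per absent safeguard and
#   returns 1 if anything is missing, 0 otherwise.
check_rules() {
    file=$1
    rc=0
    if grep -q -e '^:INPUT DROP' "$file"; then
        grep -q -e '^-A INPUT -i lo -j ACCEPT' "$file" \
            || { echo "MISSING: loopback accept rule (-A INPUT -i lo -j ACCEPT)"; rc=1; }
        grep -q -e '^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' "$file" \
            || { echo "MISSING: RELATED,ESTABLISHED accept rule"; rc=1; }
        grep -q -e '^-A INPUT .*--dport 22 -j ACCEPT' "$file" \
            || { echo "MISSING: SSH (tcp/22) accept rule"; rc=1; }
    fi
    grep -q -e '^COMMIT$' "$file" || { echo "MISSING: COMMIT line"; rc=1; }
    return $rc
}

# Demo on a constructed copy of the rules file shown in the post, before the 50070 line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:480]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
allow_tcp_port "$SAMPLE" 50070
allow_tcp_port "$SAMPLE" 80
if check_rules "$SAMPLE"; then
    echo "rules file passed the checks:"
    cat "$SAMPLE"
fi
rm -f "$SAMPLE"
```

Run check_rules on the edited file and only then systemctl restart iptables.service. As root, iptables-restore --test FILE additionally parses the file without loading it, which catches syntax slips such as a missing space between an argument and -j.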
