The firewall programs in CentOS are mainly firewalld and iptables. CentOS 7 installs the firewalld service by default; the iptables service must be installed separately with yum install iptables-services.
Note: the following demonstrations were all performed on CentOS 7; other versions are similar.
1. Firewall related operations
View firewall status
firewall-cmd --state
Turn off firewall
systemctl stop firewalld.service
Turn on firewall
systemctl start firewalld.service
Disable startup firewall
systemctl disable firewalld.service
How to open a port
Add
firewall-cmd --zone=public --add-port=80/tcp --permanent
(--permanent makes the rule persistent; without this parameter the rule is lost after firewalld is restarted.)
Reload
firewall-cmd --reload
Check
firewall-cmd --zone=public --query-port=80/tcp
Delete
firewall-cmd --zone=public --remove-port=80/tcp --permanent
2. iptables related operations
2.1 General commands
The iptables service must be installed by hand; the command is:
yum install iptables-services
As shown in the figure:
Because firewalld and iptables-services both manage the same kernel netfilter rules, stop and disable firewalld (see section 1) before starting iptables. The command to start the iptables firewall is:
systemctl start iptables.service
The command to restart the iptables firewall is:
systemctl restart iptables.service
The command to turn off the iptables firewall is:
systemctl stop iptables.service
The command to view the iptables firewall status is:
systemctl status iptables.service
As shown in the figure:
2.2 Open specific ports by editing files
In many cases the firewall must stay enabled while only specific ports are released. How do you release port 50070 with the firewall enabled? Follow the steps below.
2.2.1 Modifying the rules
Edit the /etc/sysconfig/iptables file:
Change the original line :INPUT ACCEPT [0:0] to :INPUT DROP [0:0]
Change the original line :FORWARD ACCEPT [0:0] to :FORWARD DROP [0:0]
Change the original line :OUTPUT ACCEPT [0:0] to :OUTPUT ACCEPT [0:480]
(The numbers in brackets are only the chain's packet and byte counters as written by iptables-save; the OUTPUT policy itself stays ACCEPT, so only the INPUT and FORWARD policies actually change.)
2.2.2 Add released ports
At the end of the iptables file are the following three lines:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Add a line before these three lines that releases port 50070:
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
Similarly, to release port 80, add the line:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
After the modification, my /etc/sysconfig/iptables file looks like this:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:480]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
2.2.3 Restart iptables firewall
Run the command to restart the iptables firewall so that the edited rules file is loaded:
systemctl restart iptables.service
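The three steps of section 2.2 can be done by script instead of by hand. The following is an added example, not code from the original post: it performs the edits of 2.2.1 and 2.2.2 on a rules file in the /etc/sysconfig/iptables format, inserting the ACCEPT rule idempotently before the final INPUT REJECT line, and refuses to switch the INPUT policy to DROP unless an ACCEPT for tcp/22 already precedes that REJECT, so a remote SSH session is not locked out. It assumes POSIX sh with awk and sed, and works on a constructed copy of the stock CentOS 7 file in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: edits a rules file in the
# /etc/sysconfig/iptables (iptables-save) format the way section 2.2 does,
# but idempotently and with a lockout check. Assumes POSIX sh, awk, sed.

# Print the policy of a chain (":INPUT DROP [0:0]" -> "DROP").
chain_policy() {
  awk -v c=":$2" '$1 == c { print $2; exit }' "$1"
}

# Switch INPUT and FORWARD policies from ACCEPT to DROP (section 2.2.1).
set_input_forward_drop() {
  tmp="$1.tmp.$$"
  sed -e 's/^:INPUT ACCEPT /:INPUT DROP /' \
      -e 's/^:FORWARD ACCEPT /:FORWARD DROP /' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Insert an ACCEPT rule for a TCP port just before the final INPUT REJECT
# line (section 2.2.2). Skips the insert if the port is already released.
add_tcp_port() {
  file=$1; port=$2
  grep -q -- "--dport $port -j ACCEPT" "$file" && return 0
  tmp="$file.tmp.$$"
  awk -v rule="-A INPUT -p tcp -m tcp --dport $port -j ACCEPT" '
    !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
    { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 only if an ACCEPT for tcp/22 precedes the INPUT REJECT line, so a
# remote admin session survives the switch to a DROP policy.
ssh_still_allowed() {
  awk '/^-A INPUT -j REJECT/ { stop = 1 }
       !stop && /^-A INPUT .*--dport 22 -j ACCEPT/ { found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample (the stock CentOS 7 layout), edited in a temp dir rather
# than in /etc/sysconfig/iptables.
work=$(mktemp -d); rules="$work/iptables"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
  '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
  '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
  '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
  '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$rules"
if ssh_still_allowed "$rules"; then
  add_tcp_port "$rules" 50070 && set_input_forward_drop "$rules" && cat "$rules"
else
  echo "refusing: no tcp/22 ACCEPT before the REJECT line" >&2
fi
rm -rf "$work"
```

To apply it to the real file, point the functions at /etc/sysconfig/iptables and then run the restart command from section 2.2.3.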