Install iptables firewall on CentOS7



The default firewall on CentOS 7 is not iptables but firewalld. firewalld still programs the kernel's netfilter through the iptables tool, so the iptables command is usually already present; what is missing is iptables-services, which provides the iptables.service unit, the /etc/sysconfig/iptables rule file and the "service iptables save" command used below. Running firewalld and iptables.service at the same time leads to conflicting rule sets, which is why firewalld is stopped and masked first.

Install iptables and iptables-services

#Check whether the iptables service is installed
service iptables status
#Install iptables
yum install -y iptables
#Upgrade iptables
yum update iptables
#Install iptables-services (the systemd unit, plus rule save/restore)
yum install iptables-services

Disable/stop the built-in firewalld service

#Stop the firewalld service
systemctl stop firewalld
#Disable the firewalld service; mask links the unit to /dev/null, so it cannot be started manually or pulled in as a dependency of another unit (plain disable only removes it from boot)
systemctl mask firewalld
Set the rules

#View the existing iptables rules
iptables -L -n
#Set the INPUT policy to ACCEPT first; otherwise flushing the rules below while the policy is DROP will cut off your own SSH session
iptables -P INPUT ACCEPT
#Clear all rules in the built-in chains
iptables -F
#Delete all user-defined chains
iptables -X
#Reset all counters to zero
iptables -Z
#Allow packets on the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
#Open port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#Open port 21 (FTP control channel; note that plain FTP sends credentials in cleartext)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#Allow ping (ICMP echo request, type 8)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
#Accept packets that belong to a connection this host already has (ESTABLISHED) and connections a conntrack helper ties to one of them (RELATED); the RELATED part is what lets FTP data connections through
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Drop all other inbound traffic. This is the chain policy, the verdict for packets no rule matched, so it is set last: if any command above had failed, a DROP policy set earlier would lock you out
iptables -P INPUT DROP
#Allow all outbound traffic
iptables -P OUTPUT ACCEPT
#Drop all forwarded traffic
iptables -P FORWARD DROP

These rules only affect IPv4. IPv6 is filtered separately by ip6tables (the ip6tables.service unit comes from the same iptables-services package), so an IPv6-reachable host needs a matching ip6tables rule set.

Other rule settings


#To trust a specific source IP, for example a management host (accept all TCP from it); the address below is the original's example, substitute your own
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
#Drop everything that matches none of the rules above
iptables -P INPUT DROP
#To block an IP, insert the DROP at the top of the chain (-I) so it is evaluated before the ACCEPT rules that were appended with -A:
iptables -I INPUT -s ***.***.***.*** -j DROP
#To unblock the IP, delete that rule; -D must be given exactly the same match and target as the rule being removed, and removes only one matching rule per call:
iptables -D INPUT -s ***.***.***.*** -j DROP
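The two commands above are easy to get wrong by hand: -I run twice leaves two copies of the rule, -D removes only one of them, and an unchecked address ends up on an iptables command line. The helper below is an added example, not code from the original page: it validates the address and makes block/unblock idempotent with iptables -C (check whether a rule exists). The function names, the block/unblock command syntax and the documentation address 203.0.113.5 are this example's own choices; the iptables calls themselves need root on a host running iptables-services.

```shell
#!/bin/sh
# Added example, not part of the original page: idempotent wrappers around the
# "iptables -I INPUT -s <ip> -j DROP" / "iptables -D ..." commands above.
# The function names, the {block|unblock} command syntax and the address
# 203.0.113.5 in the usage line are this example's own choices.
# The iptables calls need root on a host running iptables-services.

# Strict IPv4 dotted-quad check: exactly four decimal octets, each 0-255.
# Rejecting anything else keeps malformed or hostile input out of iptables -s.
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*) return 1 ;;     # empty, or a character other than digit/dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                        # safe to split unquoted: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1   # catches "1..2.3" and ".1.2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert the DROP at the head of INPUT so it is evaluated before the appended
# ACCEPT rules, but only if an identical rule is not already there (-C looks
# for an exact match; it exits 1 and prints an error when the rule is absent).
block_ip() {
    is_ipv4 "$1" || { echo "block_ip: invalid IPv4 address: $1" >&2; return 2; }
    iptables -C INPUT -s "$1" -j DROP 2>/dev/null \
        || iptables -I INPUT -s "$1" -j DROP
}

# -D removes one rule per call, so loop until -C no longer finds a match;
# a rule that was inserted twice by hand needs two deletions.
unblock_ip() {
    is_ipv4 "$1" || { echo "unblock_ip: invalid IPv4 address: $1" >&2; return 2; }
    while iptables -C INPUT -s "$1" -j DROP 2>/dev/null; do
        iptables -D INPUT -s "$1" -j DROP
    done
}

# Usage: sh blockip.sh block 203.0.113.5   /   sh blockip.sh unblock 203.0.113.5
case ${1:-} in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    *)       echo "usage: $0 {block|unblock} <ipv4>" >&2 ;;
esac
```

Because the validator is a plain case pattern plus an octet check, it rejects anything that is not a bare IPv4 address, including CIDR notation; if you need to block whole networks, extend the check rather than dropping it.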

Save the rules

#Save the rules currently loaded to /etc/sysconfig/iptables, the file iptables.service restores when it starts
service iptables save

Enable the iptables service

#Register the iptables service to start at boot (equivalent to the old chkconfig iptables on)
systemctl enable iptables.service
#Start the service
systemctl start iptables.service
#View its status
systemctl status iptables.service



Solve the problem that vsftpd cannot use passive mode after iptables is turned on

In passive mode the server opens a second, dynamically chosen port for each data connection, which the port-21 rule does not cover. The FTP conntrack helper watches the control channel, learns the port announced there and marks the data connection as RELATED, so the RELATED,ESTABLISHED rule accepts it.

1. Edit /etc/sysconfig/iptables-config so the helper modules are loaded when the service starts. IPTABLES_MODULES is one space-separated list; assigning it twice, as in the original, leaves only the last assignment in effect. List the conntrack helper before the NAT helper:

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

(On the CentOS 7 kernel these names are aliases of nf_conntrack_ftp and nf_nat_ftp.)

2. Re-apply the rule that accepts related traffic. It is already part of the rule set above and must be present for the helper to have any effect:

iptables -A INPUT -m state --state  RELATED,ESTABLISHED -j ACCEPT

Then restart the service (systemctl restart iptables.service) so the modules are loaded. If you would rather not depend on the helper, pin the passive port range in vsftpd.conf (pasv_min_port and pasv_max_port) and open that range explicitly.

The complete setup script follows


#!/bin/sh
# Open the INPUT policy before flushing so the flush cannot lock out the SSH session
iptables -P INPUT ACCEPT
# Flush rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z
# Loopback
iptables -A INPUT -i lo -j ACCEPT
# SSH, FTP control channel, HTTP, HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ICMP echo request (ping)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Return traffic, plus FTP data connections tracked by the conntrack helper
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default policies: drop everything else inbound and forwarded, allow all outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Persist to /etc/sysconfig/iptables and reload the service (which also loads IPTABLES_MODULES)
service iptables save
systemctl restart iptables.service
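The script above builds the policy one command at a time and relies on setting the INPUT policy to ACCEPT first and DROP last so that no step can lock you out. As an added example that is not part of the original page, the same policy written as an iptables-restore ruleset, which is the format "service iptables save" writes to /etc/sysconfig/iptables and iptables.service replays at boot. iptables-restore swaps the whole table in a single commit, so the rules and the DROP policy take effect together. The function names, the --apply flag, the port list and the addresses 198.51.100.10 (trusted host) and 203.0.113.5 (blocked host) are assumptions of this example; run with no arguments it only prints the ruleset, and --apply needs root.

```shell
#!/bin/sh
# Added example, not part of the original page: the same policy as the script
# above, expressed as an iptables-restore ruleset (the format "service iptables
# save" writes to /etc/sysconfig/iptables) and applied in one atomic commit.
# Function names, the TCP_PORTS list, the --apply flag and the addresses
# 198.51.100.10 (trusted) and 203.0.113.5 (blocked) are this example's own.

TCP_PORTS="22 21 80 443"   # SSH, FTP control, HTTP, HTTPS, as in the page's rule set

# Print a complete *filter table to stdout.
#   $1: source IP whose TCP traffic is accepted unconditionally ("" for none)
#   $2: space-separated list of source IPs to drop ("" for none)
# Chain policies are part of the table header, so the DROP default and the
# ACCEPT rules take effect together on COMMIT: there is never a moment where
# INPUT is DROP with no rules, or ACCEPT with no rules, as there is with a
# sequence of separate iptables -P / -A commands.
gen_rules() {
    trusted=$1
    blocked=$2
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT'
    # Blocks go before every ACCEPT, for the same reason the page uses -I for them
    for b in $blocked; do
        printf '%s\n' "-A INPUT -s $b -j DROP"
    done
    # Conntrack match early: most packets belong to a known flow and never
    # reach the per-port rules; RELATED also covers FTP data connections
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    if [ -n "$trusted" ]; then
        printf '%s\n' "-A INPUT -s $trusted -p tcp -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT'
}

# Parse-check with --test first (builds the ruleset without committing), then
# commit it and persist to the file iptables.service restores at boot.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp"
    if iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp" && cp "$tmp" /etc/sysconfig/iptables
    else
        echo "ruleset rejected by iptables-restore --test, nothing changed" >&2
    fi
    rm -f "$tmp"
}

# Dry run prints the ruleset; "--apply <trusted> '<blocked ...>'" loads it (root only).
case ${1:-} in
    --apply) apply_rules "$2" "$3" ;;
    *)       gen_rules 198.51.100.10 203.0.113.5 ;;
esac
```

Compare the dry-run output with what "service iptables save" produced for the hand-built script: apart from the explicit "-m tcp" / "-m icmp" that iptables-save prints and the earlier position of the conntrack rule, the two files should be the same, which is a quick way to confirm the script did what you expected.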
