Use firewalld to open and close the firewall and ports
Close the firewall:
systemctl stop firewalld.service
Open the firewall:
systemctl start firewalld.service
If the service refuses to start, first run:
systemctl unmask firewalld.service
and then:
systemctl start firewalld.service
Enable the service at boot:
systemctl enable firewalld.service
Disable the service at boot:
systemctl disable firewalld.service
View firewall status:
systemctl status firewalld
# or
firewall-cmd --state
Open a port:
#(--permanent makes the rule persistent; without this parameter the rule is lost after a restart)
#Note: a port range is also accepted, such as 1000-2000/tcp
firewall-cmd --zone=public --add-port=80/tcp --permanent
Reload the firewall (re-read the configuration so that permanent rules take effect):
firewall-cmd --reload
Query whether a port is open:
firewall-cmd --query-port=80/tcp
Remove a port:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --permanent --remove-port=123/tcp
Query the list of ports that have been opened:
firewall-cmd --list-ports
Meaning of the options:
--zone #the zone the rule applies to
--add-port=80/tcp #add a port, in the form port/protocol
--remove-port=80/tcp #remove a port, in the form port/protocol
--permanent #make the change persistent; without this parameter it is lost after a restart
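A script that wraps the commands above, added here as an example and not taken from the original page: it validates the port/protocol spec (including the 1000-2000/tcp range form), opens the port permanently in the chosen zone, reloads, and confirms with --query-port. FWCMD and ZONE are assumed override variables (defaults: firewall-cmd and public).

```shell
#!/bin/sh
# Added example, not from the original page: idempotently open a port in a
# firewalld zone, persist it (--permanent), reload, and verify with --query-port.
# Port specs use the page's "port/protocol" or "low-high/protocol" form.
# FWCMD and ZONE are assumed override hooks (defaults: firewall-cmd, public).
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Accept "80/tcp", "53/udp" or "1000-2000/tcp"; reject anything else, so a
# malformed rule never reaches the permanent config.
valid_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}
    low=${ports%-*}      # "80" -> 80, "1000-2000" -> 1000
    high=${ports#*-}     # "80" -> 80, "1000-2000" -> 2000
    for n in "$low" "$high"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    if [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]; then
        return 0
    fi
    return 1
}

# Open $1 in $ZONE unless it is already active, then confirm it took effect.
# Returns 0 on success, 2 on a bad spec, non-zero if firewalld rejects it.
open_port() {
    spec=$1
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    if "$FWCMD" --zone="$ZONE" --query-port="$spec" >/dev/null 2>&1; then
        echo "$spec already open in zone $ZONE"
        return 0
    fi
    "$FWCMD" --zone="$ZONE" --add-port="$spec" --permanent >/dev/null
    "$FWCMD" --reload >/dev/null    # without this the runtime rule set is unchanged
    "$FWCMD" --zone="$ZONE" --query-port="$spec" >/dev/null
    echo "$spec opened in zone $ZONE"
}

# Usage: sh open_port.sh 8080/tcp   (ZONE=internal sh open_port.sh 1000-2000/tcp)
if [ "$#" -gt 0 ]; then
    open_port "$1"
fi
```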
systemctl
systemctl is the main service-management tool in CentOS 7. It combines the functions of the earlier service and chkconfig commands into one.
Start a service: systemctl start firewalld.service
Close a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Display the status of a service: systemctl status firewalld.service
Enable a service at boot time: systemctl enable firewalld.service
Disable a service when booting: systemctl disable firewalld.service
Check whether a service is enabled at boot: systemctl is-enabled firewalld.service
List enabled services: systemctl list-unit-files | grep enabled
List services that failed to start: systemctl --failed
firewall-cmd commands
View version: firewall-cmd --version
View help: firewall-cmd --help
Show status: firewall-cmd --state
View all open ports: firewall-cmd --zone=public --list-ports
Reload firewall rules: firewall-cmd --reload
View active zones: firewall-cmd --get-active-zones
View the zone that a given interface belongs to: firewall-cmd --get-zone-of-interface=eth0
Drop all packets (panic mode): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
iptables
Install iptables-services:
yum install iptables-services
Edit the following file to change the rules:
/etc/sysconfig/iptables
CentOS 6 has the following two methods:
1. service method
Check the firewall status:
[root@centos6 ~]# service iptables status
iptables: The firewall is not running.
Open the firewall:
[root@centos6 ~]# service iptables start
Close the firewall:
[root@centos6 ~]# service iptables stop
(this is redirected to "/bin/systemctl stop iptables.service")
2. iptables init script method
First enter the init.d directory:
[root@centos6 ~]# cd /etc/init.d/
Then check the firewall status:
[root@centos6 init.d]# /etc/init.d/iptables status
Temporarily close the firewall:
[root@centos6 init.d]# /etc/init.d/iptables stop
restart iptables:
[root@centos6 init.d]# /etc/init.d/iptables restart
Ubuntu
Install the UFW firewall on Ubuntu:
sudo apt-get install ufw
For ordinary users the following settings are enough:
sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny
The three commands above are sufficient for a secure baseline. If you need to expose some services, open them with sudo ufw allow.
Enable the firewall
sudo ufw enable
sudo ufw default deny
# After the two commands above, the firewall is enabled and is started automatically at boot.
# All inbound access to this machine is blocked; outbound access from this machine works as usual.
Allow/deny
sudo ufw allow|deny [service]
Open or close a port, for example:
sudo ufw allow smtp #Allow any external IP to reach port 25/tcp (smtp) on this machine
sudo ufw allow 22/tcp #Allow any external IP to reach port 22/tcp (ssh) on this machine
sudo ufw allow 53 #Allow external access to port 53 (tcp and udp)
sudo ufw allow from 192.168.1.100 #Allow this IP to reach all local ports
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53 #Full syntax: 'from' is required before the source address
sudo ufw deny smtp #Deny external access to the smtp service
sudo ufw delete allow smtp #Delete the rule created above
View firewall status:
sudo ufw status
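An audit script, added here as an example and not from the original page, that checks the output of sudo ufw status verbose for the baseline above (active, default deny incoming) and lists the ports allowed from any IPv4 address. The embedded status text is constructed in the shape ufw prints; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit "sudo ufw status verbose"
# output for the page's baseline (active, default deny incoming) and list the
# ports allowed from any IPv4 address. SAMPLE_STATUS is constructed in the shape
# ufw prints (abbreviated); pass a file holding real output as $1 instead.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.1.100
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# 0 only if the firewall is active AND incoming is denied by default, i.e.
# both "sudo ufw enable" and "sudo ufw default deny" have taken effect.
ufw_baseline_ok() {
    status=$(cat)
    case $status in
        *"Status: active"*) ;;
        *) return 1 ;;
    esac
    case $status in
        *"Default: deny (incoming)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the "To" column of rules that ALLOW IN from Anywhere. IPv6 rows carry
# "(v6)" as an extra field and host rules have an IP in "From", so neither matches.
ufw_world_open_ports() {
    awk '$2 == "ALLOW" && $3 == "IN" && $4 == "Anywhere" { print $1 }'
}

# Usage: sudo ufw status verbose > status.txt; sh ufw_audit.sh status.txt
ufw_audit() {
    input=$(cat)
    if printf '%s\n' "$input" | ufw_baseline_ok; then
        echo "baseline ok: active, default deny incoming"
    else
        echo "baseline MISSING: run 'sudo ufw enable' and 'sudo ufw default deny'"
    fi
    echo "allowed from any IPv4 address:"
    printf '%s\n' "$input" | ufw_world_open_ports
}
if [ "$#" -gt 0 ]; then ufw_audit < "$1"; else printf '%s\n' "$SAMPLE_STATUS" | ufw_audit; fi
```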
#Supplement: turn the firewall on/off (the default is 'disable')
ufw enable|disable
#Toggle logging
ufw logging on|off
#Set the default policy (e.g. "mostly open" vs "mostly closed")
ufw default allow|deny
#Allow or deny certain incoming packets (the service list can be viewed with "status", see below)
#A service can be given as "port/protocol", as a service name that exists in /etc/services, or via the package's metadata. 'allow' adds entries to /etc/ufw/maps, while 'deny' does the opposite. The basic syntax is:
ufw allow|deny [service]
#Show the firewall status and listening ports, see /var/lib/ufw/maps. Numbers in parentheses are not shown.
ufw status
UFW usage examples:
#Allow port 53
$ sudo ufw allow 53
#Remove the rule for port 53
$ sudo ufw delete allow 53
#Allow port 80/tcp
$ sudo ufw allow 80/tcp
#Remove the rule for port 80/tcp
$ sudo ufw delete allow 80/tcp
#Allow the smtp port
$ sudo ufw allow smtp
#Remove the rule for the smtp port
$ sudo ufw delete allow smtp
#Allow a specific IP
$ sudo ufw allow from 192.168.254.254
#Remove the rule above
$ sudo ufw delete allow from 192.168.254.254