CentOS 7: turning off firewalld and enabling iptables

https://yq.aliyun.com/ziliao/33590
Preface: to accommodate Docker, I recently rebuilt the system on CentOS 7, which brought a series of new environment problems.

Note: when running CentOS 7 in an Oracle VirtualBox VM with a bridged network, remember to plug in the network cable; wireless works badly (a lesson that cost me a morning).
With that done the VM can reach both the internal and the external network; otherwise only part of the segment is reachable and the outside network cannot be reached.
To see the specific IP: ip addr
For static IP settings see the CentOS 6.4 notes; setting a static IP is still easy using eth1.

Back to the firewall problem (after the install, direct SSH access was denied):

CentOS 7 uses firewalld as its default firewall, which is not the same as the iptables service of earlier versions. To go back to the familiar iptables configuration, do the following:

1. Stop the firewall: sudo systemctl stop firewalld.service

2. Disable it at boot: sudo systemctl disable firewalld.service

3. Install the iptables service

Execute the following command to install it: sudo yum install iptables-services

4. Configure iptables and open the ports you need (the same as in earlier versions; this is widely documented online, so it is only covered briefly here). The stock /etc/sysconfig/iptables shipped by iptables-services already allows SSH on port 22; make sure your edited file still does before the next step, or you lock yourself out.

5. Enable iptables at boot: sudo systemctl enable iptables

To open the Redis port, edit the firewall configuration file: vi /etc/sysconfig/iptables

Add the port rules to the INPUT chain, above the final REJECT line (the stock CentOS 7 file has no RH-Firewall-1-INPUT chain; that name comes from older releases, and appending to a chain the file never declares makes the whole file fail to load):

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 6379:7000 -j ACCEPT

The second form opens the whole range 6379-7000. Write the range without a space around the colon and without a trailing // comment; iptables-restore only understands # comment lines.

Then load the file:

service iptables restart

Use service iptables save only when you added rules with the iptables command at run time: it overwrites /etc/sysconfig/iptables with the rules currently loaded, so running it before the restart discards the edits you just made by hand.
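The whole procedure above, as a script that builds a complete /etc/sysconfig/iptables, checks it for the mistakes that make iptables-restore fail (an undeclared chain, a bad port range, a // comment, a rule placed after the catch-all REJECT, a missing COMMIT) and only then swaps firewalld for iptables-services. This is an added example, not code from the original post; the port list, the file layout and the function names gen_ruleset, check_ruleset and apply_ruleset are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: build a complete
# /etc/sysconfig/iptables for the iptables-services package on CentOS 7,
# sanity-check it for the mistakes that make iptables-restore fail or quietly
# leave a port closed, and only then swap firewalld for iptables. The port
# list, file layout and function names are this example's own assumptions.

# gen_ruleset SSH_PORT [PORT_OR_RANGE ...]
# Prints a filter table. Extra arguments are TCP ports or ranges in iptables
# syntax (6379, 6379:7000). Rules go into the built-in INPUT chain, as in the
# stock CentOS 7 file; there is no RH-Firewall-1-INPUT chain on CentOS 7.
gen_ruleset() {
    ssh_port="$1"
    shift
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        "-A INPUT -p tcp -m tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for p in "$@"; do
        # Service ports must precede the catch-all REJECT; nothing after it is reached.
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# check_ruleset FILE
# Static checks for the usual copy-paste errors: a rule appended to a chain
# the file never declares (for example RH-Firewall-1-INPUT), an ACCEPT rule
# placed after the catch-all REJECT in INPUT, a port range with a space after
# the colon, a trailing "//" comment (iptables-restore only knows "#"), and a
# missing final COMMIT. Returns 0 when clean, 1 otherwise, one message per
# problem on stderr.
check_ruleset() {
    awk '
    function bad(msg) { print FILENAME ":" NR ": " msg > "/dev/stderr"; rc = 1 }
    BEGIN { chain["INPUT"] = chain["FORWARD"] = chain["OUTPUT"] = 1; rc = 0; last = "" }
    /^[ \t]*$/ || /^#/ { next }
    { last = $1 }
    $1 ~ /^:/ { chain[substr($1, 2)] = 1; next }
    /\/\// { bad("\"//\" is not a comment in this file; use # on its own line") }
    /--dport [0-9]+:([ \t]|$)/ { bad("malformed port range: no space allowed after the colon") }
    $1 == "-A" {
        if (!($2 in chain)) bad("rule appends to undeclared chain " $2)
        if ($2 == "INPUT" && rejected && $0 ~ /-j ACCEPT/)
            bad("ACCEPT rule after the catch-all REJECT is unreachable")
        if ($2 == "INPUT" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) rejected = 1
    }
    END { if (last != "COMMIT") bad("table is not terminated by COMMIT"); exit rc }
    ' "$1"
}

# apply_ruleset FILE
# Replaces firewalld with iptables-services and loads FILE. Run as root from
# a console or a session you can afford to lose, never blind over SSH.
apply_ruleset() {
    check_ruleset "$1" || return 1
    iptables-restore --test < "$1" || return 1   # parse only; nothing is loaded yet
    systemctl stop firewalld.service
    systemctl disable firewalld.service
    systemctl mask firewalld.service             # stop other units from pulling it back in
    yum -y install iptables-services
    cp "$1" /etc/sysconfig/iptables
    systemctl enable iptables.service
    systemctl restart iptables.service           # loads the file; "service iptables save" would overwrite it
    iptables -S INPUT                            # show what is really active
}

case "${1-}" in
    gen)   shift; gen_ruleset "$@" ;;
    check) check_ruleset "$2" ;;
    apply) apply_ruleset "$2" ;;
esac
```

Typical use: sh fw.sh gen 22 6379 6379:7000 > rules, then sh fw.sh check rules, then sudo sh fw.sh apply rules. The checker deliberately refuses the exact lines quoted above in their original form (RH-Firewall-1-INPUT, "6379: 7000", the // comment), and the --test pass of iptables-restore is the last gate before anything touches the running firewall.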

CentOS 7.0 ships with firewalld as its default firewall; here it is replaced with iptables.

1. Shut down firewalld:

systemctl stop firewalld.service # stop firewalld

systemctl disable firewalld.service # prevent firewalld from starting at boot

Firewall rules

netfilter rules are always order-sensitive, and a rule has no fixed position in its chain: adding or deleting a rule shifts the position of every rule after it. In the static firewall model (system-config-firewall/lokkit), any change means rebuilding the whole rule set from scratch, and only the features those tools support directly can be used. There is no integration with other applications that need to create firewall rules, and rules from a custom rules file are unknown to sc-fw/lokkit. In the default chains there is usually no safe way to add or delete a rule without affecting the others.
The dynamic firewall (firewalld) has additional chains of its own. These chains have a defined order, so a rule appended to one of them cannot interfere with the reject and drop rules that come before it. This makes it easier to build a sane and complete firewall configuration.

Here are some of the rules created by the daemon; the filter table below has ssh, mdns and ipp-client enabled in the public zone:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
The deny/allow model gives clear behaviour (ideally with no conflicting rules at all). For example, an ICMP block goes into the IN_ZONE_public_deny chain (when the public zone is in use), which is processed before the IN_ZONE_public_allow chain.
This model makes it easy to add or delete rules in one particular block without disturbing the other blocks.
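To make the ordering concrete, the script below walks one inbound packet through a firewalld-style listing and prints the chains it visits and the verdict. This is an added example, not part of the original post or of firewalld itself. The embedded ruleset is constructed: it is the INPUT side of the public-zone listing above plus two assumed rules, an INPUT_ZONES jump to IN_ZONE_public for eth0 (the kind of rule firewalld adds once an interface is bound to a zone) and one block in IN_ZONE_public_deny for the ipp-client port, so that the deny chain can be seen winning over the allow chain for the same service. The trace function and its matching logic are this example's own simplification: only the matches that appear in the listing (-i, -p, -d, --dport, --ctstate) are modelled.

```shell
#!/bin/sh
# Added example, not from the original post: trace one inbound packet through
# a firewalld-style iptables-save listing and print the chain path and verdict.
# RULESET is constructed from the page's public-zone listing (INPUT side only)
# plus two assumed rules, marked below.
RULESET='*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -j IN_ZONE_public
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_deny -p udp -m udp --dport 631 -j REJECT --reject-with icmp-port-unreachable
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'
# Assumed rules above: the INPUT_ZONES -> IN_ZONE_public jump for eth0 and
# the udp/631 REJECT in IN_ZONE_public_deny.

# trace IFACE PROTO DPORT CTSTATE [DST]
# Prints "INPUT -> ... -> VERDICT". A chain that runs out of rules returns to
# its caller; if nothing terminates the packet the INPUT policy applies.
trace() {
    printf '%s\n' "$RULESET" | awk -v iface="$1" -v proto="$2" -v dport="$3" \
        -v ctstate="$4" -v dst="${5-}" '
    $1 ~ /^:/ { c = substr($1, 2); n[c] = 0; policy[c] = $2; next }
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0; next }
    # Does this rule match the packet? Scan the match options up to -j.
    function matches(line,    f, nf, i) {
        nf = split(line, f, " ")
        for (i = 3; i <= nf; i++) {
            if (f[i] == "-j") return 1
            if (f[i] == "-i" && f[i+1] != iface) return 0
            if (f[i] == "-p" && f[i+1] != proto) return 0
            if (f[i] == "-d" && f[i+1] != dst) return 0
            if (f[i] == "--dport" && f[i+1] != dport) return 0
            if (f[i] == "--ctstate" && index("," f[i+1] ",", "," ctstate ",") == 0) return 0
        }
        return 1
    }
    function target(line,    f, nf, i) {
        nf = split(line, f, " ")
        for (i = 1; i <= nf; i++) if (f[i] == "-j") return f[i+1]
        return ""
    }
    # Walk chain c in rule order; a user chain that finishes without a verdict
    # falls back to the caller, exactly as netfilter does.
    function walk(c, path,    i, t, v) {
        for (i = 1; i <= n[c]; i++) {
            if (!matches(rule[c, i])) continue
            t = target(rule[c, i])
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return path " -> " t
            if (t == "RETURN") return ""
            v = walk(t, path " -> " t)
            if (v != "") return v
        }
        return ""
    }
    END {
        v = walk("INPUT", "INPUT")
        print (v == "" ? "INPUT -> " policy["INPUT"] " (policy)" : v)
    }'
}

if [ $# -ge 4 ]; then
    trace "$@"
fi
```

Running sh trace.sh eth0 udp 631 NEW shows the packet rejected in IN_ZONE_public_deny even though IN_ZONE_public_allow would accept it, while sh trace.sh eth0 tcp 22 NEW passes through the deny chain untouched and is accepted in the allow chain; a port nobody opened, such as tcp 80, falls all the way back to the REJECT at the end of INPUT. Because every zone rule lives in its own chain, the positions of the top-level INPUT rules never move when a service is added or removed.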


Origin www.cnblogs.com/wntd/p/11668287.html