1. Test whether the iptables command works normally
Run the following command:
service iptables save
or
# Check whether the iptables service is installed
service iptables status
On CentOS 7 there is no /etc/sysconfig/iptables file by default. When opening a port fails and you do not want to restart the system, saving the configuration with the 'service iptables save' command reports an error, as shown in the figure.
The problem is that the iptables service is missing.
2. Install the iptables service
First stop the CentOS 7 firewalld; the commands are as follows:
# Turn off the firewall
systemctl stop firewalld
# View the firewall status
firewall-cmd --state
Install the iptables service:
# Install iptables
yum install -y iptables
# Upgrade iptables
yum update iptables
# Install iptables-services
yum install iptables-services
After installation, enable and start the service, then save the iptables rules:
# Register the iptables service
systemctl enable iptables
# Start the service
systemctl start iptables
# Check the status
service iptables status
# Save the rules
service iptables save
At this point the file /etc/sysconfig/iptables will exist.
Finally, start the firewall again:
systemctl start firewalld
Common iptables commands explained:
# View the existing rules
iptables -L -n
# Allow everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
# Flush all rules in the default chains
iptables -F
# Delete all user-defined chains
iptables -X
# Reset all counters to 0
iptables -Z
# Allow packets from the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow return traffic for RELATED and ESTABLISHED connections (needed for FTP)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else inbound is dropped
iptables -P INPUT DROP
# All outbound traffic is allowed
iptables -P OUTPUT ACCEPT
# All forwarded traffic is dropped
iptables -P FORWARD DROP
The post comes with a script file (which can be modified as needed):
#!/bin/sh
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
echo 'Allow packets from the lo interface (local access)'
iptables -A INPUT -i lo -j ACCEPT
echo 'Open port 22'
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
echo 'Open port 21'
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
echo 'Open port 80'
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo 'Open port 443'
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
echo 'Allow ping'
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
echo 'Allow return traffic for RELATED and ESTABLISHED connections (needed for FTP)'
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo 'Saving...'
service iptables save
echo 'Restarting the service...'
systemctl restart iptables.service
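As an added example (not the post's own script), the same rule set written in the iptables-save format that /etc/sysconfig/iptables uses and loaded with iptables-restore, so the rules are applied atomically and there is no window in which INPUT is ACCEPT while rules are being appended one at a time. The RULES_FILE variable, the check_ruleset helper and the 'apply' argument are my own assumptions; without the argument the script only prints the rule set.

```shell
#!/bin/sh
# Added example: build the rule set from the post in iptables-save format and
# apply it atomically with iptables-restore. RULES_FILE is an assumed default.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Emit the rule set exactly as 'service iptables save' would write it.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Checks run before applying: the INPUT policy must be DROP, port 22 must stay
# open so the SSH session is not locked out, and the table must be committed.
check_ruleset() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$1" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    printf '%s\n' "$1" | grep -q '^COMMIT$' || return 1
    return 0
}

# Parse with --test first, then load the whole table in one step and persist
# the file so the iptables service reloads it on boot.
apply_ruleset() {
    rules=$(build_ruleset)
    check_ruleset "$rules" || { echo 'ruleset failed checks' >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    printf '%s\n' "$rules" > "$RULES_FILE"
}

case "$1" in
    apply) apply_ruleset ;;
    *) build_ruleset ;;
esac
```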