Using firewalls on CentOS 7

# firewalld and iptables: detailed configuration (enabling firewalld is recommended; adapt the configuration to your needs)

1, official documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld1

2, firewalld on CentOS 7 is a very powerful feature; it is the successor of the iptables firewall used on CentOS 6.5.

3, firewall configuration

  1, system configuration directory (holds the service definitions with their ports and protocols; these system files must not be modified)

/usr/lib/firewalld/services

 

   2, user configuration directory

/etc/firewalld/

   3, query status, open ports, enable

# Query the service status
systemctl status firewalld

# View the firewall state
firewall-cmd --state

# List the open ports
firewall-cmd --list-ports
# Query whether a port is open (e.g. 80)
firewall-cmd --query-port=80/tcp

# Open a port (e.g. 80)
firewall-cmd --zone=public --add-port=80/tcp --permanent

# Remove a port (e.g. 8080)
firewall-cmd --permanent --remove-port=8080/tcp

# Restart the firewall (required after modifying the configuration)
systemctl start firewalld.service    # start firewalld
systemctl enable firewalld.service   # start firewalld at boot
systemctl restart firewalld.service  # or: firewall-cmd --reload

# Close the firewall:
systemctl stop firewalld.service     # stop firewalld
systemctl disable firewalld.service  # do not start firewalld at boot


Parameter explanation:
1, firewall-cmd: the command-line tool for operating the Linux firewall;
2, --zone: the scope (zone); specifying a zone adds the port to that zone's configuration file. Supplement: with --zone=dmz the rule is written to dmz.xml;
3, --add-port=80/tcp: add a port, in the format port/protocol;
4, --permanent: make the change persistent; without this parameter the change is lost after a restart.




  4, add ports through the configuration file

cd /etc/firewalld/zones
vim public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <rule family="ipv4">
    <source address="122.10.70.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="123.60.255.14"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow the specified source IP to reach the specified port and protocol (port 9527, TCP) -->
    <source address="192.249.87.114"/>
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <!-- allow any IP to reach port 80 on the server -->
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>
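As an added example (not from the original post), the following Python script parses a firewalld zone file in the format shown above and lists which source addresses may reach which ports, flagging accepts that carry no `<source>` restriction and are therefore reachable from any address. The embedded zone XML is constructed from the rules above; the zone-level `<port>` element is the form that `firewall-cmd --add-port=80/tcp --permanent` writes, so the audit also covers ports added on the command line.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the public.xml above: two source-restricted rich rules,
# one rule without <source>, and a zone-level <port> as written by --add-port.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <port protocol="tcp" port="80"/>
  <rule family="ipv4">
    <source address="122.10.70.234"/>
    <port protocol="udp" port="514"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="123.60.255.14"/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <port protocol="tcp" port="9527"/>
    <accept/>
  </rule>
</zone>
"""

def port_range(elem):
    """'10050-10051' -> (10050, 10051); '514' -> (514, 514)."""
    lo, _, hi = elem.get("port").partition("-")
    return int(lo), int(hi or lo)

def audit_zone(xml_text):
    """Every accepted port in the zone as (source, protocol, (lo, hi)); source None means any IP."""
    root = ET.fromstring(xml_text)
    # Plain <port> children of <zone> are open to every address the zone covers.
    entries = [(None, p.get("protocol"), port_range(p)) for p in root.findall("port")]
    for rule in root.findall("rule"):
        src, port = rule.find("source"), rule.find("port")
        if rule.find("accept") is None or port is None:
            continue  # reject/drop rules open nothing; service-based rules are out of scope here
        entries.append((src.get("address") if src is not None else None,
                        port.get("protocol"), port_range(port)))
    return entries

def open_to_any_source(entries):
    """Accepts with no source restriction: reachable from anywhere, so review these first."""
    return [e for e in entries if e[0] is None]

if __name__ == "__main__":
    for src, proto, (lo, hi) in audit_zone(ZONE_XML):
        print(f"{src or 'any':>15}  {proto}/{lo}" + (f"-{hi}" if hi != lo else ""))
```

Run it against a real zone file by reading `/etc/firewalld/zones/public.xml` into `audit_zone` instead of the embedded sample.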

 ------------------------------------------------------------------------------------------------------------------------

4, iptables configuration

  1, shut down firewalld

systemctl stop firewalld.service     # or: service firewalld stop
systemctl disable firewalld.service  # do not start firewalld at boot

 2, install iptables

yum install iptables-services  # install

  3, edit the configuration

vi /etc/sysconfig/iptables  # edit the firewall configuration file

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# must be opened, otherwise nginx cannot be opened
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

  4, view, enable

iptables -L                        # check whether the rules have taken effect
systemctl start iptables.service   # or: service iptables start
systemctl enable iptables.service  # start iptables at boot

 Game Over !


Origin www.cnblogs.com/Miracle1/p/11987312.html