Linux firewall

Centos 7 firewall ：

1, the basic use of firewalld

Start: systemctl start firewalld

Close: systemctl stop firewalld

View status: systemctl status firewalld 

Power disabled: systemctl disable firewalld

Power On: systemctl enable firewalld

 

 

2.systemctl is CentOS7 service management tool in the main tool before it blends service and chkconfig functions in one.

Start a service: systemctl start firewalld.service
shut down a service: systemctl stop firewalld.service
restart a service: systemctl restart firewalld.service
displays the status of a service: systemctl status firewalld.service
enable a service at boot: systemctl enable firewalld.service
at boot disable a service: systemctl disable firewalld.service
see if the service startup: systemctl is-enabled firewalld.service
view your active list of services: systemctl list-unit-files | grep enabled
to view list of services failed to start: systemctl - -failed

3. Configure firewalld-cmd

View Version: firewall-cmd --version

View help: firewall-cmd --help

Display state: firewall-cmd --state

View all open ports: firewall-cmd --zone = public --list-ports

Update firewall rules: firewall-cmd --reload

Viewing area information: firewall-cmd --get-active-zones

Specifies an interface belongs: firewall-cmd --get-zone-of-interface = eth0

Reject all packets: firewall-cmd --panic-on

Unblock status: firewall-cmd --panic-off

Check whether to reject: firewall-cmd --query-panic

 

How to open a port that it

Add to

cmd-Firewall  --zone = public  --add-Port = 80 / TCP --permanent (--permanent permanent, this does not restart the failed parameter)

Reload

firewall-cmd --reload

View

firewall-cmd --zone= public --query-port=80/tcp

delete

firewall-cmd  --zone= public --remove-port=80/tcp --permanent

 

To adjust the default policies (default deny all access, all changed to allow access):

firewall-cmd --permanent --zone=public --set-target=ACCEPT

firewall-cmd --reload

Open multiple ports on an IP:

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.159.60.29" port protocol="tcp" port="1:65535" accept"

firewall-cmd --reload

 

Centos 6 iptables：

1, the basic use of iptables

Start: service iptables start

Close: service iptables stop

View status: service iptables status

Disable boot: chkconfig iptables off

Power On: chkconfig iptables on

2, open the specified port

-A -I parameters and rules are added to the front end and rules.

#允许本地回环接口(即运行本机访问本机)
iptables -A INPUT -i lo -j ACCEPT
# 允许已建立的或相关连的通行
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#允许所有本机向外的访问
iptables -P INPUT ACCEPT iptables -A OUTPUT -j ACCEPT # 允许访问22端口 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 10.159.1.0/24 --dport 22 -j ACCEPT 
注：-s后可以跟IP段或指定IP地址 #允许访问80端口 iptables -A INPUT -p tcp --dport 80 -j ACCEPT #允许FTP服务的21和20端口 iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 20 -j ACCEPT #如果有其他端口的话，规则也类似，稍微修改上述语句就行 #允许ping iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #禁止其他未允许的规则访问 iptables -A INPUT -j REJECT #（注意：如果22端口未加入允许规则，SSH链接会直接断开。） iptables -A FORWARD -j REJECT 

3, shielding IP

#如果只是想屏蔽IP的话 “3、开放指定的端口” 可以直接跳过。
#屏蔽单个IP的命令是
iptables -I INPUT -s 123.45.6.7 -j DROP
#封整个段即从123.0.0.1到123.255.255.254的命令 iptables -I INPUT -s 123.0.0.0/8 -j DROP #封IP段即从123.45.0.1到123.45.255.254的命令 iptables -I INPUT -s 124.45.0.0/16 -j DROP #封IP段即从123.45.6.1到123.45.6.254的命令是 iptables -I INPUT -s 123.45.6.0/24 -j DROP 

4, see the added iptables rules

iptables -L -n

N: Displays only the IP address and port number, domain name does not resolve to the IP

Delete an added iptables rules

Reference numerals in all iptables display, perform:

iptables -L -n --line-numbers

For example, to delete the serial number for the rule in the INPUT 8, execute:

iptables -D INPUT 8

5, can also directly edit the configuration file, add the iptables firewall rules:

iptables configuration file to / etc / sysconfig / iptables

Edit the configuration file:

vi /etc/sysconfig/iptables

Configuration rules file and the configuration of iptables commands, syntax similar to:

E.g., by the command iptables configuration that allows access to port 80:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Then, in the configuration file, you only need to remove the iptables beginning of the sentence, add the following:

-A INPUT -p tcp --dport 80 -j ACCEPT

Save and exit.

 

There are two ways to add rules

iptables -A 和iptables -I

Iptables -A rule is added to the last position. As a rule for increasing INPUT chain, into and received from the source address of eth0 192.168.0.0/16 network port destined for the data of the machine.

[root@localhost ~]# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j ACCEPT

Add the default rule iptables -I added to the first.

If the position number can be specified to insert the rule specified location, use iptables -I.

 

Delete Rule

If you delete the specified use iptables -D command, the command can be accessed by the serial number. Contrast Effect on FIG.

Contact details or iptables -D defined above;

If you want to clear out all the rules, you can use iptables -F.

 

Backup iptabes rules

Use iptables-save command, such as:

[root@localhost ~]# iptables-save > /etc/sysconfig/iptables.save

Restore iptables rules

Use iptables commands, such as:

[root@localhost ~]# iptables-restore < /etc/sysconfig/iptables.save

 

iptables configuration saved

Above do configuration changes, after restart, the configuration will be lost. Using service iptables save to save.

[root@localhost ~]# service iptables save

 

Service iptables restart to take effect:

service iptables save after save to add the rules to restart to take effect.

service iptables restart