CentOS firewall settings

The series of CentOS middleware installation tutorials I summarized earlier all assumed the firewall was turned off. In practice you may run into ports that cannot be reached. On an ECS cloud server you can open or close port access by editing the security group policy, but on your own machine you have to stop the firewall manually (or open access to the specific ports you need). Below are the commonly used firewall settings for CentOS 7 and CentOS 6.

First, confirm the server's operating system version:

shell> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

CentOS 7

1. The firewalld service

1) Check status
Active: active (running) means the firewall is running:
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-06 00:03:45 CST; 2s ago
     Docs: man:firewalld(1)
 Main PID: 5463 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5463 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Active: inactive (dead) means the firewall is stopped:
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
2) Start & stop
Start:
shell> systemctl start firewalld
Stop:
shell> systemctl stop firewalld
Restart:
shell> systemctl restart firewalld
3) Start on boot
Enable starting on boot:
shell> systemctl enable firewalld
Disable starting on boot:
shell> systemctl disable firewalld

In short, to shut the firewall off completely on CentOS 7 the quick and crude way, just run:

shell> systemctl stop firewalld
shell> systemctl disable firewalld

2. The firewall-cmd command

1) Check status
running means the firewall is on:
shell> firewall-cmd --state
running
not running means the firewall is off:
shell> firewall-cmd --state
not running
2) List the firewall rules
shell> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh dhcpv6-client
  ports: 3888/tcp 2181/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
3) Port control
List all open ports:
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
Check whether a specific port is open:
shell> firewall-cmd --query-port=3306/tcp
no
shell> firewall-cmd --query-port=2181/tcp
yes
Add a port:
shell> firewall-cmd --add-port=2888/tcp --permanent
success
shell> firewall-cmd --reload
success
# check that it was added
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 2888/tcp
Remove a port:
shell> firewall-cmd --remove-port=2888/tcp --permanent
success
shell> firewall-cmd --reload
success
# check that it was removed
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
Add a port range:
shell> firewall-cmd --add-port=65001-65010/tcp --permanent
success
shell> firewall-cmd --reload
success
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 65001-65010/tcp
Reload (required after modifying firewall rules):
shell> firewall-cmd --reload
success
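As an added example (not code from the original post), the POSIX shell helper below wraps the port-control commands above: it validates a port spec before passing it to firewall-cmd, checks the current --list-ports listing so a port that is already open is not added again, and emits a single --reload at the end. The listing it reads can be the real output of firewall-cmd --list-ports; the script name, the --apply flag and the sample listing used in the comments are assumptions, not part of the page.

```shell
#!/bin/sh
# Added example, not code from the original post: open a list of ports with
# firewall-cmd without adding duplicates, then reload once so the --permanent
# changes take effect in the running firewall.
# The helpers take the text of `firewall-cmd --list-ports` as input, so they
# also work on a pasted listing on a machine where firewall-cmd is not installed.

# Accept "N/tcp", "N/udp" or "N-M/tcp" with 1 <= N <= M <= 65535; reject anything else.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    range=${spec%/*}          # strip the protocol
    lo=${range%-*}            # "65001-65010" -> 65001, "2888" -> 2888
    hi=${range#*-}            # "65001-65010" -> 65010, "2888" -> 2888
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Is the spec already present in a space-separated --list-ports line?
port_in_list() {
    list=$1
    spec=$2
    for open in $list; do
        [ "$open" = "$spec" ] && return 0
    done
    return 1
}

# Print the firewall-cmd commands needed to open the given specs, given the
# current --list-ports line (e.g. the page's "3888/tcp 2181/tcp"); invalid specs
# are reported on stderr and skipped, and --reload is emitted once, only if
# something was actually added.
plan_open_ports() {
    list=$1
    shift
    needed=0
    for spec; do
        if ! valid_port_spec "$spec"; then
            echo "skipping invalid port spec: $spec" >&2
            continue
        fi
        port_in_list "$list" "$spec" && continue   # already open, nothing to do
        echo "firewall-cmd --permanent --add-port=$spec"
        needed=1
    done
    [ "$needed" -eq 1 ] && echo "firewall-cmd --reload"
    return 0
}

# Live use on a CentOS 7 host, as root:
#   sh open_ports.sh --apply 2888/tcp 65001-65010/tcp
# (the script name and the --apply flag are assumptions, not part of the page).
if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    shift
    plan_open_ports "$(firewall-cmd --list-ports)" "$@" | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
fi
```

Without --permanent, --add-port changes only the runtime configuration, which is lost on the next reload or restart; with --permanent it lands in the saved configuration and needs --reload to reach the running firewall, which is why the transcript above runs --reload after every --add-port and --remove-port.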

CentOS 6

1. Check status
The firewall is running:
shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8888 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9200 
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9000 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8000 
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8082 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8010 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8769 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6379 
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5672 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2181 
16   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
17   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
18   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
21   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8001 
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 8888 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
The firewall is stopped:
shell> service iptables status
iptables: Firewall is not running.
2. Start & stop
Start the firewall:
shell> service iptables start
iptables: Applying firewall rules:                         [  OK  ]
Stop the firewall:
shell> service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
Restart the firewall:
shell> service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
3. Start on boot
Enable starting on boot:
shell> chkconfig iptables on
Disable starting on boot:
shell> chkconfig iptables off

In short, to shut the firewall off completely on CentOS 6 the quick and crude way, just run:

shell> service iptables stop
shell> chkconfig iptables off
4. Open a specific port
shell> vim /etc/sysconfig/iptables

Add the following line (assuming the port to open is 2888):

-A INPUT -p tcp -m tcp --dport 2888 -j ACCEPT

Restart the firewall:

shell> service iptables restart
shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
...
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2888
...
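Where the new -A INPUT line ends up in the file matters: iptables evaluates the chain top to bottom, and the status listing earlier on this page shows rules 22-24 (ports 7002, 8001 and 8888) sitting below the REJECT rule at position 21, which is what happens when the line is simply appended after the REJECT; packets never reach those entries. As an added example (not code from the original post), the POSIX shell helper below inserts the ACCEPT rule before the INPUT chain's REJECT line (or before COMMIT if the chain has no REJECT) and leaves the file untouched when an ACCEPT rule for that port already exists. SAMPLE_RULES is a constructed, shortened rule file; the script name, the --apply flag and the .bak copy are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: insert an ACCEPT rule into an
# /etc/sysconfig/iptables style file *before* the INPUT chain's REJECT rule, so
# that it is actually reached, and do so idempotently.

# Constructed, shortened sample of a CentOS 6 rule file (not the file from the page).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read a rule file on stdin and print it with
#   -A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
# inserted before the first INPUT REJECT rule (or before COMMIT when the chain has
# no REJECT). If an INPUT ACCEPT rule for that port already exists, the file is
# printed unchanged, so running this twice does not duplicate the rule.
open_port_rules() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    input=$(cat)
    if printf '%s\n' "$input" | grep -Eq -- "^-A INPUT .*--dport ${port}( |$).*-j ACCEPT"; then
        printf '%s\n' "$input"      # already open: nothing to change
        return 0
    fi
    if printf '%s\n' "$input" | grep -Eq -- '^-A INPUT .*-j REJECT'; then
        anchor='^-A INPUT .*-j REJECT'
    else
        anchor='^COMMIT$'
    fi
    printf '%s\n' "$input" | awk -v rule="-A INPUT -p tcp -m tcp --dport $port -j ACCEPT" -v anchor="$anchor" '
        !done && $0 ~ anchor { print rule; done = 1 }   # emit the new rule just above the anchor
        { print }'
}

# Live use on CentOS 6, as root:  sh open_port.sh --apply 2888  and then
# service iptables restart, as on the page (script name, --apply flag and the
# .bak copy are assumptions, not part of the page).
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    f=/etc/sysconfig/iptables
    cp "$f" "$f.bak"
    open_port_rules "$2" < "$f" > "$f.new" && mv "$f.new" "$f"
fi
```

After service iptables restart, service iptables status should list the new ACCEPT entry with a number lower than the REJECT entry, as it does at position 16 in the listing above; an ACCEPT that shows up below the REJECT is a sign that the line was appended too late in the file.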