CentOS 7 防火牆配置

firewalld

  1. 查看 firewalld 已開放的端口
# List the ports explicitly opened in the default zone of the *running*
# firewalld configuration. Ports opened via --add-service are not shown here
# (use --list-all for the full picture); add --permanent to inspect the saved
# configuration instead of the runtime one.
firewall-cmd --list-ports
  1. 開啓端口
# Persist an allow rule for TCP/80 in the "public" zone. --permanent only
# writes the saved configuration; the running firewall is untouched until
# `firewall-cmd --reload` (or the same command is run once more without
# --permanent). The rule admits every source address; to limit exposure use a
# rich rule with a source, e.g.
#   --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" port port="80" protocol="tcp" accept'
firewall-cmd --zone=public --add-port=80/tcp --permanent
  1. 命令含義
--zone #作用域（zone）；未指定時使用預設的 zone

--add-port=80/tcp #添加端口，格式為：端口/通信協議（tcp 或 udp）

--permanent #寫入永久配置（重啓後仍生效）；但不會立即套用到運行中的防火牆，需再執行 firewall-cmd --reload。沒有此參數則只對當前運行生效，重啓後失效
  1. 重新載入 / 停止防火牆
# Apply the permanent configuration to the running firewall.
firewall-cmd --reload
# The next two lines do NOT restart the firewall: they stop firewalld and keep
# it from starting at boot. Once it is stopped nothing filters inbound traffic
# unless another packet filter (e.g. iptables-services, configured below) is
# running, so only run them when you are deliberately switching to iptables.
systemctl stop firewalld.service
systemctl disable firewalld.service

iptables

  1. 停止並禁用系統自帶的 firewalld 服務（避免與 iptables 同時管理規則）
# Stop the running firewalld instance.
systemctl stop firewalld
# Mask the unit so it cannot be started again, even as a dependency of
# another service. firewalld and iptables-services must not both manage the
# ruleset, or each will overwrite the other's rules.
# NOTE: from this point until iptables.service is configured and started
# (steps below), the host has no active packet filter.
systemctl mask firewalld
  1. 安裝iptables防火牆
# Install the classic iptables init service (provides iptables.service and
# /etc/sysconfig/iptables). Installing alone does not enable the service or
# load any rules; that is done in the steps below.
yum install iptables-services

  1. 編輯防火牆配置文件
# Rules file loaded by iptables.service (via iptables-restore) on start/restart.
# Back it up first (cp /etc/sysconfig/iptables{,.bak}) and keep your current
# SSH session open while editing: a broken file can lock you out or leave the
# host unfiltered. `iptables-restore --test < /etc/sysconfig/iptables` checks
# the syntax before the service is restarted.
vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
# Review notes below are whole-line '#' comments only: iptables-restore skips
# lines starting with '#', but do not rely on trailing comments on rule lines.
*filter
# Chain policies are ACCEPT; the chains are only closed by the final REJECT
# rules at the bottom. If those rules are ever flushed (iptables -F) the host
# is wide open, so a DROP policy on INPUT/FORWARD is the safer default.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept replies and related traffic for connections already being tracked
# (-m state is the legacy match; -m conntrack --ctstate is the modern form).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Every ICMP type from every source is accepted.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# (the original file had a whitespace-only line here; keep rules or '#' lines)
# Rules match in order. None of the ACCEPT rules below carries -s, so each
# service is reachable from ANY source; add -s <trusted CIDR> to restrict it.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# FTP: 21 is the control channel; 20 is the server's active-mode data source
# port, so an inbound rule for it is normally not needed. Passive-mode data
# connections use ephemeral ports that these rules do not open; the
# nf_conntrack_ftp helper (or an explicit PASV port range) is required for
# passive clients. FTP is cleartext; prefer SFTP over the SSH port above.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80  -j ACCEPT
# MySQL exposed to the whole network. Unless remote clients really need it,
# remove this rule (bind MySQL to 127.0.0.1) or restrict it with -s.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# Catch-all: anything not matched above is rejected with an ICMP error.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
（在 vi 中以 :wq 保存並退出；:wq! 只在需要強制寫入時使用）
  1. 載入規則並設定開機啟動
# (Re)start iptables.service so the rules file above is loaded. The service's
# stop step normally flushes the current rules and resets policies to ACCEPT
# before the file is restored (see /etc/sysconfig/iptables-config), so validate
# the file first (iptables-restore --test) and confirm the result afterwards
# with `iptables -L -n -v` and `systemctl status iptables`.
systemctl restart iptables.service

# Start iptables.service at boot so the rules come back after a reboot.
systemctl enable iptables.service
