1. 背景
CentOS 7 默认启用的防火墙管理服务不是 iptables 服务,而是 firewalld;本文把它换成传统的 iptables 服务(iptables-services 包)。注意:从停止 firewalld 到 iptables 服务启动并载入规则之间,主机没有任何入站过滤,而且后面的“默认策略改为 DROP”一步很容易把远程 SSH 会话锁在外面。建议在控制台或带外管理通道上操作,或至少先确认放行了自己的管理地址。
2. 解决办法
- 关闭 firewalld(firewalld 和 iptables 服务不要同时运行,否则两套规则会互相覆盖;更稳妥的顺序是先完成下面的安装,再停止 firewalld,缩短无防火墙的时间窗口。若担心其他软件包重新拉起 firewalld,可再执行 systemctl mask firewalld.service)
#停止 firewalld
[root@localhost ~]# systemctl stop firewalld.service
#禁止firewall开机启动
[root@localhost ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
#查看 firewalld 状态(已停止时显示 not running,运行中显示 running)
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]#
- 安装iptables
[root@localhost ~]# #1.查看是否安装了iptables
[root@localhost ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[root@localhost ~]# #上面信息表示缺少 iptables.service 这个 systemd 单元,即尚未安装 iptables-services 包;iptables 命令本身(iptables 包)通常已经存在——下面 yum 的输出是“更新完毕”而不是“已安装”,正说明这一点
[root@localhost ~]# #2.安装iptables
[root@localhost ~]# yum install -y iptables
已加载插件:fastestmirror
.........
更新完毕:
iptables.x86_64 0:1.4.21-28.el7
完毕!
[root@localhost ~]# #3.安装iptables-services
[root@localhost ~]# yum install iptables-services
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
....
已安装:
iptables-services.x86_64 0:1.4.21-28.el7
完毕!
[root@localhost ~]# #4.查看安装情况
[root@localhost ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since 四 2018-12-06 16:45:36 CST; 1min 13s ago
Process: 2065 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 2065 (code=exited, status=0/SUCCESS)
12月 06 16:45:36 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
12月 06 16:45:36 localhost.localdomain iptables.init[2065]: iptables: Applying firewall rules: [ 确定 ]
12月 06 16:45:36 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# #表示安装成功,服务已启动并载入了 /etc/sysconfig/iptables 中的规则。注意两点:上面 Loaded 一行显示 disabled,重启后不会自动启动,必须执行下面的 systemctl enable;该单元名为“IPv4 firewall”,只管 IPv4,关闭 firewalld 后 IPv6 入站将完全不过滤,需要同样启用并配置 ip6tables.service(通常由同一个 iptables-services 包提供)
- 启动&关闭iptables
[root@localhost ~]# #设置防火墙开机启动
[root@localhost ~]# systemctl enable iptables.service
[root@localhost ~]# #禁止防火墙开机启动(仅作命令参考;生产机器上不要这样做,否则重启后主机没有任何防火墙)
[root@localhost ~]# systemctl disable iptables.service
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# #关闭iptables服务
[root@localhost ~]# systemctl stop iptables.service
[root@localhost ~]# #开启iptables服务
[root@localhost ~]# systemctl start iptables.service
[root@localhost ~]# #重启iptables服务
[root@localhost ~]# systemctl restart iptables.service
[root@localhost ~]# #查看iptables状态
[root@localhost ~]# systemctl status iptables.service
- 配置iptables
[root@localhost ~]# #开放 9200 端口(下面这条规则对所有来源开放;9200 常见于 Elasticsearch 一类默认无认证的服务,生产环境应加上 -s <可信网段> 限制来源,不要向全网开放)
[root@localhost ~]# iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
[root@localhost ~]# #1.查看iptables现有规则
[root@localhost ~]# iptables -L -n
[root@localhost ~]# #删除所有为空的用户自定义链(-X 不会清除 INPUT 等内建链中的规则;要清空规则应使用 iptables -F。清空前务必确认默认策略不是 DROP,否则 -F 之后所有入站包立即被丢弃,远程连接随即中断)
[root@localhost ~]# iptables -X
[root@localhost ~]# #信任某个内网 IP(放行来自它的所有 TCP 连接;只按源地址判断,在不可信网络中源地址可被伪造;且规则带 -p tcp,不含 UDP/ICMP——默认策略改为 DROP 后,来自该主机的 ping 也会被丢弃)
[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.24.151 -j ACCEPT
[root@localhost ~]# #将 INPUT 链默认策略改为 DROP:凡未被上面规则显式放行的入站包一律丢弃
[root@localhost ~]# #警告:到此为止只放行了 9200 端口和 192.168.24.151,回环接口、已建立的连接和 SSH 都没有放行,在远程 SSH 会话里直接执行 -P INPUT DROP 会把自己锁在外面。应先加入下面三条规则,再改默认策略:
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -s <管理网段> -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# #封停一个 IP(-I 把规则插到链首,因此优先于前面的 ACCEPT 规则生效;若用 -A 追加到链尾,会被前面的放行规则抢先匹配而不起作用)
[root@localhost ~]# iptables -I INPUT -s 192.168.24.153 -j DROP
[root@localhost ~]# #解封该 IP(-D 的参数必须与原规则完全一致才能删除;也可先用 iptables -L INPUT -n --line-numbers 查到行号,再执行 iptables -D INPUT <行号>)
[root@localhost ~]# iptables -D INPUT -s 192.168.24.153 -j DROP
[root@localhost ~]# #保存上述规则到 /etc/sysconfig/iptables(systemctl start/restart iptables 时从该文件重新载入;用 iptables 命令临时添加却未保存的规则,在重启服务或系统后会丢失。保存前建议先用 iptables -L -n -v 复核,确认 DROP 策略下 SSH 与回环仍然放行)
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]