Centos 防火墙之 iptables

abelethan
1,241 阅读2分钟

今天我们要来说说centos系统防火墙,我选择使用的iptables,那么接下来我们就开始安装、配置、使用

  1. 关闭firewalld防火墙
    [root@jjckj cblog]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: inactive (dead)
    Docs: man:firewalld(1)
  2. 安装iptables防火墙
    yum install -y iptables-services
  3. 启动iptables
    [root@jjckj cblog]# systemctl status iptables.service 
● iptables.service - IPv4 firewall with iptables
  Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
  Active: active (exited) since 五 2019-09-06 15:40:17 CST; 47min ago
 Process: 105020 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
 Process: 105086 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 105086 (code=exited, status=0/SUCCESS)
   Tasks: 0
  Memory: 0B
  CGroup: /system.slice/iptables.service

9月 06 15:40:16 jjckj.com systemd[1]: Starting IPv4 firewall with iptables...
9月 06 15:40:17 jjckj.com iptables.init[105086]: iptables: Applying firewall rules: [  确定  ]
9月 06 15:40:17 jjckj.com systemd[1]: Started IPv4 firewall with iptables.
  4. 设置开机自启动
    systemctl enable iptables.service
  5. 配置端口开放
    # sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2122 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080:9999 -j ACCEPT
-A INPUT -s 192.168.31.1/24 -p tcp -m state --state NEW -m multiport --dport 7979,80,3389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
    1. 22和2212是单独配置的外网可以访问,
    2. 8080:9999配置的是外网可以访问8080与9999中间段的所有端口服务,
    3. 7979,80,3389 配置的是局域网才能访问的端口服务(注意配置多个不连续的端口要加multiport
  6. 配置好保存之后重启iptables服务
    systemctl restart iptables.service

现在就可以测试你的外网是否可以访问及内网访问情况

如果安装了iptables同时也安装了docker在启动服务时报下面这种错

在这里插入图片描述
可以重启一下docker

systemctl restart docker.service

然后docker服务就可以运行了(我也不知道为什么)

avatar
文章
阅读
粉丝