查看系统版本
[root@localhost writecardpro]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
[root@localhost etc]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
CentOS release 6.5 防火墙操作
查看防火墙状态
[root@centos6 ~]# service iptables status
[root@centos6 init.d]# /etc/init.d/iptables status
开启防火墙
[root@centos6 ~]# service iptables start
[root@centos6 init.d]# /etc/init.d/iptables start
关闭防火墙
[root@centos6 ~]# service iptables stop
[root@centos6 init.d]# /etc/init.d/iptables stop
重启防火墙
[root@centos6 ~]# service iptables restart
[root@centos6 init.d]# /etc/init.d/iptables restart
开放端口
修改 /etc/sysconfig/iptables 文件（修改后需执行 service iptables restart 才能生效）
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
使用命令（直接插入规则，立即生效，但仅存在于内存中，重启后丢失；需执行 service iptables save 写入配置文件才能持久化）
修改防火墙设置，允许 3306 端口通过防火墙（该规则对任意来源开放，生产环境建议用 -s 限定来源网段）
[root@localhost etc]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
关闭端口（iptables 按顺序匹配规则：若该端口已有 ACCEPT 规则，DROP 规则需放在其之前，或直接删除对应的 ACCEPT 行；修改文件后同样需重启防火墙生效）
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7777 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
永久关闭防火墙（取消开机自启，不会停止当前正在运行的服务）
[root@localhost /]# chkconfig iptables off
永久关闭后重新启用防火墙（恢复开机自启）
[root@localhost /]# chkconfig iptables on
查看防火墙规则
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9090
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9001
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9527
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
查看防火墙规则并显示流量状况
[root@localhost ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
198K 98M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1609 246K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1478 81160 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
1304 73230 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9000
378 20056 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9090
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9001
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9527
35022 3324K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 305K packets, 309M bytes)
pkts bytes target prot opt in out source destination
CentOS release 7.6 防火墙操作
查看防火墙状态
[root@localhost firewalld]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-08-30 18:02:46 CST; 6 days ago
Docs: man:firewalld(1)
Main PID: 5262 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─5262 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Aug 30 18:02:45 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 30 18:02:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost firewalld]# firewall-cmd --state
running
开启防火墙
[root@localhost firewalld]# sudo systemctl start firewalld.service
关闭防火墙
[root@localhost firewalld]# sudo systemctl stop firewalld.service
取消开机启动
[root@localhost firewalld]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
设置开机启动
[root@localhost firewalld]# sudo systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
重启防火墙
[root@localhost firewalld]# firewall-cmd --reload
success
开放端口
查询端口是否开放
[root@localhost firewalld]# firewall-cmd --query-port=8000/tcp
no
临时开放端口（未加 --permanent，执行 firewall-cmd --reload 或重启后失效）
[root@localhost firewalld]# firewall-cmd --add-port=8000/udp
success
永久开放端口（--permanent 只写入配置文件，需执行 firewall-cmd --reload 后才对当前运行的规则生效）
[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@localhost ~]# firewall-cmd --list-ports
15672/tcp
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-ports
15627/tcp 80/tcp
[root@localhost ~]# vim /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="8000"/>
</zone>
关闭端口（--permanent 修改同样需执行 firewall-cmd --reload 后生效）
[root@localhost firewalld]# firewall-cmd --permanent --remove-port=8000/tcp
success
查看防火墙规则
[root@localhost firewalld]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@localhost firewalld]# vim /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
查看防火墙规则并显示流量状况