linux 基础操作(九) 防火墙操作

查看系统版本

[root@localhost writecardpro]# cat /etc/issue  
CentOS release 6.5 (Final)
Kernel \r on an \m
[root@localhost etc]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

CentOS release 6.5 防火墙操作

查看防火墙状态

[root@centos6 ~]# service iptables status
[root@centos6 init.d]# /etc/init.d/iptables status

开启防火墙

[root@centos6 ~]# service iptables start
[root@centos6 init.d]# /etc/init.d/iptables start

关闭防火墙

[root@centos6 ~]# service iptables stop
[root@centos6 init.d]# /etc/init.d/iptables stop

重启防火墙

[root@centos6 ~] service iptables  restart
[root@centos6 init.d]# /etc/init.d/iptables restart

开放端口

修改 /etc/sysconfig/iptables 文件
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
使用命令
修改防火墙设置,3306可以通过防火墙
[root@localhost etc]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

关闭端口

[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7777 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

永久关闭防火墙

[root@localhost /]# chkconfig iptables off

永久关闭后启用防火墙

[root@localhost /]# chkconfig iptables on

查看防火墙规则

[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9090 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9001 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9527 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

查看防火墙规则并显示流量状况

[root@localhost ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 198K   98M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
 1609  246K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    5   260 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
 1478 81160 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
 1304 73230 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9000 
  378 20056 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9090 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9001 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9527 
35022 3324K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 305K packets, 309M bytes)
 pkts bytes target     prot opt in     out     source               destination 

CentOS release 7.6 防火墙操作

查看防火墙状态

[root@localhost firewalld]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-08-30 18:02:46 CST; 6 days ago
     Docs: man:firewalld(1)
 Main PID: 5262 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─5262 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 30 18:02:45 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 30 18:02:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost firewalld]# firewall-cmd --state
running

开启防火墙

[root@localhost firewalld]# sudo systemctl start firewalld.service

关闭防火墙

[root@localhost firewalld]# sudo systemctl stop firewalld.service

取消开机启动

[root@localhost firewalld]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

设置开机启动

[root@localhost firewalld]# sudo systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

重启防火墙

[root@localhost firewalld]# firewall-cmd --reload
success

开放端口

查询端口是否开放
[root@localhost firewalld]# firewall-cmd --query-port=8000/tcp
no
临时开放端口
[root@localhost firewalld]# firewall-cmd  --add-port=8000/udp
success
永久开放端口
[root@localhost firewalld]# firewall-cmd --permanent --add-port=8000/tcp
success

关闭端口

[root@localhost firewalld]# firewall-cmd --permanent --remove-port=8000/tcp
success

查看防火墙规则

[root@localhost firewalld]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:  
[root@localhost firewalld]# vim /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
  

查看防火墙规则并显示流量状况

上一篇 linux 基础操作(八)
下一篇 linux 基础操作(十)设置固定 ip