1

之前总结的一系列CentOS安装中间件的教程,都是假设在防火墙关闭的情况下进行的,在实战中可能会遇到端口不通等情况,如果是ECS云服务器,可以通过修改安全组策略的方式开启或关闭端口访问,但如果是自己的机器,需要手动关闭防火墙(或开启指定端口的访问),下面就介绍下CentOS 7和CentOS 6防火墙的常用设置

首先,确认服务器操作系统版本:

shell> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

CentOS 7

1、firewall服务

1)查看状态
Active: active (running),防火墙已开启
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-06 00:03:45 CST; 2s ago
     Docs: man:firewalld(1)
 Main PID: 5463 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5463 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Active: inactive (dead),防火墙已关闭
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
2)启动&停止
启动
shell> systemctl start firewalld
停止
shell> systemctl stop firewalld
重启
shell> systemctl restart firewalld
3)开机自启动
允许开机启动
shell> systemctl enable firewalld
禁止开机启动
shell> systemctl disable firewalld

综上,CentOS 7如果想简单粗暴的彻底关闭防火墙,直接执行:

shell> systemctl stop firewalld
shell> systemctl disable firewalld

2、firewall命令

1)查看状态
running,防火墙已开启
shell> firewall-cmd --state
running
not running,防火墙未开启
shell> firewall-cmd --state
not running
2)查看防火墙规则
shell> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh dhcpv6-client
  ports: 3888/tcp 2181/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
3)端口控制
查看所有开启的端口
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
查看指定端口是否开启
shell> firewall-cmd --query-port=3306/tcp
no
shell> firewall-cmd --query-port=2181/tcp
yes
添加端口
shell> firewall-cmd --add-port=2888/tcp --permanent  
success
shell> firewall-cmd --add-port=65001-65010/tcp --permanent
shell> firewall-cmd --reload
success
# 查看是否添加成功
shell> firewall-cmd --list-ports                   
3888/tcp 2181/tcp 2888/tcp
删除端口
shell> firewall-cmd --remove-port=2888/tcp --permanent   
success
shell> firewall-cmd --reload    
success
# 查看是否删除成功
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
范围添加
shell> firewall-cmd --add-port=65001-65010/tcp --permanent
success
shell> firewall-cmd --reload
success
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 65001-65010/tcp
重新加载(修改防火墙规则后需要执行reload)
shell> firewall-cmd --reload    
success

CentOS 6

1、查看状态
防火墙已开启
shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8888 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9200 
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9000 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8000 
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8082 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8010 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8769 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6379 
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5672 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2181 
16   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
17   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
18   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
21   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8001 
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 8888 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
防火墙已关闭
shell> service iptables status
iptables: Firewall is not running.
2、启动&停止
开启防火墙
shell> service iptables start
iptables: Applying firewall rules:                         [  OK  ]
关闭防火墙
shell> service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
重启防火墙
shell> service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
3、开机自启动
允许开机启动
shell> chkconfig iptables on
禁止开机启动
shell> chkconfig iptables off

综上,CentOS 6如果想简单粗暴的彻底关闭防火墙,直接执行:

shell> service iptables stop
shell> chkconfig iptables off
4、开放指定端口
shell> vim /etc/sysconfig/iptables

添加以下内容(假设要开放的端口为”2888“)

-A INPUT -p tcp -m tcp --dport 2888 -j ACCEPT

重启防火墙

shell> service iptables restart
shell> service iptables status    
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
... 
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2888 
...

tianranll
68 声望2 粉丝