The earlier CentOS middleware installation write-ups in this series all assumed the firewall was turned off. In practice you may find that a port cannot be reached. On an ECS cloud server you can open or close port access by editing the instance's security-group policy, but on your own machine you have to either stop the firewall or open access to the specific ports yourself. Stopping the firewall exposes every listening service on the host to any network, so opening only the ports you need is the safer option; both are covered below for CentOS 7 and CentOS 6.
First, confirm the server's OS version:
shell> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
CentOS 7
1. The firewalld service
1) Check the status
Active: active (running) means the firewall is running:
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2020-04-06 00:03:45 CST; 2s ago
Docs: man:firewalld(1)
Main PID: 5463 (firewalld)
CGroup: /system.slice/firewalld.service
└─5463 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Active: inactive (dead) means the firewall is stopped:
shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
2) Start & stop
Start
shell> systemctl start firewalld
Stop
shell> systemctl stop firewalld
Restart
shell> systemctl restart firewalld
3) Start on boot
Enable at boot
shell> systemctl enable firewalld
Disable at boot
shell> systemctl disable firewalld
In summary, the blunt way to shut the firewall off completely on CentOS 7 is:
shell> systemctl stop firewalld
shell> systemctl disable firewalld
The two commands are independent: stop only affects the running system, and a unit that is still enabled comes back at the next boot (the status output above shows the reverse combination, a unit that is disabled yet active). Run both, and only on hosts where every listening service is meant to be reachable from any network.
2. The firewall-cmd command
1) Check the state
running means the firewall is up:
shell> firewall-cmd --state
running
not running means the firewall is down:
shell> firewall-cmd --state
not running
2) List the firewall rules (everything bound to the default zone, public here):
shell> firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: ssh dhcpv6-client
ports: 3888/tcp 2181/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
3) Port control
List all opened ports
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
Check whether a given port is open (the command also exits 0 for yes and 1 for no, so it can be used in scripts)
shell> firewall-cmd --query-port=3306/tcp
no
shell> firewall-cmd --query-port=2181/tcp
yes
Add a port. --permanent writes only the saved configuration; the running firewall does not change until --reload:
shell> firewall-cmd --add-port=2888/tcp --permanent
success
shell> firewall-cmd --reload
success
# Verify it was added
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 2888/tcp
Remove a port
shell> firewall-cmd --remove-port=2888/tcp --permanent
success
shell> firewall-cmd --reload
success
# 查看是否删除成功
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp
Add a port range
shell> firewall-cmd --add-port=65001-65010/tcp --permanent
success
shell> firewall-cmd --reload
success
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 65001-65010/tcp
Reload (required after any --permanent change). Reload replaces the runtime configuration with the saved one, so changes made without --permanent are lost at that point; to open a port immediately and keep it across reloads and reboots, run the add command once without --permanent and once with it.
shell> firewall-cmd --reload
success
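The port-control commands above wrapped in a script, as an added example that is not from the original post: a POSIX sh helper that validates a PORT/PROTO or RANGE/PROTO spec, then adds it to both the runtime and the permanent configuration and verifies both views with --query-port (exit 0 for yes, 1 for no). The function names and the open/close arguments are this example's own; the firewall-cmd calls need firewalld on the host, while the validator runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: a thin wrapper around
# firewall-cmd. --add-port with --permanent alone changes nothing until
# --reload; without --permanent the change is lost at the next reload. The
# helpers below do both and then verify both views. Function names are ours.

# valid_port_spec SPEC -> exit 0 if SPEC looks like 2888/tcp or 65001-65010/tcp
valid_port_spec() {
  spec=$1
  case "$spec" in
    */tcp|*/udp) ;;                            # --add-port takes tcp or udp
    *) return 1 ;;
  esac
  ports=${spec%/*}
  case "$ports" in *-*-*) return 1 ;; esac     # at most one dash (a range)
  lo=${ports%%-*}
  hi=${ports##*-}
  for n in "$lo" "$hi"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac # digits only, non-empty
  done
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_open_port SPEC: add SPEC to the running firewall and to the saved config,
# then confirm that both the runtime and the permanent view report it.
fw_open_port() {
  valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 2; }
  firewall-cmd --add-port="$1" >/dev/null || return 1              # runtime, immediate
  firewall-cmd --permanent --add-port="$1" >/dev/null || return 1  # saved, survives reload
  firewall-cmd --query-port="$1" >/dev/null &&
    firewall-cmd --permanent --query-port="$1" >/dev/null
}

# fw_close_port SPEC: the mirror image of fw_open_port.
fw_close_port() {
  valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 2; }
  firewall-cmd --remove-port="$1" >/dev/null || return 1
  firewall-cmd --permanent --remove-port="$1" >/dev/null || return 1
  ! firewall-cmd --query-port="$1" >/dev/null &&
    ! firewall-cmd --permanent --query-port="$1" >/dev/null
}

# Usage: sh fwport.sh open 2888/tcp   |   sh fwport.sh close 65001-65010/tcp
if [ $# -gt 0 ]; then
  case "$1" in
    open)  fw_open_port "${2:-}" ;;
    close) fw_close_port "${2:-}" ;;
    *)     echo "usage: $0 open|close PORT[-PORT]/tcp|udp" >&2; exit 2 ;;
  esac
fi
```

Validating before calling firewall-cmd matters when the port comes from a variable or a deployment tool: a malformed spec is rejected up front instead of half-applied, and the final query pair catches the common mistake of a rule that exists in one configuration but not the other.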
CentOS 6
1. Check the status
Firewall running. Note the ordering in this output: rules 22-24 sit below rule 21, the catch-all REJECT, and iptables stops at the first matching rule, so those three ACCEPT rules never match anything:
shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9200
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9000
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7002
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15672
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15672
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8010
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8769
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6379
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5672
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15672
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2181
16 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
17 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
18 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
20 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
21 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7002
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001
24 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8888
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Firewall stopped:
shell> service iptables status
iptables: Firewall is not running.
2. Start & stop
Start the firewall
shell> service iptables start
iptables: Applying firewall rules: [ OK ]
Stop the firewall
shell> service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
Restart the firewall
shell> service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
3. Start on boot
Enable at boot
shell> chkconfig iptables on
Disable at boot
shell> chkconfig iptables off
In summary, the blunt way to shut the firewall off completely on CentOS 6 is:
shell> service iptables stop
shell> chkconfig iptables off
As on CentOS 7, this leaves every listening service reachable from any network; opening only the ports you need, as described next, is preferable.
4. Open a specific port
shell> vim /etc/sysconfig/iptables
Add the following line (assuming the port to open is 2888). Put it above the -A INPUT -j REJECT --reject-with icmp-host-prohibited line, not at the end of the file: iptables evaluates the chain top-down, so a rule appended after the catch-all REJECT is never reached (rules 22-24 in the status output above are exactly that case):
-A INPUT -p tcp -m tcp --dport 2888 -j ACCEPT
Restart the firewall so the file is reapplied, then confirm that the new rule is listed before the REJECT rule:
shell> service iptables restart
shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
...
16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2888
...
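The procedure in this section done as a script, as an added example that is not part of the original post: a POSIX sh helper that inserts the ACCEPT line into a CentOS 6 style /etc/sysconfig/iptables directly above the INPUT chain's catch-all REJECT (so it cannot end up dead like rules 22-24 in the status output above), together with a check that lists INPUT rules already stranded below that REJECT. The file path is a parameter, the sample rules file is constructed for the example in the CentOS 6 default layout, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Edits a CentOS 6 style
# /etc/sysconfig/iptables so that a new ACCEPT rule lands above the INPUT
# chain's catch-all REJECT; anything below that REJECT is never evaluated.
# Function names and the sample rules file are this example's own.

# write_sample_rules FILE: a constructed rules file in the CentOS 6 default
# layout; the 7002 line is deliberately placed below the REJECT as a dead rule.
write_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# dead_input_rules FILE: print INPUT rules that sit below the INPUT REJECT.
dead_input_rules() {
  awk '/^-A INPUT .*-j REJECT/ { dead = 1; next }
       dead && /^-A INPUT / { print }' "$1"
}

# rule_is_live FILE RULE: exit 0 if RULE appears verbatim above the INPUT REJECT.
rule_is_live() {
  awk -v rule="$2" '
    /^-A INPUT .*-j REJECT/ { exit }
    $0 == rule { found = 1; exit }
    END { exit found ? 0 : 1 }' "$1"
}

# add_accept_rule FILE PORT [PROTO]: insert the ACCEPT rule immediately above the
# INPUT REJECT. Idempotent. Exit 2 on a bad port; exit 1 if the file has no INPUT
# REJECT (the chain then already accepts everything and the edit is pointless).
add_accept_rule() {
  file=$1
  port=$2
  proto=${3:-tcp}
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
  rule="-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
  rule_is_live "$file" "$rule" && return 0
  grep -q '^-A INPUT .*-j REJECT' "$file" || return 1
  tmp=$(mktemp) || return 1
  if awk -v rule="$rule" '
       !done && /^-A INPUT .*-j REJECT/ { print rule; done = 1 }
       { print }' "$file" > "$tmp"
  then
    cat "$tmp" > "$file"   # overwrite in place so the file keeps its owner and 0600 mode
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage: sh open-port.sh /etc/sysconfig/iptables 2888 [tcp|udp]
# then "service iptables restart" to load the edited file.
if [ $# -ge 2 ]; then
  add_accept_rule "$@"
fi
```

The script only edits the file; run service iptables restart afterwards and check service iptables status as shown above. A rule that already exists below the REJECT is left where it is and still shows up in dead_input_rules, which is the signal to clean up the file by hand.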