How to replace the firewalld firewall that ships with CentOS 7 with iptables
If you are used to iptables from CentOS 6, firewalld on CentOS 7 feels unfamiliar. The steps below switch the host back to the classic iptables service: stop and disable firewalld, install iptables-services, check the ruleset it will load, and enable it at boot. Do the first two steps back to back: once firewalld is stopped its rules are gone, and the host runs unfiltered until iptables.service has applied /etc/sysconfig/iptables.
1. Stop firewalld

[root@centos7 html]# systemctl stop firewalld      # stop firewalld
[root@centos7 html]# systemctl disable firewalld   # do not start firewalld at boot
[root@centos7 html]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Aug 18 22:22:51 centos7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 18 22:22:53 centos7 systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 18 23:13:56 centos7 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Aug 18 23:14:06 centos7 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Aug 18 23:34:07 centos7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 18 23:34:09 centos7 systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 18 23:34:19 centos7 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Aug 18 23:34:26 centos7 systemd[1]: Stopped firewalld - dynamic firewall daemon.

"disabled" only removes firewalld from the boot sequence; another unit or a later systemctl start can still bring it back, and firewalld and iptables.service must not manage the same netfilter tables at the same time. To rule that out, also run systemctl mask firewalld.
2. Install and start the iptables service

The iptables binaries are already present on CentOS 7 (firewalld itself uses them); what the iptables-services package adds is iptables.service, ip6tables.service and the rules files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables that those units load.

[root@centos7 html]# yum install -y iptables iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * extras: mirrors.sohu.com
 * updates: mirrors.163.com
Package iptables-1.4.21-17.el7.x86_64 already installed and latest version
Package iptables-services-1.4.21-17.el7.x86_64 already installed and latest version
Nothing to do
[root@centos7 html]# systemctl start iptables
[root@centos7 html]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2017-08-18 23:39:14 CST; 14s ago
  Process: 3494 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 3494 (code=exited, status=0/SUCCESS)

Aug 18 23:39:13 centos7 systemd[1]: Starting IPv4 firewall with iptables...
Aug 18 23:39:14 centos7 iptables.init[3494]: iptables: Applying firewall rules: [  OK  ]
Aug 18 23:39:14 centos7 systemd[1]: Started IPv4 firewall with iptables.

The CentOS 6 style service command still works; it is simply redirected to systemctl:

[root@centos7 html]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2017-08-18 23:39:14 CST; 28s ago
  Process: 3494 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 3494 (code=exited, status=0/SUCCESS)

Aug 18 23:39:13 centos7 systemd[1]: Starting IPv4 firewall with iptables...
Aug 18 23:39:14 centos7 iptables.init[3494]: iptables: Applying firewall rules: [  OK  ]
Aug 18 23:39:14 centos7 systemd[1]: Started IPv4 firewall with iptables.

"active (exited)" is normal: the unit is a one-shot script that loads the rules into the kernel and exits; there is no daemon. Note that the unit is still "disabled" at this point; step 4 takes care of that.
3. Inspect the loaded rules and the iptables configuration file

[root@centos7 html]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@centos7 html]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

A few things worth checking in this output. iptables -L resolves ports and addresses to names (ssh, mysql, http, anywhere); use iptables -nL to see the raw numbers and avoid slow reverse DNS lookups, and iptables -nvL --line-numbers to see hit counters and rule positions. The rule for --dport 22 must come before the final catch-all REJECT, otherwise you lock yourself out of SSH the moment the rules are applied; if sshd listens on another port, change 22 here before going further. The third rule ("ACCEPT all -- anywhere anywhere") is the -i lo rule; the interface is only visible with -v. Finally, this ruleset accepts new connections to tcp/3306 (MySQL) from any source; if the database only needs to be reached locally or from specific application hosts, remove that rule or restrict it with -s. Rules added live with iptables -A are not written back to this file; run service iptables save (or iptables-save > /etc/sysconfig/iptables) afterwards, or they are lost on the next restart.
4. Enable iptables at boot

[root@centos7 html]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@centos7 html]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2017-08-18 23:41:19 CST; 2min 22s ago
 Main PID: 3603 (code=exited, status=0/SUCCESS)

Aug 18 23:41:19 centos7 systemd[1]: Starting IPv4 firewall with iptables...
Aug 18 23:41:19 centos7 iptables.init[3603]: iptables: Applying firewall rules: [  OK  ]
Aug 18 23:41:19 centos7 systemd[1]: Started IPv4 firewall with iptables.

The unit now reads "enabled". firewalld also filtered IPv6; to keep that coverage, enable and start ip6tables the same way (systemctl enable ip6tables; systemctl start ip6tables), which loads /etc/sysconfig/ip6tables.
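The four steps above as one script, with the lock-out check a practitioner wants before flipping firewalls on a remote host. This is an added example, not code from the original post; it assumes a CentOS 7 host run as root with the stock iptables-services paths, and the names SSH_PORT, ruleset_allows_port, switch_to_iptables and SAMPLE_RULES are chosen for this example (SAMPLE_RULES is a constructed ruleset modelled on the file shown in step 3).

```shell
#!/bin/bash
# Added example, not from the original post: switch a CentOS 7 host from
# firewalld to iptables-services, refusing to proceed if the saved ruleset
# would lock SSH out. Assumes root, CentOS 7 and the stock iptables-services
# paths; SSH_PORT and the function names are chosen for this example.
set -eu

RULES_FILE=/etc/sysconfig/iptables     # what iptables.service loads at start
SSH_PORT="${SSH_PORT:-22}"

# Read an iptables-save style ruleset on stdin and return 0 if the *filter
# INPUT chain ACCEPTs TCP traffic to port $1 before a catch-all REJECT/DROP
# (a rule with no match criteria, like the last INPUT rule in step 3).
# Rules using multiport/--dports are not recognised; extend if you use them.
ruleset_allows_port() {
    local port="$1"
    awk -v port="$port" '
        /^\*/ { table = $1; next }               # *filter, *nat, ... headers
        table != "*filter" || $1 != "-A" || $2 != "INPUT" { next }
        /-p tcp/ && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { found = 1; exit }
        /^-A INPUT -j (REJECT|DROP)/ { exit }    # catch-all reached: later rules never match
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample (modelled on the /etc/sysconfig/iptables shown in step 3)
# so the check can be exercised without touching the live system.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

switch_to_iptables() {
    yum install -y iptables iptables-services

    # Gate: once firewalld is stopped, $RULES_FILE is the whole firewall.
    if ! ruleset_allows_port "$SSH_PORT" < "$RULES_FILE"; then
        echo "refusing: $RULES_FILE has no ACCEPT for tcp/$SSH_PORT" >&2
        return 1
    fi

    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld           # nothing may start it next to iptables

    # ip6tables.service ships in the same package; firewalld filtered v6 too.
    systemctl enable iptables ip6tables
    systemctl start iptables ip6tables

    # Post-checks: exactly one firewall running, and SSH really let in.
    if systemctl is-active --quiet firewalld; then
        echo "firewalld is still active" >&2
        return 1
    fi
    systemctl is-active --quiet iptables
    iptables-save | ruleset_allows_port "$SSH_PORT"
}

# Only act when asked explicitly, so sourcing the file just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
    switch_to_iptables
fi
```

Run it as ./switch.sh --apply from a console or an out-of-band session rather than over the SSH connection you are protecting; if the gate refuses, edit the rules file first. The check deliberately inspects the file before firewalld is stopped, because the window between "firewalld stopped" and "iptables started" is the moment a missing SSH rule turns into a lock-out.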