Before this I used CentOS 6.5 and never learned it properly: I looked up whatever I needed at the time and forgot it afterwards. Most of the information on the web is also based on versions before CentOS 7.
In CentOS 7 the default firewall is no longer iptables but firewalld, and iptables has to be installed (or updated) and the iptables-services package installed before the iptables service can be used.
Disable/stop the built-in firewalld service and install the iptables service:
# First check whether iptables is installed
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables
yum update iptables
# Install iptables-services
yum install iptables-services
iptables Service
# Stop the firewalld service
systemctl stop firewalld
# Disable the firewalld service
systemctl mask firewalld
Disable/Stop your own FIREWALLD service
# View the existing iptables rules
iptables -L -n
# Allow everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
# Clear all default rules
iptables -F
# Clear all custom chains
iptables -X
# Reset all counters to 0
iptables -Z
# Allow packets from the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow related and established return traffic (set up for FTP): once a request from this host has been accepted, its replies are allowed in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic
iptables -P INPUT DROP
# Give all outbound traffic the green light
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic
iptables -P FORWARD DROP
Set the existing iptables rules
# To trust an intranet IP (accept all of its TCP requests):
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Filter all requests not matched by the rules above
iptables -P INPUT DROP
# To block an IP, use this command:
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock an IP, use this command:
iptables -D INPUT -s ***.***.***.*** -j DROP
Set other iptables rules
# Save the rules above
service iptables save
Save rules
# Register the iptables service (equivalent to the old "chkconfig iptables on")
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# View the status
systemctl status iptables.service
Start the iptables service
Resolving the issue where vsftpd cannot use passive mode after iptables is enabled
1. First, modify or add the following in /etc/sysconfig/iptables-config
# Add the following line; note that the order of the two modules cannot be reversed.
# They belong in one space-separated list: a second IPTABLES_MODULES= line would
# simply overwrite the first. On CentOS 7 kernels the modules are named
# nf_conntrack_ftp and nf_nat_ftp (ip_conntrack_ftp and ip_nat_ftp are the older names).
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
2. Reset the iptables settings
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Full setup script:
#!/bin/sh
# Open up first so that flushing cannot lock us out
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
# Loopback, SSH, FTP, HTTP, HTTPS, ping
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Replies to connections this host initiated
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default policies: drop inbound and forwarded, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Persist to /etc/sysconfig/iptables and reload
service iptables save
systemctl restart iptables.service
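The script above warns that flushing with a DROP policy in place can lock you out. As an added pre-flight check that is not part of the original post, the following POSIX shell script reads a ruleset in the iptables-save format that `service iptables save` writes to /etc/sysconfig/iptables and refuses it unless the loopback, SSH (tcp/22) and RELATED,ESTABLISHED rules are present under a DROP policy. The sample dump is constructed here, and `good_rules`, `bad_rules` and `check_ruleset` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, matching the ruleset built on this page.
good_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# The same ruleset with the SSH rule forgotten: restarting iptables with it
# would cut off every remote administrator.
bad_rules() {
  good_rules | grep -v -- '--dport 22 '
}

# check_ruleset: read an iptables-save dump on stdin; exit 0 only when it is
# safe to load on a remotely managed host (INPUT policy DROP, loopback accepted,
# tcp/22 accepted, return traffic accepted, and no rule that accepts all of INPUT).
check_ruleset() {
  awk '
    /^:INPUT DROP/                                              { policy = 1 }
    /^-A INPUT -i lo -j ACCEPT/                                 { lo = 1 }
    /^-A INPUT .*--dport 22 -j ACCEPT/                          { ssh = 1 }
    /^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT/  { est = 1 }
    /^-A INPUT -j ACCEPT$/                                      { wide_open = 1 }
    END {
      if (!policy)   print "WARN: INPUT policy is not DROP"
      if (!lo)       print "WARN: loopback traffic is not accepted"
      if (!ssh)      print "WARN: tcp/22 is not accepted; a restart would lock you out"
      if (!est)      print "WARN: RELATED,ESTABLISHED is not accepted"
      if (wide_open) print "WARN: INPUT accepts everything"
      exit !(policy && lo && ssh && est && !wide_open)
    }'
}

# Stand-alone run: the good dump passes, the bad one reports the missing SSH rule.
good_rules | check_ruleset && echo "sample ruleset OK"
bad_rules | check_ruleset || echo "sample ruleset rejected"
```

On a real host, run it as `check_ruleset < /etc/sysconfig/iptables` before `systemctl restart iptables.service`.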
Reprinted from: http://www.cnblogs.com/kreo/p/4368811.html
CentOS 7: installing the iptables service, and common commands