After the earlier series on Docker, I moved to the latest system and had to adapt to a number of changes introduced by CentOS 7.
Note: when using bridged networking in an Oracle VirtualBox CentOS 7 guest, remember to plug in a network cable; bridging over the wireless connection works poorly (a lesson that cost me a whole morning).
With a wired connection the guest can reach both the intranet and the Internet; otherwise only some CIDR blocks are reachable and there is no Internet access.
The command to show the addresses is: ip addr
For static IP configuration, see the earlier CentOS 6.4 notes (the eth1 example).
Back to the firewall (after installation, SSH access was refused):
CentOS 7 uses firewalld by default, unlike earlier versions, which used iptables. Configure the firewall as follows:
1. Stop firewalld: sudo systemctl stop firewalld.service
2. Disable it at boot: sudo systemctl disable firewalld.service
3. Install the iptables firewall
Run the following command to install the iptables service: sudo yum install iptables-services
4. Configure the iptables firewall and open the required ports (this works as in earlier versions and is widely documented online, so I will not go into it here)
5. Enable iptables at boot: sudo systemctl enable iptables
To open the Redis port, edit the firewall configuration file: vi /etc/sysconfig/iptables
Add the port rule:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6379:7000 -j ACCEPT
(the second form opens the whole range from 6379 to 7000)
Then save and reload the rules:
service iptables save
service iptables restart
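The edit above is easy to get wrong by hand: a rule appended after the chain's final REJECT is never reached, and a second edit silently duplicates the line. As an added example (not code from the original post), the script below inserts the Redis rule in front of the chain's REJECT, skips it if already present, and checks that the ACCEPT is ordered before the REJECT. It assumes the chain named in the post (RH-Firewall-1-INPUT) exists in the file, and takes the file path as a parameter so it can be tried on a copy of /etc/sysconfig/iptables first.

```shell
#!/bin/sh
# Added example (not code from the original post): open a port in an
# iptables-save style file such as /etc/sysconfig/iptables as the post does,
# but place the ACCEPT *before* the chain's final REJECT so it is reached,
# and skip the insert if the rule is already there. Assumes the chain
# (RH-Firewall-1-INPUT in the post) exists; FILE is a parameter on purpose.

# add_port_rule FILE CHAIN PORT   (PORT may be a range such as 6379:7000)
add_port_rule() {
    file=$1; chain=$2; port=$3
    rule="-A $chain -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    # idempotent: an identical line already present means nothing to do
    grep -qxF -- "$rule" "$file" && return 0
    awk -v chain="$chain" -v rule="$rule" '
        # insert right before the first REJECT of this chain, else before COMMIT
        !ins && $1 == "-A" && $2 == chain && /-j REJECT/ { print rule; ins = 1 }
        !ins && $1 == "COMMIT"                           { print rule; ins = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_reachable FILE CHAIN PORT: succeeds only if an ACCEPT for PORT comes
# before the chain's REJECT rule (rule order decides whether it ever matches)
rule_reachable() {
    awk -v chain="$2" -v port="$3" '
        $1 == "-A" && $2 == chain && /-j REJECT/ { rejected = 1 }
        $1 == "-A" && $2 == chain && /-j ACCEPT/ &&
            index($0, "--dport " port " ") && !rejected { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# make_sample_file FILE: writes a constructed rules file (sample data, not a
# real host) shaped like the one in the post, ending in the usual REJECT
make_sample_file() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

On the real file the calls would be add_port_rule /etc/sysconfig/iptables RH-Firewall-1-INPUT 6379 followed by service iptables restart; rule_reachable is the check to run before restarting.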
CentOS 7.0 uses firewalld as its firewall by default; here it is replaced with iptables.
1. Disable firewalld:
systemctl stop firewalld.service # stop the firewall
systemctl disable firewalld.service # prevent it from starting at boot
Firewall rules
A netfilter firewall is always sensitive to rule order, because a rule has no fixed position in its chain: adding or removing a rule in front of it changes its position. In the static firewall model, any change to the firewall means recreating a clean and complete firewall setting, limited to the features directly supported by system-config-firewall/lokkit. Rules added by other applications are not incorporated and remain unknown to the tool unless the custom rules file feature of s-c-fw/lokkit is used. There is usually no safe way to add or remove rules in a default chain without affecting other rules.
A dynamic firewall adds extra chains for its own functionality. These special chains are called in a defined order, so adding rules to them does not interfere with deny or drop rules called earlier. This makes it easier to build more sensible and complete firewall configurations.
The following are some of the rules created by the daemon, with ssh, mdns and ipp-client enabled in the public zone, as they appear in the filter table:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.133/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
The deny/allow model is used to give clear behaviour (ideally with no conflicting rules). For example, an ICMP block goes into the IN_ZONE_public_deny chain (if it is set for the public zone) and is processed before the IN_ZONE_public_allow chain.
This model makes it easier to add or remove rules for one specific block without interfering with the other blocks.