If turning the firewall off from the configuration menu does not work, the simplest option is not to install the firewall at installation time.
To view the firewall status:
/etc/init.d/iptables status
To temporarily turn off the firewall:
/etc/init.d/iptables stop
To restart iptables:
/etc/init.d/iptables restart
These take effect immediately but do not persist across a reboot.
Service mode (immediate effect):
Start: service iptables start
Stop: service iptables stop
Effective after reboot:
On: chkconfig iptables on
Off: chkconfig iptables off or /sbin/chkconfig --level 2345 iptables off
1. Add the rule to the configuration file. Before doing so, confirm that the port is not already closed by an earlier rule: iptables evaluates the rules in order, so the rule that opens a port must be placed before any rule that rejects traffic.
vim /etc/sysconfig/iptables
In the system's original configuration, add a line like this to the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 39764 -j ACCEPT
(On some Linux versions: -A INPUT -m state --state NEW -m tcp -p tcp --dport 39764 -j ACCEPT)
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 39764 -j ACCEPT
If the original file contains a -j REJECT statement, put the two lines above in front of it.
2. Open a port from the command line for external access:
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT # open port 80
/etc/rc.d/init.d/iptables save # save the configuration
/etc/rc.d/init.d/iptables restart # restart the service
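The ordering rule in step 1 is easy to get wrong by hand. The script below is an added example, not part of the original article: it reads an /etc/sysconfig/iptables-style file and reports whether an ACCEPT for a given port sits before the chain's first REJECT/DROP line (reachable), after it (shadowed, never matched), or is absent. The rules file it writes is constructed sample data; the chain name RH-Firewall-1-INPUT is the one used above.

```shell
#!/bin/sh
# Added example (not from the original article): check the ordering of an
# /etc/sysconfig/iptables-style rules file. iptables evaluates a chain top to
# bottom, so an ACCEPT placed after the chain's REJECT/DROP never matches.
# The rules file written here is constructed sample data.

write_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 39764 -j ACCEPT
COMMIT
EOF
}

# port_rule_position FILE CHAIN PORT
#   reachable : an ACCEPT for --dport PORT precedes the chain's first REJECT/DROP
#   shadowed  : the ACCEPT exists but sits after the REJECT/DROP (never reached)
#   missing   : no ACCEPT for that port in the chain
port_rule_position() {
  awk -v chain="$2" -v port="$3" '
    $1 == "-A" && $2 == chain {
      n++
      if (accept_at == 0 && $0 ~ ("--dport " port "( |$)") && $0 ~ / -j ACCEPT/) accept_at = n
      if (reject_at == 0 && ($0 ~ / -j REJECT/ || $0 ~ / -j DROP/)) reject_at = n
    }
    END {
      if (accept_at == 0) print "missing"
      else if (reject_at == 0 || accept_at < reject_at) print "reachable"
      else print "shadowed"
    }' "$1"
}

# Usage: write the sample file, then check the two ports from the article.
rules=$(mktemp)
write_sample_rules "$rules"
echo "port 22:    $(port_rule_position "$rules" RH-Firewall-1-INPUT 22)"      # reachable
echo "port 39764: $(port_rule_position "$rules" RH-Firewall-1-INPUT 39764)"   # shadowed
rm -f "$rules"
```

Run it against the real file with port_rule_position /etc/sysconfig/iptables RH-Firewall-1-INPUT 39764 after editing; "shadowed" means the new line landed below the REJECT and must be moved up.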
3. Check whether a port is in use on Linux
netstat -lntup
This lists every listening port and the program that owns it; pipe the output through grep to filter for the fields you want.
On Linux, the netstat command displays statistics for the IP, TCP, UDP, and ICMP protocols and is typically used to verify the network connectivity of each port on the machine.
netstat is a program that reads network and related information from the kernel, and it reports on TCP connections, TCP and UDP listeners, and process memory management.
If the machine occasionally receives datagrams that are corrupted or fail, that is not surprising: TCP/IP tolerates such errors and automatically resends datagrams.
But if the cumulative number of errors is a significant percentage of the IP datagrams received, or if that number is growing rapidly, use netstat to find out why.
-l or --listening: show the server sockets that are listening
-n or --numeric: show IP addresses directly instead of resolving them through DNS
-t or --tcp: show the connection status of the TCP transport protocol
-u or --udp: show the connection status of the UDP transport protocol
-p or --programs: show the PID and name of the program using each socket
For programs occupying port 22:
[root@host tmp]# netstat -tunlp | grep 22
tcp 0 0 0.0.0.0:42957 0.0.0.0:* LISTEN 2230/rpc.statd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2443/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2292/cupsd
tcp 0 0 :::22 :::* LISTEN 2443/sshd
tcp 0 0 ::1:631 :::* LISTEN 2292/cupsd
tcp 0 0 :::57609 :::* LISTEN 2230/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2211/avahi-daemon
udp 0 0 0.0.0.0:631 0.0.0.0:* 2292/cupsd
udp 0 0 0.0.0.0:37167 0.0.0.0:* 2230/rpc.statd
udp 0 0 0.0.0.0:52291 0.0.0.0:* 2211/avahi-daemon
udp 0 0 0.0.0.0:68 0.0.0.0:* 2207/dhclient
udp 0 0 0.0.0.0:710 0.0.0.0:* 2230/rpc.statd
udp 0 0 :::39834 :::* 2230/rpc.statd
To see which process occupies a specific port: lsof -i:PORT
[root@host ~]# lsof -i:21
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
pure-ftpd 2651 root 4u IPv4 7047 TCP *:ftp (LISTEN)
pure-ftpd 2651 root 5u IPv6 7048 TCP *:ftp (LISTEN)
This shows that port 21 is in use by pure-ftpd and the state is LISTEN.
4. netstat output analysis
[root@host ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 268 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED
udp 0 0 192.168.120.204:4371 10.58.119.119:domain ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823
unix 2 [ ] DGRAM 7539
unix 3 [ ] STREAM CONNECTED 7287
unix 3 [ ] STREAM CONNECTED 7286
Overall, the output of netstat can be divided into two parts:
One is Active Internet connections, the active TCP connections, where Recv-Q and Send-Q are the receive queue and the send queue. These figures should normally be 0. If they are not, packets are queued in the stack; this is seen only in rare cases.
The other is Active UNIX domain sockets, the active UNIX domain socket interfaces (the same as network sockets, but used only for local communication, which can roughly double performance).
Proto shows the protocol used by the connection, RefCnt is the number of processes attached to this socket, Type shows the socket type, State shows the current state of the socket, and Path is the pathname other processes use to connect to the socket.
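Two checks that follow from the listings above, as an added example that is not part of the original article: matching the local port exactly (the grep 22 listing above also matched 42957, 52291 and the PIDs 2230 and 2292), and picking out connections whose Recv-Q or Send-Q is not 0. Both netstat outputs embedded here are constructed sample data modelled on the article's listings; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): two awk helpers for netstat
# output. Both netstat outputs embedded below are constructed sample data.

# Sample "netstat -tunlp" output (listening sockets).
sample_listeners() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:42957           0.0.0.0:*               LISTEN      2230/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2443/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2292/cupsd
tcp        0      0 :::22                   :::*                    LISTEN      2443/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2211/avahi-daemon
udp        0      0 0.0.0.0:52291           0.0.0.0:*                           2211/avahi-daemon
EOF
}

# listeners_on_port PORT   (netstat -tunlp output on stdin)
# Matches the local port exactly. A plain "grep 22" also hits 52291 and the
# PIDs 2230 and 2292, so it cannot tell "port 22 in use" from noise.
listeners_on_port() {
  awk -v port="$1" '
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      sub(/.*:/, "", addr)          # text after the last colon is the port
      if (addr == port) print $1, $4, $NF
    }'
}

# port_in_use PORT   (netstat -tunlp output on stdin); exit 0 if something binds PORT
port_in_use() {
  [ -n "$(listeners_on_port "$1")" ]
}

# Sample plain "netstat" output (established connections).
sample_connections() {
  cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    268 192.168.120.204:ssh     10.2.0.68:62420         ESTABLISHED
tcp        0      0 192.168.120.204:ssh     10.2.0.70:50110         ESTABLISHED
udp        0      0 192.168.120.204:4371    10.58.119.119:domain    ESTABLISHED
EOF
}

# queued_connections   (netstat output on stdin)
# Prints connections whose Recv-Q or Send-Q is not 0, the case the article
# says should be rare and is worth a look.
queued_connections() {
  awk '$1 ~ /^(tcp|udp)6?$/ && ($2 + 0 > 0 || $3 + 0 > 0) { print $1, $4, $5, "recv-q=" $2, "send-q=" $3 }'
}

# Usage with the sample data; on a real host replace the sample_* call with netstat itself.
sample_listeners | listeners_on_port 22        # two sshd lines (IPv4 and IPv6)
sample_listeners | port_in_use 21 || echo "port 21 free"
sample_connections | queued_connections
```

On a live system the calls become netstat -tunlp | listeners_on_port 22 and netstat | queued_connections; port_in_use is convenient as a guard in a deployment script before binding a service.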
netstat options selecting the socket type:
-t or --tcp: TCP
-u or --udp: UDP
--raw: raw sockets
--unix: UNIX domain sockets
--ax25: AX.25
--ipx: IPX
--netrom: NET/ROM
How to turn off firewalls, view current status, open ports under Linux