CentOS 6 & 7 Firewall Settings

The earlier series of CentOS middleware installation tutorials assumed the firewall was turned off. In practice you may find that a port is unreachable. On an ECS cloud server you can open or close port access by editing the security-group policy, but on your own machine you have to stop the firewall by hand (or open access to the specific ports you need). Below are the common firewall settings for CentOS 7 and CentOS 6.

First, confirm the server's OS version:

shell> cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

CentOS 7

1. The firewalld service

1) Check status

Active: active (running) means the firewall is running.

shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-04-06 00:03:45 CST; 2s ago
     Docs: man:firewalld(1)
 Main PID: 5463 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5463 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Active: inactive (dead) means the firewall is stopped.

shell> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

2) Start & stop

Start

shell> systemctl start firewalld

Stop

shell> systemctl stop firewalld

Restart

shell> systemctl restart firewalld

3) Start on boot

Enable start on boot

shell> systemctl enable firewalld

Disable start on boot

shell> systemctl disable firewalld

In short, the quick-and-dirty way to turn the firewall off completely on CentOS 7 is:

shell> systemctl stop firewalld
shell> systemctl disable firewalld

This exposes every listening service to any network the host is attached to. On anything internet-facing, keep firewalld running and open only the ports you need, using the firewall-cmd commands in the next section.

2. The firewall-cmd command

1) Check state

running means the firewall is on.

shell> firewall-cmd --state
running

not running means the firewall is not running.

shell> firewall-cmd --state
not running

2) List the firewall rules (for the active zone; in the listing below, zone public is bound to interface enp2s0, allows the ssh and dhcpv6-client services, and has ports 3888/tcp and 2181/tcp open)

shell> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh dhcpv6-client
  ports: 3888/tcp 2181/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

3) Port control

List all open ports

shell> firewall-cmd --list-ports
3888/tcp 2181/tcp

Check whether a specific port is open

shell> firewall-cmd --query-port=3306/tcp
no
shell> firewall-cmd --query-port=2181/tcp
yes

Add a port

shell> firewall-cmd --add-port=2888/tcp --permanent
success
shell> firewall-cmd --reload
success
# verify the port was added
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 2888/tcp

Remove a port

shell> firewall-cmd --remove-port=2888/tcp --permanent   
success
shell> firewall-cmd --reload    
success
# verify the port was removed
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp

Add a port range

shell> firewall-cmd --add-port=65001-65010/tcp --permanent
success
shell> firewall-cmd --reload
success
shell> firewall-cmd --list-ports
3888/tcp 2181/tcp 65001-65010/tcp

Reload (required after changing permanent rules: --permanent only edits the saved configuration, and the live ruleset does not change until --reload; note that --reload also discards any runtime-only changes that were made without --permanent)

shell> firewall-cmd --reload    
success
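The add-port, reload and verify procedure above, written out as a script with the checks a practitioner wants; this is an added example, not code from the original post. It assumes firewall-cmd is on PATH and that the script runs as root on the CentOS 7 host. The FWCMD variable and the function names valid_port_spec, fw_open_port and fw_port_drift are assumptions introduced here (FWCMD exists so the binary can be swapped for a stub when testing).

```shell
#!/bin/sh
# Added example (not from the original post): open a port on CentOS 7 in
# BOTH the running firewall and the saved (permanent) configuration, verify
# each, and report drift between the two views. FWCMD is an assumed variable
# so the firewall-cmd binary can be swapped out for testing.
FWCMD=${FWCMD:-firewall-cmd}

# Accept "2888/tcp" or "65001-65010/udp" and nothing else, so a typo or a
# hostile value never reaches firewall-cmd. Returns 0 if valid.
valid_port_spec() {
  spec=$1
  port=${spec%/*}
  proto=${spec#*/}
  # exactly one "/" separating port(s) from protocol
  [ "$port/$proto" = "$spec" ] || return 1
  case "$proto" in tcp|udp) ;; *) return 1 ;; esac
  lo=${port%-*}
  hi=${port#*-}
  case "$lo" in ''|*[!0-9]*) return 1 ;; esac
  case "$hi" in ''|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
  return 0
}

# Open the port now AND persistently, then prove both views show it.
# --permanent alone only edits the saved config (live rules unchanged until
# --reload); a bare --add-port only edits the live rules (gone after reload).
fw_open_port() {
  spec=$1
  valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
  $FWCMD --permanent --add-port="$spec" >/dev/null || return 1
  $FWCMD --add-port="$spec" >/dev/null || return 1
  $FWCMD --permanent --query-port="$spec" >/dev/null || return 1
  $FWCMD --query-port="$spec" >/dev/null || return 1
}

# List ports present in only one of the two views. Returns 1 if any drift.
fw_port_drift() {
  rt=$($FWCMD --list-ports | tr ' ' '\n' | grep -v '^$' | sort -u)
  pm=$($FWCMD --permanent --list-ports | tr ' ' '\n' | grep -v '^$' | sort -u)
  drift=0
  for p in $rt; do
    echo "$pm" | grep -qxF -e "$p" || { echo "runtime-only (lost on --reload): $p"; drift=1; }
  done
  for p in $pm; do
    echo "$rt" | grep -qxF -e "$p" || { echo "permanent-only (not live until --reload): $p"; drift=1; }
  done
  return $drift
}

# Usage: sh fw-port.sh 2888/tcp   (run as root on the CentOS 7 host)
if [ $# -gt 0 ]; then
  fw_open_port "$1" && echo "opened $1 in runtime and permanent config"
  fw_port_drift && echo "runtime and permanent port lists agree"
fi
```

Ports are added to the default zone (public in the listing above); add --zone=<name> to each firewall-cmd call to target another zone. Running fw_port_drift before any --reload is worthwhile, because a port that exists only in the runtime view disappears silently when the permanent configuration is reloaded.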

CentOS 6

1. Check status

Firewall running. Note in the listing below that rules 22 to 24 come after the unconditional REJECT at rule 21 and can therefore never match: iptables evaluates a chain top to bottom, and that REJECT terminates traversal for every packet that reaches it. A new ACCEPT rule has to be placed above the REJECT (see section 4).

shell> service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8888 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9200 
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9000 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8000 
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8082 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8010 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8769 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:6379 
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5672 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15672 
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2181 
16   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
17   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
18   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
21   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7002 
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8001 
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 8888 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Firewall stopped

shell> service iptables status
iptables: Firewall is not running.

2. Start & stop

Start the firewall

shell> service iptables start
iptables: Applying firewall rules:                         [  OK  ]

Stop the firewall

shell> service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Restart the firewall

shell> service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

3. Start on boot

Enable start on boot

shell> chkconfig iptables on

Disable start on boot

shell> chkconfig iptables off

In short, the quick-and-dirty way to turn the firewall off completely on CentOS 6 is:

shell> service iptables stop
shell> chkconfig iptables off

As with CentOS 7, this leaves every listening service reachable from any attached network; on an internet-facing host, keep iptables running and open only the ports you need, as in section 4 below.

4. Open a specific port

shell> vim /etc/sysconfig/iptables

Add the following line (assuming the port to open is 2888). Put it above the line -A INPUT -j REJECT --reject-with icmp-host-prohibited rather than at the end of the file: a rule appended after that unconditional REJECT is never reached.

-A INPUT -p tcp -m tcp --dport 2888 -j ACCEPT

Restart the firewall and verify that the new rule is listed above the REJECT rule:

shell> service iptables restart
shell> service iptables status    
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
... 
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2888 
...
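The edit in step 4, done as a script that places the rule above the catch-all REJECT and flags rules already shadowed by it; this is an added example, not the original post's own procedure. It works on any /etc/sysconfig/iptables-style file given as an argument, so it can be tried on a copy first. The function names are chosen for this example, and the ruleset written by write_sample_rules is constructed for the self-test (the CentOS 6 default layout plus one shadowed rule), not a real configuration.

```shell
#!/bin/sh
# Added example (not from the original post): edit an /etc/sysconfig/iptables
# style file so a new ACCEPT rule lands ABOVE the catch-all REJECT, and list
# rules that are already shadowed by it. The file path is a parameter so you
# can test on a copy before running "service iptables restart".

# Print the rule line in iptables-save syntax (same form as the post uses).
accept_rule() {
  printf '%s\n' "-A INPUT -p $2 -m $2 --dport $1 -j ACCEPT"
}

# Insert an ACCEPT rule for a port before the unconditional REJECT in INPUT
# (the CentOS 6 default "-A INPUT -j REJECT --reject-with icmp-host-prohibited").
# Falls back to inserting before COMMIT if the file has no such REJECT.
# Idempotent: an identical existing rule is left alone. Returns 2 on a bad
# port or protocol, 1 if neither anchor line is found.
open_port_in_file() {
  file=$1; port=$2; proto=${3:-tcp}
  case "$port" in ''|*[!0-9]*) return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
  case "$proto" in tcp|udp) ;; *) return 2 ;; esac
  rule=$(accept_rule "$port" "$proto")
  if grep -qxF -e "$rule" "$file"; then
    return 0
  fi
  tmp="$file.tmp.$$"
  awk -v rule="$rule" '
    !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
    !done && /^COMMIT$/            { print rule; done = 1 }
    { print }
    END { if (!done) exit 1 }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$file"
}

# Print INPUT rules that follow the unconditional REJECT: they never match.
# (In the "service iptables status" output above, rules 22-24 are of this kind.)
shadowed_rules() {
  awk '
    /^-A INPUT -j REJECT/ { rejected = 1; next }
    rejected && /^-A INPUT / { print }
  ' "$1"
}

# Constructed sample in the CentOS 6 default layout, with one shadowed rule,
# written to the path given; used for the self-test, not a real config.
write_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
COMMIT
EOF
}

# Usage: sh open-port.sh /etc/sysconfig/iptables 2888 [tcp|udp]
# then:  service iptables restart
if [ $# -ge 2 ]; then
  open_port_in_file "$1" "$2" "${3:-tcp}" && echo "rule added to $1"
  echo "shadowed rules (never reached):"; shadowed_rules "$1"
fi
```

After the edit, service iptables restart loads the file, exactly as in the post. Running shadowed_rules on the live file before editing is a cheap way to find ACCEPT rules that were appended below the REJECT at some point and have never actually been in effect.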

 
