CentOS 7: opening ports (using firewalld or iptables)

CentOS versions below 7 use iptables as the firewall; CentOS 7 and above use firewalld. Since firewalld is the default on CentOS 7, let's first look at opening a port with firewalld.

1. Opening ports with firewalld

(1) Check the firewall status

[root@Tracy sysconfig]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Apr 20 03:33:27 Tracy systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 20 03:33:27 Tracy firewalld[12840]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:34:47 Tracy systemd[1]: Stopping firewalld - dynamic firewall daemon...
Apr 20 03:34:47 Tracy systemd[1]: Stopped firewalld - dynamic firewall daemon.
Apr 20 03:37:11 Tracy systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 03:37:11 Tracy systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 20 03:37:11 Tracy firewalld[12982]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:40:26 Tracy firewalld[12982]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:41:15 Tracy systemd[1]: Stopping firewalld - dynamic firewall daemon...
Apr 20 03:41:15 Tracy systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

If you see the output above, the firewall is not running: go to step (2). If you see the output below, the firewall is already running: go to step (3). Ports can only be opened or closed while the firewall is running; once the settings are done, the firewall is stopped again.

[root@Tracy sysconfig]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-04-20 03:37:11 CST; 13s ago
     Docs: man:firewalld(1)
 Main PID: 12982 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─12982 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

(2) Start the firewall

[root@Tracy sysconfig]# systemctl start firewalld

(3) Open a port

[root@Tracy sysconfig]# firewall-cmd --zone=public --add-port=5672/tcp --permanent   # open port 5672
success

To close the port again:

[root@Tracy sysconfig]# firewall-cmd --zone=public --remove-port=5672/tcp --permanent  # close port 5672
success

(4) Apply the configuration immediately

[root@Tracy sysconfig]# firewall-cmd --reload   # apply the configuration immediately
success

(5) Stop the firewall

[root@Tracy sysconfig]# systemctl stop firewalld

(6) Test

Test from another machine on the same subnet. I used Windows: open a Command Prompt window and run

telnet 192.168.237.142 5672

A new command window pops up, which means the connection succeeded.

Note: when firewalld is used (the default), there is no /etc/sysconfig/iptables file.

(7) List the open ports

firewall-cmd --list-ports

[root@Tracy sysconfig]# firewall-cmd --list-ports
5672/tcp
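The steps above can be wrapped in a small script that opens the port, reloads, and then reads the zone's port list back to confirm the rule is really present. This is an added example, not code from the original post; it assumes the zone "public" as used above and that firewall-cmd is on PATH when run on a real host. Because the confirmation reads the zone's port list, it only tells you something while firewalld is running.

```shell
#!/bin/sh
# Added example, not from the original post: open a port with firewalld and
# confirm it is really listed in the zone afterwards.
# Assumptions: zone "public" as in the post; firewall-cmd on PATH when the
# wrapper is run on a real host.

# port_listed LIST PORT: return 0 if PORT (e.g. 5672/tcp) is one of the
# whitespace-separated entries in LIST, the format printed by
# `firewall-cmd --list-ports`. Only whole entries match, so a list that
# contains 15672/tcp does not count as 5672/tcp being open.
port_listed() {
    list=$1
    want=$2
    for entry in $list; do
        [ "$entry" = "$want" ] && return 0
    done
    return 1
}

# open_port_firewalld PORT: add PORT permanently to zone public, reload so the
# permanent rule becomes the running rule, then re-read the port list.
# Returns 0 only if the port is actually listed after the reload, 2 if
# firewall-cmd is not installed.
open_port_firewalld() {
    port=$1
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; is firewalld installed?" >&2
        return 2
    fi
    firewall-cmd --zone=public --add-port="$port" --permanent >/dev/null || return 1
    firewall-cmd --reload >/dev/null || return 1
    if port_listed "$(firewall-cmd --zone=public --list-ports)" "$port"; then
        echo "$port is open in zone public"
        return 0
    fi
    echo "$port did not appear in zone public after reload" >&2
    return 1
}

# Constructed sample of `--list-ports` output for trying port_listed offline.
SAMPLE_PORTS="15672/tcp 5672/tcp 8545:8565/tcp"

# Usage on a real host (as root): sh this_script.sh 5672/tcp
if [ -n "${1:-}" ]; then
    open_port_firewalld "$1"
fi
```

The whole-entry comparison in port_listed matters: a plain substring check such as grep without anchors would report 5672/tcp as open whenever 15672/tcp is in the list.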

2. Opening ports with iptables

(1) Check iptables

[root@localhost rungeth]# cat /etc/sysconfig/iptables
cat: /etc/sysconfig/iptables: No such file or directory

If, as above, the iptables file is reported as not existing, see step (2); otherwise go to step (3).

(2) Install iptables

1) Stop the firewall

[root@localhost rungeth]# systemctl stop firewalld         # stop the firewall

2) Install or update the service

[root@localhost rungeth]# yum install -y iptables-services # install or update the service
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                              | 7.2 kB  00:00:00     
 * base: mirrors.bfsu.edu.cn
 * epel: mirrors.bfsu.edu.cn
 * extras: mirrors.bfsu.edu.cn
#### ... many lines of installation output omitted here .....

Installed:
  iptables-services.x86_64 0:1.4.21-35.el7                                                                               

Complete!

3) Enable iptables

[root@localhost rungeth]# systemctl enable iptables        # enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

4) Start iptables

[root@localhost rungeth]# systemctl start iptables         # start iptables

5) View iptables

[root@localhost rungeth]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

(3) Edit iptables and add ports

[root@localhost rungeth]# vi /etc/sysconfig/iptables

1) Add a single port

Add a line identical to the port 22 rule, changing only the port number:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545 -j ACCEPT

2) Add a contiguous range of ports (joined with a colon)

-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545:8565 -j ACCEPT

Press ESC to leave edit mode, type :wq to save, and close the file.

(4) Restart iptables

[root@localhost rungeth]# systemctl restart iptables.service
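Steps (3) and (4) can also be done from a script, which is useful when the same rule has to be added on several hosts. The example below is added here and is not code from the original post. It validates the port or port range, builds the rule on the pattern of the port 22 line, and inserts it before the "-A INPUT -j REJECT" line; iptables evaluates rules top to bottom, so a rule appended after the REJECT line would never be reached. It assumes the file has the layout of the default iptables-services config shown above.

```shell
#!/bin/sh
# Added example, not from the original post: add an iptables ACCEPT rule for a
# single port or a port range to /etc/sysconfig/iptables from a script instead
# of editing the file by hand. The rule is inserted before the INPUT REJECT
# line: iptables evaluates rules top to bottom, so a rule appended after the
# REJECT would never be reached.
# Assumption: the file has the layout of the default iptables-services config
# shown above (one "-A INPUT -j REJECT ..." line after the ACCEPT rules).

# valid_portspec SPEC: accept "8545" or "8545:8565" (1-65535, low <= high).
valid_portspec() {
    spec=$1
    case $spec in
        *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
        *)   lo=$spec;       hi=$spec ;;
    esac
    case $lo in ''|*[!0-9]*) return 1 ;; esac
    case $hi in ''|*[!0-9]*) return 1 ;; esac
    if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# iptables_rule SPEC: print the rule line, modelled on the port 22 rule.
iptables_rule() {
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# add_port_rule FILE SPEC: insert the rule before the first INPUT REJECT line.
# Returns 1 on a bad spec; 0 if the rule was inserted or was already there.
add_port_rule() {
    file=$1
    spec=$2
    valid_portspec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    rule=$(iptables_rule "$spec")
    if grep -qxF -- "$rule" "$file"; then
        return 0                      # already present: idempotent
    fi
    # Write through a temp file, then copy back over the original so the
    # config keeps its mode (0600) and SELinux label.
    awk -v rule="$rule" '
        !done && /^-A INPUT -j REJECT/ { print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# rule_line FILE PATTERN: 1-based line number of the first line containing
# PATTERN (fixed string); handy for checking an ACCEPT sits above the REJECT.
rule_line() {
    grep -nF -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# apply_rule FILE SPEC: write the rule, then restart iptables when run as root
# on a host with systemd; elsewhere just say what is left to do.
apply_rule() {
    add_port_rule "$1" "$2" || return 1
    if command -v systemctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        systemctl restart iptables.service
    else
        echo "rule written to $1; run 'systemctl restart iptables.service' to apply it"
    fi
}

# make_sample_config FILE: write a constructed copy of the default
# iptables-services config so the functions can be tried on a scratch file.
make_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage on a real host (as root): sh this_script.sh /etc/sysconfig/iptables 8545:8565
if [ $# -eq 2 ]; then
    apply_rule "$1" "$2"
fi
```

Running add_port_rule twice with the same spec leaves the file unchanged, so the script is safe to re-run from configuration management; an invalid spec such as 70000 or 9000:8000 is rejected before the file is touched.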

(5) Test

Test from another machine on the same subnet. I used Windows: open a Command Prompt window and run

telnet 192.168.237.142 8545

A new command window pops up, which means the connection succeeded.

(6) View listening ports

[root@localhost ~]# netstat -lntp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      777/rpcbind         
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1454/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1169/sshd           
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1170/cupsd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1494/master         
tcp6       0      0 :::111                  :::*                    LISTEN      777/rpcbind         
tcp6       0      0 :::22                   :::*                    LISTEN      1169/sshd           
tcp6       0      0 ::1:631                 :::*                    LISTEN      1170/cupsd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      1494/master         
tcp6       0      0 :::8547                 :::*                    LISTEN      24335/geth   
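A firewall rule only matters for ports that a service is actually listening on from the network, so it helps to separate the listeners in this output into those bound to all or a specific interface and those bound to loopback only. The script below does that for the net-tools netstat format shown above; it is an added example, not code from the original post, and uses the post's own listing (with trailing spaces removed) as constructed sample input. Run against that listing it reports 22/sshd, 53/dnsmasq, 111/rpcbind and 8547/geth as reachable, and leaves out 631/cupsd and 25/master, which listen on 127.0.0.1 and ::1 only.

```shell
#!/bin/sh
# Added example, not from the original post: sort the sockets shown by
# `netstat -lntp` into those reachable from the network and those bound to
# loopback only, so you can see which listening ports a firewall rule
# actually matters for.
# Assumption: the net-tools netstat output format shown above (CentOS 7).

# reachable_listeners: read `netstat -lntp` text on stdin and print one
# "port program" line per listener that is not bound to 127.0.0.0/8 or ::1.
# The local address is split at its last colon so IPv6 forms like :::8547
# and ::1:631 are handled. Output is de-duplicated and sorted by port, so a
# service listening on both 0.0.0.0 and :: appears once.
reachable_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1") next
        prog = $7
        sub(/^[0-9]+\//, "", prog)          # "1169/sshd" -> "sshd"
        if (!seen[port, prog]++) print port, prog
    }' | sort -n
}

# port_reachable NETSTAT_TEXT PORT: 0 if PORT is a reachable listener in the text.
port_reachable() {
    printf '%s\n' "$1" | reachable_listeners |
        awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Constructed sample input: the listing from the post, trailing spaces removed.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      777/rpcbind
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1454/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1169/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1170/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1494/master
tcp6       0      0 :::111                  :::*                    LISTEN      777/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1169/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1170/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1494/master
tcp6       0      0 :::8547                 :::*                    LISTEN      24335/geth'

# Usage on a real host: sh this_script.sh --live   (otherwise the sample is used)
if [ "${1:-}" = "--live" ] && command -v netstat >/dev/null 2>&1; then
    netstat -lntp 2>/dev/null | reachable_listeners
else
    printf '%s\n' "$SAMPLE_NETSTAT" | reachable_listeners
fi
```

Comparing this list with the output of firewall-cmd --list-ports (or the ACCEPT lines in /etc/sysconfig/iptables) shows at a glance which network-facing services are covered by a rule and which are not.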
