On CentOS versions before 7 the firewall is iptables; on CentOS 7 and later it is firewalld, which CentOS 7 uses by default. We start with opening a port in firewalld.
1. Open a port with firewalld
(1) Check the firewall status
[root@Tracy sysconfig]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Apr 20 03:33:27 Tracy systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 20 03:33:27 Tracy firewalld[12840]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:34:47 Tracy systemd[1]: Stopping firewalld - dynamic firewall daemon...
Apr 20 03:34:47 Tracy systemd[1]: Stopped firewalld - dynamic firewall daemon.
Apr 20 03:37:11 Tracy systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 03:37:11 Tracy systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 20 03:37:11 Tracy firewalld[12982]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:40:26 Tracy firewalld[12982]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure co...t now.
Apr 20 03:41:15 Tracy systemd[1]: Stopping firewalld - dynamic firewall daemon...
Apr 20 03:41:15 Tracy systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
If you see the output above, the firewall is not running: go to step (2). If you see the output below, the firewall is already running: go to step (3). Ports can only be opened or closed while the firewall is running; once the settings are made, the firewall is stopped again.
[root@Tracy sysconfig]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2022-04-20 03:37:11 CST; 13s ago
Docs: man:firewalld(1)
Main PID: 12982 (firewalld)
CGroup: /system.slice/firewalld.service
└─12982 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
(2) Start the firewall
[root@Tracy sysconfig]# systemctl start firewalld
(3) Open the port
[root@Tracy sysconfig]# firewall-cmd --zone=public --add-port=5672/tcp --permanent # open port 5672
success
To close the port again:
[root@Tracy sysconfig]# firewall-cmd --zone=public --remove-port=5672/tcp --permanent # close port 5672
success
(4) Make the configuration take effect immediately
[root@Tracy sysconfig]# firewall-cmd --reload # apply the configuration immediately
success
(5) Stop the firewall
[root@Tracy sysconfig]# systemctl stop firewalld
(6) Test
Test from another machine on the same subnet. I used a Windows machine and opened a Command Prompt window:
telnet 192.168.237.142 5672
A new command window opens, which means the connection succeeded.
Note: when firewalld (the default) is in use, the file /etc/sysconfig/iptables does not exist.
(7) List the open ports
[root@Tracy sysconfig]# firewall-cmd --list-ports
5672/tcp
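A port added with --permanent is not live until step (4), `firewall-cmd --reload`, has run. The following added example (not part of the original post) compares the permanent and runtime port lists for a zone so that the check can be made with firewalld still running instead of by stopping it; the `check_firewalld_reload` and `ports_missing_from_runtime` names and the sample lists are my own.

```shell
#!/bin/sh
# Added example (not from the original post): find ports that were added with
# --permanent but are not yet active because `firewall-cmd --reload` was skipped.
# Inputs are the space-separated lists that `firewall-cmd --list-ports` prints.

# Print each entry of $1 (permanent list) that is absent from $2 (runtime list).
# $1 and $2 are deliberately unquoted so the shell splits them into entries.
ports_missing_from_runtime() {
    missing=""
    for p in $1; do
        found=0
        for r in $2; do
            if [ "$p" = "$r" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then missing="${missing:+$missing }$p"; fi
    done
    printf '%s' "$missing"
}

# Query a running firewalld for one zone (public, as in the post) and report
# permanent ports that the runtime has not picked up. Returns 1 if there are any.
check_firewalld_reload() {
    zone=${1:-public}
    perm=$(firewall-cmd --permanent --zone="$zone" --list-ports)
    run=$(firewall-cmd --zone="$zone" --list-ports)
    missing=$(ports_missing_from_runtime "$perm" "$run")
    if [ -n "$missing" ]; then
        echo "zone $zone: not yet active, run firewall-cmd --reload: $missing"
        return 1
    fi
    echo "zone $zone: runtime and permanent port lists agree"
}

# Constructed sample: 8545/tcp was added with --permanent and never reloaded.
SAMPLE_PERMANENT="5672/tcp 8545/tcp"
SAMPLE_RUNTIME="5672/tcp"

if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    check_firewalld_reload "${2:-public}"
else
    echo "sample, missing from runtime: $(ports_missing_from_runtime "$SAMPLE_PERMANENT" "$SAMPLE_RUNTIME")"
fi
```

Run it with `--live [zone]` as root on a host with firewalld to query the real lists; without arguments it only evaluates the constructed sample.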
2. Open a port with iptables
(1) Check for iptables
[root@localhost rungeth]# cat /etc/sysconfig/iptables
cat: /etc/sysconfig/iptables: No such file or directory
If, as above, the iptables file does not exist, go to step (2); otherwise go to step (3).
(2) Install iptables
1) Stop firewalld
[root@localhost rungeth]# systemctl stop firewalld # stop firewalld
2) Install or update the service
[root@localhost rungeth]# yum install -y iptables-services # install or update the service
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 7.2 kB 00:00:00
* base: mirrors.bfsu.edu.cn
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.bfsu.edu.cn
#### (much of the installation output omitted here)
Installed:
iptables-services.x86_64 0:1.4.21-35.el7
Complete!
3) Enable iptables
[root@localhost rungeth]# systemctl enable iptables # enable iptables so it starts at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
4) Start iptables
[root@localhost rungeth]# systemctl start iptables # start iptables
5) View the iptables rules
[root@localhost rungeth]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
(3) Edit the iptables rules and add ports
[root@localhost rungeth]# vi /etc/sysconfig/iptables
1) Add a single port
Add a line identical to the port-22 line, changing only the port number:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545 -j ACCEPT
2) Add a contiguous port range (bounds joined with a colon)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545:8565 -j ACCEPT
Press ESC to leave insert mode, type :wq to save, and close the file.
(4) Restart iptables
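Because iptables evaluates the INPUT chain top to bottom and the final `-j REJECT` line catches everything not accepted earlier, the new ACCEPT line must sit above it. The following added example (not from the original post) parses a file in the /etc/sysconfig/iptables format shown above and predicts the verdict for a new TCP connection from another host on a given port, covering both single ports and colon-separated ranges; the `tcp_port_verdict` name and the sample ruleset are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Given the text of an
# /etc/sysconfig/iptables file in the format shown above, predict the INPUT
# chain verdict for a NEW TCP connection arriving from the LAN on a port.
# Handles single ports (--dport 22), ranges (--dport 8545:8565) and
# first-match order: the trailing "-j REJECT" catches anything not accepted.

# Usage: tcp_port_verdict PORT "RULESET_TEXT"  -> prints ACCEPT, REJECT or DROP
tcp_port_verdict() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^:INPUT / { policy = $2 }   # chain policy applies if no rule matches
        /^-A INPUT / {
            target = proto = iface = state = dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "-i") iface = $(i + 1)
                else if ($i == "--state") state = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
            }
            # A fresh SYN from another host: not on lo, not ESTABLISHED, not ICMP.
            if (iface != "" || (proto != "" && proto != "tcp")) next
            if (state != "" && state !~ /NEW/) next
            if (dport != "") {
                n = split(dport, r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port < lo || port > hi) next
            }
            found = 1; print target; exit
        }
        END { if (!found) print policy }'
}

# Constructed sample: the default file from the post plus the two added rules.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8545:8565 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

for p in 22 8545 8565 8566; do
    echo "port $p: $(tcp_port_verdict "$p" "$SAMPLE_RULES")"
done
```

To check the real file, pass its contents: `tcp_port_verdict 8545 "$(cat /etc/sysconfig/iptables)"`.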
[root@localhost rungeth]# systemctl restart iptables.service
(5) Test
Test from another machine on the same subnet. I used a Windows machine and opened a Command Prompt window:
telnet 192.168.237.142 8545
A new command window opens, which means the connection succeeded.
(6) View the listening ports
[root@localhost ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 777/rpcbind
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1454/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1169/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1170/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1494/master
tcp6 0 0 :::111 :::* LISTEN 777/rpcbind
tcp6 0 0 :::22 :::* LISTEN 1169/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1170/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 1494/master
tcp6 0 0 :::8547 :::* LISTEN 24335/geth