1、关闭firewalld
# 查看firewalld状态
[root@i****Z ~]# firewall-cmd --state
running
# 关闭firewalld
[root@i****Z ~]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
# 禁止firewall开机启动
[root@i****Z ~]# systemctl disable firewalld.service
2、安装iptables防火墙
[root@i****Z ~]# yum install iptables-services
Loaded plugins: fastestmirror
******************
省略中间数据
******************
Total download size: 483 k
Is this ok [y/d/N]: y
Downloading packages:
******************
省略中间数据
******************
Installed:
iptables-services.x86_64 0:1.4.21-24.1.el7_5
Dependency Updated:
iptables.x86_64 0:1.4.21-24.1.el7_5
Complete!
[root@i****Z ~]#
3、编辑iptables防火墙配置文件
解决vsftpd在iptables开启后,无法使用被动模式的问题,先在/etc/sysconfig/iptables-config中修改或者添加以下内容
[root@i****Z ~]# vim /etc/sysconfig/iptables-config
# 添加以下内容
IPTABLES_MODULES="ip_conntrack_ftp"
IPTABLES_MODULES="ip_nat_ftp"
# 保存退出
:wq
编辑配置文件
[root@i****Z ~]# vim /etc/sysconfig/iptables
# 保存以下代码
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3690 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# 保存退出
:wq
4、启动iptables防火墙
# 开启防火墙
[root@i****Z ~]# service iptables start
Redirecting to /bin/systemctl start iptables.service
# 查看防火墙状态
[root@i****Z ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Thu 2018-09-13 00:27:40 CST; 2min 0s ago
Process: 18721 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 18721 (code=exited, status=0/SUCCESS)
***************
省略部分内容
***************
[root@i****Z ~]#
# 设置开机启动
[root@i****Z ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@i****Z ~]#
# 重启服务器检查开机启动是否生效
[root@i****Z ~]# reboot
# 查看防火墙状态
[root@i****Z ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2018-09-13 00:34:26 CST; 1min 1s ago
Main PID: 452 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
***************
省略部分内容
***************
[root@i****Z ~]#
5、查看端口
# 查看规则
[root@i****z ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3690
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6379
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@i****z ~]#
6、安装结束
参考:
https://blog.csdn.net/l1028386804/article/details/50779761
https://blog.csdn.net/xlgen157387/article/details/52672988