How To: Disable Firewall on RHEL / CentOS / RedHat Linux
I
don't want firewall because I only run one http (port 80) public
service. How do I turn off or disable firewall permanently under RHEL /
Fedora Linux / Red Hat Enterprise Linux and CentOS Linux?
iptablesis administration tool / command for IPv4 packet filtering and NAT. You need to use the following tools:
[a] service is a command to run a System V init script. It is use to save / stop / start firewall service.
[b] chkconfig
command is used to update and queries runlevel information for system
service. It is a system tool for maintaining the /etc/rc*.d hierarchy.
Use this tool to disable firewall service at boot time.
How Do I Disable Firewall?
First login as the root user.
Next enter the following three commands to disable firewall.
# service iptables save
# service iptables stop
# chkconfig iptables off
If you are using IPv6 firewall, enter:
# service ip6tables save
# service ip6tables stop
# chkconfig ip6tables off
Iptables命令使用举例
1、链的基本操作
(1)清除所有规则
1)清除预设表filter中所有规则链中的规则
# iptables –F
2)清除预设表filter中使用者自定链中的规则
# iptables –X
3)将指定链中所有规则的包字节计数器清零
#iptables –Z
(2)设置链的默认策略
1)先允许,再禁止
用下面的命令初始化
# iptables –P INPUT ACCEPT
# iptables –P OUTPUT ACCEPT
# iptables –P FORWARDACCEPT
2)先禁止,再允许
用下面的命令初始化
# iptables –P INPUT DROP
# iptables –P OUTPUT DROP
# iptables –P FORWARDDROP
(3)列出表/链中的所有规则
# iptables –L –n
(4)向链中添加规则。下面的语句用于开放网络接口
#iptables –A INPUT –i lo –j ACCEPT
#iptables –A OUTPUT –o lo –j ACCEPT
#iptables –A INPUT –i eth0 –j ACCEPT
#iptables –A OUTPUT –o eth0 –j ACCEPT
#iptables –A FORWARD –i eth0 –j ACCEPT
#iptables –A FORWARD –o eth0 –j ACCEPT
(5)使用用户自定义链
#iptables –N custom
#iptables –A custom –s 0/0 –d 0/0 –p icmp –j DROP
#iptables –A INPUT –s 0/0 –d 0/0 –j custom
2、设置基本的规则匹配(忽略目标动作)
(1)指定协议匹配
1)匹配指定的协议
#iptables –A INPUT –p tcp
2)匹配指定协议之外的所有协议
#iptables –A INPUT –p ! tcp
(2)指定地址匹配
1)指定匹配的主机
#iptables –A INPUT –s 192.168.0.1
2)指定匹配的网络
#iptables –A INPUT –s 192.168.0.0/24
3)匹配指定主机之外的地址
#iptables –A INPUT –s ! 192.168.0.1
4)匹配指定网络之外的网络
#iptables –A INPUT –s ! 192.168.0.1/24
(3)指定网络接口匹配
1)指定单一的网络接口匹配
#iptables –A INPUT –i eth0
# iptables –A FORWARD –o eth0
2)指定同类型的网络接口匹配
#iptables –A FORWARD –o ppp+
(4)指定端口匹配
1)指定单一的端口匹配
#iptables –A INPUT –p tcp –sport wwww
#iptables –A INPUT –p tcp –sport 80
#iptables –A INPUT –p udp –sport 53
# iptables –A INPUT –p udp –dport 53
2)匹配指定端口之外的端口
#iptables –A INPUT –p tcp –dport !22
3)匹配指定的端口范围
#ipbables –A INPUT –p tcp –sport 22:80
4)匹配ICMP端口和ICMP类型
#iptables –A INPUT –p icmp-type 8
(5)指定IP碎片
#iptables –A FORWARD –p tcp –s 192.168.0.0/24 –d 192.168.2.100 –dport 80 –f ACCEPT
#iptables –A FORWARD –f –s 192.168.0.0/24 –d 192.168.2.100 –j ACCEPT
3、设置扩展的规则匹配(忽略目标动作)
(1)多端口匹配扩展
1)匹配多个源端口
#iptables –A INPUT –p tcp –m multiport –source-port 22,53,80,110
2)匹配多个目的端口
#iptables –A INPUT –p tcp –m multiport –destination-port 22,53,80,110
3)匹配多个端口
#iptables –A INPUT –p tcp –m multiport –prot 22,53,80,110
(2)指定TCP匹配扩展
通过使用--tcp-flags选项可以根据TCP包的标志位进行过滤,第一个参数为要检查的标志位;第二个参数是标志位为1的标志
#iptables –A INPUT –p tcp --tcp-flags SYN,FIN,ACK SYN
#iptables –p tcp --syn
表示SYN、ACK、FIN的标志都要检查,但是只有设置了SYN的才匹配
# iptables –A INPUT –p tcp --tcp-flags ALL SYN,ACK
表示ALL(SYN,ACK,FIN,RST,USG,PSH)的标志都要检查,但是只有设置了SYN和ACK的才匹配
(3)limit速率匹配扩展
1)指定单位时间内允许通过的数据包个数
# iptables –A INPUT –m limit --limit 300/hour
表示限制每小时允许通过300个数据包
2)指定触发事件的阀值(默认值是5)
# iptables –A INPUT –m limit --limit-burst 10
表示一次涌入的封包超过10个将被直接丢弃
3)同时指定速率限制和触发阀值
# iptables –A INPUT –p icmp –m limit –limit 3/m –limit-burst 3