centos7安装防火墙firewalld

2019独角兽企业重金招聘Python工程师标准>>>

centos7已经将防火墙改为firewalld,默认的centos7 minimal是不自带firewalld，下面来安装吧

# yum install -y firewalld
# systemctl start firewalld
# systemctl enable  firewalld

那我们访问原来的elasticsearch的head插件，发现已经不可以访问了

注：elasticsearch需要开放9200,9300两个端口

# firewall-cmd --add-port=9200/tcp --permanent  #永久开放9200端口
# firewall-cmd --add-port=9300/tcp --permanent  #永久开放9300端口
# firewall-cmd --reload  #重新加载
# firewall-cmd --list-all #查看防火墙配置
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

再访问head插件

然后我们再禁用此端口

# firewall-cmd --remove-port=9200/tcp --permanent
# firewall-cmd --add-port=9300/tcp --permanent 
# firewall-cmd --reload  #重新加载
#  firewall-cmd --list-all #查看防火墙配置，可知9200端口已经被禁用
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

再次访问head插件

80端口一般是我们开放http服务的端口，下面我们来看看怎么配置吧

# ss -lpt | grep http  #查看http端口，由此可知nginx在占用
LISTEN     0      128        *:http                     *:*                     users:(("nginx",pid=1363,fd=6),("nginx",pid=1359,fd=6))

查看防火墙可配置的服务

# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

对外公开http服务

# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload

直接访问ip

禁用http服务

# firewall-cmd  firewall-cmd --remove-service=http --permanent
# firewall-cmd --reload
# firewall-cmd --list-services
dhcpv6-client ssh

直接访问ip

转载于:https://my.oschina.net/weidedong/blog/760867