12. Linux firewall
12.1 SELinux: a security mechanism specific to Linux systems; it is usually disabled.
- Temporarily disable SELinux: setenforce 0
- Permanently disable it: edit the config file /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled; the change takes effect after a reboot.
    [root@aminglinux ~]# setenforce 0
    [root@aminglinux ~]# cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
12.2 netfilter
Before CentOS 7 the netfilter firewall (managed with iptables) was used; starting with CentOS 7, the firewalld firewall is used.
- How to turn off firewalld and enable netfilter:
- systemctl stop firewalld: stop the firewalld service
- systemctl disable firewalld: keep the firewalld service from starting at boot
- yum install -y iptables-services: install iptables-services so the iptables tooling from earlier versions can be used
- systemctl enable iptables: start iptables-services at boot
- systemctl start iptables: start iptables-services now
    [root@aminglinux ~]# systemctl enable iptables
    Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
    [root@aminglinux ~]# systemctl start iptables
    [root@aminglinux ~]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       28  2004 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
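An added example (not from the original notes) that checks the two things this section leaves you with: which SELinux mode the config file will apply at next boot, and whether the iptables INPUT chain only accepts new TCP connections on the expected ports and ends in a catch-all REJECT/DROP. The sample texts are constructed from the output shown above; on a real host feed it /etc/selinux/config and `iptables -nvL` instead.

```shell
#!/bin/sh
# Constructed sample of /etc/selinux/config (abridged from the listing above).
SELINUX_CONFIG_SAMPLE='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed sample of `iptables -nvL` output, as printed by the default
# iptables-services rule set shown above.
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2004 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print the SELinux mode the config file on stdin will apply at boot
# (enforcing / permissive / disabled). Note that `setenforce 0` does not
# change this value, which is why the listing above still shows enforcing.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1
}

# Print, one per line, the TCP destination ports that the INPUT chain on
# stdin ACCEPTs for new connections (the "dpt:NN" of ACCEPT/tcp rules).
input_open_tcp_ports() {
    awk '/^Chain /{chain=$2}
         chain=="INPUT" && $3=="ACCEPT" && $4=="tcp" {
             for (i=1; i<=NF; i++) if ($i ~ /^dpt:/) { sub("dpt:", "", $i); print $i }
         }'
}

# Succeed (exit 0) only if the INPUT chain on stdin contains a REJECT or DROP
# rule that matches all protocols from any source, i.e. a default-deny tail.
input_has_catchall_reject() {
    awk '/^Chain /{chain=$2}
         chain=="INPUT" && ($3=="REJECT" || $3=="DROP") && $4=="all" && $8=="0.0.0.0/0" { found=1 }
         END { exit !found }'
}

# Demonstration on the constructed samples.
printf 'SELinux mode at boot: %s\n' "$(printf '%s\n' "$SELINUX_CONFIG_SAMPLE" | selinux_config_mode)"
printf 'Open TCP ports for new connections: %s\n' "$(printf '%s\n' "$IPTABLES_SAMPLE" | input_open_tcp_ports | tr '\n' ' ')"
if printf '%s\n' "$IPTABLES_SAMPLE" | input_has_catchall_reject; then
    echo 'INPUT chain ends with a catch-all reject: yes'
else
    echo 'INPUT chain ends with a catch-all reject: NO'
fi
```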