我们可以将firewalld改成iptables。操作如下:
1、关闭firewall:
# systemctl stop firewalld.service
# systemctl disable firewalld.service 或者systemctl mask firewalld.service
2、安装iptables防火墙
# service iptables status 检测是否已经安装过iptables
# yum install iptables-services
3、编辑防火墙规则
方法1:直接vi /etc/sysconfig/iptables #编辑防火墙配置文件
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT:
方法2:重写规则
iptables -L -n
iptables -P INPUT ACCEPT # 先允许全部,不然小心悲剧发生
iptables -F #清空所有默认规则
iptables -X #清空所有自定义规则
iptables -Z #所有计数器归0
iptables -A INPUT -i lo -j ACCEPT 放行本地回环接口的数据
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.10/24 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 116.228.235.111 --dport 3306 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT #允许ping
# 下面3行规则是FTP放行通过【此外,还要修改/etc/sysconfig/iptables-config 添加IPTABLES_MODULES="ip_nat_ftp"】
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save 赶紧保存下规则,不然不是白写了嘛
4、防火墙的其他参数等
保存防火墙规则
# /usr/libexec/iptables/iptables.init save
或者service iptables save
重启防火墙
# systemctl restart iptables.service
设置防火墙开机启动
# systemctl enable iptables.service
# 查看防火墙状态:
# systemctl status iptables.service 或者service iptables status
