
CentOS 8 firewall (netfilter)

On CentOS 5/6 the firewall is called netfilter; on CentOS 7/8 it is called firewalld.


On CentOS 7/8 you can disable firewalld and use the original netfilter instead:
systemctl stop firewalld
systemctl disable firewalld


Operating system version information:
(screenshot: 图片1.png)


Install iptables:
[root@centos8 ~]# yum -y install iptables-services


Check the iptables version:
[root@centos8 ~]# iptables -V
iptables v1.8.4 (nf_tables)



Now start iptables:
systemctl start iptables


Start iptables automatically at boot:
systemctl enable iptables

Check whether iptables starts automatically at boot:
[root@centos8 ~]# systemctl is-enabled iptables
enabled



View the rules of the chains in the filter table (rules are matched from top to bottom, ending with the default policy; once a rule matches, the rules below it are not checked):
iptables -nL --line
iptables -nL -t filter --line
(screenshot: 图片2.png)

Note: if no table name is given, the filter table is used.



View the rules of the chains in the nat table:
iptables -nL -t nat --line
(screenshot: 图片3.png)




Configuration file of the netfilter firewall (initial state):
[root@centos8 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT









Insert a rule into the INPUT chain of the filter table that allows the contiguous address range 192.168.168.150-192.168.168.158 to reach TCP port 80 on this host:
[root@centos8 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m iprange --src-range 192.168.168.150-192.168.168.158

Save the firewall rules (an inserted rule takes effect immediately, but unless it is saved it is lost when the firewall service or the host restarts):
[root@centos8 ~]# iptables-save > /etc/sysconfig/iptables


(screenshot: 图片4.png)


[root@centos8 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.8.4 on Sat Aug 22 08:53:49 2020
*security
:INPUT ACCEPT [312:21117]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [199:29935]
COMMIT
# Completed on Sat Aug 22 08:53:49 2020
# Generated by iptables-save v1.8.4 on Sat Aug 22 08:53:49 2020
*raw
:PREROUTING ACCEPT [462:36236]
:OUTPUT ACCEPT [199:29935]
COMMIT
# Completed on Sat Aug 22 08:53:49 2020
# Generated by iptables-save v1.8.4 on Sat Aug 22 08:53:49 2020
*mangle
:PREROUTING ACCEPT [462:36236]
:INPUT ACCEPT [461:36188]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [199:29935]
:POSTROUTING ACCEPT [199:29935]
COMMIT
# Completed on Sat Aug 22 08:53:49 2020
# Generated by iptables-save v1.8.4 on Sat Aug 22 08:53:49 2020
*nat
:PREROUTING ACCEPT [151:15171]
:INPUT ACCEPT [1:52]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Aug 22 08:53:49 2020
# Generated by iptables-save v1.8.4 on Sat Aug 22 08:53:49 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61:12983]
-A INPUT -p tcp -m tcp --dport 80 -m iprange --src-range 192.168.168.150-192.168.168.158 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 22 08:53:49 2020
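Because matching stops at the first hit, an ACCEPT appended with -A after the final REJECT would never be reached, which is why the -I above lands the port-80 rule at position 1. The following shell script is an added example (not from the original post) that parses a ruleset in the iptables-save format shown above and checks the position of the port-80 rule relative to the REJECT; the sample ruleset is the *filter section of the dump above, embedded as a constructed string so the script runs without root or a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ruleset in iptables-save
# format (the format of /etc/sysconfig/iptables) without touching the live
# firewall. Since matching stops at the first hit, it checks that the port-80
# ACCEPT sits above the chain's catch-all REJECT instead of behind it.

# Constructed sample: the *filter section of the ruleset saved on this page.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61:12983]
-A INPUT -p tcp -m tcp --dport 80 -m iprange --src-range 192.168.168.150-192.168.168.158 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# List the rules of chain $2 in table $1 from a dump on stdin, numbered the
# way "iptables -nL --line" numbers them (the order the kernel matches in).
chain_rules() {
    awk -v table="*$1" -v chain="$2" '
        $0 == table { in_table = 1; next }
        $0 == "COMMIT" { in_table = 0 }
        in_table && $1 == "-A" && $2 == chain { printf "%d %s\n", ++n, $0 }'
}

# Position of the first rule in chain $2 of table $1 whose text contains $3;
# prints nothing when no such rule exists.
rule_position() {
    chain_rules "$1" "$2" | grep -F -- "$3" | head -n 1 | cut -d ' ' -f 1
}

# Exit 0 when the rule containing $3 precedes the chain's REJECT, i.e. it can
# actually match traffic; a rule appended with -A after the REJECT never will.
accept_before_reject() {
    dump="$(cat)"
    allow="$(printf '%s\n' "$dump" | rule_position "$1" "$2" "$3")"
    reject="$(printf '%s\n' "$dump" | rule_position "$1" "$2" "-j REJECT")"
    [ -n "$allow" ] && [ -n "$reject" ] && [ "$allow" -lt "$reject" ]
}

# Demo on the sample; on a real host pipe "iptables-save" in instead.
printf '%s\n' "$SAMPLE_RULES" | chain_rules filter INPUT
printf '%s\n' "$SAMPLE_RULES" | accept_before_reject filter INPUT "--dport 80" \
    && echo "OK: port 80 rule is reachable" || echo "WARNING: port 80 rule shadowed or missing"
```

On a live host, `iptables-save | sh audit.sh`-style piping into these functions gives the same check against the running ruleset rather than the file on disk.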



If the firewall configuration file has been edited, restart the firewall for the changes to take effect:
[root@centos8 ~]# systemctl restart iptables




Back up the firewall rules:
[root@centos8 ~]# iptables-save > /my.bak


Restore the firewall rules:
mv -f /my.bak /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
systemctl restart iptables




