您的位置：首页 > 运维架构 > Linux

centos7 关闭firewall安装iptables并配置

2016-10-18 14:24 375 查看

一、配置防火墙，开启80端口、3306端口

CentOS 7.0默认使用的是firewall作为防火墙，这里改为iptables防火墙。

1、关闭firewall：

systemctl stop firewalld.service #停止firewall

systemctl disable firewalld.service #禁止firewall开机启动

2、安装iptables防火墙

yum install iptables-services #安装

vi /etc/sysconfig/iptables #编辑防火墙配置文件

# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

:wq! #保存退出

systemctl restart iptables.service #最后重启防火墙使配置生效

systemctl enable iptables.service #设置防火墙开机启动

二、关闭SELINUX

在安装Cobbler和Puppet时需要关闭selinux，但是通常情况下载安装完CentOS7后，默认情况下SElinux是启用状态，

如下所示：

[root@rdo ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   enforcing

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Max kernel policy version:      28

1、如果要临时关闭，可以执行

setenforce 0

此时的状态如下

[root@rdo ~]# sestatus

SELinux status:                 enabled

SELinuxfs mount:                /sys/fs/selinux

SELinux root directory:         /etc/selinux

Loaded policy name:             targeted

Current mode:                   permissive

Mode from config file:          enforcing

Policy MLS status:              enabled

Policy deny_unknown status:     allowed

Max kernel policy version:      28

2、如果要永久关闭，可以修改配置文件/etc/selinux/config，将SELINU置为disabled。

[root@rdo ~]# cat /etc/selinux/config



# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled

# SELINUXTYPE= can take one of three two values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

修改该配置文件也可以执行下面的命令来完成

sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config

修改完成后，保存重启，重启后状态如下：

[root@rdo ~]# sestatus

SELinux status:                 disabled

1
查询端口号：firewall-cmd --query-port=8020/tcp
查询端口号8020 是否开启！
2
开永久端口号：firewall-cmd --add-port=8020/tcp --permanent
这里把8020替换为需要开的端口号， --permanent是指永久的意思。
3
如何执行一行命令开多个端口号？
开永久端口号：firewall-cmd --add-port=8020/tcp --permanent&&开永久端口号：firewall-cmd --add-port=8088/tcp --permanent

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航