Recent Linux distributions such as CentOS/RHEL 7 and Fedora 21 have stopped using iptables and now ship firewalld, a dynamic firewall daemon that provides a dynamically managed firewall. It supports network/firewall zones that assign a trust level to networks, connections and interfaces. Firewalld also provides an interface that lets services or applications add firewall rules directly. This article shows how to disable the firewalld service and then install and use iptables on CentOS and RedHat 7 systems.
Disable the Firewalld Service
Before installing and using the iptables service on CentOS and RedHat 7, we need to disable the firewalld service. To disable firewalld completely, run the following commands.
# systemctl stop firewalld
# systemctl mask firewalld
Now check the firewalld status:
# systemctl status firewalld
firewalld.service
Loaded: masked (/dev/null)
Active: inactive (dead) since Fri 2015-02-27 11:09:37 EST; 56s ago
Main PID: 7411 (code=exited, status=0/SUCCESS)
Feb 27 11:02:18 svr10 systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 27 11:09:36 svr10 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Feb 27 11:09:37 svr10 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Install the iptables Service on CentOS/RHEL 7
Now install the iptables service with the yum package manager using the following command.
# yum install iptables-services -y
After installation, enable the iptables service and start it with the commands below.
# systemctl enable iptables
# systemctl start iptables
Now check the iptables service status with the following command.
# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Fri 2015-02-27 11:14:12 EST; 14s ago
Process: 7938 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 7938 (code=exited, status=0/SUCCESS)
Feb 27 11:14:12 svr10 iptables.init[7938]: iptables: Applying firewall rules: [ OK ]
Feb 27 11:14:12 svr10 systemd[1]: Started IPv4 firewall with iptables.
To list the iptables rules, use the following command.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
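The steps above (stop and mask firewalld, install iptables-services, enable and start it, list the rules) can be wrapped in one script that fails loudly at each step and then audits the resulting INPUT chain before you trust it. The script below is an added example, not part of the original article or of the iptables-services package; it assumes a systemd host with yum and the iptables-services package as described above. The `audit_input_chain` function is pure text processing over an `iptables -L` listing (here fed from a constructed copy of the listing shown above, labelled as such), so it can be run without root to see what it checks.

```shell
#!/bin/sh
# Added example (not from the original article): switch a CentOS/RHEL 7 host
# from firewalld to iptables-services, then sanity-check the INPUT chain.
# Assumes systemd, yum and the iptables-services package described in the
# article; the audit function itself only needs awk.

# The article's procedure, with every step checked so a failure stops the run.
switch_to_iptables() {
    systemctl stop firewalld || return 1
    systemctl mask firewalld || return 1
    yum install -y iptables-services || return 1
    systemctl enable iptables || return 1
    systemctl start iptables || return 1
    # Once masked, systemctl reports the unit state as "masked".
    [ "$(systemctl is-enabled firewalld 2>/dev/null)" = "masked" ] || return 1
}

# Audit an `iptables -L` listing read on stdin. Returns 0 only if the INPUT
# chain (a) accepts RELATED,ESTABLISHED traffic, (b) accepts new TCP to ssh,
# and (c) ends with a REJECT or DROP catch-all, i.e. the host does not rely on
# the chain's default ACCEPT policy. Any other listing returns 1.
audit_input_chain() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $1 ~ /^(ACCEPT|REJECT|DROP)$/ {
            if ($1 == "ACCEPT" && $0 ~ /RELATED,ESTABLISHED/) established = 1
            if ($1 == "ACCEPT" && $0 ~ /dpt:(ssh|22)([^0-9]|$)/) ssh = 1
            last = $1
        }
        END {
            ok = (established && ssh && (last == "REJECT" || last == "DROP"))
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed sample listing, copied from the article's `iptables -L` output,
# so the audit can be exercised without root or a real firewall.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

if [ "${1:-}" = "apply" ]; then
    # Real run: perform the switch as root, then audit the live ruleset.
    switch_to_iptables || { echo "switching to iptables failed" >&2; exit 1; }
    if iptables -L | audit_input_chain; then
        echo "INPUT chain: established/ssh accepted, final reject present"
    else
        echo "WARNING: INPUT chain lacks an ssh/established accept or a final reject" >&2
        exit 2
    fi
else
    # Dry run: audit the constructed sample listing only.
    if printf '%s\n' "$SAMPLE_LISTING" | audit_input_chain; then
        echo "sample listing passes the INPUT chain audit"
    else
        echo "sample listing fails the INPUT chain audit"
    fi
fi
```

Run it without arguments to see the audit applied to the sample listing, or as `sh switch.sh apply` on the target host (as root) to perform the switch. Note that plain `iptables -L` hides interface matches, so the `ACCEPT all -- anywhere anywhere` rule in the listing looks like a blanket accept; `iptables -L -v -n` shows that it is bound to the `lo` interface in the default iptables-services ruleset. Check the `-v -n` output before signing off on a ruleset, since the audit above cannot distinguish the two.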