Install iptables Firewall on centos7

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

The default firewall on CentOS 7 is firewalld, not iptables.

Check whether iptables is installed

service iptables status

#Install iptables

yum install -y iptables

#Upgrade iptables

yum update iptables

#Install iptables-services

yum install iptables-services

Disable/stop built-in firewalld service

#Stop firewalld service

systemctl stop firewalld

#Disable the firewalld service (mask also prevents it from being started as a dependency of another unit)

systemctl mask firewalld

#View existing iptables rules

iptables -L -n

#Set the default INPUT policy to ACCEPT before flushing; flushing the rules while the policy is DROP locks you out (including your SSH session)

iptables -P INPUT ACCEPT

#Flush all rules in the built-in chains

iptables -F

#Delete all user-defined chains

iptables -X

#All counters return to 0

iptables -Z

#Allow packets from the lo interface (local access)

iptables -A INPUT -i lo -j ACCEPT

Drop malformed TCP flag combinations (anti-scan / attack hardening):

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

Open ports

#Open port 22 (SSH)

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#Open Port 21 (FTP)

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

#Open port 80 (HTTP)

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#Open port 443 (HTTPS)

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#Allow ping

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

#Allow return traffic for connections this host initiated; RELATED is needed for FTP data connections (this repeats the RELATED,ESTABLISHED rule added above, which is harmless but redundant)

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Open multiple ports at once (a colon gives a range; the list must not end with a comma)

iptables -A INPUT -p tcp -m multiport --dports 3306,27017,6060:6062,9000:9001 -j ACCEPT

Allow access from a network segment: the -I parameter inserts the rule at the head of the chain (first line)

iptables -I INPUT -s 192.168.3.0/24 -j ACCEPT

Add a rule: the -A parameter appends the rule to the end of the chain

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 52110 -j ACCEPT

Delete a rule: the -D parameter deletes the matching rule

iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 52110 -j ACCEPT

#Drop all other inbound traffic (default policy)

iptables -P INPUT DROP

#Allow all outbound traffic

iptables -P OUTPUT ACCEPT

#Drop all forwarded traffic

iptables -P FORWARD DROP

Save the firewall rules (required after every rule change, otherwise the changes are lost on restart)

service iptables save

#Start the service

systemctl start iptables.service

#View Status

systemctl status iptables.service
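The same ruleset rendered in iptables-restore format, the layout that `service iptables save` writes to /etc/sysconfig/iptables. This is an added example, not part of the original post: loading such a file with `iptables-restore` replaces the whole table atomically, so the chain policies and the ACCEPT rules land together and the "allow everything first" step is unnecessary. SSH_PORT, TCP_PORTS, MULTI_PORTS and TRUSTED_NET are assumed values taken from the post; adjust them for your host.

```shell
#!/bin/sh
# Added example (not the post's own code): render the ruleset into
# iptables-restore format and guard against locking yourself out.
SSH_PORT="${SSH_PORT:-22}"
TCP_PORTS="21 80 443"                          # FTP, HTTP, HTTPS as in the post
MULTI_PORTS="3306,27017,6060:6062,9000:9001"   # no trailing comma
TRUSTED_NET="192.168.3.0/24"                   # segment the post inserts with -I

gen_rules() {
    echo '*filter'
    # Chain policies from the end of the post; applied in the same commit as the rules
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # The post used -I for the trusted segment, so it sits at the head of the chain
    echo "-A INPUT -s $TRUSTED_NET -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Drop malformed TCP flag combinations (the anti-scan block above)
    for f in "FIN,SYN,RST,PSH,ACK,URG NONE" "FIN,SYN FIN,SYN" "SYN,RST SYN,RST" \
             "FIN,RST FIN,RST" "FIN,ACK FIN" "PSH,ACK PSH" "ACK,URG URG"; do
        echo "-A INPUT -p tcp -m tcp --tcp-flags $f -j DROP"
    done
    echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -j ACCEPT"
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    echo "-A INPUT -p tcp -m multiport --dports $MULTI_PORTS -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type 8 -j ACCEPT"
    echo 'COMMIT'
}

# Lock-out guard: succeed only if the generated set explicitly accepts SSH
ssh_is_allowed() {
    gen_rules | grep -q -- "--dport $SSH_PORT -j ACCEPT"
}

# Usage (as root):
#   ssh_is_allowed && gen_rules > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

Run `iptables-restore --test < file` first; it parses the file without applying it, which catches mistakes such as a trailing comma in a multiport list.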

Start, stop and restart of firewall

#Enable the service at boot (equivalent to the old chkconfig iptables on)

systemctl enable iptables.service

#Start the service

systemctl start iptables.service

#View Status

systemctl status iptables.service

#Restart service

systemctl restart iptables.service

#Stop the service

systemctl stop iptables.service

Fix for vsftpd passive mode not working when iptables is enabled

1. First modify or add the following in /etc/sysconfig/iptables-config

#Load the FTP connection-tracking helper first and the FTP NAT helper second; the order cannot be reversed. The file is sourced as shell, so a second IPTABLES_MODULES= line would overwrite the first: list both modules in one assignment

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

#Note: on CentOS 7 kernels these helpers are named nf_conntrack_ftp and nf_nat_ftp (ip_conntrack_ftp and ip_nat_ftp are the older 2.6-era names); check with lsmod after restarting iptables that the modules actually loaded
