Wednesday, November 9, 2016

CentOS 7: replace firewalld with iptables and allow multicast traffic




CentOS 7 remove firewalld and enable iptables.service

1. Disable and stop firewalld:
systemctl status firewalld
systemctl disable firewalld    (status now shows Loaded: loaded, Active: active)
systemctl mask firewalld       (Loaded: masked, Active: active)
systemctl stop firewalld       (Loaded: masked, Active: inactive)
sudo reboot

Note: the reboot is not required, the stop already takes effect. When firewalld stops it flushes its rules and the built-in chains are left with their ACCEPT policies, so the host is completely unfiltered from this point until iptables.service is started in step 3. Do steps 1 to 3 back to back from the console, and do not reboot in between, or the machine comes back up with no firewall at all.

2. Install the iptables service (the iptables binary is already on the system; this package adds the iptables.service unit and /etc/sysconfig/iptables):
yum install iptables-services

3. Start iptables and enable it at boot:
systemctl status iptables.service
systemctl enable iptables
systemctl start iptables

iptables can now be used directly; adding and deleting rules works the same way as on CentOS 5 and 6.
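The three steps above as one script, added here as an example rather than taken from the original post. It assumes the package and unit names used above (iptables-services, firewalld, iptables.service) and a root shell on the console; the `--apply` argument and the function names are conventions of this example. `ruleset_sane` reads an `iptables -S` dump and only confirms the minimum you want to see before logging out: tcp/22 is still accepted and the INPUT chain does not fall through to the default ACCEPT policy.

```shell
#!/bin/sh
# Added example, not part of the original post: switch a CentOS 7 host from
# firewalld to iptables-services in one pass, then check the loaded ruleset.
# Assumes the package and unit names used in the post (iptables-services,
# firewalld, iptables). Run as root with --apply from the console; with no
# argument it only defines the functions.
set -eu

# Save whatever firewalld currently has loaded, for comparison afterwards.
snapshot_rules() {
    iptables -S > "$1"
}

# firewalld flushes its rules when it stops, leaving the kernel with ACCEPT
# policies, so install the replacement first and keep the stop/start adjacent:
# the host is unfiltered only between those two commands.
switch_to_iptables() {
    yum -y install iptables-services
    systemctl disable firewalld
    systemctl mask firewalld
    systemctl stop firewalld
    systemctl enable iptables
    systemctl start iptables
}

# Read an `iptables -S` dump from stdin. Returns 0 when the INPUT chain still
# admits tcp/22 and either the chain policy is DROP or its last rule is an
# explicit REJECT/DROP, i.e. unmatched traffic does not fall through to the
# default ACCEPT policy. It does not judge what the earlier rules let in.
ruleset_sane() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*--dport 22 .*-j ACCEPT$' || return 1
    if printf '%s\n' "$dump" | grep -q -- '^-P INPUT DROP$'; then
        return 0
    fi
    last_input=$(printf '%s\n' "$dump" | grep -- '^-A INPUT ' | tail -n 1 || true)
    case "$last_input" in
        *"-j REJECT"*|*"-j DROP"*) return 0 ;;
    esac
    return 1
}

if [ "${1:-}" = "--apply" ]; then
    snapshot_rules /root/firewalld_iptables_rules
    switch_to_iptables
    if iptables -S | ruleset_sane; then
        echo "iptables.service is active and the INPUT chain ends in REJECT/DROP"
    else
        echo "WARNING: loaded ruleset looks unsafe, inspect 'iptables -S' before logging out" >&2
        exit 1
    fi
fi
```

Run it as `sh switch.sh --apply` (any file name will do). Keep a second session open until the check passes: if the stock rule file has been edited and lost its tcp/22 rule, the script exits non-zero instead of silently leaving you locked out.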

If lokkit is not present, install it with yum install lokkit. lokkit does nothing more than configure iptables to open http and ssh; if those are already open there is no need to run it, and you can equally well edit the iptables rules by hand. Be aware that lokkit rewrites /etc/sysconfig/iptables, so run it before any manual edits to that file or they will be lost.
sudo lokkit -s http -s ssh

Reference
https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7

The rules that iptables.service loads from the stock /etc/sysconfig/iptables:
[ricky@thrift1 bin]$ sudo iptables -S | tee ~/firewalld_iptables_rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Edit the rule file to accept UDP packets. Multicast is carried over UDP, and an incoming multicast datagram is a NEW flow as far as conntrack is concerned (this host never sent anything to the sender), so it does not match the RELATED,ESTABLISHED rule and would hit the final REJECT. The new rule must therefore sit before the REJECT line; here it is added at the top of the INPUT chain (excerpt of the file, the *filter header and the chain policies precede these lines):
sudo vi /etc/sysconfig/iptables
-A INPUT -p udp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Caveat: -p udp -j ACCEPT with no address or port match admits every inbound UDP datagram from any source, not only multicast, which undoes most of the default-deny posture of the rules above. Outside an isolated lab network, match the multicast destination range (or the specific group) and the application's port instead. If the network has an IGMP querier or IGMP-snooping switches, also accept IGMP, otherwise the host's membership reports are never answered and the group traffic stops being forwarded to it.

Validate the file, then restart the service to load it. iptables-restore -t only parses the file and builds the ruleset without committing it, so a typo is caught here rather than after the restart has already flushed the running rules:
sudo sh -c 'iptables-restore -t < /etc/sysconfig/iptables'
sudo systemctl restart iptables.service
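A narrower version of the edit above, added here as an example and not taken from the post: instead of accepting all inbound UDP, the generated rule file accepts IGMP plus UDP addressed to one multicast group (or range) and port, keeps that rule ahead of the REJECT, validates the file with iptables-restore -t, and only then reloads iptables.service. The group 239.1.1.0/24 and port 5004 in the usage line are placeholders for whatever your application joins; gen_rules, mcast_before_reject, validate_rules and install_rules are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: write /etc/sysconfig/iptables
# with multicast-only rules instead of the blanket `-A INPUT -p udp -j ACCEPT`,
# check the file with `iptables-restore -t`, then reload iptables.service.
# Usage (as root): sh mcast-rules.sh --apply 239.1.1.0/24 5004
# The group and port are placeholders: use whatever your application joins.
set -eu

# Print a complete iptables-restore style filter table. $1 = multicast group
# or range in CIDR form, $2 = UDP port the application listens on. The
# '#' lines stay in the file; iptables-restore ignores them.
gen_rules() {
    group="$1"
    port="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# IGMP carries the membership queries and reports; without it a querier
# never learns this host joined the group and stops forwarding to it.
-A INPUT -p igmp -j ACCEPT
# Multicast datagrams arrive as NEW conntrack flows (nothing was sent to the
# source first), so they need their own ACCEPT, placed before the REJECT.
-A INPUT -d $group -p udp -m udp --dport $port -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Returns 0 when the rule file on stdin has the multicast ACCEPT before the
# INPUT REJECT; a rule appended after the REJECT is never reached.
mcast_before_reject() {
    awk '/^-A INPUT -d [^ ]+ -p udp/ { m = NR }
         /^-A INPUT -j REJECT/      { r = NR }
         END { exit !(m && r && m < r) }'
}

# Parse-only check: -t builds the ruleset but does not commit it, so a typo
# is caught before the service restart flushes the running rules.
validate_rules() {
    iptables-restore -t < "$1"
}

install_rules() {
    tmp=$(mktemp)
    gen_rules "$1" "$2" > "$tmp"
    mcast_before_reject < "$tmp"
    validate_rules "$tmp"
    install -m 0600 "$tmp" /etc/sysconfig/iptables
    rm -f "$tmp"
    systemctl restart iptables.service
    iptables -S INPUT
}

if [ "${1:-}" = "--apply" ]; then
    install_rules "${2:?multicast group or CIDR range}" "${3:?udp port}"
fi
```

The final iptables -S INPUT prints what the kernel actually loaded, which is the state to verify rather than the file on disk. If the application joins several groups, the whole administratively scoped range 239.0.0.0/8 (or all of 224.0.0.0/4) can be given as the group argument; the port match still keeps ordinary unicast UDP out.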
