CentOS 7 默认使用 firewalld 作为防火墙，这里我们把它改为我们熟悉的 iptables。
[root@Centos7 ~]# iptables -vnL    # 看着很不舒服,改为我们习惯的 iptables
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  394 34135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   82  8322 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   82  8322 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   82  8322 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   80  8218 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 41 packets, 5963 bytes)
 pkts bytes target     prot opt in     out     source               destination
  331 35720 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  eno16777728 *       0.0.0.0/0            0.0.0.0/0            [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      eno16777728  0.0.0.0/0            0.0.0.0/0            [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    52 IN_public  all  --  eno16777728 *       0.0.0.0/0            0.0.0.0/0            [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
   82  8322 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   82  8322 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   82  8322 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

[root@Centos7 ~]# yum -y install iptables             # 安装 iptables,基本上都是存在的
[root@Centos7 ~]# yum -y install iptables-services    # 安装 iptables-services 服务
[root@Centos7 ~]# systemctl stop firewalld.service    # 停止 firewalld 服务
[root@Centos7 ~]# systemctl disable firewalld.service # 禁止 firewalld 服务自动启动
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@Centos7 ~]# systemctl enable iptables.service   # 开启 iptables 自动启动
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@Centos7 ~]# systemctl start iptables.service    # 开启 iptables 服务
[root@Centos7 ~]# iptables -vnL    # 使用 iptables 查看,胡三汉回来了!~
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@Centos7 ~]# iptables-save    # 导出当前生效的规则(这些规则来自配置文件)
# Generated by iptables-save v1.4.21 on Sun Oct 23 02:34:48 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [121:22068]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Oct 23 02:34:48 2016
[root@Centos7 ~]# iptables -vnL    # 查看状态
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  179 13428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 135 packets, 23948 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@Centos7 ~]# iptables -F      # 清空规则。注意:清空后各链策略仍是 ACCEPT,主机此时没有任何过滤,下面保存的就是这个空规则集
[root@Centos7 ~]# iptables-save    # 查看当前规则。iptables-save 只把规则输出到标准输出,并不会写入配置文件
# Generated by iptables-save v1.4.21 on Sun Oct 23 02:35:05 2016
*filter
:INPUT ACCEPT [14:1096]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1156]
COMMIT
# Completed on Sun Oct 23 02:35:05 2016
[root@Centos7 ~]# service iptables save    # 用这条才会把当前规则写入 /etc/sysconfig/iptables,重启后生效的就是这里保存的内容
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@Centos7 ~]#