从centos7开始,centos就默认firewalld作为系统的防火墙。但在一些情况下,我们就不得不换回iptables。
安装iptables并启动它
1
2
3
4
| yum install iptables -y
yum update iptables -y
yum install iptables-services -y
/usr/sbin/iptables
|
禁用自带的firewalld服务
1
2
| systemctl stop firewalld
systemctl mask firewalld
|
设置iptables规则
1
2
3
4
5
6
7
8
9
10
11
12
13
| iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
|
保存iptables
启用iptables服务
1
2
| systemctl enable iptables.service
systemctl start iptables.service
|
补充
如果想快速设置默认规则,也可以直接编辑/etc/sysconfig/iptables,并加入如下内容:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| # Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
|
保存后,启用iptables服务后后刷新重启iptables(先不要使用service iptables save保存,否则会被清空),然后重启系统。
1
2
3
4
| systemctl enable iptables.service #centos7的用法
chkconfig --level 3 iptables on #centos7以下的用法
service iptables restart
reboot
|