How to install the iptables firewall on CentOS 7
- 2020-05-17 07:29:24
- OfStack
The default firewall on CentOS 7 is firewalld, not iptables. The steps below install the classic iptables service and replace firewalld with it; do not run both at the same time, or the two rule sets will conflict.
Install iptables and iptables-services
# First check whether the iptables service is already present (it is not on a stock CentOS 7 install)
service iptables status
# Install the iptables userspace tools
yum install -y iptables
# Upgrade iptables to the latest packaged version
yum update iptables
# Install iptables-services, which provides the iptables systemd unit and the "service iptables save" command
yum install iptables-services
Disable/stop the built-in firewalld service
# Stop the firewalld service
systemctl stop firewalld
# Mask firewalld so it cannot be started again, by hand or as a dependency of another unit; masking also keeps it from starting at boot
systemctl mask firewalld
Set up the rules
# View the existing iptables rules (-n skips DNS lookups)
iptables -L -n
# Set the default INPUT policy to ACCEPT before flushing. If the policy is DROP when the rules are flushed, every packet is dropped and a remote SSH session is lost.
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains
iptables -F
# Delete all user-defined chains
iptables -X
# Zero all packet and byte counters
iptables -Z
# Accept packets arriving on the loopback interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22 (SSH); keep this rule, otherwise the DROP policy below locks you out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP control connection)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept return traffic for connections this host initiated or already accepted (ESTABLISHED) and for connections related to them (RELATED). RELATED is what lets FTP data connections through once the FTP connection-tracking helper is loaded. Rules are evaluated top to bottom, so this rule is usually placed first for efficiency, but appending it works as well.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic by default
iptables -P INPUT DROP
# Allow all outbound traffic by default
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic by default (this host is not a router)
iptables -P FORWARD DROP
Other rule settings
# To trust a particular source address (accept all TCP traffic from it), for example:
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop every request not matched by the rules above (the policy is not a rule, so it can be set before or after the ACCEPT rules)
iptables -P INPUT DROP
# To block an IP, insert (-I) a DROP rule at the top of INPUT so it is matched before any ACCEPT rule:
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock that IP, delete (-D) the rule with exactly the same specification. -D removes only the first matching rule, so a rule inserted several times must be deleted the same number of times:
iptables -D INPUT -s ***.***.***.*** -j DROP
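The block/unblock commands above are not idempotent: running `-I` twice stacks two identical rules, and `-D` removes only one of them. The following script, an added example that is not part of the original article, wraps them in helper functions that validate the address before it is passed to iptables and use `iptables -C` (check) so that blocking is applied once and unblocking removes every copy. The function names, the `DRY_RUN` variable and the test addresses (203.0.113.0/24 is a documentation range) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent block/unblock
# helpers for the INPUT chain. Must run as root against a real iptables;
# DRY_RUN=1 prints the iptables command lines instead of executing them.

: "${DRY_RUN:=0}"

# run_ipt: execute iptables, or echo the command line in dry-run mode.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# valid_ipv4: accept a dotted quad (each octet 0-255) with an optional
# /0-32 prefix. Rejecting anything else keeps stray input such as
# "203.0.113.7 -j ACCEPT" from being spliced into a rule.
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr                               # split on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip: insert a DROP rule at the top of INPUT unless one already exists.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid address '$1'" >&2; return 2; }
    if [ "$DRY_RUN" != "1" ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0                               # already blocked, nothing to do
    fi
    run_ipt -I INPUT -s "$1" -j DROP
}

# unblock_ip: delete every matching DROP rule, since -D removes one per call.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: invalid address '$1'" >&2; return 2; }
    if [ "$DRY_RUN" = "1" ]; then
        run_ipt -D INPUT -s "$1" -j DROP
        return 0
    fi
    while iptables -C INPUT -s "$1" -j DROP 2>/dev/null; do
        iptables -D INPUT -s "$1" -j DROP
    done
}

# Command-line entry point: ./blockip.sh block|unblock <address[/prefix]>
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Run `DRY_RUN=1 ./blockip.sh block 203.0.113.7` to see the command that would be issued; without `DRY_RUN` the helpers talk to the live kernel and need root. Rules added this way are still lost on reboot unless `service iptables save` is run afterwards, exactly as for the hand-typed commands.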
Save the rule settings
# Save the rules above to /etc/sysconfig/iptables so they survive a reboot (provided by iptables-services)
service iptables save
Start the iptables service
# Enable the iptables service at boot
# Equivalent to chkconfig iptables on
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# Check the status
systemctl status iptables.service
Fixing vsftpd passive mode not working after iptables is enabled
In passive mode the client opens a second, data connection to a port the server announces on the control channel, so a plain port-21 rule is not enough. The FTP connection-tracking helper reads the control channel and marks the data connection as RELATED, which the RELATED,ESTABLISHED rule then accepts. The helper can only read a plaintext control channel: with FTPS (TLS on the control connection) it cannot see the PASV reply and this fix does not apply.
1. Load the FTP helper modules by editing or adding the following in /etc/sysconfig/iptables-config
# The modules must be listed in one assignment; two IPTABLES_MODULES= lines would overwrite each other and only the second module would be loaded. Conntrack must come before NAT.
# On CentOS 7 kernels the modules are named nf_conntrack_ftp and nf_nat_ftp (ip_conntrack_ftp and ip_nat_ftp are the older names and are not present on the 3.10 kernel).
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
2. Make sure the RELATED,ESTABLISHED rule is in the INPUT chain (it is what admits the helper-tracked data connection), then restart the iptables service so the modules are loaded
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
systemctl restart iptables.service
Here is the complete setup script (run as root; it keeps port 22 open so an SSH session survives the DROP policy)
#!/bin/sh
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
systemctl restart iptables.service