How to install the iptables firewall on CentOS 7

  • 2020-05-17 07:29:24
  • OfStack

On CentOS 7 the default firewall is firewalld, not iptables. The steps below replace it with the classic iptables service.

Install iptables and iptables-services


# Check whether iptables is already installed and whether its service is running
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables to the current version
yum update iptables
# Install iptables-services, which provides the iptables systemd unit and the save/restore scripts
yum install iptables-services

Disable/stop the native firewalld service


# Stop the firewalld service
systemctl stop firewalld
# Mask firewalld so it cannot be started again (by hand or as a dependency) and conflict with iptables
systemctl mask firewalld

Configure the rules


# View the current iptables rules
iptables -L -n
# Set the INPUT policy to ACCEPT before flushing; flushing while the policy is DROP locks you out
iptables -P INPUT ACCEPT
# Flush all rules in every chain
iptables -F
# Delete all user-defined chains
iptables -X
# Zero the packet and byte counters
iptables -Z
# Accept packets arriving on the loopback interface (local traffic)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22 (SSH). If sshd listens on another port, open that one instead, or the DROP policy below cuts off your session
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP control channel)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ICMP echo requests (ping)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept replies to connections this host opened (ESTABLISHED) and connections the kernel
# ties to an existing one (RELATED); RELATED is what admits FTP data connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic
iptables -P INPUT DROP
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic
iptables -P FORWARD DROP

Other rules


# Trust a specific source address (accept all TCP traffic from it); the address below is only an example
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop everything not matched by the rules above (the default INPUT policy)
iptables -P INPUT DROP
# Block an IP address: -I inserts at the top of INPUT, so the DROP is evaluated before the ACCEPT rules
iptables -I INPUT -s ***.***.***.*** -j DROP
# Unblock that IP address: the -D arguments must match the inserted rule exactly
iptables -D INPUT -s ***.***.***.*** -j DROP
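Blocking with -I and unblocking with -D only works if the -D arguments match the inserted rule exactly, and running the block command twice stacks two identical DROP rules, of which one -D removes only one. The following is an added example (not code from the original article) that wraps both operations in shell functions which validate the address first and use `iptables -C` to test whether the rule already exists before inserting or deleting. The names valid_ipv4, block_ip and unblock_ip are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent block/unblock of a
# single IPv4 address or prefix in the INPUT chain. Assumed helper names:
# valid_ipv4, block_ip, unblock_ip. block_ip/unblock_ip must run as root.

# valid_ipv4 ADDR[/PREFIX]: return 0 for a dotted-quad address with an optional
# /0-32 prefix, so a typo never reaches iptables as a hostname lookup.
valid_ipv4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" present: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert a DROP at the top of INPUT (ahead of the ACCEPT rules)
# unless an identical rule is already present (-C returns 0 when it is).
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid address '$1'" >&2; return 1; }
    iptables -C INPUT -s "$1" -j DROP 2>/dev/null ||
        iptables -I INPUT -s "$1" -j DROP
}

# unblock_ip ADDR: delete every matching DROP rule, not only the first one,
# so earlier duplicate inserts do not leave the address blocked.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: invalid address '$1'" >&2; return 1; }
    while iptables -C INPUT -s "$1" -j DROP 2>/dev/null; do
        iptables -D INPUT -s "$1" -j DROP || return 1
    done
}

# Usage (as root):
#   block_ip 203.0.113.7      # second call is a no-op
#   unblock_ip 203.0.113.7
#   block_ip 10.0.0.0/8       # prefixes work the same way
```

Remember that changes made this way live only in the kernel; run `service iptables save` afterwards if the block should survive a service restart.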

Save the rules


# Save the rules above to /etc/sysconfig/iptables, which the iptables service restores at boot
service iptables save
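Applying rules one at a time, as above, works, but between `iptables -P INPUT ACCEPT` and `iptables -P INPUT DROP` the host is briefly wide open, and a typo in a later rule leaves it that way. The following is an added example (not code from the original article) that builds the same policy as an iptables-restore file, checks it with `iptables-restore --test`, loads it atomically, and schedules an automatic revert in case the new rules cut off your SSH session. It goes slightly beyond the article's ruleset: the RELATED,ESTABLISHED rule comes first, INVALID packets are dropped, and the port rules match only NEW connections. The function names, the port-list argument and the /tmp/iptables.rollback path are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build, validate and atomically
# apply the INPUT policy described above, with an automatic rollback.
# Assumed names: gen_ruleset, apply_ruleset, confirm_ruleset, /tmp/iptables.rollback.

# gen_ruleset PORT...: print an iptables-restore ruleset for the filter table.
# Policies and rules land in one transaction, so INPUT is never left at ACCEPT
# with an empty chain the way a flush-then-rebuild sequence does.
gen_ruleset() {
    for port in "$@"; do                       # validate everything before printing anything
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$port'" >&2; return 1
        fi
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# apply_ruleset FILE [GRACE_SECONDS]: check the syntax, snapshot the live rules,
# schedule a revert after GRACE_SECONDS (default 120), then load FILE atomically.
# Must run as root.
apply_ruleset() {
    file=$1
    grace=${2:-120}
    iptables-restore --test < "$file" || return 1
    iptables-save > /tmp/iptables.rollback || return 1
    ( sleep "$grace" && iptables-restore < /tmp/iptables.rollback ) &
    ROLLBACK_PID=$!
    iptables-restore < "$file"
}

# confirm_ruleset: call from the same shell once a fresh SSH login succeeds.
# Cancels the pending revert and persists the rules in the file that
# iptables-services restores at boot (the same file `service iptables save` writes).
confirm_ruleset() {
    kill "$ROLLBACK_PID" 2>/dev/null
    iptables-save > /etc/sysconfig/iptables
}

# Usage (as root, in an interactive shell so confirm_ruleset sees ROLLBACK_PID):
#   gen_ruleset 22 21 80 443 > /tmp/rules.v4 && apply_ruleset /tmp/rules.v4
#   ... open a second SSH session to verify access, then:
#   confirm_ruleset
```

If the second SSH session cannot connect, do nothing: after the grace period the snapshot is restored and the first session stays usable. The `-m conntrack --ctstate` match is the current spelling of the `-m state --state` match used in the article; both work on CentOS 7.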

Start the iptables service


# Enable the iptables service at boot
# (equivalent to chkconfig iptables on)
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# Check its status
systemctl status iptables.service

Fixing vsftpd passive mode not working after iptables is enabled

1. First, edit /etc/sysconfig/iptables-config and set the following:


# Load the FTP connection-tracking helper before the FTP NAT helper; the order matters.
# Both names go in one assignment: a second IPTABLES_MODULES= line would overwrite the first.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

2. Make sure the RELATED,ESTABLISHED rule is present in INPUT. The helper tracks the FTP control session and marks the passive data connection as RELATED, so this rule is what lets it through. Then restart the iptables service as in the section above so the listed modules are loaded; lsmod should show nf_conntrack_ftp afterwards.


iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Here is the complete setup script


#!/bin/sh
# Complete setup script: reset the rules, define the policy, save it and restart the service.
# Run as root; only safe over SSH if sshd listens on port 22 (adjust the port rule otherwise).
iptables -P INPUT ACCEPT      # open up before flushing so the flush cannot lock you out
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT       # SSH
iptables -A INPUT -p tcp --dport 21 -j ACCEPT       # FTP control channel
iptables -A INPUT -p tcp --dport 80 -j ACCEPT       # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT      # HTTPS
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # ping (echo request)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies and FTP data connections
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save         # writes /etc/sysconfig/iptables
systemctl restart iptables.service
