Example of how CentOS 7 opens a port with iptables
- 2020-12-26 06:17:52
- OfStack
CentOS 7 ships with firewalld as its default firewall rather than the classic iptables service. To manage rules with iptables directly, install iptables and the iptables-services package.
Install iptables and iptables-services
# Check whether the iptables service is installed and running
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables
yum update iptables
# Install iptables-services (provides iptables.service and "service iptables save")
yum install iptables-services
Disable/stop the built-in firewalld service
# firewalld and iptables-services both manage the same kernel netfilter rules, so only one of them may run
# Stop the firewalld service
systemctl stop firewalld
# Mask firewalld so that nothing (including a package update) can start it again; a masked unit cannot be started or enabled
systemctl mask firewalld
Set existing rules
# View the existing iptables rules (-n skips reverse DNS lookups)
iptables -L -n
# Set the INPUT policy to ACCEPT before flushing. If the policy were still DROP when the chain is emptied, every inbound packet, including the SSH session you are working from, would be dropped
iptables -P INPUT ACCEPT
# Flush all rules in every chain
iptables -F
# Delete all user-defined chains
iptables -X
# Reset all packet and byte counters to zero
iptables -Z
# Accept packets arriving on the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP control connection; see the vsftpd note below for passive-mode data connections)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (ICMP echo request, type 8)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept packets that belong to a connection this host already has (ESTABLISHED) or that connection tracking associates with one (RELATED). RELATED is what lets FTP data connections through once the FTP helper module is loaded. This rule is usually placed first, since most packets match it, but appending it here still works because none of the rules above drop anything
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop every other inbound packet (default policy)
iptables -P INPUT DROP
# Allow all outbound traffic (default policy)
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic (default policy); this host is not a router
iptables -P FORWARD DROP
Other rule settings
# To trust one specific address (for example an internal host) and accept every TCP connection from it:
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop everything the rules above did not match (default policy)
iptables -P INPUT DROP
# To block an IP address, insert (-I) a DROP rule at the top of INPUT so that it is evaluated before any ACCEPT rule:
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock it, delete (-D) that rule; -D removes a single matching rule, so repeat it if the block was inserted more than once:
iptables -D INPUT -s ***.***.***.*** -j DROP
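The block/unblock commands above are easy to get wrong in scripts: a repeated -I stacks duplicate DROP rules, and a single -D then removes only one of them. The following is an added example, not code from the original article, that wraps those two commands in idempotent helpers using iptables -C (check whether a rule exists). The IPTABLES variable, the function names and the 203.0.113.0/24 documentation addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: idempotent wrappers
# around the "iptables -I ... -j DROP" / "iptables -D ... -j DROP" commands
# above. IPTABLES, block_ip and unblock_ip are this example's own names.

# The command to run. Override it (for instance with a fake) to exercise the
# helpers without root; defaults to the real binary.
IPTABLES=${IPTABLES:-iptables}

# block_ip ADDR[/PREFIX]: insert a DROP at the top of INPUT, ahead of every
# ACCEPT rule. "-C" reports whether an identical rule already exists, so a
# second call is a no-op instead of stacking a duplicate (a bare "-I" would).
block_ip() {
    [ -n "$1" ] || { echo "usage: block_ip ADDR" >&2; return 1; }
    if "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
        return 0
    fi
    "$IPTABLES" -I INPUT -s "$1" -j DROP && echo "blocked: $1"
}

# unblock_ip ADDR[/PREFIX]: "-D" deletes only one matching rule per call, so
# loop until "-C" confirms that no copy is left; otherwise a stacked block
# would survive a single unblock.
unblock_ip() {
    [ -n "$1" ] || { echo "usage: unblock_ip ADDR" >&2; return 1; }
    n=0
    while "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; do
        "$IPTABLES" -D INPUT -s "$1" -j DROP || return 1
        n=$((n + 1))
    done
    echo "removed $n rule(s) for $1"
}

# Minimal command-line front end, e.g. (as root):
#   sh blockip.sh block 203.0.113.5     # 203.0.113.0/24 is a documentation range
#   sh blockip.sh unblock 203.0.113.5
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```

Because the helpers call whatever IPTABLES names, they can be exercised against a fake command before being run as root on the real ruleset; on the real system the result of a block is visible with iptables -L INPUT -n --line-numbers.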
Save the rule settings
# Save the rules above to /etc/sysconfig/iptables, which iptables.service loads at boot. Note that this covers IPv4 only; IPv6 is filtered by the separate ip6tables (ip6tables.service from the same package), which none of the commands here touch
service iptables save
Start iptables
# Register the iptables service to start at boot
# (the equivalent of the old "chkconfig iptables on")
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# Check the status
systemctl status iptables.service
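Before enabling iptables.service it is worth checking the saved file for the mistakes that lock an administrator out of a remote host. The following is an added example, not code from the original article: a POSIX shell script that audits a ruleset in the /etc/sysconfig/iptables (iptables-save) format for the properties the rules above rely on, plus a lockout_guard function that reopens INPUT on a timer if a freshly loaded ruleset cuts off your SSH session. The function names, the individual checks and the constructed sample ruleset are this example's own assumptions, not anything the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a ruleset in the
# /etc/sysconfig/iptables (iptables-save) format before enabling
# iptables.service, and arm a timer that reopens INPUT if the new rules cut
# off the SSH session. The checks, the sample ruleset and the function names
# are this example's own assumptions.

# sample_ruleset: a constructed copy of what "service iptables save" writes
# for the rules in this article (iptables-save expands "-p tcp --dport" to
# "-p tcp -m tcp --dport").
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# audit_rules FILE: print one WARN line per problem; the return code is the
# number of problems found (0 means the file passed every check).
audit_rules() {
    f=$1
    problems=0
    grep -q '^:INPUT DROP' "$f" ||
        { echo "WARN: INPUT policy is not DROP (no default deny)"; problems=$((problems + 1)); }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" ||
        { echo "WARN: loopback traffic is not accepted; local services will break"; problems=$((problems + 1)); }
    grep -Eq -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$f" ||
        { echo "WARN: no ACCEPT for SSH (tcp/22); remote lockout likely"; problems=$((problems + 1)); }
    grep -Eq -- '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$f" ||
        { echo "WARN: no RELATED,ESTABLISHED rule; replies to outbound traffic will be dropped"; problems=$((problems + 1)); }
    # Rules are evaluated top to bottom and the first match wins, so a
    # catch-all DROP rule placed before the SSH ACCEPT silently shadows it.
    if awk '/^-A INPUT -j DROP$/ && !d { d = NR }
            /^-A INPUT .*--dport 22 .*-j ACCEPT/ && !s { s = NR }
            END { exit !(d && s && d < s) }' "$f"; then
        echo "WARN: a catch-all DROP rule precedes the SSH ACCEPT and shadows it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# lockout_guard [SECONDS]: before loading a new ruleset over SSH, start a
# background job that reopens INPUT after SECONDS (default 120). If the new
# rules still let you in, cancel it with the kill command it prints.
# Needs root and the real iptables binary; not exercised by the self-check.
lockout_guard() {
    secs=${1:-120}
    ( sleep "$secs" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    GUARD_PID=$!
    echo "guard armed: INPUT opens in ${secs}s unless you run: kill $GUARD_PID"
}

# Audit the file given as first argument (e.g. /etc/sysconfig/iptables after
# "service iptables save"), or the constructed sample when run without one.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp) && sample_ruleset > "$target"
fi
rc=0
audit_rules "$target" || rc=$?
[ "$rc" -eq 0 ] && echo "$target: OK" || echo "$target: $rc problem(s) found"
[ -n "${1:-}" ] || rm -f "$target"
```

Run it with no argument to audit the built-in sample, or with /etc/sysconfig/iptables as the argument after service iptables save. The guard is used in the order arm, load rules, log in again, kill: if the login fails, the timer restores an open INPUT policy on its own.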
Fixing vsftpd passive mode not working after iptables is turned on
1. First, modify or add the following line in /etc/sysconfig/iptables-config, so that the FTP connection-tracking helper modules are loaded when the service starts
Add one IPTABLES_MODULES line that lists both modules, space-separated. The file is sourced as a shell script, so two separate IPTABLES_MODULES= lines would not combine: the second would overwrite the first and only one module would load. Keep the conntrack module before the NAT module, since ip_nat_ftp depends on ip_conntrack_ftp (on the CentOS 7 kernel these are the compatibility aliases of nf_conntrack_ftp and nf_nat_ftp).
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
2. Restart the iptables service so the modules are loaded, and make sure the RELATED,ESTABLISHED rule from above is present: the helper marks the passive-mode data connection as RELATED to the control connection on port 21, and this rule is what accepts it.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The following is the complete setup script
#!/bin/sh
# Build the INPUT ruleset from scratch. Keep the order: open the policy first, then flush, then add the accepts, and only then switch the policy to DROP.
iptables -P INPUT ACCEPT   # never flush into a DROP policy: that drops your own SSH session
iptables -F                # flush all rules
iptables -X                # delete user-defined chains
iptables -Z                # zero the counters
iptables -A INPUT -i lo -j ACCEPT                  # loopback
iptables -A INPUT -p tcp --dport 22 -j ACCEPT      # SSH
iptables -A INPUT -p tcp --dport 21 -j ACCEPT      # FTP control connection
iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT     # HTTPS
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT  # ping (echo request)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies, and FTP data connections via the helper
iptables -P INPUT DROP     # default deny for everything else inbound
iptables -P OUTPUT ACCEPT  # allow all outbound
iptables -P FORWARD DROP   # this host is not a router
service iptables save      # persist to /etc/sysconfig/iptables for iptables.service