Example of how CentOS 7 opens a port

  • 2020-12-26 06:17:52
  • OfStack

The default firewall on CentOS 7 is not iptables but firewalld (which itself programs iptables rules behind the scenes). This guide replaces it with the plain iptables-services package so the rules can be written directly.

Install iptables and iptables-services


# Check whether the iptables service is present
service iptables status
# Install iptables (the userspace tool)
yum install -y iptables
# Upgrade iptables
yum update iptables
# Install iptables-services, which provides the iptables systemd unit and "service iptables save"
yum install iptables-services

Disable/stop the built-in firewalld service


# Stop firewalld (this also removes its rules, so the host is unfiltered until the rules below are loaded)
systemctl stop firewalld
# Mask firewalld so nothing can start it again (mask is stronger than disable)
systemctl mask firewalld

Set existing rules


# View the existing iptables rules
iptables -L -n
# Set the default INPUT policy to ACCEPT before flushing; if the policy were already DROP, flushing the rules would cut off this SSH session
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains
iptables -F
# Delete all user-defined chains
iptables -X
# Reset all packet and byte counters to 0
iptables -Z
# Accept packets arriving on the loopback interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22 (SSH); keep this rule, because the INPUT policy becomes DROP below
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP control channel; FTP sends credentials in cleartext, so only open it if it is really needed)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept packets of established connections and packets related to them; RELATED is what lets the FTP data connection in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic
iptables -P INPUT DROP
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic
iptables -P FORWARD DROP

Other rule setting


# To trust a specific source address (accept every TCP connection from it), add a rule for its source IP
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop everything the rules above do not accept
iptables -P INPUT DROP
# To block an IP, insert the rule at the top of INPUT with -I; an appended (-A) rule would sit below the ACCEPT rules and never match on the open ports
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock the IP, delete the same rule (-D removes the first rule that matches exactly)
iptables -D INPUT -s ***.***.***.*** -j DROP

Save rule settings


# Save the rules above to /etc/sysconfig/iptables so they are restored at boot (provided by iptables-services)

service iptables save

Start iptables


# Enable the iptables service at boot (the equivalent of the old chkconfig iptables on)
systemctl enable iptables.service
# Open the service 
systemctl start iptables.service
# Check the status 
systemctl status iptables.service

Fixing vsftpd passive mode, which stops working once iptables is enabled

1. First, set the following in /etc/sysconfig/iptables-config, the file the iptables service reads when it starts

Add the modules as one space-separated list (two separate IPTABLES_MODULES= lines would overwrite each other and only the last module would be loaded). These are the legacy module names; on the CentOS 7 kernel they resolve through module aliases to nf_conntrack_ftp and nf_nat_ftp, and nf_nat_ftp is only needed when the server sits behind NAT. Restart the service afterwards (systemctl restart iptables) so the modules are loaded.


IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

2. Make sure the rule accepting RELATED,ESTABLISHED packets is present. With the ftp helper loaded, conntrack reads the PASV reply on the control connection and marks the incoming data connection as RELATED, so this rule lets it through without opening the whole passive port range


iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The following is the complete setup script (run it from a console session, or make sure port 22 stays in the list, since the INPUT policy becomes DROP at the end)


#!/bin/sh
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
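A fuller version of the same procedure, added here as an example and not code from the original post: instead of building the INPUT chain rule by rule while the policy sits at ACCEPT, the script generates the whole ruleset in iptables-restore format, syntax-checks it, and loads it atomically with iptables-restore, with a timed rollback in case the new rules lock out the SSH session. The function names gen_ruleset and apply_ruleset and the paths /root/iptables.rollback and /run/iptables-rollback.pid are assumptions made for this example; everything else is standard iptables-restore, iptables-save and the CT target available on CentOS 7. If port 21 is in the list, a raw-table rule attaches the conntrack ftp helper to the control connection, so passive-mode data connections are accepted as RELATED even when automatic helper assignment is switched off.

```shell
#!/bin/sh
# Example added to this article (not from the original post): build the
# complete CentOS 7 ruleset as an iptables-restore file and apply it
# atomically. gen_ruleset/apply_ruleset and the rollback paths are names
# assumed for this example.

# gen_ruleset PORT...  ->  prints the ruleset for the given TCP ports
gen_ruleset() {
    # Validate every argument before printing anything, so a bad port
    # never yields a half-written ruleset on stdout.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: not a port number: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range: $p" >&2; return 1
        fi
    done

    # filter table: default-deny inbound and forward, allow outbound; the
    # same policy as the article's script, using -m conntrack instead of
    # the older -m state (both work on CentOS 7) and dropping INVALID packets
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'

    # raw table, only when FTP (21) is opened: pin the conntrack ftp helper
    # to the control connection so PASV data connections become RELATED even
    # if net.netfilter.nf_conntrack_helper is 0 (no automatic assignment).
    # Requires nf_conntrack_ftp to be loaded (IPTABLES_MODULES in iptables-config).
    for p in "$@"; do
        if [ "$p" -eq 21 ]; then
            printf '%s\n' \
                '*raw' \
                ':PREROUTING ACCEPT [0:0]' \
                ':OUTPUT ACCEPT [0:0]' \
                '-A PREROUTING -p tcp --dport 21 -j CT --helper ftp' \
                'COMMIT'
            break
        fi
    done
}

# apply_ruleset PORT...  ->  check, snapshot, load with a 2-minute rollback
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    # parse and build the ruleset without committing it
    iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    # snapshot the live rules and schedule their restoration; the admin
    # cancels the timer after confirming a new SSH session still works
    iptables-save > /root/iptables.rollback || { rm -f "$tmp"; return 1; }
    ( sleep 120 && iptables-restore < /root/iptables.rollback ) &
    echo "$!" > /run/iptables-rollback.pid
    # atomic replacement: no window with an empty chain and policy ACCEPT
    iptables-restore < "$tmp"
    rm -f "$tmp"
    echo "rules loaded; confirm access, then: kill \$(cat /run/iptables-rollback.pid) && service iptables save"
}
```

Run `apply_ruleset 22 80 443` (add 21 for FTP) as root, open a new SSH session to confirm access, then kill the rollback timer and run `service iptables save`. The generated file can also be written straight to /etc/sysconfig/iptables with `gen_ruleset 22 80 443 > /etc/sysconfig/iptables` and loaded with `systemctl restart iptables`.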
