Host-level (operating-system) firewalls are rarely relied on these days, and iptables has been removed from CentOS as well.

firewalld

Since CentOS 7 the firewall is firewalld; it ships with the system and is enabled by default.

# start / stop / restart the service and show its status
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
systemctl status firewalld

PS. The status output may carry this warning:

WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.

Turn the option off in the config file, confirm the change, then restart and re-check the status:

# switch AllowZoneDrifting from yes to no in place
sed -i 's/AllowZoneDrifting=yes/AllowZoneDrifting=no/g' /etc/firewalld/firewalld.conf
# confirm the edited value
grep AllowZoneDrifting /etc/firewalld/firewalld.conf
systemctl restart firewalld && systemctl status firewalld

Managing rules with firewall-cmd
# show the version
firewall-cmd --version
# show help
firewall-cmd --help
# show whether firewalld is running
firewall-cmd --state
# list all ports opened in the public zone
firewall-cmd --zone=public --list-ports
# open port 3306 (and a range 3306-3307) to any source; --permanent writes the
# saved configuration and only takes effect after --reload
firewall-cmd --zone=public --add-port=3306/tcp --permanent
firewall-cmd --zone=public --add-port=3306-3307/tcp --permanent
# accept 3306/tcp only from a given source address; the rule goes in single
# quotes so its own double quotes reach firewalld intact
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.1" port protocol="tcp" port="3306" accept'
# 192.168.0.0 as written matches only that single address; to cover a whole
# subnet, add a mask such as 192.168.0.0/24
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0" port protocol="tcp" port="3306" accept'
# close port 3306
firewall-cmd --zone=public --remove-port=3306/tcp --permanent
# reload so the --permanent changes above become the running rules
firewall-cmd --reload
# list everything configured in the default zone (interfaces, services, ports, rich rules)
firewall-cmd --list-all
# list the active zones and the interfaces bound to them
firewall-cmd --get-active-zones
# show which zone a given interface belongs to
firewall-cmd --get-zone-of-interface=eth0
# panic mode: drop every incoming and outgoing packet
firewall-cmd --panic-on
# leave panic mode
firewall-cmd --panic-off
# query whether panic mode is on
firewall-cmd --query-panic
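Two things in the command list above deserve a check rather than trust: the rich rules need exact quoting to reach firewalld intact, and a source-restricted rich rule for 3306 does nothing useful if the same port was also opened to everyone with --add-port. The following Python is an added example written for this page, not code from the original post or from the firewalld project. It builds rich rules with validated values and correct shell quoting, and parses captured --list-all output to flag ports exposed to any source and rich rules whose restriction is made moot by a plain port entry. The sample zone output and config fragment are constructed, so it runs without firewalld installed; the function names are this example's own.

```python
"""firewalld helpers: build quoted rich rules, audit `--list-all` output.

Added example for this page, not the post's or firewalld's own code. It works
on captured text, so no firewalld install is needed. Sample data is constructed.
"""
import ipaddress
import re
import shlex

# Constructed sample of `firewall-cmd --zone=public --list-all` after the post's
# --add-port and --add-rich-rule commands were applied and reloaded.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 3306/tcp 3306-3307/tcp
  protocols:
  rich rules:
\trule family="ipv4" source address="192.168.0.1" port port="3306" protocol="tcp" accept
"""

# Constructed fragment of /etc/firewalld/firewalld.conf.
SAMPLE_CONF = "DefaultZone=public\nAllowZoneDrifting=yes\n"


def _check_port(port):
    """Accept '3306' or '3306-3307' with both ends in 1..65535."""
    parts = port.split("-")
    if len(parts) > 2 or not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        raise ValueError(f"bad port {port!r}")
    if len(parts) == 2 and int(parts[0]) > int(parts[1]):
        raise ValueError(f"inverted port range {port!r}")
    return port


def build_rich_rule(source, port, proto="tcp", action="accept"):
    """Rich rule with every value double-quoted, as firewalld documents it.
    The source must parse as a host or CIDR network; host bits set inside a
    masked network (192.168.0.7/24) are normalised to the network address."""
    net = ipaddress.ip_network(source, strict=False)  # ValueError on junk
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
    family = "ipv4" if net.version == 4 else "ipv6"
    if proto not in ("tcp", "udp", "sctp", "dccp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    return (f'rule family="{family}" source address="{addr}" '
            f'port port="{_check_port(port)}" protocol="{proto}" {action}')


def firewall_cmd_line(rule, zone="public"):
    """Shell line that passes the rule intact: shlex wraps the argument in
    single quotes, so the rule's own double quotes survive the shell."""
    argv = ["firewall-cmd", "--permanent", f"--zone={zone}", f"--add-rich-rule={rule}"]
    return shlex.join(argv)


def parse_list_all(text):
    """Turn `--list-all` output into {field: [tokens]}; rich rules keep whole lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith("\t") and current == "rich rules":
            fields[current].append(line.strip())
        elif line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current = key.strip()
            fields[current] = value.split()
    return fields


def _attr(rule, name):
    m = re.search(rf'\b{name}="([^"]+)"', rule)
    return m.group(1) if m else None


def _expand(portspec):
    """'3306-3307/tcp' -> {(3306, 'tcp'), (3307, 'tcp')}."""
    ports, proto = portspec.split("/")
    lo, _, hi = ports.partition("-")
    return {(p, proto) for p in range(int(lo), int(hi or lo) + 1)}


def audit_zone(text):
    """Return (world_open, restricted): plain port entries, which accept from
    any source, and (port/proto, source) pairs taken from accept rich rules."""
    fields = parse_list_all(text)
    world_open = list(fields.get("ports", []))
    restricted = []
    for rule in fields.get("rich rules", []):
        if "accept" not in rule.split():
            continue
        src, port, proto = (_attr(rule, n) for n in ("address", "port", "protocol"))
        if src and port and proto:
            restricted.append((f"{port}/{proto}", src))
    return world_open, restricted


def shadowed_rich_rules(text):
    """Source-restricted accept rules whose port a plain port entry already
    opens to everyone; the restriction then adds nothing."""
    world_open, restricted = audit_zone(text)
    opened = set().union(*(_expand(p) for p in world_open))
    return [(pp, src) for pp, src in restricted if _expand(pp) <= opened]


def zone_drifting_enabled(conf_text):
    """True/False for AllowZoneDrifting=yes/no; None when the key is absent."""
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowZoneDrifting":
            return value.strip().lower() == "yes"
    return None


if __name__ == "__main__":
    print(firewall_cmd_line(build_rich_rule("192.168.0.0/24", "3306")))
    print("open to any source:", audit_zone(SAMPLE_LIST_ALL)[0])
    print("restriction made moot by --add-port:", shadowed_rich_rules(SAMPLE_LIST_ALL))
    print("AllowZoneDrifting=yes:", zone_drifting_enabled(SAMPLE_CONF))
```

On the constructed sample the audit reports 3306/tcp and 3306-3307/tcp as open to any source and lists the 192.168.0.1 rich rule as shadowed: once --add-port=3306/tcp is in the zone, the rich rule's source restriction has no effect, so a host that only wants 3306 reachable from one network should use the rich rule alone. Feed the functions real output with `firewall-cmd --zone=public --list-all | python3 -c ...` or by reading the file.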

iptables