On CentOS 7 the default firewall front end is firewalld, not iptables. To manage the firewall with plain iptables rules instead, install the iptables and iptables-services packages.
Install iptables and iptables-services
# First check whether iptables is already installed
service iptables status
# install iptables
yum install -y iptables
# upgrade iptables
yum update iptables
# install iptables-services (provides the iptables service unit and "service iptables save")
yum install iptables-services
Disable / stop the built-in firewalld service
# Stop the firewalld service
systemctl stop firewalld
# Disable the firewalld service (mask also prevents other units from starting it)
systemctl mask firewalld
Set up the rules
# View the existing iptables rules
iptables -L -n
# Set the INPUT policy to ACCEPT first; if the policy were already DROP when the rules are flushed below, you could lock yourself out of the SSH session
iptables -P INPUT ACCEPT
# flush all rules in the default chains
iptables -F
# delete all user-defined chains
iptables -X
# reset all packet and byte counters to zero
iptables -Z
# Allow packets on the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# open port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# open port 21 (FTP control connection)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (ICMP echo-request)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow return traffic for connections this host initiated; RELATED is needed for FTP data connections (no space after the comma)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop all other inbound traffic
iptables -P INPUT DROP
# allow all outbound traffic
iptables -P OUTPUT ACCEPT
# drop all forwarded traffic (this host is not a router)
iptables -P FORWARD DROP
Other rules
# Allow all TCP traffic from a single trusted source address
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop every request not matched by the rules above
iptables -P INPUT DROP
# To block an IP, use the following command (to trust an intranet IP instead, i.e. accept all of its requests, use -j ACCEPT in place of -j DROP):
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock an IP, delete the same rule:
iptables -D INPUT -s ***.***.***.*** -j DROP
Save the rule settings
# Save the above rules so they survive a reboot (this is the reason iptables-services was installed)
service iptables save
Enable and start the iptables service
# Enable the iptables service at boot
# (equivalent to "chkconfig iptables on" on earlier releases)
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# View the status
systemctl status iptables.service
Fixing vsftpd passive mode, which stops working once iptables is enabled
1. First edit or add the following in /etc/sysconfig/iptables-config
# Use a single assignment listing both modules; two separate assignments would overwrite each other, and the order must not be swapped (conntrack before nat).
# If modprobe cannot find these names on your kernel, the CentOS 7 module names are nf_conntrack_ftp and nf_nat_ftp.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
2. Restart iptables so the modules are loaded, and make sure the RELATED,ESTABLISHED rule is present, since passive-mode FTP data connections are classified as RELATED
systemctl restart iptables.service
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The following is a complete setup script
#!/bin/sh
# open INPUT first so flushing the rules cannot lock us out
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
# loopback
iptables -A INPUT -i lo -j ACCEPT
# SSH, FTP control, HTTP, HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ping
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# replies to our own connections and FTP data connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
systemctl restart iptables.service
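As an added example that is not part of the original page, the POSIX shell function below emits the same rule set in iptables-restore format. Loading the rules with iptables-restore applies them in one atomic step, so there is no moment at which the INPUT policy is already DROP while the ACCEPT rules are still missing (the lockout the script above guards against with "iptables -P INPUT ACCEPT"), and the RELATED,ESTABLISHED rule is listed first so the SSH session running the reload survives it. The function name gen_rules and the use of /etc/sysconfig/iptables as the output file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's rule set in
# iptables-restore format so all rules are loaded atomically.
# Assumed usage (as root):
#   gen_rules 22 21 80 443 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables

gen_rules() {
    # $@ = TCP ports to open; chain policies match the page:
    # INPUT DROP, FORWARD DROP, OUTPUT ACCEPT
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to our own connections and FTP data connections (RELATED)
    # come first so an existing SSH session survives the reload
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Loopback traffic
    echo '-A INPUT -i lo -j ACCEPT'
    # Ping (ICMP echo-request)
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    for port in "$@"; do
        # Refuse anything that is not a valid TCP port number, so a typo
        # fails here instead of producing a ruleset iptables-restore rejects
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range '$port'" >&2
            return 1
        fi
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}
```

Because the file is written before it is loaded, the ruleset can also be reviewed with "iptables-restore --test" (where supported) before it touches the running firewall.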