Disable the default firewalld and enable iptables on CentOS 7

Author: 狗子家的铲屎官 | Published 2018-12-06 17:38

1. Background

The default firewall on CentOS 7 is firewalld rather than iptables; the steps below switch the system to iptables.

2. Steps

  • Stop firewalld
#stop firewalld
[root@localhost ~]# systemctl stop firewalld.service 
#prevent firewalld from starting at boot
[root@localhost ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
#check the default firewall's state (shows "not running" once stopped, "running" while active)
[root@localhost ~]# firewall-cmd --state
not running
[root@localhost ~]# 
  • Install iptables
[root@localhost ~]# #1. check whether the iptables service is installed
[root@localhost ~]# service iptables status 
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[root@localhost ~]# #the message above means the iptables service unit is missing (it is provided by iptables-services; the iptables package itself may already be present, as the "updated" output below shows)

[root@localhost ~]# #2. install iptables
[root@localhost ~]# yum install -y iptables
已加载插件:fastestmirror
.........
更新完毕:
  iptables.x86_64 0:1.4.21-28.el7                                                                          

完毕!
[root@localhost ~]# #3. install iptables-services
[root@localhost ~]# yum install iptables-services
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
....
已安装:
  iptables-services.x86_64 0:1.4.21-28.el7                                                                 

完毕!

[root@localhost ~]# #4. verify the installation
[root@localhost ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since 四 2018-12-06 16:45:36 CST; 1min 13s ago
  Process: 2065 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 2065 (code=exited, status=0/SUCCESS)

12月 06 16:45:36 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
12月 06 16:45:36 localhost.localdomain iptables.init[2065]: iptables: Applying firewall rules: [  确定  ]
12月 06 16:45:36 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost ~]# #this output means the installation succeeded

  • Start and stop iptables
[root@localhost ~]# #enable the firewall at boot
[root@localhost ~]# systemctl enable iptables.service

[root@localhost ~]# #disable the firewall at boot
[root@localhost ~]# systemctl disable iptables.service
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.

[root@localhost ~]# #stop the iptables service
[root@localhost ~]# systemctl stop iptables.service

[root@localhost ~]# #start the iptables service
[root@localhost ~]# systemctl start iptables.service

[root@localhost ~]# #restart the iptables service
[root@localhost ~]# systemctl restart iptables.service

[root@localhost ~]# #show the iptables service status
[root@localhost ~]# systemctl status iptables.service
  • Configure iptables
[root@localhost ~]# #open port 9200
[root@localhost ~]# iptables -A INPUT -p tcp --dport 9200 -j ACCEPT

[root@localhost ~]# #1. list the current iptables rules
[root@localhost ~]# iptables -L -n

[root@localhost ~]# #delete user-defined chains (-X only removes empty custom chains; use iptables -F to flush the rules themselves)
[root@localhost ~]# iptables -X

[root@localhost ~]# #trust an internal IP (accept all of its TCP traffic)
[root@localhost ~]# iptables -A INPUT -p tcp -s 192.168.24.151 -j ACCEPT

[root@localhost ~]# #set the default INPUT policy to DROP so anything not matched by the rules above is dropped
[root@localhost ~]# iptables -P INPUT DROP

[root@localhost ~]# #block an IP
[root@localhost ~]# iptables -I INPUT -s 192.168.24.153 -j DROP

[root@localhost ~]# #unblock that IP (delete the matching rule)
[root@localhost ~]# iptables -D INPUT -s 192.168.24.153 -j DROP

[root@localhost ~]# #save the rules above so they survive a restart
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ]
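The rules from the configuration section, applied as one script in an order that cannot lock the administrator out (loopback and established traffic are accepted before the INPUT policy is switched to DROP). This is an added example, not code from the original post; the script itself, its IPT and SSH_PORT variables and the --apply/--dry-run switches are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's iptables rules
# in a lock-out-safe order. Run as root with --apply, or preview the commands
# with --dry-run. IPT, SSH_PORT and the two switches are assumptions.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
TRUSTED_HOST="192.168.24.151"   # trusted internal host from the post
BLOCKED_HOST="192.168.24.153"   # host the post blocks
SERVICE_PORT=9200               # port the post opens

apply_rules() {
    # Keep the policy at ACCEPT while the chain is rebuilt: if a later
    # command fails, the machine stays reachable.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
    "$IPT" -X            # removes (empty) user-defined chains, as in the post
    # Loopback and reply traffic must be accepted first; without these,
    # -P INPUT DROP cuts the current SSH session and all outbound replies.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The block rule precedes every allow rule so it always wins.
    "$IPT" -A INPUT -s "$BLOCKED_HOST" -j DROP
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$SERVICE_PORT" -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$TRUSTED_HOST" -j ACCEPT
    # Only now switch the default policy; anything unmatched is dropped.
    "$IPT" -P INPUT DROP
}

case "${1:-}" in
    --dry-run) IPT=echo; apply_rules ;;
    --apply)   apply_rules && \
               echo "Applied; run 'service iptables save' to persist to /etc/sysconfig/iptables" ;;
esac
```

Preview with `IPT=echo sh apply-rules.sh --dry-run` (assumed file name) before applying; the printed order is the order the kernel will evaluate.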

Original link: https://www.haomeiwen.com/subject/ugyocqtx.html