centos7防火墙iptables配置

发表于 2016-10-19 更新于 2026-04-21 分类于 Linux 阅读次数：

1：Firewalld防火墙

systemctl stop firewalld.service #停止firewall

systemctl disable firewalld.service #禁止firewall开机启动

2：安装iptables

#先检查是否安装了iptables

service iptables status

#安装iptables

yum install -y iptables

#升级iptables

yum update iptables

#安装iptables-services

yum install iptables-services

#停止firewalld服务

systemctl stop firewalld

#禁用firewalld服务

systemctl mask firewalld

#查看iptables现有规则

iptables -L -n

#先允许所有,不然有可能会杯具

iptables -P INPUT ACCEPT

#清空所有默认规则

iptables -F

#清空所有自定义规则

iptables -X

#所有计数器归0

iptables -Z

#允许来自于lo接口的数据包(本地访问)

iptables -A INPUT -i lo -j ACCEPT

#开放22端口

iptables -A INPUT -p tcp –dport 22 -j ACCEPT

#开放21端口(FTP)

iptables -A INPUT -p tcp –dport 21 -j ACCEPT

#开放80端口(HTTP)

iptables -A INPUT -p tcp –dport 80 -j ACCEPT

#开放3306端口(HTTP)

iptables -A INPUT -p tcp –dport 3306 -j ACCEPT

#开放443端口(HTTPS)

iptables -A INPUT -p tcp –dport 443 -j ACCEPT

#允许ping

iptables -A INPUT -p icmp –icmp-type 8 -j ACCEPT

#允许接受本机请求之后的返回数据 RELATED,是为FTP设置的

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

#其他入站一律丢弃

iptables -P INPUT DROP

#所有出站一律绿灯

iptables -P OUTPUT ACCEPT

#所有转发一律丢弃

iptables -P FORWARD DROP

#如果要添加内网ip信任（接受其所有TCP请求）

iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT

#过滤所有非以上规则的请求

iptables -P INPUT DROP

#要封停一个IP，使用下面这条命令：

iptables -I INPUT -s ... -j DROP

#要解封一个IP，使用下面这条命令:

iptables -D INPUT -s ... -j DROP

#保存上述规则

service iptables save

重新设置iptables设置

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

=========================================================

    |||||完整iptables配置|||||

==========================================================

#!/bin/sh

iptables -P INPUT ACCEPT

iptables -F

iptables -X

iptables -Z

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp –dport 22 -j ACCEPT

iptables -A INPUT -p tcp –dport 21 -j ACCEPT

iptables -A INPUT -p tcp –dport 80 -j ACCEPT

iptables -A INPUT -p tcp –dport 3306 -j ACCEPT

iptables -A INPUT -p tcp –dport 443 -j ACCEPT

iptables -A INPUT -p icmp –icmp-type 8 -j ACCEPT

iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

service iptables save

systemctl restart iptables.service

=====================================================

或者直接修改文件

vi /etc/sysconfig/iptables #编辑防火墙配置文件

Firewall configuration written by system-config-firewall

Manual customization of this file is not recommended.

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT

-A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT

-A INPUT -m state –state NEW -m tcp -p tcp –dport 3306 -j ACCEPT

-A INPUT -j REJECT –reject-with icmp-host-prohibited

-A FORWARD -j REJECT –reject-with icmp-host-prohibited

COMMIT

:wq! #保存退出

ft0e3USWsR85n12aYF