The default firewall on CentOS 7 is not iptables but firewalld.
Install iptables and iptables-services
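# Check whether an iptables service unit is already present ("service"
# forwards to systemctl on CentOS 7; a missing unit gives a non-zero exit).
service iptables status
# Install the iptables userland and the iptables-services unit files in one
# transaction. -y answers the confirmation prompt so this runs unattended.
yum install -y iptables iptables-services
# "yum install" does not refresh an already-installed package; update it
# explicitly so the userland matches the current package repository.
yum update -y iptables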
Stop and disable the built-in firewalld service
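# Stop firewalld now. firewalld and iptables-services must not both manage
# the ruleset, or each restart overwrites the other's rules.
# NOTE: from this point until the iptables rules below are loaded, the host
# has no packet filter at all; do the two steps in one sitting.
systemctl stop firewalld
# Remove the boot-time "enabled" link so firewalld is not pulled in again
# after a later unmask.
systemctl disable firewalld
# Mask the unit so nothing (including a package upgrade) can start it.
systemctl mask firewalld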
Reset the existing rules and set up the new rule set
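# Show the current rule set; -n skips DNS/service-name lookups so the listing
# is fast and does not send lookups to the resolver.
iptables -L -n
# Set the INPUT policy to ACCEPT *before* flushing: if the policy were still
# DROP when -F removes the ACCEPT rules, a remote (SSH) session would be
# locked out between the flush and the re-add of the rules below.
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains
iptables -F
# Delete all (now empty) user-defined chains
iptables -X
# Zero the packet/byte counters
iptables -Z
# Accept everything on the loopback interface (local inter-process traffic)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22 (SSH). This rule must exist before the policy is switched to
# DROP below, or a remote session cannot be re-established.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP control channel). FTP carries credentials in cleartext;
# only open it if vsftpd is actually required, and see the passive-mode
# section for the conntrack helper the data channel depends on.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Accept inbound ICMP echo-request (type 8) so the host answers ping
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept replies to connections this host initiated (ESTABLISHED) and
# helper-tracked secondary connections such as FTP data (RELATED).
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default-deny: anything inbound not matched by a rule above is dropped
iptables -P INPUT DROP
# All outbound traffic is allowed
iptables -P OUTPUT ACCEPT
# This host does not route; drop all forwarded packets
iptables -P FORWARD DROP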
Other rule settings
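# Trust a specific source address (accept all of its TCP traffic). The address
# shown is only an example and is not in a private range; replace it with the
# real trusted host or CIDR range (a constructed example: -s 10.0.0.0/8).
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop anything not matched by a rule above (this is the chain policy, not a
# rule, so its position in this listing does not matter)
iptables -P INPUT DROP
# Block a single IP. -I inserts at the top of INPUT so the DROP is evaluated
# before any ACCEPT rule; an -A appended after them would never match.
iptables -I INPUT -s ***.***.***.*** -j DROP
# Unblock the IP: -D must repeat exactly the rule spec that was inserted
iptables -D INPUT -s ***.***.***.*** -j DROP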
Save rule settings
# Persist the running rule set (the iptables-services "save" action writes
# the current rules so they are reloaded when the service starts). Until this
# is run, the rules above exist only in the kernel and are lost on reboot.
service iptables save
Enable the iptables service
# Enable the unit so the saved rule set is loaded at boot. systemctl assumes
# the .service suffix, so the bare unit name is equivalent to iptables.service.
# (Replaces the pre-systemd "chkconfig iptables on".)
systemctl enable iptables
# Start the service now, loading the saved rules into the kernel.
systemctl start iptables
# Confirm the unit is active; the exit status is non-zero if it is not.
systemctl status iptables
Fix vsftpd passive mode not working after iptables is turned on
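# In the iptables-services configuration file (presumably
# /etc/sysconfig/iptables-config — confirm on the target host), list both FTP
# helper modules in ONE assignment. Two separate IPTABLES_MODULES= lines would
# overwrite each other, leaving only the NAT helper loaded. Order matters: the
# conntrack helper must come before the NAT helper. On current kernels these
# names appear to be aliases of nf_conntrack_ftp / nf_nat_ftp — verify with
# lsmod after a service restart.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
# The helper tags the passive-mode data connection as RELATED; this rule
# admits it. If the main rule set already contains this rule, it is a
# duplicate and can be omitted.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT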
The following is the complete setup script
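#!/bin/sh
# Reset the filter table, install the baseline inbound rule set, and persist
# it. Must run as root. Safe to re-run; intended for a host administered over
# SSH, so the order of the steps below is deliberate.
set -eu
# Fail early and clearly instead of letting every iptables call fail with EPERM.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "this script must be run as root" >&2
  exit 1
fi
# Open the chain before flushing so an existing DROP policy cannot cut off the
# current session between -F and the re-add of the SSH rule. Under set -e a
# failing rule append aborts BEFORE the policy is switched to DROP, so a typo
# cannot leave the host with a DROP default and no ACCEPT rules.
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
# loopback
iptables -A INPUT -i lo -j ACCEPT
# SSH, FTP control, HTTP, HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ICMP echo-request (ping)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# replies to our own connections, and helper-tracked related connections (FTP data)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# default-deny inbound and forwarded; allow all outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# persist so the rule set survives a reboot, then reload it through the service
service iptables save
systemctl restart iptables.service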