netfilter firewall
- Check the status of the SELinux firewall
[root@dl-001 ~]# getenforce
Enforcing
Note: Enforcing means SELinux is on; Disabled means it is off.
- Temporarily disable the SELinux firewall:
[root@dl-001 ~]# setenforce 0
- Permanently disable the SELinux firewall:
[root@dl-001 ~]# vi /etc/selinux/config //edit the SELinux configuration file
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Note: change SELINUX=enforcing to SELINUX=disabled, save the file, and reboot the system for the change to take effect.
### netfilter (Firewalld) firewall
netfilter is the firewall that was used before CentOS 7; on CentOS 7 it was renamed firewalld. This section mainly covers netfilter.
- Disable the firewalld firewall
[root@dl-001 ~]# systemctl disable firewalld //permanently disable firewalld
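As an added example (not part of the original page), the following POSIX shell script reads and rewrites the SELINUX= setting in a file with the /etc/selinux/config layout shown above. The file path is a parameter so the functions can be tried on a scratch copy first; the function names and the scratch-copy helper are this example's own, and the mode is validated before anything is written.

```shell
#!/bin/sh
# Added example, not from the original page: read and rewrite the SELINUX=
# setting in a file with the /etc/selinux/config layout shown above.
# The file path is a parameter so the functions can be tried on a scratch
# copy; on a real system the file is /etc/selinux/config and the change
# only takes effect after a reboot, as the page notes.

# Print the active SELINUX= value (comment lines starting with '#' are ignored).
get_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the SELINUX= line to the requested mode.
# Only the three values the file documents are accepted, so a typo such as
# "disable" is rejected instead of being written into the file.
set_selinux_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: unknown mode '$mode'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # Only the uncommented SELINUX= line is touched; SELINUXTYPE= and the
    # explanatory comments are copied through unchanged. Writing back with
    # cat (rather than mv) keeps the original file's owner and permissions.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Write a scratch copy with the same content the page shows (constructed
# sample) and print its path, for exercising the functions safely.
make_sample_config() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    echo "$sample"
}

# Usage on a scratch copy:
#   f=$(make_sample_config)
#   get_selinux_mode "$f"             # enforcing
#   set_selinux_mode "$f" permissive
#   get_selinux_mode "$f"             # permissive
```

The validation step matters because the file is read at boot: rejecting anything other than enforcing, permissive or disabled keeps a mistyped edit from ever reaching the file.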
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@dl-001 ~]# systemctl stop firewalld //stop the firewalld service
- Enable netfilter
[root@dl-001 ~]# yum install -y iptables-services //install the iptables package; iptables here is a tool for managing netfilter
[root@dl-001 ~]# systemctl enable iptables //enable the iptables service at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@dl-001 ~]# systemctl start iptables
Note: after installation the iptables service is enabled by default.
- View the default iptables rules
[root@dl-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
41 2732 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 24 packets, 2184 bytes)
pkts bytes target prot opt in out source destination
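As an added example (not from the original page), this POSIX shell script reads a saved `iptables -nvL` listing like the one above and checks two things worth knowing about this default ruleset: whether each chain ends with an unconditional REJECT or DROP rule (otherwise unmatched traffic falls through to the chain's ACCEPT policy) and which ports the INPUT chain accepts new connections on. SAMPLE_RULES is a constructed copy with the same rules as the page's output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a saved `iptables -nvL`
# listing. SAMPLE_RULES is a constructed copy of the default ruleset shown
# on the page; on a live system you would pass "$(iptables -nvL)" instead.

SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2732 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 24 packets, 2184 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print only the rule lines of one chain (lines whose first field is the
# packet counter), dropping the "Chain ..." header and the column header.
chain_rules() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ { print }'
}

# Succeed (exit 0) when the chain's last rule is an unconditional REJECT or
# DROP: any protocol, any interface, any source and destination, and no
# match extension other than the reject-with option. Fail (exit 1) when the
# chain is empty or its last rule is conditional, because traffic matching
# no rule then falls through to the chain policy, which is ACCEPT above.
chain_is_closed() {
    last=$(chain_rules "$1" "$2" | tail -n 1)
    [ -n "$last" ] || return 1
    printf '%s\n' "$last" | awk '
        ($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
        $6 == "*" && $7 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" &&
        ($10 == "" || $10 == "reject-with") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# List the proto/port pairs that INPUT accepts (rules carrying a "dpt:" match).
open_ports() {
    chain_rules INPUT "$1" | awk '
        $3 == "ACCEPT" {
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $4 "/" $i }
        }'
}

# One-line verdict per chain, for a quick review of a listing.
audit_ruleset() {
    for chain in INPUT FORWARD OUTPUT; do
        if chain_is_closed "$chain" "$1"; then
            echo "$chain: closed (ends in unconditional REJECT/DROP)"
        else
            echo "$chain: open (falls through to chain policy)"
        fi
    done
    echo "INPUT accepts new connections on: $(open_ports "$1" | tr '\n' ' ')"
}

# audit_ruleset "$SAMPLE_RULES" prints:
#   INPUT: closed (ends in unconditional REJECT/DROP)
#   FORWARD: closed (ends in unconditional REJECT/DROP)
#   OUTPUT: open (falls through to chain policy)
#   INPUT accepts new connections on: tcp/22
```

The check distinguishes the chain policy from the final rule on purpose: in the listing above all three policies are ACCEPT, and it is only the trailing REJECT rules that turn INPUT and FORWARD into default-deny chains, so deleting that last rule (or appending an ACCEPT after it) silently reopens the host even though the policy line looks unchanged.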