CentOS 7 默认实用的用Firewalld作为防火墙,摒弃了原先的iptables。但是内核还是使用iptable作为管理
参考文档
http://www.myhome.net.tw/2015_02/p10.htm
firewall的启动和关闭命令
#systemctl start firewalld #systemctl enable firewalld #systemctl stop firewalld #systemctl disable firewalld #systemctl status firewalld
1Firewalld目录
/usr/lib/firewalld 这个目录是预设的设定资料,就是最原始的配置。可以在其目录下面看到很多的xml文件。
/etc/firewalld 存放现在正在实用的配置文档,如果下面没有就会采用/usr/lib/firewalld 目录中默认的配置文档。
2Friewall的命令
可以通过GUI界面来管理firewalld ,在有视窗的centos中,Applications->sundry->firewall可以来管理和配置
也可以通过命令行的方式来管理 firewall-cmd来具体的配置,可以实用man命令来了解firewalld相关命令的实用方式
# man firewalld.conf # man firewall-cmd # man firewalld.zone # man firewalld.service # man firewalld.icmptype # man firewalld.direct
常用的命令如下
1 添加http和https服务
# firewall-cmd --permanent --zone=public --add-service=http # firewall-cmd --permanent --zone=public --add-service=https # firewall-cmd --reload(不中断连接加载)
其中 --permanent(翻译:永久)是永久修改
2 修改SSH的端口22到23456
[root@localhost ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ [root@localhost ~]# vi /etc/firewalld/services/ssh.xml <?xml version="1.0" encoding="utf-8"?> <service> <short>SSH</short> <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description> <port protocol="tcp" port="23456"/> </service> [root@localhost ~]# firewall-cmd --complete-reload (中断连接加载) [root@localhost ~]# vi /etc/ssh/sshd_config # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 23456 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: [root@localhost ~]# systemctl restart sshd [root@localhost ~]# systemctl status sshd sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) Active: active (running) since Mon 2015-08-31 17:47:22 CST; 25s ago Main PID: 12302 (sshd) CGroup: /system.slice/sshd.service ?..12302 /usr/sbin/sshd -D Aug 31 17:47:22 localhost.localdomain systemd[1]: Started OpenSSH server daemon. Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on 0.0.0.0 port 23456. Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on :: port 23456. Aug 31 17:47:23 localhost.localdomain python[12304]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 23456. ***** Plugin bind_ports (92.2 confidence) suggests ************************... Hint: Some lines were ellipsized, use -l to show in full. [root@localhost ~]#
本文出自 “站在巨人的肩膀上看世界” 博客,请务必保留此出处http://lixiaotao.blog.51cto.com/985722/1690193
原文地址:http://lixiaotao.blog.51cto.com/985722/1690193
