登录站点

用户名

密码

注册

查看日志|返回日志列表

CentOS7 配置iptables

2018-05-16 14:23
1、检测并关闭firewall
  1. systemctl status firewalld.service #检测是否开启了firewall  
  2. systemctl stop firewalld.service #关闭firewall  
  3. sytsemctl disable firewalld.service #禁止firewall开机自启  
2、检测并安装iptables 
yum install iptables-services  
将规则写入iptables配置文件
  1. vim /etc/sysconfig/iptables  

iptables文件内容:

  1. # Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
    *raw
    :PREROUTING ACCEPT [6413:538692]
    :OUTPUT ACCEPT [36:2968]
    COMMIT
    # Completed on Fri Jan 6 13:07:39 2017
    # Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
    *mangle
    :PREROUTING ACCEPT [6413:538692]
    :INPUT ACCEPT [16:1344]
    :FORWARD ACCEPT [6397:537348]
    :OUTPUT ACCEPT [36:2968]
    :POSTROUTING ACCEPT [6433:540316]
    COMMIT
    # Completed on Fri Jan 6 13:07:39 2017
    # Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
    *filter
    :INPUT ACCEPT [16:1344]
    :FORWARD ACCEPT [6397:537348]
    :OUTPUT ACCEPT [36:2968]
    COMMIT
    # Completed on Fri Jan 6 13:07:39 2017
    # Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
    *nat
    :PREROUTING ACCEPT [5:420]
    :INPUT ACCEPT [2:168]
    :OUTPUT ACCEPT [10:812]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Fri Jan 6 13:07:39 2017

   解决vsftpd在iptables开启后,无法使用被动模式的问题
   在/etc/sysconfig/iptables-config中修改或者添加以下内容

   #添加以下内容,注意顺序不能调换
   IPTABLES_MODULES="ip_conntrack_ftp"
   IPTABLES_MODULES="ip_nat_ftp"

3.启用ip转发

/etc/sysctl.conf 内容

net.ipv4.ip_forward=1
net.netfilter.nf_conntrack_max=2000000
net.netfilter.nf_conntrack_buckets=500000
net.netfilter.nf_conntrack_tcp_timeout_established=7500

重启iptable服务:

  1. systemctl restart iptables.service  

使iptable服务开机自启:

  1. systemctl enable iptables.service    

二、关闭SELINUX

  1. vim /etc/selinux/config  
修改为:
  1. #SELINUX=enforcing #注释掉  
  2.   
  3. #SELINUXTYPE=targeted #注释掉  
  4.   
  5. SELINUX=disabled #增加  

使配置立即生效:

  1. setenforce 0   
分享 810 次阅读 | 0 个评论

留下脚印

评论