CentOS7 配置iptables
2018-05-16 14:23
1、检测并关闭firewall- systemctl status firewalld.service #检测是否开启了firewall
- systemctl stop firewalld.service #关闭firewall
- sytsemctl disable firewalld.service #禁止firewall开机自启
2、检测并安装iptables yum install iptables-services
- vim /etc/sysconfig/iptables
iptables文件内容:
- # Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
*raw
:PREROUTING ACCEPT [6413:538692]
:OUTPUT ACCEPT [36:2968]
COMMIT
# Completed on Fri Jan 6 13:07:39 2017
# Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
*mangle
:PREROUTING ACCEPT [6413:538692]
:INPUT ACCEPT [16:1344]
:FORWARD ACCEPT [6397:537348]
:OUTPUT ACCEPT [36:2968]
:POSTROUTING ACCEPT [6433:540316]
COMMIT
# Completed on Fri Jan 6 13:07:39 2017
# Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
*filter
:INPUT ACCEPT [16:1344]
:FORWARD ACCEPT [6397:537348]
:OUTPUT ACCEPT [36:2968]
COMMIT
# Completed on Fri Jan 6 13:07:39 2017
# Generated by iptables-save v1.4.21 on Fri Jan 6 13:07:39 2017
*nat
:PREROUTING ACCEPT [5:420]
:INPUT ACCEPT [2:168]
:OUTPUT ACCEPT [10:812]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/12 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 6 13:07:39 2017
解决vsftpd在iptables开启后,无法使用被动模式的问题
在/etc/sysconfig/iptables-config中修改或者添加以下内容
#添加以下内容,注意顺序不能调换
IPTABLES_MODULES="ip_conntrack_ftp"
IPTABLES_MODULES="ip_nat_ftp"
3.启用ip转发
/etc/sysctl.conf 内容
net.ipv4.ip_forward=1
net.netfilter.nf_conntrack_max=2000000
net.netfilter.nf_conntrack_buckets=500000
net.netfilter.nf_conntrack_tcp_timeout_established=7500
重启iptable服务:
- systemctl restart iptables.service
使iptable服务开机自启:
- systemctl enable iptables.service
二、关闭SELINUX
修改为:
- #SELINUX=enforcing #注释掉
-
- #SELINUXTYPE=targeted #注释掉
-
- SELINUX=disabled #增加
使配置立即生效:
评论