May 7, 2018
CentOS 7 firewall service handling for a Docker environment
Stop the default firewalld firewall service
[root@swarm1 ~]# systemctl stop firewalld
[root@swarm1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@swarm1 ~]#
Install the iptables firewall service
[root@swarm1 ~]# yum install iptables-services
Version and dependencies
================================================================================
 Package             Arch      Version              Repository    Size
================================================================================
Installing:
 iptables-services   x86_64    1.4.21-24.1.el7_5    updates       51 k
Updating for dependencies:
 iptables            x86_64    1.4.21-24.1.el7_5    updates      432 k

Transaction Summary
================================================================================
Install  1 Package
Upgrade             ( 1 Dependent package)
Start the iptables service and enable it to start with the system
[root@swarm1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@swarm1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@swarm1 ~]# systemctl start iptables
View the iptables rules
[root@swarm1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@swarm1 ~]#
View the default iptables rules configuration file
[root@swarm1 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@swarm1 ~]#
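As an added example (not code from the original post), the following POSIX shell script audits an iptables-save style rules file such as /etc/sysconfig/iptables: it lists the TCP ports the INPUT chain accepts and reports any unconditional REJECT/DROP rule per chain, which is what decides whether routed container traffic in FORWARD gets through. The embedded SAMPLE_RULES is a constructed copy of the default file shown above, and the function names are my own.

```shell
#!/bin/sh
# Audit an iptables-save style rules file (e.g. /etc/sysconfig/iptables).
# Constructed sample input: the CentOS 7 default rule set shown above.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# TCP destination ports the INPUT chain explicitly accepts, one per line.
accepted_tcp_ports() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Succeeds (exit 0) when chain $2 holds a REJECT/DROP rule with no match
# criteria, i.e. "-A CHAIN -j REJECT ...". In FORWARD such a rule applies to
# every routed packet not accepted by an earlier rule; Docker's container
# rules live in that chain, so this is worth checking on a Docker host.
has_blanket_reject() {
  printf '%s\n' "$1" | awk -v chain="$2" '
    $1 == "-A" && $2 == chain && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Human-readable summary of one rules text.
audit_rules() {
  echo "INPUT accepts TCP ports: $(accepted_tcp_ports "$1" | tr '\n' ' ')"
  for chain in INPUT FORWARD OUTPUT; do
    if has_blanket_reject "$1" "$chain"; then
      echo "$chain: unconditional REJECT/DROP present"
    else
      echo "$chain: no unconditional REJECT/DROP"
    fi
  done
}

# Stand-alone use: audit the file given as argument, else the embedded sample.
if [ -n "$1" ]; then audit_rules "$(cat "$1")"; else audit_rules "$SAMPLE_RULES"; fi
```

Run it as `sh audit.sh /etc/sysconfig/iptables` on the host to check the live configuration file instead of the sample.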