Linux firewall configuration (Red Hat, CentOS, SUSE)
The default configuration below restricts only port 22; every other port is left open:
Red Hat 6, CentOS 6
1. Open port 22 only to the specified source hosts and drop it for everyone else:
iptables -A INPUT -s 11.2.64.32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 11.2.64.33 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 11.2.64.34 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
2. Save the iptables configuration:
service iptables save
3. Restart iptables:
service iptables restart
4. Inspect the generated configuration file:
cat /etc/sysconfig/iptables
5. Start the firewall automatically at boot:
chkconfig iptables on
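Because iptables -A appends, the four rules above only decide port 22 traffic if nothing earlier in the INPUT chain has already done so; the stock RHEL 6 ruleset opens tcp/22 to all sources and ends with a catch-all REJECT, so rules appended behind it are never reached. Rule order can be seen with iptables -L INPUT -n --line-numbers. The script below is an added example, not part of the original page: it reads iptables-save output (a constructed sample is embedded) and checks that every ACCEPT for tcp/22 names a source and that the DROP or REJECT comes after all of them. The function and variable names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, as a RHEL 6 host is assumed
# to show it after the four rules above (not captured from a real system).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 11.2.64.32/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.2.64.33/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 11.2.64.34/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# audit_ssh_rules (hypothetical helper): read iptables-save text on stdin.
# Returns 0 when every ACCEPT for tcp/22 names a source (-s) and a DROP or
# REJECT covering port 22 (an exact --dport 22 or a catch-all with no port)
# comes after all of them; prints the offending rule and returns 1 otherwise.
audit_ssh_rules() {
    awk '
        BEGIN { bad = 0; seen_drop = 0; accepts = 0 }
        # a DROP/REJECT that applies to port 22: explicit --dport 22 or no port at all
        /^-A INPUT / && /-j (DROP|REJECT)/ && ($0 !~ /--dport/ || /--dport 22( |$)/) {
            seen_drop = 1; next
        }
        /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ {
            if ($0 !~ /-s /) {
                print "ACCEPT for port 22 with no source: " $0; bad = 1
            } else if (seen_drop) {
                print "ACCEPT placed after a DROP/REJECT, never reached: " $0; bad = 1
            } else {
                accepts++
            }
        }
        END {
            if (!seen_drop) { print "no DROP/REJECT rule covers port 22"; bad = 1 }
            if (!bad) printf "ok: %d allow-listed source(s), port 22 dropped for others\n", accepts
            exit bad
        }'
}

# Usage on a live host: iptables-save | audit_ssh_rules
# Here the constructed sample is checked instead.
printf '%s\n' "$SAMPLE_RULES" | audit_ssh_rules
```

The check deliberately treats a port-less REJECT or DROP as covering port 22, which is what flags the appended-behind-the-catch-all case; an ACCEPT for tcp/22 with no -s is reported whether it was there before (stock rule) or added later.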
---------------------------------------------------------------
---------------------------------------------------------------
SuSE 11
1. Open the firewall configuration file:
vi /etc/sysconfig/SuSEfirewall2
2. Find the FW_SERVICES_EXT_TCP parameter and change it as follows, which opens every TCP port except 22:
FW_SERVICES_EXT_TCP="1:21 23:65535"
3. Find the FW_SERVICES_EXT_UDP parameter and change it as follows, which opens every UDP port except 22:
FW_SERVICES_EXT_UDP="1:21 23:65535"
4. Then find the FW_SERVICES_ACCEPT_EXT parameter and add the specified IPs. The value is a space-separated list of entries of the form net,protocol,port, so each address needs its own entry:
FW_SERVICES_ACCEPT_EXT="11.2.64.32,tcp,22 11.2.64.33,tcp,22 11.2.64.34,tcp,22"
5. After editing, restart the firewall:
SuSEfirewall2 stop
SuSEfirewall2 start
6. Start the firewall automatically at boot:
chkconfig SuSEfirewall2_init on
chkconfig SuSEfirewall2_setup on
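The three edits above are line replacements in a key="value" file, and the FW_SERVICES_ACCEPT_EXT value is easy to get wrong because SuSEfirewall2 splits it on whitespace: a value such as "11.2.64.32 11.2.64.33 11.2.64.34,tcp,22" is three entries of which only the last carries a protocol and port. The script below is an added example, not part of the page or of SuSEfirewall2: it validates the accept list, then applies the three settings to a config file (a constructed three-line stand-in for /etc/sysconfig/SuSEfirewall2, created in a temp file) and reads them back. The helper names set_fw_var, get_fw_var and validate_accept_ext are assumptions.

```shell
#!/bin/sh
# validate_accept_ext VALUE (hypothetical helper): SuSEfirewall2 reads
# FW_SERVICES_ACCEPT_EXT as whitespace-separated entries, each of the form
# net,protocol[,dport[,sport[,flags]]]. Returns 0 when every entry starts with
# a numeric network and names tcp, udp or icmp; prints the bad ones and returns 1.
validate_accept_ext() {
    _bad=0
    for _entry in $1; do
        case "$_entry" in
            [0-9]*,tcp|[0-9]*,udp|[0-9]*,icmp|[0-9]*,tcp,*|[0-9]*,udp,*|[0-9]*,icmp,*) ;;
            *) echo "malformed entry (needs net,protocol[,port]): $_entry"; _bad=1 ;;
        esac
    done
    return $_bad
}

# set_fw_var FILE KEY VALUE: replace the KEY=... line, or append it if absent,
# so the key occurs exactly once. Uses | as the sed delimiter so values with
# slashes (0/0) are safe; values containing | or & would need escaping.
set_fw_var() {
    _file=$1; _key=$2; _val=$3
    if grep -q "^${_key}=" "$_file"; then
        sed "s|^${_key}=.*|${_key}=\"${_val}\"|" "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    else
        printf '%s="%s"\n' "$_key" "$_val" >> "$_file"
    fi
}

# get_fw_var FILE KEY: print the value of KEY with the surrounding quotes removed.
get_fw_var() {
    grep "^$2=" "$1" | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Constructed stand-in for /etc/sysconfig/SuSEfirewall2 holding only the three
# keys at their stock (empty) values; the real file is far longer.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_ACCEPT_EXT=""
EOF

ALLOWED="11.2.64.32,tcp,22 11.2.64.33,tcp,22 11.2.64.34,tcp,22"
validate_accept_ext "$ALLOWED" || exit 1
set_fw_var "$demo_file" FW_SERVICES_EXT_TCP "1:21 23:65535"
set_fw_var "$demo_file" FW_SERVICES_EXT_UDP "1:21 23:65535"
set_fw_var "$demo_file" FW_SERVICES_ACCEPT_EXT "$ALLOWED"
# The temp file is left in place so the result can be inspected.
cat "$demo_file"
```

Run validate_accept_ext before writing the file, since a malformed accept list silently fails to grant the access you intended while the EXT_TCP change still opens every other port.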
---------------------------------------------------------------
---------------------------------------------------------------
CentOS 7, Red Hat 7
Check the firewall state:
firewall-cmd --state
Start the firewall and enable it at boot:
systemctl start firewalld.service
systemctl enable firewalld.service
1. Open every port except 22 and permanently remove the ssh service:
firewall-cmd --permanent --zone=public --add-port=1-21/tcp
firewall-cmd --permanent --zone=public --add-port=23-65535/tcp
firewall-cmd --permanent --zone=public --add-port=1-21/udp
firewall-cmd --permanent --zone=public --add-port=23-65535/udp
firewall-cmd --remove-service=ssh --permanent
2. Allow only the specified IPs to reach port 22:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=11.2.64.32 port port=22 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=11.2.64.33 port port=22 protocol=tcp accept'
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=11.2.64.34 port port=22 protocol=tcp accept'
3. Reload the firewall so the permanent rules take effect:
firewall-cmd --reload
4. Inspect the resulting zone configuration:
cat /etc/firewalld/zones/public.xml
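After the reload, the zone file is where to confirm the outcome: the ssh service must be gone, no zone-level port entry may open 22/tcp, and each port-22 rich rule must be bound to a source address. The check below is an added example, not part of the page or of the firewalld project: it reads a zone XML on stdin (a constructed sample, modelled on what firewalld writes after the commands above, is embedded) and reports those three conditions. The function name is an assumption.

```shell
#!/bin/sh
# Constructed sample of /etc/firewalld/zones/public.xml, as firewalld is
# assumed to write it after the commands above (not copied from a real host).
SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="1-21"/>
  <port protocol="tcp" port="23-65535"/>
  <port protocol="udp" port="1-21"/>
  <port protocol="udp" port="23-65535"/>
  <rule family="ipv4">
    <source address="11.2.64.32"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="11.2.64.33"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
</zone>'

# audit_public_zone (hypothetical helper): read a firewalld zone XML on stdin.
# Returns 0 when the ssh service is absent, no zone-level <port> opens 22/tcp
# exactly (ranges are not expanded), and every rich rule for port 22 carries a
# <source address>; prints each finding and returns 1 otherwise.
audit_public_zone() {
    awk '
        BEGIN { bad = 0; in_rule = 0; n = 0 }
        /<rule / { in_rule = 1; has_src = 0; is_22 = 0; next }
        /<\/rule>/ {
            if (is_22 && !has_src) { print "port 22 rich rule with no source address"; bad = 1 }
            if (is_22 && has_src) n++
            in_rule = 0; next
        }
        in_rule && /<source address=/ { has_src = 1 }
        in_rule && /<port .*port="22"\/>/ { is_22 = 1 }
        !in_rule && /<service name="ssh"\/>/ { print "ssh service still enabled in zone"; bad = 1 }
        !in_rule && /<port protocol="tcp" port="22"\/>/ { print "22/tcp open to every source"; bad = 1 }
        END {
            if (n == 0) { print "no allow-listed source for port 22"; bad = 1 }
            if (!bad) printf "ok: %d allow-listed source(s) for port 22\n", n
            exit bad
        }'
}

# Usage on a live host: audit_public_zone < /etc/firewalld/zones/public.xml
# Here the constructed sample is checked instead.
printf '%s\n' "$SAMPLE_ZONE" | audit_public_zone
```

Run it after firewall-cmd --reload rather than before, since the --permanent changes are only written into the zone file and activated at that point.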