[root@v01-svn-test-server online]# iptables -F   # 清空规则（注意：-F 只删除各链中的规则，不会改变链的默认策略；三条链的策略仍为 ACCEPT，清空后所有流量都被放行） [root@v01-svn-test-server online]# iptables -L   # 查看当前规则 Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
[root@v01-svn-test-server online]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # 允许目的端口为 22 的 TCP 包进入 [root@v01-svn-test-server online]# cat /etc/sysconfig/iptables # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
[root@v01-svn-test-server online]# iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT   # 允许 22 端口已建立连接的返回包出去（OUTPUT 链默认策略为 ACCEPT 时此规则实际不起作用，只有把 OUTPUT 策略改为 DROP 后才有意义）
[root@v01-svn-test-server online]# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT   # 允许本机访问本机（更常见的写法是 -i lo，可覆盖整个 127.0.0.0/8 回环网段，系统默认配置即如此）
[root@v01-svn-test-server online]# iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
[root@v01-svn-test-server online]# iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT   # 允许所有 IP 访问 80 端口 [root@v01-svn-test-server online]# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
service iptables save
通过上面的命令把当前内存中的规则保存到配置文件 /etc/sysconfig/iptables（会覆盖该文件原有内容，包括系统默认配置中以 REJECT 收尾的规则）。
这样重启计算机后，CentOS 防火墙已经开放了 80 和 22 端口。但要注意：上面保存下来的规则集三条链的默认策略仍是 ACCEPT，而且不再像系统原始配置那样以 `-A INPUT -j REJECT --reject-with icmp-host-prohibited` 收尾，所以实际上所有端口都是放行的，这几条 ACCEPT 规则并没有起到"只开放 22 和 80"的限制作用。若确实只想开放这两个端口，应在最前面插入 `iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT`，并在最后追加 `iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited`（或把默认策略改为 `iptables -P INPUT DROP`），然后再执行 service iptables save；改默认策略或追加 REJECT 之前务必先确认 22 端口的 ACCEPT 规则已经存在，否则会把自己锁在服务器外面。
[root@v01-svn-test-server online]# service iptables save   # 保存配置 iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@v01-svn-test-server online]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT all -- localhost localhost ACCEPT tcp -- anywhere anywhere tcp dpt:http Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED ACCEPT all -- localhost anywhere ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
[root@v01-svn-test-server online]# cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Wed Jun 1 20:55:03 2016 *filter :INPUT ACCEPT [50:5062] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -A OUTPUT -s 127.0.0.1/32 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT COMMIT # Completed on Wed Jun 1 20:55:03 2016
查看防火墙信息:
[root@v01-svn-test-server online]# service iptables status Table: filter Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 2 ACCEPT all -- 127.0.0.1 127.0.0.1 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED 2 ACCEPT all -- 127.0.0.1 0.0.0.0/0 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED