Configuring the firewall on CentOS 7.7
程序员文章站
2022-06-05 18:58:50
After a fresh database install I wanted to check the firewall whitelist, but got an error:
[root@weblog ~]# cat /etc/sysconfig/iptables
cat: /etc/sysconfig/iptables: No such file or directory
The iptables-related commands also report that it does not exist:
[root@weblog ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
Unit iptables.service could not be found.
[root@weblog ~]# /bin/systemctl status iptables.service
Unit iptables.service could not be found.
Look at the files in the sysconfig directory:
[root@weblog ~]# cd /etc/sysconfig
[root@weblog sysconfig]# ll
total 184
-rw-r--r--. 1 root root 326 Dec 17 10:43 anaconda
-rw-r--r--. 1 root root 403 Oct 31 2018 atd
-rw-r--r--. 1 root root 484 Dec 17 10:42 authconfig
-rw-r--r--. 1 root root 339 Aug 8 20:06 autofs
drwxr-xr-x. 2 root root 55 Dec 17 10:53 cbq
-rw-r--r--. 1 root root 105 Aug 9 08:14 cgred
-rw-r--r--. 1 root root 46 Aug 8 19:40 chronyd
drwxr-xr-x. 2 root root 10 Aug 9 07:52 console
-rw-r--r--. 1 root root 150 Dec 7 00:00 cpupower
-rw-------. 1 root root 110 Aug 9 07:07 crond
-rw-------. 1 root root 1390 Apr 11 2018 ebtables-config
-rw-r--r--. 1 root root 169 Mar 14 2019 fcoe
-rw-r--r--. 1 root root 73 Oct 19 00:02 firewalld
lrwxrwxrwx. 1 root root 15 Dec 17 10:55 grub -> ../default/grub
-rw-r--r--. 1 root root 798 Aug 9 07:52 init
-rw-------. 1 root root 2134 Aug 8 19:41 ip6tables-config
-rw-------. 1 root root 2116 Aug 8 19:41 iptables-config
-rw-r--r--. 1 root root 903 Aug 6 21:44 irqbalance
-rw-r--r--. 1 root root 1733 Aug 8 19:41 kdump
-rw-r--r--. 1 root root 180 Dec 17 10:42 kernel
-rw-r--r--. 1 root root 168 Sep 14 00:40 ksm
-rw-r--r--. 1 root root 1136 Dec 3 01:48 libvirtd
-rw-r--r--. 1 root root 200 Oct 30 2018 man-db
drwxr-xr-x. 2 root root 10 Aug 9 07:52 modules
-rw-r--r--. 1 root root 634 Aug 9 07:52 netconsole
-rw-r--r--. 1 root root 22 Dec 17 10:55 network
drwxr-xr-x. 2 root root 4096 Dec 17 10:55 network-scripts
-rw-r--r--. 1 root root 1679 Aug 9 09:16 nfs
-rw-r--r--. 1 root root 45 Aug 6 21:44 ntpd
-rw-r--r--. 1 root root 111 Aug 6 21:44 ntpdate
-rw-r--r--. 1 root root 911 Aug 6 21:44 qemu-ga
-rw-r--r--. 1 root root 186 Oct 31 2018 radvd
-rw-r--r--. 1 root root 2915 Aug 6 21:44 raid-check
-rw-r--r--. 1 root root 15 Aug 4 2017 rdisc
-rw-r--r--. 1 root root 905 Aug 9 07:52 readonly-root
-rw-r--r--. 1 root root 73 Aug 8 20:12 rpcbind
-rw-r--r--. 1 root root 395 Aug 6 21:44 rpc-rquotad
-rw-r--r--. 1 root root 12 Apr 26 2019 rsyncd
-rw-r--r--. 1 root root 196 Oct 18 23:48 rsyslog
-rw-r--r--. 1 root root 0 Jun 10 2014 run-parts
-rw-r--r--. 1 root root 428 Dec 3 01:48 samba
-rw-r--r--. 1 root root 429 Apr 11 2018 saslauthd
lrwxrwxrwx. 1 root root 17 Dec 17 10:35 selinux -> ../selinux/config
-rw-r--r--. 1 root root 125 Aug 6 21:44 smartmontools
-rw-r-----. 1 root root 506 Aug 9 09:40 sshd
-rw-r--r--. 1 root root 138 Apr 11 2018 svnserve
-rw-r--r--. 1 root root 474 Aug 9 10:54 sysstat
-rw-r--r--. 1 root root 6228 Aug 9 10:54 sysstat.ioconf
-rw-r--r--. 1 root root 55 Dec 3 01:48 virtlockd
-rw-r--r--. 1 root root 53 Dec 3 01:48 virtlogd
-rw-r--r--. 1 root root 610 Oct 31 2018 wpa_supplicant
There really is no iptables file; the reason is that the iptables-services package has to be installed:
[root@weblog sysconfig]# yum install iptables-services
Loaded plugins: fastestmirror, langpacks
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* base: mirror.bit.edu.cn
* extras: mirror.bit.edu.cn
* updates: mirrors.huaweicloud.com
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-33.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================
Installing:
iptables-services x86_64 1.4.21-33.el7 base 52 k
Transaction Summary
=====================================================================================================================
Install 1 Package
Total download size: 52 k
Installed size: 22 k
Is this ok [y/d/N]: y
Downloading packages:
iptables-services-1.4.21-33.el7.x86_64.rpm | 52 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-33.el7.x86_64 1/1
Verifying : iptables-services-1.4.21-33.el7.x86_64 1/1
Installed:
iptables-services.x86_64 0:1.4.21-33.el7
Complete!
After iptables-services is installed, the iptables file is present in the sysconfig directory:
[root@weblog sysconfig]# ll
total 192
-rw-r--r--. 1 root root 326 Dec 17 10:43 anaconda
-rw-r--r--. 1 root root 403 Oct 31 2018 atd
-rw-r--r--. 1 root root 484 Dec 17 10:42 authconfig
-rw-r--r--. 1 root root 339 Aug 8 20:06 autofs
drwxr-xr-x. 2 root root 55 Dec 17 10:53 cbq
-rw-r--r--. 1 root root 105 Aug 9 08:14 cgred
-rw-r--r--. 1 root root 46 Aug 8 19:40 chronyd
drwxr-xr-x. 2 root root 10 Aug 9 07:52 console
-rw-r--r--. 1 root root 150 Dec 7 00:00 cpupower
-rw-------. 1 root root 110 Aug 9 07:07 crond
-rw-------. 1 root root 1390 Apr 11 2018 ebtables-config
-rw-r--r--. 1 root root 169 Mar 14 2019 fcoe
-rw-r--r--. 1 root root 73 Oct 19 00:02 firewalld
lrwxrwxrwx. 1 root root 15 Dec 17 10:55 grub -> ../default/grub
-rw-r--r--. 1 root root 798 Aug 9 07:52 init
-rw------- 1 root root 635 Aug 8 19:41 ip6tables
-rw-------. 1 root root 2134 Aug 8 19:41 ip6tables-config
-rw------- 1 root root 550 Aug 8 19:41 iptables
-rw-------. 1 root root 2116 Aug 8 19:41 iptables-config
-rw-r--r--. 1 root root 903 Aug 6 21:44 irqbalance
-rw-r--r--. 1 root root 1733 Aug 8 19:41 kdump
-rw-r--r--. 1 root root 180 Dec 17 10:42 kernel
-rw-r--r--. 1 root root 168 Sep 14 00:40 ksm
-rw-r--r--. 1 root root 1136 Dec 3 01:48 libvirtd
-rw-r--r--. 1 root root 200 Oct 30 2018 man-db
drwxr-xr-x. 2 root root 10 Aug 9 07:52 modules
-rw-r--r--. 1 root root 634 Aug 9 07:52 netconsole
-rw-r--r--. 1 root root 22 Dec 17 10:55 network
drwxr-xr-x. 2 root root 4096 Dec 17 10:55 network-scripts
-rw-r--r--. 1 root root 1679 Aug 9 09:16 nfs
-rw-r--r--. 1 root root 45 Aug 6 21:44 ntpd
-rw-r--r--. 1 root root 111 Aug 6 21:44 ntpdate
-rw-r--r--. 1 root root 911 Aug 6 21:44 qemu-ga
-rw-r--r--. 1 root root 186 Oct 31 2018 radvd
-rw-r--r--. 1 root root 2915 Aug 6 21:44 raid-check
-rw-r--r--. 1 root root 15 Aug 4 2017 rdisc
-rw-r--r--. 1 root root 905 Aug 9 07:52 readonly-root
-rw-r--r--. 1 root root 73 Aug 8 20:12 rpcbind
-rw-r--r--. 1 root root 395 Aug 6 21:44 rpc-rquotad
-rw-r--r--. 1 root root 12 Apr 26 2019 rsyncd
-rw-r--r--. 1 root root 196 Oct 18 23:48 rsyslog
-rw-r--r--. 1 root root 0 Jun 10 2014 run-parts
-rw-r--r--. 1 root root 428 Dec 3 01:48 samba
-rw-r--r--. 1 root root 429 Apr 11 2018 saslauthd
lrwxrwxrwx. 1 root root 17 Dec 17 10:35 selinux -> ../selinux/config
-rw-r--r--. 1 root root 125 Aug 6 21:44 smartmontools
-rw-r-----. 1 root root 506 Aug 9 09:40 sshd
-rw-r--r--. 1 root root 138 Apr 11 2018 svnserve
-rw-r--r--. 1 root root 474 Aug 9 10:54 sysstat
-rw-r--r--. 1 root root 6228 Aug 9 10:54 sysstat.ioconf
-rw-r--r--. 1 root root 55 Dec 3 01:48 virtlockd
-rw-r--r--. 1 root root 53 Dec 3 01:48 virtlogd
-rw-r--r--. 1 root root 610 Oct 31 2018 wpa_supplicant
[root@weblog sysconfig]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Add the whitelist entries:
[root@weblog sysconfig]# vi iptables
But starting the service fails:
[root@weblog sysconfig]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
Try restarting the service:
[root@weblog sysconfig]# /bin/systemctl restart iptables.service
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
[root@weblog sysconfig]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@weblog sysconfig]# systemctl start iptables
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
[root@weblog sysconfig]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2019-12-18 09:45:45 CST; 24s ago
Process: 9126 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
Main PID: 9126 (code=exited, status=1/FAILURE)
Dec 18 09:45:45 weblog systemd[1]: Starting IPv4 firewall with iptables...
Dec 18 09:45:45 weblog iptables.init[9126]: iptables: Applying firewall rules: iptables-restore: line 15 failed
Dec 18 09:45:45 weblog iptables.init[9126]: [FAILED]
Dec 18 09:45:45 weblog systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
Dec 18 09:45:45 weblog systemd[1]: Failed to start IPv4 firewall with iptables.
Dec 18 09:45:45 weblog systemd[1]: Unit iptables.service entered failed state.
Dec 18 09:45:45 weblog systemd[1]: iptables.service failed.
The Active state is failed. After looking it up, it appeared that the firewalld service needed to be started:
[root@weblog sysconfig]# service iptables start
Redirecting to /bin/systemctl start iptables.service
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
[root@weblog sysconfig]# systemctl start firewalld.service
[root@weblog sysconfig]# service iptables start
Redirecting to /bin/systemctl start iptables.service
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
But it still fails:
[root@weblog sysconfig]# systemctl start iptables
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
[root@weblog sysconfig]# journalctl -xe
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit iptables.service has failed.
--
-- The result is failed.
Dec 18 09:48:37 weblog systemd[1]: Unit iptables.service entered failed state.
Dec 18 09:48:37 weblog systemd[1]: iptables.service failed.
Dec 18 09:48:37 weblog polkitd[2152]: Unregistered Authentication Agent for unix-process:9521:8187404 (system bus nam
Dec 18 09:49:24 weblog polkitd[2152]: Registered Authentication Agent for unix-process:9597:8192106 (system bus name
Dec 18 09:49:24 weblog systemd[1]: Starting IPv4 firewall with iptables...
-- Subject: Unit iptables.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit iptables.service has begun starting up.
Dec 18 09:49:24 weblog iptables.init[9603]: iptables: Applying firewall rules: iptables-restore: line 15 failed
Dec 18 09:49:24 weblog iptables.init[9603]: [FAILED]
Dec 18 09:49:24 weblog systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
Dec 18 09:49:24 weblog systemd[1]: Failed to start IPv4 firewall with iptables.
-- Subject: Unit iptables.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit iptables.service has failed.
--
-- The result is failed.
Dec 18 09:49:24 weblog systemd[1]: Unit iptables.service entered failed state.
Dec 18 09:49:24 weblog systemd[1]: iptables.service failed.
Dec 18 09:49:24 weblog polkitd[2152]: Unregistered Authentication Agent for unix-process:9597:8192106 (system bus nam
Dec 18 09:50:01 weblog systemd[1]: Started Session 174 of user root.
-- Subject: Unit session-174.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-174.scope has finished starting up.
--
-- The start-up result is done.
Dec 18 09:50:01 weblog CROND[9648]: (root) CMD (/usr/lib64/sa/sa1 1 1)
From this it is clear that the iptables file itself is wrong (iptables-restore stops at line 15). After fixing the iptables file, restart the iptables service:
[root@weblog network-scripts]# cd /etc/sysconfig/
[root@weblog sysconfig]# mv iptables iptables.bak
[root@weblog sysconfig]# vi iptables
[root@weblog sysconfig]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@weblog sysconfig]# systemctl restart iptables.service
[root@weblog sysconfig]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Wed 2019-12-18 09:56:07 CST; 7s ago
Process: 10072 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
Process: 10092 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 10092 (code=exited, status=0/SUCCESS)
Dec 18 09:56:07 weblog systemd[1]: Starting IPv4 firewall with iptables...
Dec 18 09:56:07 weblog iptables.init[10092]: iptables: Applying firewall rules: [ OK ]
Dec 18 09:56:07 weblog systemd[1]: Started IPv4 firewall with iptables.
I had not expected the file itself to be the problem: the contents of the iptables file had been copied from another server's file, but the format was different. CentOS 7.7 and 6.9 use the same format.
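The whitelist edit above and the "iptables-restore: line 15 failed" message point at the same mechanism: the iptables service hands /etc/sysconfig/iptables to iptables-restore, which aborts at the first line it cannot place in a table, and reports that line number. The script below is an added example, not code from the original post. It lints a rules file for the structural mistakes that produce exactly that message (a rule after COMMIT, a rule for an undeclared chain, a table that is never committed) and inserts a whitelist rule ahead of the terminating REJECT rule, where it can actually match. The sample rules are the CentOS 7 default file shown above; the 192.0.2.0/24 source block and port 3306 are placeholders, and a rule landing after COMMIT is only one plausible way to reach "line 15 failed", not something the post states about its own file.

```python
"""Lint an iptables-save style rules file (the /etc/sysconfig/iptables format)
and insert a whitelist rule where iptables will evaluate it.

Added example, not from the original post. DEFAULT_RULES is the CentOS 7
default file; the CIDR and port used below are placeholders."""
import re

# Constructed sample input: the default file installed by iptables-services (14 lines).
DEFAULT_RULES = """\
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Chains that exist without a ':name' declaration (approximate; varies per table).
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def lint_rules(text):
    """Return [(line_number, message)] for structural errors that make
    iptables-restore abort with 'line N failed'. Empty list means clean."""
    problems = []
    table = None       # table currently open (*filter, *nat, ...), None if outside one
    chains = set()     # chains declared in the open table
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                problems.append((no, f"table *{table} opened but never committed"))
            table, chains = line[1:], set()
        elif line == "COMMIT":
            if table is None:
                problems.append((no, "COMMIT without an open table"))
            table = None
        elif table is None:
            # Rules appended after COMMIT (e.g. pasted at end of file) fail here.
            problems.append((no, "rule outside a table (after COMMIT or before *table)"))
        elif line.startswith(":"):
            chains.add(line[1:].split()[0])
        else:
            m = re.match(r"-(?:A|I|D|R)\s+(\S+)", line)
            if m is None:
                problems.append((no, "unrecognised rule syntax"))
            elif m.group(1) not in chains and m.group(1) not in BUILTIN_CHAINS:
                problems.append((no, f"chain {m.group(1)} is not declared in *{table}"))
    if table is not None:
        problems.append((len(text.splitlines()), f"table *{table} never committed"))
    return problems


def add_whitelist_rule(text, source_cidr, port):
    """Insert an ACCEPT rule for source_cidr/port into INPUT directly before the
    terminating REJECT. Rules are matched top to bottom, so a whitelist entry
    placed after the REJECT (or after COMMIT) never takes effect."""
    rule = (f"-A INPUT -s {source_cidr} -p tcp -m state --state NEW "
            f"-m tcp --dport {port} -j ACCEPT")
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith("-A INPUT") and " -j REJECT" in line:
            lines.insert(idx, rule)
            break
    else:
        raise ValueError("no terminating REJECT rule found in INPUT chain")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Wrong: whitelist pasted after COMMIT; iptables-restore would stop at line 15.
    broken = DEFAULT_RULES + "-A INPUT -s 192.0.2.0/24 -p tcp --dport 3306 -j ACCEPT\n"
    for no, msg in lint_rules(broken):
        print(f"line {no}: {msg}")
    # Right: inserted before the REJECT, file stays well-formed.
    fixed = add_whitelist_rule(DEFAULT_RULES, "192.0.2.0/24", 3306)
    print(lint_rules(fixed))
    print(fixed)
```

On the server itself the authoritative check is `iptables-restore --test /etc/sysconfig/iptables`, which parses the file without applying it; the linter above only catches the structural class of mistakes, but it runs anywhere and explains why the reported line number is where it is.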
Related commands

Stopping and starting the firewall

| Command | Purpose |
|--|--|
| systemctl start firewalld.service | start |
| systemctl enable firewalld.service | start at boot |
| systemctl stop firewalld.service | stop |
| systemctl disable firewalld.service | do not start at boot |
| systemctl status firewalld.service | show status |

Viewing the whitelist

# iptables -L