2015/09/26

關閉 centos7 防火牆 firewalld 改用傳統的 iptables


----
關閉 centos7 防火牆 firewalld 改用傳統的 iptables
----
ref: http://www.liquidweb.com/kb/how-to-stop-and-disable-firewalld-on-centos-7/
# 關閉防火牆(Firewall on RHEL / CentOS / RedHat Linux 7)


# 預設開機不啟動
[root@hnamenode2 ~]# systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'

# 立即停止
[root@hnamenode2 ~]# systemctl stop firewalld

# 狀態檢查
[root@hnamenode2 ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: inactive (dead)

 9月 14 18:48:27 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
 9月 14 18:48:33 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
 9月 26 21:00:53 hnamenode2 systemd[1]: Stopping firewalld - dynamic firewall daemon...
 9月 26 21:00:54 hnamenode2 systemd[1]: Stopped firewalld - dynamic firewall daemon.

# iptables 檢查
[root@hnamenode2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

----
# 改用傳統的 iptables-services：先安裝套件
----
[root@hnamenode2 ~]# yum install iptables-utils iptables-services

# 重新啟動 iptables 服務，啟動後會載入一組預設規則（見下方輸出）
[root@hnamenode2 ~]# systemctl restart  iptables.service
# 看看目前系統中的規則
[root@hnamenode2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

# 停止 iptables 服務，隨服務載入的那組規則會一併被清除
[root@hnamenode2 ~]# systemctl stop  iptables.service
# 規則就會清空
[root@hnamenode2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

# 把清空後的規則儲存起來，預設存在 /etc/sysconfig/iptables
[root@hnamenode2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

# 可以檢查看看
[root@hnamenode2 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sat Sep 26 21:05:46 2015
*filter
:INPUT ACCEPT [13:832]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:1420]
COMMIT
# Completed on Sat Sep 26 21:05:46 2015

# 就算再重新啟動，規則也仍是清空的狀態。注意此時 INPUT/FORWARD/OUTPUT 都是 policy ACCEPT，主機等於完全不過濾封包，之後需自行加入規則再 service iptables save。
[root@hnamenode2 ~]# systemctl restart  iptables.service
[root@hnamenode2 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

