防火墙

firewall-cmd —zone=public —add-port=80/tcp —permanent #打开防火墙
firewall-cmd —reload #重启防火墙
firewall-cmd —list-ports # 查看已经开放的端口

iptable

centos 7 设置可保持 ,需要重新安装

yum list -y iptables-services
yum install -y iptables-services.x86_64

systemctl enable iptables
systemctl start iptables

service iptables save

搭配 ipset 使用

yum install -y ipset-service
systemctl enable ipset

重启服务器前保存ip
service ipset save

清理 iptable 之前,必须 设置 默认规则为 接受

iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
单独直接清理 -F 会导致无法重启后无法连接远程主机
iptables -A OUTPUT -j ACCEPT #允许所有本机向外的访问
iptables -A INPUT -j ACCEPT

当设置好允许的ip 规则后,设置默认规则为拒绝, 这样就只允许指定的ip 段访问
iptables -P INPUT DROP

屏蔽IP

iptables -I INPUT -s 123.45.6.7 -j DROP #屏蔽单个IP的命令
iptables -I INPUT -s 123.0.0.0/8 -j DROP #封整个段即从123.0.0.1到123.255.255.254的命令
iptables -I INPUT -s 124.45.0.0/16 -j DROP #封IP段即从123.45.0.1到123.45.255.254的命令
iptables -I INPUT -s 123.45.6.0/24 -j DROP #封IP段即从123.45.6.1到123.45.6.254的命令是

删除已添加的iptables规则

将所有iptables以序号标记显示,执行:
iptables -L -n —line-numbers
比如要删除INPUT里序号为8的规则,执行:
iptables -D INPUT 8

附,刷新 iptables, 禁止所有国外ip

  1. #!/bin/bash
  2. # iptables 限制所有国外ip
  4. yum list -y iptables-services
  5. yum install -y iptables-services.x86_64
  6. systemctl enable iptables
  7. systemctl start iptables
  8. service iptables save
  10. iptables -P INPUT ACCEPT
  12. iptables -F
  13. iptables -X
  14. iptables -Z
  17. cd /tmp
  19. yum install -y ipset-service
  20. systemctl enable ipset
  22. ipset create china hash:net hashsize 10000 maxelem 1000000
  24. rm -f cn.zone
  25. wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
  26. for i in `cat cn.zone`
  27. do
  28.     ipset add china $i 
  29. done
  33. iptables -A INPUT -m set --match-set china src -j ACCEPT
  35. iptables -A INPUT -m set --match-set china src -p udp -m udp --dport 5032 -j ACCEPT
  37. iptables -A INPUT -m set --match-set china src -j ACCEPT
  39. #解决无法本机访问内网ip
  40. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  42. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  44. iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
  46. iptables -A INPUT -s $(ip addr |grep inet |grep eth0 |awk '{print $2}' |awk -F "/" '{print $1}') -j ACCEPT
  48. iptables -A INPUT -s 127.0.0.1 -j ACCEPT
  50. iptables -I INPUT -s 172.0.0.0/0 -j ACCEPT
  52. iptables -A INPUT -s oss-cn-zhangjiakou-internal.aliyuncs.com -j ACCEPT
  53. iptables -A INPUT -s 91ea94b313-txj46.cn-zhangjiakou.nas.aliyuncs.com -j ACCEPT
  55. iptables -A INPUT -s 169.254.0.3 -j ACCEPT
  57. iptables -P INPUT DROP
  59. service iptables save