In RHEL/CentOS 7, the former iptables.service/ip6tables.service have been replaced by firewalld.service. The two are essentially the same: both drive the Linux kernel's netfilter through the iptables tool to filter IP packets. They differ only in implementation, as follows:
Although iptables.service/ip6tables.service are no longer in effect, they still exist; they are simply not enabled. Their status looks like this:
[root@myhost ~]# systemctl status iptables
* iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@myhost ~]# systemctl status ip6tables
* ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
The status of firewalld.service, by contrast, is:
[root@myhost ~]# systemctl status firewalld
* firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-05-10 09:05:38 CEST; 2 days ago
     Docs: man:firewalld(1)
 Main PID: 784 (firewalld)
    Tasks: 2
   Memory: 39.1M
   CGroup: /system.slice/firewalld.service
           `-784 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid...
Many developers who know iptables/ip6tables well are not used to configuring the system firewall with firewall-cmd and still miss managing iptables/ip6tables directly. RHEL/CentOS 7 also provides a transitional setup for this, shown in the following example:
First, if iptables.service/ip6tables.service are really not installed, install the services with yum install iptables-services.
1. Disable FirewallD
systemctl disable firewalld
systemctl stop firewalld
2. Enable the iptables/ip6tables services
systemctl start iptables
systemctl enable iptables
systemctl start ip6tables
systemctl enable ip6tables
3. Check the iptables/ip6tables services
[root@myhost ~]# systemctl status ip6tables
* ip6tables.service - IPv6 firewall with ip6tables
   Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2019-04-04 09:52:58 CEST; 2 minutes ago
 Main PID: 29101 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ip6tables.service

Apr 04 09:52:58 myhost systemd[1]: Starting IPv6 firewall with ip6tables...
Apr 04 09:52:58 myhost ip6tables.init[29101]: ip6tables: Applying firewall rules: [ OK ]
Apr 04 09:52:58 myhost systemd[1]: Started IPv6 firewall with ip6tables.
Note that although the iptables/ip6tables services have been started, their status is active (exited). This is because the service only applies the firewall configuration by running a script at startup; it does not need to stay resident as a background daemon.
For compatibility with RHEL/CentOS 6, the iptables/ip6tables services can also be operated with the service command, for example to save runtime changes to the firewall:
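As an added example that is not part of the original post, the POSIX shell script below works with the systemctl status output shown above: it extracts a unit's enablement and activity state from the Loaded: and Active: lines, checks that firewalld and iptables.service are not both active at the same time (both would be writing netfilter rules, which is why the procedure stops firewalld before starting iptables), and emits only the systemctl commands still needed to finish the switch for iptables (ip6tables is handled the same way). The status text embedded in the script is constructed from the post's output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `systemctl status` text
# and decides what is left to do when switching from firewalld to iptables.

# Constructed sample status output, modelled on the post's output.
FIREWALLD_STATUS='* firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-05-10 09:05:38 CEST; 2 days ago'

IPTABLES_STATUS='* iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)'

# unit_enabled STATUS_TEXT: prints the enablement word from the "Loaded:" line
# ("enabled" or "disabled").
unit_enabled() {
    printf '%s\n' "$1" | sed -n 's/^ *Loaded: loaded ([^;]*; \([a-z-]*\);.*/\1/p'
}

# unit_active STATUS_TEXT: prints the first word after "Active:"
# ("active", "inactive", "failed"). A oneshot unit that shows
# "active (exited)", as iptables.service does, is reported as "active".
unit_active() {
    printf '%s\n' "$1" | sed -n 's/^ *Active: \([a-z]*\) .*/\1/p'
}

# check_firewall_managers FW_STATUS IPT_STATUS
# Returns 0 when exactly one of firewalld/iptables is active,
# 1 when both are active (two managers fighting over netfilter),
# 2 when neither is active (no firewall rules are being managed).
check_firewall_managers() {
    fw=$(unit_active "$1")
    ipt=$(unit_active "$2")
    n=0
    [ "$fw" = active ] && n=$((n + 1))
    [ "$ipt" = active ] && n=$((n + 1))
    case $n in
        1) return 0 ;;
        2) return 1 ;;
        *) return 2 ;;
    esac
}

# switch_to_iptables_commands FW_STATUS IPT_STATUS
# Prints, one per line and in a safe order, only the commands still needed:
# stop firewalld before starting iptables so both never run at once.
switch_to_iptables_commands() {
    fw_a=$(unit_active "$1")
    fw_e=$(unit_enabled "$1")
    ipt_a=$(unit_active "$2")
    ipt_e=$(unit_enabled "$2")
    [ "$fw_a" = active ] && echo "systemctl stop firewalld"
    [ "$fw_e" = enabled ] && echo "systemctl disable firewalld"
    [ "$ipt_a" = active ] || echo "systemctl start iptables"
    [ "$ipt_e" = enabled ] || echo "systemctl enable iptables"
    return 0
}

# Demonstration on the constructed samples. On a real host you would pass
# "$(systemctl status firewalld)" and "$(systemctl status iptables)" instead.
if check_firewall_managers "$FIREWALLD_STATUS" "$IPTABLES_STATUS"; then
    echo "exactly one firewall manager is active"
else
    echo "firewall manager count is not 1 (rc=$?)"
fi
echo "commands still needed:"
switch_to_iptables_commands "$FIREWALLD_STATUS" "$IPTABLES_STATUS"
```

Run the emitted commands only after reviewing them; re-running the script afterwards should print an empty command list, which is a quick way to confirm the switch completed. Note that systemctl status exits non-zero for an inactive unit, so do not assign its output to a variable under set -e; pass it as an argument as shown in the comment.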
[root@myhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptable[ OK ]
[root@myhost ~]# service ip6tables save
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table[ OK ]
Reprinted from: http://ihlai.baihongyu.com/