Firewall policy: port access
Setup steps
Check the port
If you cannot connect to MySQL remotely, first check whether the default port 3306 is allowed through the firewall:
[root@localhost /]# iptables -L -n|grep 3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
In this output the two address columns are source and destination; 0.0.0.0/0 in the source column means the rule accepts new connections to 3306 from any host, which is worth noticing for a database port.
Allow access
If no such rule exists, allow the port. Note that -I inserts the rule at the top of INPUT, ahead of the catch-all REJECT that the CentOS 7 default ruleset ends with; appending with -A would place it after that REJECT and it would never match. If only a known set of application hosts needs MySQL, add a -s source restriction rather than accepting from everywhere:
[root@localhost /]# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
Save the policy
This rule exists only in the running kernel tables and is lost on reboot, and stopping firewalld in the next step flushes the running rules as well (firewalld cleans up its tables on exit by default), so save the current policy to a file first:
[root@localhost /]# iptables-save > iptables.rules
Disable firewalld
CentOS 7 ships firewalld as the default firewall front end. Since this setup manages rules with iptables directly, and rules inserted straight into INPUT would be discarded the next time firewalld reloads, stop and mask firewalld so the two do not fight over the same chains:
[root@localhost /]# systemctl stop firewalld.service
[root@localhost /]# systemctl mask firewalld.service
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Install iptables
Install iptables-services, which provides iptables.service and restores /etc/sysconfig/iptables at boot:
[root@localhost /]# yum install iptables-services.x86_64 -y
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
mysql-connectors-community | 2.5 kB 00:00:00
mysql-tools-community | 2.5 kB 00:00:00
mysql56-community | 2.5 kB 00:00:00
updates | 3.4 kB 00:00:00
Loading mirror speeds from cached hostfile
* base: mirrors.yun-idc.com
* extras: mirrors.cn99.com
* updates: mirrors.zju.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-17.el7 will be installed
--> Processing Dependency: iptables = 1.4.21-17.el7 for package: iptables-services-1.4.21-17.el7.x86_64
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-16.el7 will be updated
---> Package iptables.x86_64 0:1.4.21-17.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================
Package Arch Version Repository Size
===========================================================================================
Installing:
iptables-services x86_64 1.4.21-17.el7 base 50 k
Updating for dependencies:
iptables x86_64 1.4.21-17.el7 base 426 k
Transaction Summary
===========================================================================================
Install 1 Package
Upgrade ( 1 Dependent package)
Total download size: 476 k
Downloading packages:
No Presto metadata available for base
(1/2): iptables-services-1.4.21-17.el7.x86_64.rpm | 50 kB 00:00:00
(2/2): iptables-1.4.21-17.el7.x86_64.rpm | 426 kB 00:00:01
-------------------------------------------------------------------------------------------
Total 251 kB/s | 476 kB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : iptables-1.4.21-17.el7.x86_64 1/3
Installing : iptables-services-1.4.21-17.el7.x86_64 2/3
Cleanup : iptables-1.4.21-16.el7.x86_64 3/3
Verifying : iptables-services-1.4.21-17.el7.x86_64 1/3
Verifying : iptables-1.4.21-17.el7.x86_64 2/3
Verifying : iptables-1.4.21-16.el7.x86_64 3/3
Installed:
iptables-services.x86_64 0:1.4.21-17.el7
Dependency Updated:
iptables.x86_64 0:1.4.21-17.el7
Complete!
Start on boot
After the installation succeeds, enable the service at boot:
[root@localhost /]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Load the policy
Reload the policy saved earlier. iptables-restore replaces the whole running ruleset with the file's contents, so make sure the file still contains the rule that admits your own session (port 22 in the default ruleset) before running it over SSH:
[root@localhost /]# iptables-restore iptables.rules
Initialize
Write the running ruleset to /etc/sysconfig/iptables, the file iptables.service loads at boot (iptables-save to iptables.rules above only wrote to the current directory):
[root@localhost /]# /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
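As an added example, not part of the original post, the following POSIX shell script checks an iptables-save style dump for the two things that most often go wrong with the procedure above: the 3306 rule being appended behind the catch-all REJECT instead of inserted ahead of it, and the rule accepting connections from any source. It runs offline on a constructed ruleset modelled on the default /etc/sysconfig/iptables from iptables-services (an assumption; compare your own file); the subnet 10.0.1.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: offline checks for the 3306
# rule against an iptables-save style dump. It demonstrates two pitfalls:
#   1. `iptables -A INPUT` appends after the catch-all REJECT that the CentOS 7
#      default ruleset ends with, so the rule never matches; `iptables -I INPUT`
#      (what the post uses) inserts at the top of the chain.
#   2. `--dport 3306 -j ACCEPT` with no `-s` accepts connections from any host.

# Constructed sample, modelled on the /etc/sysconfig/iptables that
# iptables-services installs on CentOS 7 (an assumption; compare your own file).
BASE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The post's rule, in the form iptables-save prints it
MYSQL_RULE='-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT'
# The same rule limited to an application subnet (10.0.1.0/24 is a placeholder)
MYSQL_RULE_RESTRICTED='-A INPUT -s 10.0.1.0/24 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT'

# Ruleset after `iptables -A INPUT ...`: the rule lands behind the catch-all REJECT.
appended_rules() {
    printf '%s\n' "$BASE_RULES" |
        awk -v r="$1" '{ print } /^-A INPUT -j REJECT/ { print r }'
}

# Ruleset after `iptables -I INPUT ...`: the rule goes to the top of INPUT.
inserted_rules() {
    printf '%s\n' "$BASE_RULES" |
        awk -v r="$1" '/^-A INPUT / && !done { print r; done = 1 } { print }'
}

# Exit 0 if an ACCEPT for TCP port $1 appears in INPUT before the first
# catch-all REJECT/DROP (a rule with no -p/-s/-i/--dport match). Dump on stdin.
port_reachable() {
    awk -v port="$1" '
        /^-A INPUT / {
            if ($0 ~ /-j ACCEPT/ && $0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)")) { found = 1; exit }
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /(--dport|-s |-p |-i )/) exit
        }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 if some ACCEPT for TCP port $1 in INPUT carries no -s restriction,
# i.e. the port is open to every source address. Dump on stdin.
port_open_to_world() {
    awk -v port="$1" '
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") && $0 !~ /-s / { open = 1 }
        END { exit (open ? 0 : 1) }'
}

# Report for the reader; the functions above are what a script would reuse.
for variant in appended inserted; do
    if "${variant}_rules" "$MYSQL_RULE" | port_reachable 3306; then
        echo "$variant: port 3306 reachable"
    else
        echo "$variant: port 3306 NOT reachable (rule sits behind the catch-all REJECT)"
    fi
done
if inserted_rules "$MYSQL_RULE" | port_open_to_world 3306; then
    echo "inserted: 3306 is open to any source; prefer the -s restricted rule"
fi
if ! inserted_rules "$MYSQL_RULE_RESTRICTED" | port_open_to_world 3306; then
    echo "restricted: 3306 accepted only from 10.0.1.0/24"
fi
```

On a real host, feed the script the live ruleset with `iptables-save | port_reachable 3306` after sourcing it; the ordering check is the one that catches the -A mistake, because `iptables -L -n | grep 3306` shows the rule whether or not anything can reach it.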
Summary
The work splits into two parts: installing iptables-services, and modifying the policy. The steps above add the rule first and save it to a file so it survives the firewalld shutdown; on a fresh host it is simpler to install iptables-services first and then add the rule.
Install iptables-services
- Disable firewalld: systemctl stop firewalld.service / systemctl mask firewalld.service;
- Install iptables-services: yum install iptables-services;
- Start on boot: systemctl enable iptables.service.
Modify the policy
- Check port access: iptables -L -n|grep 3306;
- Allow access (insert ahead of the catch-all REJECT, and restrict the source where possible): iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT;
- Save the policy: iptables-save > iptables.rules;
- Load the policy: iptables-restore iptables.rules;
- Initialize the policy (writes /etc/sysconfig/iptables): /usr/libexec/iptables/iptables.init save