6 - Firewall
Red Hat Enterprise Linux 7 uses firewalld as its default firewall, and the way the firewall is managed has changed with it. The iptables-based firewall service is no longer started by default, but it can still be used.
Several firewall front-ends coexist on RHEL7: firewalld, iptables, ebtables and others. firewalld is the default, and its management tool is firewall-cmd. RHEL7 ships kernel 3.10; packet filtering is still done inside the kernel by netfilter. firewalld is a userspace daemon that manages netfilter, and under the hood it still installs its rules through the iptables, ip6tables and ebtables commands.
Because these daemons conflict (each one manages the same netfilter tables, and stopping iptables.service flushes every rule and sets the chain policies to ACCEPT, as the log below shows), it is recommended to disable the other services and leave only firewalld. Masking a unit (systemctl mask) is stronger than disabling it: the unit is symlinked to /dev/null, so it cannot be started manually or pulled in as a dependency. One caveat: systemctl mask does not check that the unit exists, so a misspelt name is silently "masked" as well (note the ip6taboles typo in the loop below, which created a dangling symlink without any error).
[root@via ~]# systemctl status {firewalld,iptables,ip6tables,ebtables}
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2016-07-08 11:10:43 CST; 1h 22min ago
Main PID: 8027 (firewalld)
CGroup: /system.slice/firewalld.service
└─8027 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jul 08 11:10:41 via systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 08 11:10:43 via systemd[1]: Started firewalld - dynamic firewall daemon.
● iptables.service
Loaded: masked (/dev/null)
Active: inactive (dead) since Fri 2016-07-08 10:51:51 CST; 1h 41min ago
Main PID: 6098 (code=exited, status=0/SUCCESS)
Jul 08 10:51:27 via systemd[1]: Starting IPv4 firewall with iptables...
Jul 08 10:51:27 via iptables.init[6098]: iptables: Applying firewall rules: [ OK ]
Jul 08 10:51:27 via systemd[1]: Started IPv4 firewall with iptables.
Jul 08 10:51:51 via systemd[1]: Stopping IPv4 firewall with iptables...
Jul 08 10:51:51 via iptables.init[6132]: iptables: Setting chains to policy ACCEPT: nat mangle secu...LED]
Jul 08 10:51:51 via iptables.init[6132]: iptables: Flushing firewall rules: [ OK ]
Jul 08 10:51:51 via iptables.init[6132]: iptables: Unloading modules: [ OK ]
Jul 08 10:51:51 via systemd[1]: Stopped IPv4 firewall with iptables.
● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
● ebtables.service - Ethernet Bridge Filtering tables
Loaded: loaded (/usr/lib/systemd/system/ebtables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Hint: Some lines were ellipsized, use -l to show in full.
[root@via ~]#
[root@via ~]# systemctl mask {iptables,ip6tables,ebtables}
Created symlink from /etc/systemd/system/ip6tables.service to /dev/null.
Created symlink from /etc/systemd/system/ebtables.service to /dev/null.
[root@via ~]# for service in iptables ip6taboles ebtables;do
> systemctl mask ${service}.service
> done
Created symlink from /etc/systemd/system/ip6taboles.service to /dev/null.
[root@via ~]# systemctl status {firewalld,iptables,ip6tables,ebtables}
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2016-07-08 11:10:43 CST; 1h 25min ago
Main PID: 8027 (firewalld)
CGroup: /system.slice/firewalld.service
└─8027 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jul 08 11:10:41 via systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 08 11:10:43 via systemd[1]: Started firewalld - dynamic firewall daemon.
● iptables.service
Loaded: masked (/dev/null)
Active: inactive (dead) since Fri 2016-07-08 10:51:51 CST; 1h 43min ago
Main PID: 6098 (code=exited, status=0/SUCCESS)
Jul 08 10:51:27 via systemd[1]: Starting IPv4 firewall with iptables...
Jul 08 10:51:27 via iptables.init[6098]: iptables: Applying firewall rules: [ OK ]
Jul 08 10:51:27 via systemd[1]: Started IPv4 firewall with iptables.
Jul 08 10:51:51 via systemd[1]: Stopping IPv4 firewall with iptables...
Jul 08 10:51:51 via iptables.init[6132]: iptables: Setting chains to policy ACCEPT: nat mangle secu...LED]
Jul 08 10:51:51 via iptables.init[6132]: iptables: Flushing firewall rules: [ OK ]
Jul 08 10:51:51 via iptables.init[6132]: iptables: Unloading modules: [ OK ]
Jul 08 10:51:51 via systemd[1]: Stopped IPv4 firewall with iptables.
● ip6tables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
● ebtables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Hint: Some lines were ellipsized, use -l to show in full.
[root@via ~]#
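The procedure above, turned into a repeatable script. This is an added example for these notes, not code from the original page or from the firewalld project. It assumes RHEL7 with systemd 219 (hence systemctl show -p LoadState rather than the later --value flag) and the iptables-services package providing the iptables, ip6tables and ebtables units; the SYSTEMCTL variable, the function names and the apply/check modes are conventions of this example. It adds the checks the transcript above shows are needed: it rejects unit names systemd does not know (the ip6taboles typo was silently "masked"), skips units that are already masked, and reloads firewalld after stopping iptables.service because that service's stop action flushes all netfilter rules.

```bash
#!/bin/bash
# Added example (not from the original notes or the firewalld project):
# make firewalld the only enabled netfilter front-end on a RHEL7 host by
# masking the legacy iptables-services units, with sanity checks.
# SYSTEMCTL can be overridden (e.g. with a stub function) to exercise the
# logic without root; function names and modes are this example's own.
SYSTEMCTL=${SYSTEMCTL:-systemctl}

FIREWALL=firewalld
LEGACY_UNITS="iptables ip6tables ebtables"

# LoadState of a unit: "loaded", "masked", or "not-found" for a name systemd
# does not know. systemctl show -p works on systemd 219 (RHEL7); the newer
# --value flag does not exist there, so the value is cut out of KEY=VALUE.
load_state() {
    "$SYSTEMCTL" show -p LoadState "$1.service" 2>/dev/null | cut -d= -f2
}

# Print the units (one per line) that still need masking. Units that are
# already masked are skipped; unknown names are reported on stderr and make
# the function return 1, so a typo like ip6taboles is refused instead of
# being "masked" as a dangling /dev/null symlink.
units_to_mask() {
    local u state rc=0
    for u in "$@"; do
        state=$(load_state "$u")
        case "$state" in
            masked)       ;;
            not-found|"") echo "unknown unit: $u.service" >&2; rc=1 ;;
            *)            echo "$u" ;;
        esac
    done
    return $rc
}

# Stop and mask the legacy daemons. Stopping iptables.service runs its init
# script, which flushes every netfilter table and sets the chain policies to
# ACCEPT (visible in the "Stopping IPv4 firewall" log lines), so firewalld's
# rules are reloaded afterwards if firewalld is already running.
mask_legacy() {
    local u units
    units=$(units_to_mask $LEGACY_UNITS) || return 1
    for u in $units; do
        "$SYSTEMCTL" stop "$u.service"
        "$SYSTEMCTL" mask "$u.service"
    done
    if [ "$("$SYSTEMCTL" is-active "$FIREWALL.service" 2>/dev/null)" = active ]; then
        firewall-cmd --reload
    fi
}

# Final check: firewalld active, every legacy unit masked and not running.
# Returns 0 only when the host is in exactly that state.
verify_state() {
    local u ok=0
    [ "$("$SYSTEMCTL" is-active "$FIREWALL.service" 2>/dev/null)" = active ] \
        || { echo "$FIREWALL.service is not active"; ok=1; }
    for u in $LEGACY_UNITS; do
        [ "$(load_state "$u")" = masked ] \
            || { echo "$u.service is not masked"; ok=1; }
        [ "$("$SYSTEMCTL" is-active "$u.service" 2>/dev/null)" != active ] \
            || { echo "$u.service is still running"; ok=1; }
    done
    return $ok
}

# Usage: ./firewalld-only.sh apply   (as root)   or   ./firewalld-only.sh check
case "${1:-}" in
    apply) mask_legacy && verify_state ;;
    check) verify_state ;;
esac
```

Run it with check first to see what would change; apply stops and masks only the legacy units that are loaded and not yet masked, then runs the same verification, so a non-zero exit means the host is not in the firewalld-only state the notes describe.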