
Linux 8.3 Firewall


Firewall: firewalld

  Disable SELinux

[root@chyuanliuNJ ~]# setenforce 0
setenforce: SELinux is disabled
[root@chyuanliuNJ ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@chyuanliuNJ ~]# getenforce
Disabled

  Before CentOS 7, the netfilter firewall was used; from CentOS 7 onward, the firewalld firewall is used. The two firewall mechanisms differ somewhat, but the iptables tool is used in the same way. You need to understand both firewalls.

  To use netfilter on CentOS 7, you can disable firewalld and enable netfilter (the iptables service):

[root@chyuanliuNJ ~]# systemctl disable firewalld
[root@chyuanliuNJ ~]# systemctl stop firewalld
[root@chyuanliuNJ ~]# yum install -y iptables-services
... ...
[root@chyuanliuNJ ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@chyuanliuNJ ~]# systemctl start iptables

Introduction to netfilter's 5 tables and 5 chains

  The 5 tables of netfilter

  The filter table is used for filtering packets. It is the most commonly used table and has three chains: INPUT, FORWARD and OUTPUT.

  The nat table is used for network address translation and has three chains: PREROUTING, OUTPUT and POSTROUTING.

  The mangle table is used to mark packets; it is almost never used.

  The raw table can be used to exempt certain packets from connection tracking; it is not commonly used.

  The security table does not exist in CentOS 6. It is used for Mandatory Access Control (MAC) network rules and is not commonly used.
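After switching from firewalld to iptables-services as shown above, the first thing to check is what rule set is actually loaded in the tables and built-in chains just described. The following added example (not part of the original post) parses an iptables-save style dump and reports, for the filter and nat chains named in the text, each chain's default policy and rule count; the dump is a constructed sample standing in for real `iptables-save` output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: report default policy and
# rule count per built-in chain from an iptables-save style dump.
set -eu

# Constructed sample in iptables-save format (stands in for the output of
# `iptables-save` on a CentOS 7 host after enabling iptables-services).
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# policy_of TABLE CHAIN (dump on stdin): prints the chain's default
# policy, or nothing if that table/chain is absent from the dump.
policy_of() {
  awk -v t="$1" -v c="$2" '
    /^\*/ { cur = substr($0, 2); next }   # "*filter" opens a table
    /^:/ && cur == t { if (substr($1, 2) == c) { print $2; exit } }
  '
}

# rule_count TABLE CHAIN (dump on stdin): number of "-A CHAIN" rules
# appended to that chain inside that table.
rule_count() {
  awk -v t="$1" -v c="$2" '
    /^\*/ { cur = substr($0, 2); next }
    cur == t && $1 == "-A" && $2 == c { n++ }
    END { print n + 0 }
  '
}

# Report over the chains the text lists for the filter and nat tables.
for tc in filter:INPUT filter:FORWARD filter:OUTPUT \
          nat:PREROUTING nat:OUTPUT nat:POSTROUTING; do
  t=${tc%%:*}; c=${tc#*:}
  p=$(printf '%s\n' "$SAMPLE" | policy_of "$t" "$c")
  n=$(printf '%s\n' "$SAMPLE" | rule_count "$t" "$c")
  printf '%-7s %-11s policy=%-6s rules=%s\n' "$t" "$c" "$p" "$n"
done
```

On a real host, replace the constructed SAMPLE with `iptables-save` output; a filter chain reported with policy ACCEPT and zero rules is one that filters nothing.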

  Reference: http://www.cnblogs.com/metoy/p/4320813.html
