Using iptables on CentOS 7

Hello.

This is JP-Hosting.

This post covers how to go back to iptables, the firewall we were using before, instead of firewalld, which CentOS 7 enables by default.

  • The test environment is CentOS 7.8.


[root@localhost ~]# rpm -qa *-release 
centos-release-7-8.2003.0.el7.centos.x86_64

  • Disabling (stop and mask) the default CentOS 7 firewalld service

  1. Check the service status
  2. Stop firewalld and mask it (masking links the unit to /dev/null so nothing can start it again; firewalld.service conflicts with iptables.service, so if it were ever started it would stop iptables and replace your rules)
  3. Check the service status again


[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-05-30 15:01:15 JST; 1 day 7h ago
Docs: man:firewalld(1)
Main PID: 23280 (firewalld)
CGroup: /system.slice/firewalld.service
└─23280 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

May 30 15:01:15 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 30 15:01:15 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 30 15:01:15 localhost.localdomain firewalld[23280]: WARNING: AllowZoneDrifting is enabled. This is considered an insec... now.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
[root@localhost ~]# systemctl status firewalld
● firewalld.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead) since Sun 2020-05-31 22:07:36 JST; 3s ago
Main PID: 23280 (code=exited, status=0/SUCCESS)

May 30 15:01:15 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
May 30 15:01:15 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
May 30 15:01:15 localhost.localdomain firewalld[23280]: WARNING: AllowZoneDrifting is enabled. This is considered an insec... now.
May 31 22:07:35 localhost.localdomain systemd[1]: Stopping firewalld - dynamic firewall daemon...
May 31 22:07:36 localhost.localdomain systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

  • Installing the iptables service

  1. Install the iptables-services package (it provides both iptables.service for IPv4 and ip6tables.service for IPv6)
  2. Enable and start the service
  3. Check the service status


[root@localhost ~]# yum -y install iptables-services
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ty1.mirror.newmediaexpress.com
* extras: ty1.mirror.newmediaexpress.com
* updates: ty1.mirror.newmediaexpress.com
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-34.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================
Installing:
iptables-services x86_64 1.4.21-34.el7 base 52 k

Transaction Summary
==================================================================================================================================
Install 1 Package

Total download size: 52 k
Installed size: 23 k
Downloading packages:
iptables-services-1.4.21-34.el7.x86_64.rpm | 52 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-34.el7.x86_64 1/1
Verifying : iptables-services-1.4.21-34.el7.x86_64 1/1

Installed:
iptables-services.x86_64 0:1.4.21-34.el7

Complete!

[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables

[root@localhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2020-05-31 22:22:21 JST; 6s ago
Process: 26258 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 26258 (code=exited, status=0/SUCCESS)

May 31 22:22:21 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
May 31 22:22:21 localhost.localdomain iptables.init[26258]: iptables: Applying firewall rules: [ OK ]
May 31 22:22:21 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

  • Setting up iptables rules

The iptables service loads its rules from /etc/sysconfig/iptables when it starts. The file below is the sample shipped by iptables-services: it accepts loopback, ICMP, packets belonging to established connections and new TCP connections to port 22, and rejects everything else. Add one -A INPUT ... --dport N -j ACCEPT line per service above the final REJECT line, apply the file with systemctl restart iptables, and confirm with iptables -S (or iptables -L -n -v to see counters). The reverse direction needs care too: rules added at runtime with the iptables command are lost at the next restart unless you write them back with service iptables save (or iptables-save > /etc/sysconfig/iptables).

Two caveats. First, firewalld was also filtering IPv6, and only iptables.service was enabled above, so enable and start ip6tables as well and give /etc/sysconfig/ip6tables the same treatment; otherwise the host's IPv6 addresses stay unfiltered. Second, check an edited file with iptables-restore --test before restarting the service: a file that fails to load applies nothing at all, and the kernel's default ACCEPT policy then leaves every port open.


[root@localhost ~]# vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
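The whole procedure above, as one script. This is an added example written for this page, not JP-Hosting's script: it builds default-deny rulesets for both /etc/sysconfig/iptables and /etc/sysconfig/ip6tables from the TCP ports you pass in, checks that each file is a complete *filter table that iptables-restore --test will parse, and only then masks firewalld and enables iptables.service and ip6tables.service. The SSH port and its rate limit, the .new temporary file names, the script name and the port numbers in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example for this page, not JP-Hosting's script: build default-deny
# rulesets for /etc/sysconfig/iptables and /etc/sysconfig/ip6tables from a
# list of TCP ports, check them, and only then replace firewalld with
# iptables-services.
#   ./switch-to-iptables.sh 80 443               # print the IPv4 ruleset
#   sudo ./switch-to-iptables.sh --apply 80 443  # install, write, enable
# Assumptions: sshd listens on SSH_PORT (22 unless overridden), a limit of
# five new SSH connections per source per minute is acceptable, and the
# script name is only illustrative.

RULES4=/etc/sysconfig/iptables
RULES6=/etc/sysconfig/ip6tables
SSH_PORT="${SSH_PORT:-22}"

# True only for integers 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an iptables-restore ruleset for address family $1 (4 or 6) that opens
# SSH plus the given TCP ports. Unlike the stock sample file it uses a DROP
# policy on INPUT/FORWARD (flushing the rules closes the host instead of
# opening it), -m conntrack instead of the deprecated -m state, drops INVALID
# packets, and drops the sixth new SSH connection from one source within 60 s
# (-m recent). For IPv6, ICMPv6 must be allowed or neighbour discovery breaks.
render_rules() {
    family="$1"; shift
    icmp='-p icmp'; reject='icmp-host-prohibited'
    if [ "$family" = 6 ]; then icmp='-p ipv6-icmp'; reject='icmp6-adm-prohibited'; fi
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT $icmp -j ACCEPT" \
        "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh$family --set" \
        "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh$family --update --seconds 60 --hitcount 6 -j DROP" \
        "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    for p in "$@"; do
        [ "$p" = "$SSH_PORT" ] && continue   # already opened above
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -j REJECT --reject-with $reject" \
        "-A FORWARD -j REJECT --reject-with $reject" COMMIT
}

# Accept only a single, complete *filter table: chain lines, -A rules,
# comments and blank lines, ending in COMMIT. iptables-restore applies a
# table atomically, so a broken file loads nothing and the kernel's default
# ACCEPT policy would leave the host wide open when iptables.service fails.
check_rules() {
    file="$1"; n=0
    [ "$(head -n 1 "$file")" = '*filter' ] || { echo "$file: must start with *filter" >&2; return 1; }
    [ "$(tail -n 1 "$file")" = COMMIT ] || { echo "$file: must end with COMMIT" >&2; return 1; }
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ''|'*filter'|COMMIT|'#'*|':'*|'-A '*) ;;
            *) echo "$file:$n: unexpected line: $line" >&2; return 1 ;;
        esac
    done < "$file"
}

# Install, write and check both rulesets, then swap the services. The files
# are validated (structure, then iptables-restore --test, which parses without
# committing) before firewalld is stopped, so the host is unfiltered only for
# the service switch itself. 'systemctl enable --now' needs systemd 220 and
# CentOS 7 ships 219, hence separate enable and start.
apply() {
    [ "$(id -u)" = 0 ] || { echo "--apply must run as root" >&2; return 1; }
    yum -y install iptables-services || return 1
    render_rules 4 "$@" > "$RULES4.new" && check_rules "$RULES4.new" \
        && iptables-restore --test < "$RULES4.new" || return 1
    render_rules 6 "$@" > "$RULES6.new" && check_rules "$RULES6.new" \
        && ip6tables-restore --test < "$RULES6.new" || return 1
    mv -f "$RULES4.new" "$RULES4" && mv -f "$RULES6.new" "$RULES6" || return 1
    chmod 600 "$RULES4" "$RULES6"
    systemctl stop firewalld
    systemctl mask firewalld
    systemctl enable iptables ip6tables
    systemctl start iptables ip6tables || return 1
    iptables -S && ip6tables -S
}

case "${1:-}" in
    --apply) shift; apply "$@" ;;
    '') echo "usage: $0 [--apply] port..." >&2 ;;
    *) render_rules 4 "$@" ;;
esac
```

Without --apply the script only prints the IPv4 ruleset, which is handy for diffing against the stock sample file. Note what the DROP policy does and does not buy: it does not rescue a file that fails to load (iptables-restore commits a table atomically, so a broken file leaves the kernel default ACCEPT with no rules), which is why the checks run before firewalld is touched; what it does give you is that a later iptables -F, or a half-finished interactive edit, closes the host rather than opening it.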