
CentOS 7 – Firewall, SELinux

Because the lab only exercises certain Linux features, we turn off the Firewall and SELinux so they do not interfere with the tests (both are enabled by default after installation).

Test environment: CentOS 7 x64 (also applies to RHEL 7)

Firewall

Stop the Firewall (iptables) immediately.

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Configure the Firewall (iptables) not to start at boot.

[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl list-unit-files |grep -i firewalld
firewalld.service                           disabled

However, iptables -L may still show rules defined:

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

This is because KVM is installed on the system (for KVM networking see http://benjr.tw/8189), which creates the virbr0 device.

[root@localhost ~]# ifconfig virbr0
virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:46:34:b0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.5254004634b0	yes		virbr0-nic

virbr0 can be shut down as follows (leaving it on does no harm either):

[root@localhost ~]# virsh net-list
[root@localhost ~]# virsh net-destroy default
[root@localhost ~]# virsh net-autostart default --disable
[root@localhost ~]# virsh net-undefine default
[root@localhost ~]# systemctl disable libvirtd.service

SELinux

SELinux can only be configured not to start at boot, so the system must be rebooted.

[root@localhost ~]# vi /etc/sysconfig/selinux 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
#SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@localhost ~]# reboot
[root@localhost ~]# sestatus 
SELinux status:                 disabled

# SELINUX defaults to enforcing and needs to be changed to disabled.
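As an added example (not from the original post), a small POSIX shell check that reports whether a host is in the lab profile described above, i.e. firewalld disabled at boot or SELINUX not enforcing. It parses the text of /etc/selinux/config (the target of /etc/sysconfig/selinux) and of `systemctl list-unit-files` instead of running live commands, so the sample inputs below are constructed and the functions run offline; note that a naive `grep SELINUX=` would also match the commented-out `#SELINUX=enforcing` line in the file above.

```shell
#!/bin/sh
# Added example, not part of the original post. Inputs are passed as text so the
# checks can be run against constructed samples or against a live host.

# Print the effective SELINUX= value: comment lines such as "#SELINUX=enforcing"
# are ignored, SELINUXTYPE= does not match, and the last uncommented assignment wins.
selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# Print the boot state of firewalld.service ("enabled"/"disabled") from
# `systemctl list-unit-files` output, or "absent" if the unit is not listed.
firewalld_boot_state() {
    awk '$1 == "firewalld.service" { print $2; found = 1 }
         END { if (!found) print "absent" }'
}

# Return 0 when both protections are on, 1 when the host matches the lab profile
# (firewall not starting at boot, or SELinux not enforcing).
# $1 = contents of /etc/selinux/config, $2 = output of systemctl list-unit-files
lab_profile() {
    mode=$(printf '%s\n' "$1" | selinux_mode)
    fw=$(printf '%s\n' "$2" | firewalld_boot_state)
    [ "$mode" = "enforcing" ] && [ "$fw" = "enabled" ] && return 0
    return 1
}

# Constructed sample inputs mirroring the config file and listing shown above.
SELINUX_CONFIG_LAB='# This file controls the state of SELinux on the system.
SELINUX=disabled
#SELINUX=enforcing
SELINUXTYPE=targeted'

UNIT_FILES_LAB='UNIT FILE                                   STATE
firewalld.service                           disabled
sshd.service                                enabled'

# On a live host: lab_profile "$(cat /etc/selinux/config)" "$(systemctl list-unit-files)"
if lab_profile "$SELINUX_CONFIG_LAB" "$UNIT_FILES_LAB"; then
    echo "firewall enabled at boot and SELinux enforcing"
else
    echo "lab profile: firewall disabled at boot or SELinux not enforcing"
fi
```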
