Because the lab only exercises particular Linux features, we turn off the firewall and SELinux so they cannot interfere with the tests (both are enabled by default after installation). This is a lab-only baseline: on a host reachable from any network you do not control, leave both on.
Test environment: CentOS 7 x64 (also applies to RHEL 7).
Firewall
Stop the firewall immediately. On CentOS 7 the firewall service is firewalld, which programs its rules through iptables; stopping it removes those rules, which is why the chains below are empty with policy ACCEPT:
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Keep the firewall from starting again at boot (disable only removes the boot-time link; if another unit or a package scriptlet might start firewalld, mask it as well with systemctl mask firewalld):
[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl list-unit-files | grep -i firewalld
firewalld.service                             disabled
Even so, iptables -L may still show rules, but they are not firewalld's:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
They come from the virbr0 bridge that libvirt creates for its default NAT network when KVM is installed (on KVM networking see https://benjr.tw/8189 ): DNS and DHCP (dnsmasq) on virbr0 and forwarding for 192.168.122.0/24. iptables -L -v adds the in/out interface columns and makes the virbr0 origin visible.
[root@localhost ~]# ifconfig virbr0
virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:46:34:b0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.5254004634b0	yes		virbr0-nic
virbr0 and its rules can be removed with the commands below (net-destroy drops the bridge and its rules at once, net-undefine makes that permanent); leaving them in place does not affect the lab.
[root@localhost ~]# virsh net-list
[root@localhost ~]# virsh net-destroy default
[root@localhost ~]# virsh net-autostart default --disable
[root@localhost ~]# virsh net-undefine default
[root@localhost ~]# systemctl disable libvirtd.service
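The steps above (stop and disable firewalld, then inspect what iptables still holds) are easy to get half right: the unit is disabled but not masked, or a leftover rule is mistaken for firewalld's. The script below is an added example, not code from the original post, that does both halves and then proves the filter table is open. It assumes a CentOS 7 host with systemd and iptables, and libvirt's default network on virbr0 / 192.168.122.0/24 as shown above; the ruleset text in the comments is constructed for illustration. It checks the filter table only; libvirt also adds nat and mangle rules (iptables -t nat -S) that this check does not cover.

```shell
#!/bin/sh
# Added example, not part of the original post: take firewalld down on a
# CentOS 7 lab host and then prove that the filter table is really open.
# Assumptions: systemd, iptables and (optionally) libvirt's default network
# on virbr0 / 192.168.122.0/24.

# Stop firewalld now, keep it off across reboots, and mask the unit so a
# package scriptlet or a dependent unit cannot start it again behind you.
firewalld_off() {
    systemctl stop firewalld
    systemctl disable firewalld
    systemctl mask firewalld
}

# Read `iptables -S` output on stdin and tag every line:
#   policy  - a chain policy (-P); expected, must be ACCEPT for an open box
#   chain   - a user-defined chain (-N); neutral
#   libvirt - a rule for the default NAT network (mentions virbr0 or its subnet)
#   other   - a rule nobody asked for; look at it before trusting the lab
classify_rules() {
    while IFS= read -r line; do
        case "$line" in
            "-P "*)                      echo "policy: $line" ;;
            "-N "*)                      echo "chain: $line" ;;
            *virbr0*|*192.168.122.0/24*) echo "libvirt: $line" ;;
            *)                           echo "other: $line" ;;
        esac
    done
}

# Succeed only when every chain policy is ACCEPT and no "other" rule remains,
# e.g. for the constructed input
#   -P INPUT ACCEPT / -P FORWARD ACCEPT / -P OUTPUT ACCEPT
#   -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
# it succeeds, while "-P INPUT DROP" or "-A INPUT -p tcp --dport 22 -j ACCEPT" fail it.
filter_is_open() {
    classify_rules | awk '
        /^policy: / && $NF != "ACCEPT" { bad++ }
        /^other: /                     { bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
}

# sh firewall_off.sh --apply   (as root) stops and masks firewalld, then checks;
# sh firewall_off.sh --check   only checks the live ruleset.
if [ "${1:-}" = "--apply" ]; then
    firewalld_off
fi
if [ "${1:-}" = "--apply" ] || [ "${1:-}" = "--check" ]; then
    if iptables -S | filter_is_open; then
        echo "filter table open"
    else
        echo "unexpected rules or policies remain:"
        iptables -S | classify_rules
    fi
fi
```

Run it with --check after the manual steps: a clean lab box prints "filter table open"; anything tagged "other" is a rule that neither firewalld nor libvirt explains and deserves a look before the tests start.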
SELinux
Turn SELinux off for the running session. setenforce 0 switches to permissive mode: the policy stays loaded and denials are still logged by auditd, but nothing is blocked, which is all the lab needs.
[root@localhost ~]# setenforce 0
To keep it off after a reboot, set SELINUX=disabled (the default is enforcing). /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so either path works. permissive is the gentler choice for a lab: it behaves the same for testing, and re-enabling later from disabled forces a full filesystem relabel on the next boot (touch /.autorelabel), while from permissive it does not.
[root@localhost ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
#SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# reboot
[root@localhost ~]# sestatus
SELinux status:                 disabled
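The hand edit above has two failure modes worth catching: a misspelt value (SELINUX=disable) is not reported at edit time and only shows up as an unexpected mode after the reboot, and switching back from disabled later needs a relabel that is easy to forget. The script below is an added example, not code from the original post, that sets the mode for the running session and for the next boot with those checks built in. It assumes the config file is /etc/selinux/config (on CentOS 7, /etc/sysconfig/selinux is a symlink to it); the file path and the relabel flag path are parameters so the functions can be exercised on a copy as a normal user.

```shell
#!/bin/sh
# Added example, not part of the original post: set the SELinux mode both
# immediately and for the next boot, with the checks a hand edit skips.
# Assumption: the config file is /etc/selinux/config; the path and the
# relabel flag are parameters so the functions can be tested on a copy.

# Print the mode configured in FILE (enforcing, permissive or disabled),
# ignoring commented-out SELINUX= lines.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_set_mode FILE MODE [RELABEL_FLAG]
# Rewrite the active SELINUX= line in FILE. Only the three valid values are
# accepted. When the box is coming back from "disabled", files written
# meanwhile carry no label, so a full relabel is requested for the next boot
# by touching RELABEL_FLAG (/.autorelabel by default).
selinux_set_mode() {
    cfg=$1 mode=$2 flag=${3:-/.autorelabel}
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    old=$(selinux_configured_mode "$cfg")
    sed -i "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg"
    if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
        touch "$flag"
    fi
    # Verify the edit actually took, so a read-only or wrong file is noticed now.
    [ "$(selinux_configured_mode "$cfg")" = "$mode" ]
}

# selinux_apply_now MODE: setenforce only flips between enforcing and
# permissive; "disabled" (and leaving "disabled") needs the reboot.
selinux_apply_now() {
    case "$1" in
        enforcing)  setenforce 1 ;;
        permissive) setenforce 0 ;;
        disabled)   echo "disabled takes effect at the next reboot" ;;
    esac
}

# Usage (as root): sh selinux_mode.sh permissive
if [ -n "${1:-}" ]; then
    selinux_set_mode /etc/selinux/config "$1" || exit 1
    selinux_apply_now "$1"
    echo "configured: $(selinux_configured_mode /etc/selinux/config), current: $(getenforce)"
fi
```

For the lab described on this page, sh selinux_mode.sh permissive gives the same effect as setenforce 0 plus the file edit, without the relabel cost when SELinux is switched back on later.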