CentOS 7 – Firewall, SELinux


Because the lab only tests certain Linux functions, we turn off the Firewall and SELinux so that they do not interfere with the tests (both are enabled by default after installation).

Test environment: CentOS 7 x64 (also applies to RHEL 7).

Firewall

Stop the Firewall (iptables) service immediately.

[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Prevent the Firewall (iptables) service from starting at boot.

[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl list-unit-files |grep -i firewalld
firewalld.service                           disabled

However, iptables -L may still show rules that are defined.

[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

This is because the system has KVM installed (see https://benjr.tw/8189 for KVM networking), which creates the virbr0 device.

[root@localhost ~]# ifconfig virbr0
virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:46:34:b0  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
virbr0		8000.5254004634b0	yes		virbr0-nic

virbr0 can be turned off as follows (leaving it on does no harm either).

[root@localhost ~]# virsh net-list
[root@localhost ~]# virsh net-destroy default
[root@localhost ~]# virsh net-autostart default --disable
[root@localhost ~]# virsh net-undefine default
[root@localhost ~]# systemctl disable libvirtd.service

SELinux

Temporarily disable SELinux.

[root@localhost ~]# setenforce 0

To keep SELinux from starting at boot, change SELINUX to disabled (the default is enforcing).

[root@localhost ~]# vi /etc/sysconfig/selinux 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
#SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@localhost ~]# reboot
[root@localhost ~]# sestatus 
SELinux status:                 disabled
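An added audit script, not from the original post, that ties the Firewall and SELinux sections together: it parses the output of the checks used above (the sysconfig file, getenforce, iptables -L) and reports whether the host is actually in the intended state, including the window between editing the file and the reboot. It assumes getenforce's wording (Enforcing/Permissive/Disabled) and embeds constructed sample text so it runs offline.

```shell
# Audit helper added to this post (not the author's code). It parses the
# output of the checks the post relies on so you can confirm the host really
# is in the state you think it is. Samples are constructed; on a real host
# pipe in the live commands instead.

# Effective SELINUX= value from /etc/sysconfig/selinux content on stdin.
# Only an uncommented assignment counts: the post's file also contains
# "#SELINUX=enforcing", which a plain `grep SELINUX=` would match.
# Assumption: if the key repeats, the last assignment is the effective one.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# $1 = configured mode, $2 = runtime mode as printed by getenforce.
# "disabled" only changes at boot, so a mismatch involving it means the
# reboot the post ends with has not happened yet; any other mismatch means
# the runtime mode was changed (setenforce) without editing the file.
selinux_verdict() {
    cfg=$1; run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$cfg" ]; then echo unknown
    elif [ "$cfg" = "$run" ]; then echo consistent
    elif [ "$cfg" = disabled ] || [ "$run" = disabled ]; then echo reboot-pending
    else echo drift; fi
}

# Rule count in `iptables -L` output on stdin (skip chain headers, column
# headers and blanks). Stopping firewalld does not flush rules that other
# software added; the post shows libvirt's virbr0 rules surviving it.
iptables_rule_count() {
    grep -Ev '^(Chain |target |[[:space:]]*$)' | wc -l | tr -d ' '
}

# Constructed samples shaped like the post's output.
SELINUX_CFG='SELINUX=disabled
#SELINUX=enforcing
SELINUXTYPE=targeted'
IPTABLES_L='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable'

mode=$(printf '%s\n' "$SELINUX_CFG" | selinux_config_mode)
echo "selinux: config=$mode runtime=Permissive -> $(selinux_verdict "$mode" Permissive)"
echo "iptables rules still loaded: $(printf '%s\n' "$IPTABLES_L" | iptables_rule_count)"
```

A result of reboot-pending with a non-zero rule count is exactly the state the post leaves the machine in after `setenforce 0` and the file edit but before `reboot`.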
