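iptables打开22,80,8080,3306等端口

First, stop and mask firewalld so that it cannot start alongside the iptables service (no firewall rules are active on the host until the iptables service is started):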

systemctl stop firewalld
systemctl mask firewalld

Then, install the iptables-services package:

yum install iptables-services

Enable the service at boot-time:

systemctl enable iptables

Managing the service

systemctl [stop|start|restart] iptables

Saving your firewall rules can be done as follows:

service iptables save

or

/usr/libexec/iptables/iptables.init save

reference:https://www.cnblogs.com/anne32184/p/5961806.html
 1 vi /etc/sysconfig/iptables
 2 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT(允许80端口通过防火墙)
 3 -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT(允许3306端口通过防火墙;此规则对所有来源地址开放,MySQL 端口建议用 -s 限定可信的来源网段)
 4 特别提示:很多网友把这两条规则添加到防火墙配置的最后一行,导致防火墙启动失败,正确的应该是添加到默认的22端口这条规则的下面(iptables 按顺序匹配规则,写在末尾 REJECT 规则之后的 ACCEPT 规则不会被匹配到)
 5 添加好之后防火墙规则如下所示:
 6 ######################################
 7 # Firewall configuration written by system-config-firewall
 8 # Manual customization of this file is not recommended.
 9 *filter
10 :INPUT ACCEPT [0:0]
11 :FORWARD ACCEPT [0:0]
12 :OUTPUT ACCEPT [0:0]
13 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
14 -A INPUT -p icmp -j ACCEPT
15 -A INPUT -i lo -j ACCEPT
16 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
17 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
18 -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
19 -A INPUT -j REJECT --reject-with icmp-host-prohibited
20 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
21 COMMIT
22 #####################################
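23 /etc/init.d/iptables restart      #最后重启防火墙使配置生效(使用 systemd 的系统上对应 systemctl restart iptables;重启前可先用 iptables-restore --test < /etc/sysconfig/iptables 检查规则文件语法,避免远程连接被锁在外面)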
  1 # Generated by iptables-save v1.4.21 on Fri Jul 28 19:10:39 2017
  2 *nat
  3 :PREROUTING ACCEPT [0:0]
  4 :INPUT ACCEPT [0:0]
  5 :OUTPUT ACCEPT [136:8416]
  6 :POSTROUTING ACCEPT [136:8416]
  7 :OUTPUT_direct - [0:0]
  8 :POSTROUTING_ZONES - [0:0]
  9 :POSTROUTING_ZONES_SOURCE - [0:0]
 10 :POSTROUTING_direct - [0:0]
 11 :POST_public - [0:0]
 12 :POST_public_allow - [0:0]
 13 :POST_public_deny - [0:0]
 14 :POST_public_log - [0:0]
 15 :PREROUTING_ZONES - [0:0]
 16 :PREROUTING_ZONES_SOURCE - [0:0]
 17 :PREROUTING_direct - [0:0]
 18 :PRE_public - [0:0]
 19 :PRE_public_allow - [0:0]
 20 :PRE_public_deny - [0:0]
 21 :PRE_public_log - [0:0]
 22 -A PREROUTING -j PREROUTING_direct
 23 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 24 -A PREROUTING -j PREROUTING_ZONES
 25 -A OUTPUT -j OUTPUT_direct
 26 -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
 27 -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
 28 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
 29 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
 30 -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
 31 -A POSTROUTING -j POSTROUTING_direct
 32 -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
 33 -A POSTROUTING -j POSTROUTING_ZONES
 34 -A POSTROUTING_ZONES -o enp0s3 -g POST_public
 35 -A POSTROUTING_ZONES -g POST_public
 36 -A POST_public -j POST_public_log
 37 -A POST_public -j POST_public_deny
 38 -A POST_public -j POST_public_allow
 39 -A PREROUTING_ZONES -i enp0s3 -g PRE_public
 40 -A PREROUTING_ZONES -g PRE_public
 41 -A PRE_public -j PRE_public_log
 42 -A PRE_public -j PRE_public_deny
 43 -A PRE_public -j PRE_public_allow
 44 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 45 -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
 46 -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
 47 -A INPUT -m state --state NEW -m tcp -p tcp --dport 9904 -j ACCEPT
 48 
 49 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 50 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
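 51 #(之前我添加在下面,浏览器也是不能访问的,必须放在上面!)注意:上面第 44–50 行的 INPUT/FORWARD 规则位于 *nat 段内;REJECT 目标只能用于 filter 表,且 nat 表没有 FORWARD 链,这些规则应写在 *filter 段(见第 117–135 行)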
 52 #允许8080端口通过防火墙
 53 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
 54 #允许3306端口通过防火墙
 55 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
 56 #允许9904端口通过防火墙
 57 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 9904 -j ACCEPT
 58 COMMIT
 59 # Completed on Fri Jul 28 19:10:39 2017
 60 # Generated by iptables-save v1.4.21 on Fri Jul 28 19:10:39 2017
 61 *mangle
 62 :PREROUTING ACCEPT [732:348610]
 63 :INPUT ACCEPT [732:348610]
 64 :FORWARD ACCEPT [0:0]
 65 :OUTPUT ACCEPT [765:100277]
 66 :POSTROUTING ACCEPT [767:100547]
 67 :FORWARD_direct - [0:0]
 68 :INPUT_direct - [0:0]
 69 :OUTPUT_direct - [0:0]
 70 :POSTROUTING_direct - [0:0]
 71 :PREROUTING_ZONES - [0:0]
 72 :PREROUTING_ZONES_SOURCE - [0:0]
 73 :PREROUTING_direct - [0:0]
 74 :PRE_public - [0:0]
 75 :PRE_public_allow - [0:0]
 76 :PRE_public_deny - [0:0]
 77 :PRE_public_log - [0:0]
 78 -A PREROUTING -j PREROUTING_direct
 79 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 80 -A PREROUTING -j PREROUTING_ZONES
 81 -A INPUT -j INPUT_direct
 82 -A FORWARD -j FORWARD_direct
 83 -A OUTPUT -j OUTPUT_direct
 84 -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
 85 -A POSTROUTING -j POSTROUTING_direct
 86 -A PREROUTING_ZONES -i enp0s3 -g PRE_public
 87 -A PREROUTING_ZONES -g PRE_public
 88 -A PRE_public -j PRE_public_log
 89 -A PRE_public -j PRE_public_deny
 90 -A PRE_public -j PRE_public_allow
 91 COMMIT
 92 # Completed on Fri Jul 28 19:10:39 2017
 93 # Generated by iptables-save v1.4.21 on Fri Jul 28 19:10:39 2017
 94 *security
 95 :INPUT ACCEPT [727:348220]
 96 :FORWARD ACCEPT [0:0]
 97 :OUTPUT ACCEPT [765:100277]
 98 :FORWARD_direct - [0:0]
 99 :INPUT_direct - [0:0]
100 :OUTPUT_direct - [0:0]
101 -A INPUT -j INPUT_direct
102 -A FORWARD -j FORWARD_direct
103 -A OUTPUT -j OUTPUT_direct
104 COMMIT
105 # Completed on Fri Jul 28 19:10:39 2017
106 # Generated by iptables-save v1.4.21 on Fri Jul 28 19:10:39 2017
107 *raw
108 :PREROUTING ACCEPT [732:348610]
109 :OUTPUT ACCEPT [765:100277]
110 :OUTPUT_direct - [0:0]
111 :PREROUTING_direct - [0:0]
112 -A PREROUTING -j PREROUTING_direct
113 -A OUTPUT -j OUTPUT_direct
114 COMMIT
115 # Completed on Fri Jul 28 19:10:39 2017
116 # Generated by iptables-save v1.4.21 on Fri Jul 28 19:10:39 2017
117 *filter
118 :INPUT ACCEPT [0:0]
119 :FORWARD ACCEPT [0:0]
120 :OUTPUT ACCEPT [14:984]
121 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
122 -A INPUT -p icmp -j ACCEPT
123 -A INPUT -i lo -j ACCEPT
124 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
125 -A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
126 -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
127 -A INPUT -m state --state NEW -m tcp -p tcp --dport 9904 -j ACCEPT
128 -A INPUT -j REJECT --reject-with icmp-host-prohibited
129 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
130 #允许3306端口通过防火墙
131 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
132 #允许9904端口通过防火墙
133 #-A INPUT -m state --state NEW -m tcp -p tcp --dport 9904 -j ACCEPT
134 -A INPUT -j REJECT --reject-with icmp-host-prohibited
135 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
136 COMMIT
137 # Completed on Fri Jul 28 19:10:39 2017
原文地址:https://www.cnblogs.com/huangjianping/p/7999759.html