1. Check which ports the firewall has opened.
In the example below, ports 22 and 3306 are already open to the outside:
[root@localhost tomcat7]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
2. The status command reports that the firewall is already stopped.
[root@localhost bin]# /etc/init.d/iptables status
iptables: Firewall is not running.
3. Open a specific port, for example port 8080.
1) Edit /etc/sysconfig/iptables directly and add one rule to its contents:
-A INPUT -m state --state NEW -m tcp -p tcp --dport <port number> -j ACCEPT
Note that the new line must be placed before -A INPUT -j REJECT --reject-with icmp-host-prohibited; rules are evaluated in order, so anything placed after the REJECT rule is never reached.
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
2) Restart the firewall service with service iptables restart:
[root@localhost bin]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
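As an added example (not from the original post), the POSIX shell helpers below edit a copy of /etc/sysconfig/iptables the way step 1 describes: the ACCEPT rule is inserted immediately before the INPUT REJECT rule, a port that is already allowed is not added twice, and a check function confirms that a port's rule actually sits above the REJECT line. The file contents and the port numbers are constructed sample input; the functions only touch the file you pass in and never call iptables themselves.

```shell
# Constructed sample of /etc/sysconfig/iptables in the CentOS 6 layout shown above
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_port FILE PORT
# Inserts the ACCEPT rule for TCP PORT right before the INPUT REJECT rule.
# Idempotent: if the exact rule is already present nothing is changed.
# Returns 1 when the file has no INPUT REJECT rule (unexpected layout), so the
# caller does not silently append a rule that would never be reached.
open_port() {
    file=$1; port=$2
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    grep -qF -- "$rule" "$file" && return 0
    grep -q -- '^-A INPUT -j REJECT' "$file" || return 1
    awk -v rule="$rule" '
        /^-A INPUT -j REJECT/ && !done { print rule; done = 1 }  # insert once, above REJECT
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# port_allowed FILE PORT
# Returns 0 only if an INPUT ACCEPT rule for TCP PORT appears before the INPUT
# REJECT rule; a matching rule placed after the REJECT does not count.
port_allowed() {
    awk -v port="$2" '
        /^-A INPUT -j REJECT/ { exit }                  # later rules are unreachable
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { found = 1 }
        END { exit !found }
    ' "$1"
}
```

After changing the real file, apply it with service iptables restart as shown in step 2 and re-check with /etc/init.d/iptables status.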
4. Turn the firewall off or on directly (not recommended, for security reasons)
1) Takes effect after a reboot:
   Enable: chkconfig iptables on
   Disable: chkconfig iptables off
2) Takes effect immediately, but is lost after a reboot:
   Start: service iptables start
   Stop: service iptables stop
Additionally, to test whether a port is reachable you can use the telnet command: telnet host port, for example telnet 192.168.101.11 8080
If the telnet command is not recognized, install it with yum install telnet (on CentOS); on Windows, search Baidu for instructions yourself.