CentOS 7 默认实用的用Firewalld作为防火墙，摒弃了原先的iptables。但是内核还是使用iptable作为管理

参考文档

https://access.redhat.com/documentation/zh-CN/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

http://www.myhome.net.tw/2015_02/p10.htm

firewall的启动和关闭命令

#systemctl start firewalld
#systemctl enable firewalld
#systemctl stop firewalld
#systemctl disable firewalld
#systemctl status firewalld

1Firewalld目录

/usr/lib/firewalld 这个目录是预设的设定资料，就是最原始的配置。可以在其目录下面看到很多的xml文件。

/etc/firewalld 存放现在正在实用的配置文档,如果下面没有就会采用/usr/lib/firewalld 目录中默认的配置文档。

2Friewall的命令

可以通过GUI界面来管理firewalld ,在有视窗的centos中，Applications->sundry->firewall可以来管理和配置

也可以通过命令行的方式来管理 firewall-cmd来具体的配置，可以实用man命令来了解firewalld相关命令的实用方式

# man firewalld.conf
# man firewall-cmd
# man firewalld.zone
# man firewalld.service
# man firewalld.icmptype
# man firewalld.direct

常用的命令如下

1 添加http和https服务

# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
#  firewall-cmd --reload（不中断连接加载）

其中 --permanent（翻译：永久）是永久修改

2 修改SSH的端口22到23456

[root@localhost ~]# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
[root@localhost ~]# vi /etc/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service><short>SSH</short><description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description><port protocol="tcp" port="23456"/>
</service>
[root@localhost ~]# firewall-cmd --complete-reload （中断连接加载）
[root@localhost ~]# vi /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/local/bin:/usr/bin# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 23456
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# systemctl status sshd
sshd.service - OpenSSH server daemonLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)Active: active (running) since Mon 2015-08-31 17:47:22 CST; 25s agoMain PID: 12302 (sshd)CGroup: /system.slice/sshd.service?..12302 /usr/sbin/sshd -DAug 31 17:47:22 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on 0.0.0.0 port 23456.
Aug 31 17:47:22 localhost.localdomain sshd[12302]: Server listening on :: port 23456.
Aug 31 17:47:23 localhost.localdomain python[12304]: SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 23456.*****  Plugin bind_ports (92.2 confidence) suggests   ************************...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]#