I have a VPS from GoDaddy and, as I mentioned in the post, my system runs CentOS 7. When I started the server, the first thing I did was:
$ yum update
$ yum install firewalld
$ systemctl start firewalld
$ systemctl enable firewalld
$ firewall-cmd --state
not running
I tried reformatting and other things over and over, but I still get this.
Also, when I try
$ firewall-cmd --reload
Error: COMMAND_FAILED
This is the firewall status
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2017-12-17 04:31:45 MST; 23h ago
Docs: man:firewalld(1)
Main PID: 131 (firewalld)
CGroup: /system.slice/firewalld.service
└─131 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Dec 17 04:34:37 s132-148-146-167.secureserver.net firewalld[131]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed: The kernel doesn't support the ebtables 'broute' table.
Dec 17 04:34:37 s132-148-146-167.secureserver.net firewalld[131]: ERROR: COMMAND_FAILED
Dec 17 04:43:21 s132-148-146-167.secureserver.net firewalld[131]: WARNING: ALREADY_ENABLED: ftp
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: WARNING: ipset not usable, disabling ipset usage in firewall.
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: WARNING: Failed to get and parse nf_conntrack_helper setting
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' is not available
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed: iptables-restore: line 64 failed
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed: The kernel doesn't support the ebtables 'broute' table.
Dec 18 03:46:03 s132-148-146-167.secureserver.net firewalld[131]: ERROR: COMMAND_FAILED
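Please help. Am I doing something wrong or missing something? Is this a bug in the default firewall on my OS? Should I blame GoDaddy for this?
The errors I see in the firewalld log: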
WARNING: ip6tables not usable, disabling IPv6 firewall.
WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Answer 1
I think you are having a problem with ebtables. Please verify that ebtables is installed and verify the package.
rpm -V ebtables -v (You can check meanings of output on rpm man page)
Try restarting the services and check the status via journalctl
systemctl restart ebtables
journalctl -u ebtables.service
systemctl restart firewalld
journalctl -u firewalld.service
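Note: journalctl -u firewalld.service is also more helpful for debugging the problem.
Answer 2
If the FTP service uses the standard FTP control port 21, all you need to do is load the nf_conntrack_ftp module.
To make this persistent across reboots, use: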
# cat /etc/modules-load.d/nf_conntrack_ftp.conf
nf_conntrack_ftp
Answer 3
My error:
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2018-12-17 13:38:24 CST; 1min 51s ago
Docs: man:firewalld(1)
Process: 6491 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 6491 (code=exited, status=0/SUCCESS)
Dec 17 13:38:24 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 17 13:38:24 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: WARNING: ipset not usable, disabling ipset usage in firewall.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno …_helper'
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: WARNING: Failed to get and parse nf_conntrack_helper setting
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: WARNING: iptables not usable, disabling IPv4 firewall.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: WARNING: ebtables not usable, disabling ethernet bridge firewall.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: FATAL ERROR: No IPv4 and IPv6 firewall.
Dec 17 13:38:24 localhost.localdomain firewalld[6491]: ERROR: Raising SystemExit in run_server
[root@localhost ~]# iptables -L -n
iptables v1.4.21: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
My solution:
[root@localhost ~]# depmod
[root@localhost ~]# systemctl restart firewalld
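
Added example, not part of the original question or answers: a small bash helper that groups the firewalld messages quoted in this thread by the backend that failed, and reports whether the daemon ended in the fatal "No IPv4 and IPv6 firewall" state. The function names, category labels and sample variables are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarize which firewalld backends
# failed, reading `journalctl -u firewalld.service` text on stdin.
# Category names are labels chosen for this example, not firewalld terms.

# Print "category count" per failure class seen, sorted by category name.
triage_firewalld_log() {
  awk '
    /FATAL ERROR: No IPv4 and IPv6 firewall/ { n["fatal_no_backend"]++;        next }
    /ip6tables not usable/                   { n["ip6tables_unusable"]++;      next }
    /iptables not usable/                    { n["iptables_unusable"]++;       next }
    /ebtables not usable/                    { n["ebtables_unusable"]++;       next }
    /ebtables .broute. table/                { n["ebtables_no_broute"]++;      next }
    /iptables-restore.*failed/               { n["iptables_restore_failed"]++; next }
    /ipset not usable/                       { n["ipset_unusable"]++;          next }
    /nf_conntrack_helper|INVALID_HELPER/     { n["conntrack_helper"]++;        next }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

# Overall state: "dead" if firewalld exited with no IPv4/IPv6 backend,
# "degraded" if it logged backend or helper failures only, else "clean".
firewalld_verdict() {
  local summary
  summary=$(triage_firewalld_log)
  case "$summary" in
    *fatal_no_backend*) echo dead ;;
    "")                 echo clean ;;
    *)                  echo degraded ;;
  esac
}

# Constructed samples: message text from the two logs quoted in this thread,
# with the timestamp and host prefixes dropped.
SAMPLE_Q="WARNING: ipset not usable, disabling ipset usage in firewall.
WARNING: INVALID_HELPER: 'nf_conntrack_ftp' is not available
WARNING: '/usr/sbin/iptables-restore --wait=2 -n' failed: iptables-restore: line 64 failed
WARNING: '/usr/sbin/ebtables-restore --noflush' failed: The kernel doesn't support the ebtables 'broute' table.
ERROR: COMMAND_FAILED"
SAMPLE_A3="WARNING: iptables not usable, disabling IPv4 firewall.
WARNING: ip6tables not usable, disabling IPv6 firewall.
WARNING: ebtables not usable, disabling ethernet bridge firewall.
FATAL ERROR: No IPv4 and IPv6 firewall."

printf '%s\n' "$SAMPLE_Q"  | triage_firewalld_log
printf '%s\n' "$SAMPLE_A3" | firewalld_verdict
```

On a live host, pipe the real journal in instead: `journalctl -u firewalld.service | firewalld_verdict`.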