Alibaba cloud firewall configuration, multiple settings (iptables and firewall)
2022-06-29 10:06:00 【Qingfeng ~】
Alibaba Cloud CentOS 7.6 comes with its own firewall, firewalld. I configured iptables myself. I didn't understand it at first; I thought the two were different, and it turned out that the two cannot both be turned on. Simply turning on firewalld is fine too, but I prefer the iptables configuration file for viewing the relevant configuration.
While investigating why the FTP server's web page could not be opened, I ran things repeatedly and found the problem.
vim /etc/sysconfig/iptables
All have to be opened.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#ssh port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#vsftpd
-A INPUT -p TCP --dport 61001:62000 -j ACCEPT
-A OUTPUT -p TCP --sport 61001:62000 -j ACCEPT
-A INPUT -p TCP --dport 20 -j ACCEPT
-A OUTPUT -p TCP --sport 20 -j ACCEPT
-A INPUT -p TCP --dport 21 -j ACCEPT
-A OUTPUT -p TCP --sport 21 -j ACCEPT
#mysql port
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
#tomcat remote debug port
-A INPUT -p tcp -m tcp --dport 5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
#nginx
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

systemctl restart iptables.service
systemctl enable iptables.service
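To check which TCP ports a ruleset like the one above accepts from any source address, and to confirm that each one is meant to be reachable, the rules file can be parsed directly. This is an added example, not code from the original post; the function names `open_input_ports` and `sample_rules` and the port 8443 rule are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list TCP ports an iptables-restore file ACCEPTs on INPUT from any source.
# Reads the ruleset on stdin; first-match is modelled only for an unconditional REJECT/DROP.
open_input_ports() {
  awk '
    /^#/ { label = $0; sub(/^#[ \t]*/, "", label); next }   # keep the section comment as a label
    $1 != "-A" || $2 != "INPUT" { next }
    {
      proto = ""; dport = ""; target = ""; restricted = 0; matches = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")                                        { proto = tolower($(i + 1)); matches = 1 }
        else if ($i == "--dport")                              { dport = $(i + 1); matches = 1 }
        else if ($i == "-s" || $i == "--source" || $i == "-i") { restricted = 1; matches = 1 }
        else if ($i == "-m")                                   { matches = 1 }
        else if ($i == "-j")                                   { target = $(i + 1) }
      }
      # An unconditional REJECT/DROP ends the chain: later rules never match.
      if ((target == "REJECT" || target == "DROP") && !matches) exit
      if (target == "ACCEPT" && proto == "tcp" && dport != "" && !restricted)
        printf "%s\t%s\n", dport, label
    }
  '
}

# Constructed sample: INPUT rules taken from the page, plus one constructed
# rule (port 8443) appended after the final REJECT to show it is unreachable.
sample_rules() {
  cat <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#ssh port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#vsftpd
-A INPUT -p TCP --dport 61001:62000 -j ACCEPT
-A INPUT -p TCP --dport 21 -j ACCEPT
#mysql port
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
#tomcat remote debug port
-A INPUT -p tcp -m tcp --dport 5005 -j ACCEPT
#nginx
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
EOF
}

sample_rules | open_input_ports
```

On the server itself, run `open_input_ports < /etc/sysconfig/iptables` to audit the live file.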
Note that the following is an example of an error; I didn't understand!
Firewall settings
Here the iptables settings are the firewall parameters. There is no need to add firewalld parameters; if you do, the page won't open.
I also added some parameters, and it really wouldn't open. In the end it became clear that the two cannot be configured at the same time.
The following parameters need not be added:
systemctl restart firewalld.service
firewall-cmd --permanent --list-port
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --zone=public --add-port=21/tcp --permanent
systemctl restart firewalld
firewall-cmd --permanent --list-port
The following are the previously opened ports. I tested it and, sure enough, the two cannot run at the same time; the web page would not open, so I won't post it here.
Now just run with the existing iptables configuration.
In short, you can't have both fish and bear's paw.
systemctl restart iptables.service
systemctl enable iptables.service
systemctl restart vsftpd.service
Open the web page, enter your account and password, and log in.
