The firewall in CentOS 7 is a very powerful feature; it is an upgrade of the iptables firewall used in CentOS 6.5. ("The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly." From the official documentation.)
A network zone defines the level of trust for a network connection. This is a one-to-many relationship: a connection can belong to only one zone, while a zone can serve many connections. The zones provided by firewalld are listed below in order from least trusted to most trusted.
firewalld zones
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
The predefined zone, service and ICMP-type definitions shipped with firewalld live under /usr/lib/firewalld:

```
[root@iZbp1hxo8urkhrybu3wwhyZ firewalld]# cd /usr/lib/firewalld
[root@iZbp1hxo8urkhrybu3wwhyZ firewalld]# ls
icmptypes  services  xmlschema  zones
[root@iZbp1hxo8urkhrybu3wwhyZ firewalld]# cd services/
[root@iZbp1hxo8urkhrybu3wwhyZ services]# ls
amanda-client.xml        high-availability.xml  ldap.xml         pmproxy.xml         samba.xml
bacula-client.xml        https.xml              libvirt-tls.xml  pmwebapis.xml       smtp.xml
bacula.xml               http.xml               libvirt.xml      pmwebapi.xml        ssh.xml
dhcpv6-client.xml        imaps.xml              mdns.xml         pop3s.xml           telnet.xml
dhcpv6.xml               ipp-client.xml         mountd.xml       postgresql.xml      tftp-client.xml
dhcp.xml                 ipp.xml                ms-wbt.xml       proxy-dhcp.xml      tftp.xml
dns.xml                  ipsec.xml              mysql.xml        radius.xml          transmission-client.xml
freeipa-ldaps.xml        iscsi-target.xml       nfs.xml          RH-Satellite-6.xml  vdsm.xml
freeipa-ldap.xml         kerberos.xml           ntp.xml          rpc-bind.xml        vnc-server.xml
freeipa-replication.xml  kpasswd.xml            openvpn.xml      rsyncd.xml          wbem-https.xml
ftp.xml                  ldaps.xml              pmcd.xml         samba-client.xml
[root@iZbp1hxo8urkhrybu3wwhyZ services]#
```
Site-specific configuration lives under /etc/firewalld; files placed in its icmptypes, services and zones directories take precedence over the defaults of the same name in /usr/lib/firewalld:

```
[root@iZbp1hxo8urkhrybu3wwhyZ firewalld]# cd /etc/firewalld/
[root@iZbp1hxo8urkhrybu3wwhyZ firewalld]# ls
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones
```
Open TCP port 8080 in the public zone in the permanent configuration, then reload so the change is applied to the running firewall:

```
[root@iZbp1hxo8urkhrybu3wwhyZ services]# firewall-cmd --zone=public --permanent --add-port=8080/tcp
success
[root@iZbp1hxo8urkhrybu3wwhyZ services]# firewall-cmd --reload
```

firewall-cmd --reload: reloads the rules so the change takes effect.
The zone definition for public (the default zone) looks like this; here a rich rule has been added that accepts TCP ports 10050-10051 from one source address (the address is left empty in the original):

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <rule family="ipv4">
    <source address=""/>
    <port protocol="tcp" port="10050-10051"/>
    <accept/>
  </rule>
</zone>
```

The file was opened with vim /usr/lib/firewalld/zones/public.xml. Keep in mind that /usr/lib/firewalld/zones holds the package defaults and is overwritten on package update; firewalld prefers a file of the same name under /etc/firewalld/zones, which is also where firewall-cmd --permanent writes, so persistent local changes belong there.
Restart, stop and start the service; on CentOS 7 the legacy service command is redirected to systemctl:

```
[root@iZbp1hxo8urkhrybu3wwhyZ zones]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZ zones]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZ zones]# service firewalld start
Redirecting to /bin/systemctl start firewalld.service
```
Check the daemon with systemctl status:

```
[root@iZbp1hxo8urkhrybu3wwhyZ zones]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-04-19 11:10:50 CST; 43s ago
 Main PID: 4290 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─4290 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 19 11:10:50 iZbp1hxo8urkhrybu3wwhyZ systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 19 11:10:50 iZbp1hxo8urkhrybu3wwhyZ systemd[1]: Started firewalld - dynamic firewall daemon.
```

Note the Loaded line: the unit is reported as disabled, so although the daemon is running now it will not come back after a reboot unless it is enabled with systemctl enable firewalld.
firewall-cmd --state reports whether the daemon is running:

```
[root@iZbp1hxo8urkhrybu3wwhyZ zones]# firewall-cmd --state
running
```
List the full configuration of the default zone:

```
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 10050/tcp 8080/tcp 10051/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
```
To go back to a classic iptables setup instead, stop and disable firewalld, install iptables-services and manage the rules in /etc/sysconfig/iptables:

```
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# service firewalld stop                 #### stop the firewalld service
Redirecting to /bin/systemctl stop firewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# systemctl disable firewalld.service    #### prevent firewalld from starting at boot
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# yum install iptables-services          ##### install iptables
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                     | 3.6 kB  00:00:00
epel                                                     | 4.3 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# vim /etc/sysconfig/iptables            ######## edit the iptables configuration file
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# service iptables start                 # start
[root@iZbp1hxo8urkhrybu3wwhyZ ~]# systemctl enable iptables.service      # enable the firewall at boot
```

Only one of the two should be enabled at a time: running firewalld and the iptables service together leaves each one overwriting the other's rules.
```
1. Basic use of firewalld
Start:        systemctl start firewalld
Show status:  systemctl status firewalld
Stop:         systemctl stop firewalld
Disable:      systemctl disable firewalld

2. systemctl is the main service-management tool in CentOS 7; it merges the functions of the old service and chkconfig commands.
Start a service:                         systemctl start firewalld.service
Stop a service:                          systemctl stop firewalld.service
Restart a service:                       systemctl restart firewalld.service
Show a service's status:                 systemctl status firewalld.service
Enable a service at boot:                systemctl enable firewalld.service
Disable a service at boot:               systemctl disable firewalld.service
Check whether a service starts at boot:  systemctl is-enabled firewalld.service
List enabled services:                   systemctl list-unit-files | grep enabled
List failed services:                    systemctl --failed

3. Configuring with firewall-cmd
Show version:                   firewall-cmd --version
Show help:                      firewall-cmd --help
Show state:                     firewall-cmd --state
List all open ports:            firewall-cmd --zone=public --list-ports
Reload firewall rules:          firewall-cmd --reload
Show active zones:              firewall-cmd --get-active-zones
Show the zone of an interface:  firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode): firewall-cmd --panic-on
Leave panic mode:               firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic

So how do you open a port?
Add:     firewall-cmd --zone=public --add-port=80/tcp --permanent   (--permanent makes the rule persist; without it the rule is lost after a restart)
Reload:  firewall-cmd --reload
Query:   firewall-cmd --zone=public --query-port=80/tcp
Remove:  firewall-cmd --zone=public --remove-port=80/tcp --permanent
```
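The runtime/permanent split described above is easy to get wrong in both directions: a port added without --permanent is silently gone after a reload, and one added with --permanent but never reloaded is not actually open. The following added example (not code from the original post) parses the text format that firewall-cmd --list-all prints, as shown earlier, and reports entries present at runtime but missing from the permanent configuration; both samples are constructed so the script runs without firewalld installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit what `firewall-cmd --list-all`
# reports and compare the runtime view with the --permanent view. Both samples
# are constructed to match the output format shown in the post, so the
# functions run without firewalld present.

RUNTIME_SAMPLE='public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 10050/tcp 8080/tcp 10051/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 10050/tcp 10051/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# list_field TEXT FIELD: print the values of a single-word field such as
# "ports" or "services", one per line, sorted.
list_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { for (i = 2; i <= NF; i++) print $i }' | sort
}

# is_open TEXT FIELD VALUE: succeed if VALUE (e.g. 8080/tcp or ssh) is listed.
is_open() {
    list_field "$1" "$2" | grep -qxF -- "$3"
}

# unpersisted RUNTIME PERMANENT FIELD: print entries active now but absent from
# the permanent configuration; these disappear on the next reload or reboot.
unpersisted() {
    rt=$(list_field "$1" "$3"); pm=$(list_field "$2" "$3")
    for v in $rt; do
        printf '%s\n' "$pm" | grep -qxF -- "$v" || printf '%s\n' "$v"
    done
}

# On a real host the same functions take live output, e.g.:
#   unpersisted "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)" ports
```

Run the reverse comparison (permanent first, runtime second) to find rules that were added with --permanent but have not been reloaded yet.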
(2) Adding a custom service on CentOS 7.x
CentOS system service unit directories:

```
/usr/lib/systemd/
/lib/systemd/system/
```

On CentOS 7, /lib is a symbolic link to /usr/lib, so /lib/systemd/system/ and /usr/lib/systemd/system/ are the same directory.
Create a unit file for nginx with vim /lib/systemd/system/nginx.service:

```ini
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```
ExecStart is the command that actually runs the service, ExecReload is the reload command and ExecStop is the stop command. PrivateTmp=true gives the service its own private temporary directory. Note: the start, reload and stop commands under [Service] must all be given as absolute paths. [Install] holds the installation settings; WantedBy=multi-user.target ties the service to the multi-user target.
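A small lint that enforces the rules just stated before a unit is installed, as an added example (not code from the original post): Exec* commands must be absolute paths, ExecStart must exist, and [Install] needs WantedBy= or systemctl enable has nothing to link. Both unit texts are constructed; UNIT_OK mirrors the nginx.service shown above, and UNIT_BAD is a deliberately broken variant.

```shell
#!/bin/sh
# Added example (not from the original post): lint a systemd unit before it is
# installed. Checks: Exec* values are absolute paths, ExecStart exists, and
# [Install] carries WantedBy=. Both unit texts are constructed.

UNIT_OK='[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target'

# Deliberately broken variant: relative ExecStart and no [Install] section.
UNIT_BAD='[Unit]
Description=nginx

[Service]
Type=forking
ExecStart=nginx
ExecStop=/usr/local/nginx/sbin/nginx -s quit'

# unit_value TEXT KEY: print the value of the first KEY= line (empty if absent).
unit_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# lint_unit TEXT: print one line per problem; exit 0 when clean, 1 otherwise.
lint_unit() {
    unit=$1; rc=0
    for key in ExecStart ExecReload ExecStop; do
        val=$(unit_value "$unit" "$key")
        [ -n "$val" ] || continue              # ExecReload/ExecStop are optional
        case "${val#[-@+!]}" in                 # drop one systemd prefix (-, @, +, !)
            /*) ;;
            *)  echo "$key is not an absolute path: $val"; rc=1 ;;
        esac
    done
    [ -n "$(unit_value "$unit" ExecStart)" ] || { echo "missing ExecStart="; rc=1; }
    printf '%s\n' "$unit" | grep -qx '\[Install\]' || { echo "missing [Install] section"; rc=1; }
    [ -n "$(unit_value "$unit" WantedBy)" ] || { echo "missing WantedBy= under [Install]"; rc=1; }
    return $rc
}
```

On a real host, feed it the file contents with lint_unit "$(cat /lib/systemd/system/nginx.service)" and only run systemctl enable when it exits 0.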
Set the file mode and check it:

```
[root@iZbp1h901rvv69gdzz4l75Z system]# chmod 745 /lib/systemd/system/nginx.service
[root@iZbp1h901rvv69gdzz4l75Z system]# ll /lib/systemd/system/nginx.service
-rwxr-xr-- 1 root root 258 Apr 19 14:39 nginx.service
```

Unit files are configuration read by systemd, not executables, so the execute bit is unnecessary; the 644 mode used by the other unit files in this directory is sufficient.
Enable the service at boot and confirm it is listed as enabled:

```
[root@iZbp1h901rvv69gdzz4l75Z system]# systemctl enable nginx.service
[root@iZbp1h901rvv69gdzz4l75Z system]# systemctl list-unit-files|grep enabled|grep nginx.service
nginx.service                               enabled
```
systemctl is the system service manager command; it effectively combines the service and chkconfig commands into one.
| Task | Old command | New command |
|---|---|---|
| Enable a service at boot | chkconfig --level 3 httpd on | systemctl enable httpd.service |
| Disable a service at boot | chkconfig --level 3 httpd off | systemctl disable httpd.service |
| Check service status | service httpd status | systemctl status httpd.service (detailed information); systemctl is-active httpd.service (only whether it is active) |
| Show all started services | chkconfig --list | systemctl list-units \| grep enabled |
| Start a service | service httpd start | systemctl start httpd.service |
| Stop a service | service httpd stop | systemctl stop httpd.service |
| Restart a service | service httpd restart | systemctl restart httpd.service |
```
Start the nginx service:              systemctl start nginx.service
Enable it at boot:                    systemctl enable nginx.service
Disable it at boot:                   systemctl disable nginx.service
Show the current service status:      systemctl status nginx.service
Restart the service:                  systemctl restart nginx.service
List all running services:            systemctl list-units --type=service
List the dependency tree of all services, or of one named service:
                                      systemctl list-dependencies [service-name]
```
1. List all available units
# systemctl list-unit-files
2. List all running units
# systemctl list-units
3. List all failed units
# systemctl --failed
4. Check whether a unit (e.g. crond.service) is enabled
# systemctl is-enabled crond.service
5. List all services
# systemctl list-unit-files --type=service
List all enabled services: systemctl list-unit-files|grep enabled
6. How to start, restart, stop and reload a service and check its status (e.g. httpd.service) on Linux
# systemctl start httpd.service
# systemctl restart httpd.service
# systemctl stop httpd.service
# systemctl reload httpd.service
# systemctl status httpd.service
7. How to check whether a service is active and enable or disable it at boot (i.e. start mysql.service automatically at system startup)
# systemctl is-active mysql.service
# systemctl enable mysql.service
# systemctl disable mysql.service
8. Kill a service with systemctl
# systemctl kill crond
9. Show all configuration details of a service
# systemctl show mysql
This article is reposted from lqbyz's 51CTO blog; original link: http://blog.51cto.com/liqingbiao/1917393