Centos7.X自带的防火墙和服务的相关的配置

前端之家收集整理的这篇文章主要介绍了Centos7.X自带的防火墙和服务的相关的配置前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

centos7.0版本之后相对于以前的版本更改行还是很大的,原先在6.5版本之前命令和配置文件大致都差不多,自7.0版本之后一些功能都有较大的改变,接下来会从防火墙和服务的相关配置来进行剖析。


(一)防火墙firewall的相关介绍及配置

CentOS 7中防火墙是一个非常的强大的功能,在CentOS 6.5中在iptables防火墙中进行了升级了。(he dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly-----官方文档)

firewall--区域zone

网络区域定义了网络连接的可信等级。这是一个 一对多的关系,这意味着一次连接可以仅仅是一个区域的一部分,而一个区域可以用于很多连接。那个区域是否可用室友firewall提供的区域按照从不信任到信任的顺序排序。


firewall 分类

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:

drop
Any incoming network packets are dropped,there is no reply. Only outgoing network connections are possible.

block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager,they are assigned to the default zone. On installation,the default zone in firewalld is set to be the public zone.


firewall相关的配置:

1,系统配置目录:/usr/lib/firewalld

[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cd/usr/lib/firewalld
[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#ls
icmptypesservicesxmlschemazones
[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cdservices/
[root@iZbp1hxo8urkhrybu3wwhyZservices]#ls
amanda-client.xmlhigh-availability.xmlldap.xmlpmproxy.xmlsamba.xml
bacula-client.xmlhttps.xmllibvirt-tls.xmlpmwebapis.xmlsmtp.xml
bacula.xmlhttp.xmllibvirt.xmlpmwebapi.xmlssh.xml
dhcpv6-client.xmlimaps.xmlmdns.xmlpop3s.xmltelnet.xml
dhcpv6.xmlipp-client.xmlmountd.xmlpostgresql.xmltftp-client.xml
dhcp.xmlipp.xmlms-wbt.xmlproxy-dhcp.xmltftp.xml
dns.xmlipsec.xmlMysqL.xmlradius.xmltransmission-client.xml
freeipa-ldaps.xmliscsi-target.xmlnfs.xmlRH-Satellite-6.xmlvdsm.xml
freeipa-ldap.xmlkerberos.xmlntp.xmlrpc-bind.xmlvnc-server.xml
freeipa-replication.xmlkpasswd.xmlopenvpn.xmlrsyncd.xmlwbem-https.xml
ftp.xmlldaps.xmlpmcd.xmlsamba-client.xml
[root@iZbp1hxo8urkhrybu3wwhyZservices]#

注意:目录中存放定义好的网络服务和端口参数,系统参数,不能修改


2,用户配置目录:/etc/firewalld/

[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cd/etc/firewalld/
[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#ls
firewalld.conficmptypeslockdown-whitelist.xmlserviceszones


3,用户如何自定义添加端口,分为使用命令行添加修改相关的配置文件

3.1,使用命令的方式添加

[root@iZbp1hxo8urkhrybu3wwhyZservices]#firewall-cmd--zone=public--permanent--add-port=8080/tcp
success
[root@iZbp1hxo8urkhrybu3wwhyZservices]#firewall-cmd--reload

参数介绍:

1、firewall-cmd:是Linux提供的操作firewall的一个工具;

2、--permanent:表示设置为持久;

3、--add-port:标识添加的端口

4、--zone:指定某个区域

5、firewall-cmd --reload :重启生效

3.2修改配置文件方式添加端口

[root@iZbp1hxo8urkhrybu3wwhyZzones]#vim/usr/lib/firewalld/zones/public.xml
<?xmlversion="1.0"encoding="utf-8"?>
<zone>
<short>Public</short>
<description>Foruseinpublicareas.Youdonottrusttheothercomputersonnetworkstonotharmyourcomputer.O
nlyselectedincomingconnectionsareaccepted.</description>
<servicename="ssh"/>
<servicename="dhcpv6-client"/>
<rulefamily="ipv4">
<sourceaddress="127.0.0.1"/>
<portprotocol="tcp"port="10050-10051"/>
<accept/>
</rule>
</zone>


firewall常用命令:

1,重启,关闭开启firewall.service服务

[root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldrestart
Redirectingto/bin/systemctlrestartfirewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldstop
Redirectingto/bin/systemctlstopfirewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldstart
Redirectingto/bin/systemctlstartfirewalld.service

2,查看firewalld服务状态:

[root@iZbp1hxo8urkhrybu3wwhyZzones]#systemctlstatusfirewalld
●firewalld.service-firewalld-dynamicfirewalldaemon
Loaded:loaded(/usr/lib/systemd/system/firewalld.service;disabled;vendorpreset:enabled)
Active:active(running)sinceWed2017-04-1911:10:50CST;43sago
MainPID:4290(firewalld)
CGroup:/system.slice/firewalld.service
└─4290/usr/bin/python-Es/usr/sbin/firewalld--nofork--nopid
Apr1911:10:50iZbp1hxo8urkhrybu3wwhyZsystemd[1]:Startingfirewalld-dynamicfirewalldaemon...
Apr1911:10:50iZbp1hxo8urkhrybu3wwhyZsystemd[1]:Startedfirewalld-dynamicfirewalldaemon.

3,查看firewall的状态

[root@iZbp1hxo8urkhrybu3wwhyZzones]#firewall-cmd--state
running

4,查看防火墙firewall规则

[root@iZbp1hxo8urkhrybu3wwhyZ~]#firewall-cmd--list-all
public(default)
interfaces:
sources:
services:dhcpv6-clientssh
ports:10050/tcp8080/tcp10051/tcp
masquerade:no
forward-ports:
icmp-blocks:
richrules:


后注:如果感觉firewall防火墙玩不好,可以关闭firewall而安装iptables,具体步骤如下

[root@iZbp1hxo8urkhrybu3wwhyZ~]#servicefirewalldstop####停止firewalld服务
Redirectingto/bin/systemctlstopfirewalld.service
[root@iZbp1hxo8urkhrybu3wwhyZ~]#systemctldisablefirewalld.service####禁止firewalld开机启动
[root@iZbp1hxo8urkhrybu3wwhyZ~]#yuminstalliptables-services#####安装iptables
Loadedplugins:fastestmirror
Repodataisover2weeksold.Installyum-cron?Orrun:yummakecachefast
base|3.6kB00:00:00
epel|4.3kB00:00:00
extras|3.4kB00:00:00
updates|3.4kB00:00:00
[root@iZbp1hxo8urkhrybu3wwhyZ~]#vim/etc/sysconfig/iptables########编辑iptables配置文件
[root@iZbp1hxo8urkhrybu3wwhyZ~]#serviceiptablesstart#开启
[root@iZbp1hxo8urkhrybu3wwhyZ~]#systemctlenableiptables.service#设置防火墙开机启动


备注:centos7.Xfireward防火墙基本使用:

1、firewalld的基本使用
启动:systemctlstartfirewalld
查看状态:systemctlstatusfirewalld
停止:systemctldisablefirewalld
禁用:systemctlstopfirewalld

2.systemctl是CentOS7的服务管理工具中主要的工具,它融合之前service和chkconfig的功能于一体。
启动一个服务:systemctlstartfirewalld.service关闭一个服务:systemctlstopfirewalld.service重启一个服务:systemctlrestartfirewalld.service显示一个服务的状态:systemctlstatusfirewalld.service在开机时启用一个服务:systemctlenablefirewalld.service在开机时禁用一个服务:systemctldisablefirewalld.service查看服务是否开机启动:systemctlis-enabledfirewalld.service查看已启动的服务列表:systemctllist-unit-files|grepenabled查看启动失败的服务列表:systemctl--Failed
3.配置firewalld-cmd
查看版本:firewall-cmd--version
查看帮助:firewall-cmd--help
显示状态:firewall-cmd--state
查看所有打开的端口:firewall-cmd--zone=public--list-ports
更新防火墙规则:firewall-cmd--reload
查看区域信息:firewall-cmd--get-active-zones
查看指定接口所属区域:firewall-cmd--get-zone-of-interface=eth0
拒绝所有包:firewall-cmd--panic-on
取消拒绝状态:firewall-cmd--panic-off
查看是否拒绝:firewall-cmd--query-panic

那怎么开启一个端口呢
添加
firewall-cmd--zone=public--add-port=80/tcp--permanent(--permanent永久生效,没有此参数重启后失效)
重新载入
firewall-cmd--reload
查看
firewall-cmd--zone=public--query-port=80/tcp
删除
firewall-cmd--zone=public--remove-port=80/tcp--permanent



(二)centos 7.x添加自定义服务

Centos 系统服务脚本目录:

/usr/lib/systemd/

有系统(system)和用户(user)之分,

如需要开机没有登陆情况下就能运行的程序,存在系统服务(system)里,即:

/lib/systemd/system/

反之,用户登录后才能运行的程序,存在用户(user)里

服务以.service结尾。

这边以Nginx开机运行为例


1,建立服务文件

[root@iZbp1h901rvv69gdzz4l75Zsystem]#vimNginx.service
[Unit]
Description=Nginx
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/Nginx/sbin/Nginx
ExecReload=/usr/local/Nginx/sbin/Nginx-sreload
ExecStop=/usr/local/Nginx/sbin/Nginx-squit
PrivateTmp=true
[Install]
WantedBy=multi-user.target

说明:

Unit]:服务的说明

Description:描述服务
After:描述服务类别

[Service]服务运行参数的设置

Type=forking是后台运行的形式
ExecStart为服务的具体运行命令
ExecReload为重启命令
ExecStop为停止命令
PrivateTmp=True表示给服务分配独立的临时空间
注意:[Service]的启动、重启、停止命令全部要求使用绝对路径

[Install]服务安装的相关设置,可设置为多用户


2,保存该文件,并赋予754权限

[root@iZbp1h901rvv69gdzz4l75Zsystem]#chmod754Nginx.service
[root@iZbp1h901rvv69gdzz4l75Zsystem]#llNginx.service
-rwxr-xr--1rootroot258Apr1914:39Nginx.service

3,设置开机自启动

[root@iZbp1h901rvv69gdzz4l75Zsystem]#systemctlenableNginx.service
[root@iZbp1h901rvv69gdzz4l75Zsystem]#systemctllist-unit-files|grepenabled|grepNginx.service
Nginx.serviceenabled




其他相关的命令

systemctl 是系统服务管理器命令,它实际上将 service 和 chkconfig 这两个命令组合到一起。

检查服务状态启动某服务重启某服务
任务 旧指令 新指令
使某服务自动启动 chkconfig �Clevel 3 httpd on systemctl enable httpd.service
使某服务不自动启动 chkconfig �Clevel 3 httpd off systemctl disable httpd.service
service httpd status systemctl statushttpd.service (服务详细信息) systemctl is-active httpd.service (仅显示是否 Active)
显示所有已启动的服务 chkconfig �Clist systemctl list-units |grep enabled
service httpd start systemctl start httpd.service
停止某服务 service httpd stop systemctl stop httpd.service
service httpd restart systemctl restart httpd.service
启动Nginx服务
systemctlstartNginx.service
设置开机自启动
systemctlenableNginx.service
停止开机自启动
systemctldisableNginx.service
查看服务当前状态
systemctlstatusNginx.service
重新启动服务
systemctlrestartNginx.service
查看所有已启动的服务
systemctllist-units--type=service
分类:网络
列出所有服务的层级和依赖关系,可以指定某个服务
systemctllist-dependencies[服务名称]




备注:

  1. 列出所有可用单元

  # systemctl list-unit-files

  2. 列出所有运行中单元

  # systemctl list-units

  3. 列出所有失败单元

  # systemctl �CFailed

  4. 检查某个单元(如 crond.service)是否启用

  # systemctl is-enabled crond.service

  5. 列出所有服务

  # systemctl list-unit-files �Ctype=service

列出所有服务:systemctl list-unit-files|grep enabled

6. Linux中如何启动、重启、停止、重载服务以及检查服务(如 httpd.service)状态

  # systemctl start httpd.service

  # systemctl restart httpd.service

  # systemctl stop httpd.service

  # systemctl reload httpd.service

  # systemctl status httpd.service

  注意:当我们使用systemctl的start,restart,stop和reload命令时,终端不会输出任何内容,只有status命令可以打印输出

7. 如何激活服务并在开机时启用或禁用服务(即系统启动时自动启动MysqL.service服务)

  # systemctl is-active MysqL.service

  # systemctl enable MysqL.service

  # systemctl disable MysqL.service

8. 使用systemctl命令杀死服务

  # systemctl kill crond

9. 检查某个服务的所有配置细节

  # systemctl show MysqL




附注:RHEL7和RHEL6的主要变化

RHEL7RHEL6的主要变化


RHEL7

RHEL6

文件系统

XFS

EXT4

内核版本

3.10.x-x系列

2.6.x-x系列

内核名称

Maipo

Santiago

发布时间

2014-06-093.10.0-123

2010-11-092.6.32-71

进程名称

systemd

init

运行级别

runlevel0.target->poweroff.target

runlevel1.target->rescue.target

runlevel2.target->multi-user.target

runlevel3.target->multi-user.target

runlevel4.target->multi-user.target

runlevel5.target->graphical.target

runlevel6.target->reboot.target

/etc/systemd/system/default.target

runlevel0

runlevel1

runlevel2

runlevel3

runlevel4

runlevel5

runlevel6

/etc/inittab

主机名称

/etc/hostname

/etc/sysconfig/network

容量上限

500TB

16TB

内存上限

64TB

-

cpu个数

5120个,SMP(Symmetric Multi-Processors)技术


检查工具

xfs.repair

e2fsck

启动工具

GRUB2

GRUB0.97

服务启动

Systemd

Upstart

服务管理

systemctl enable xxx.service

systemctl start xxx.service

systemctl stop xxx.service

systemctl restart xxx.service

兼容chkconfigservice命令

service enable xxx.service

service stop xxx.service

service start xxx.service

chkconfig --level 3 5 nfs on

防火墙

Firewalld兼容Iptables

Iptables

网络绑定

Team Driver

Bonding

网络时间

Chronyntpd

ntpd

NFS版本

NFS4.1支持NFSv3NFSv4.0NFSv4.1客户端

NFS4

集群管理工具

Pacemaker

Rgmanager

负载均衡工具

KeepalivedHAProxy

Rgmanager

桌面环境

GNOME3,KDE4.10

GNOME2

数据库

MariaDB

MysqL

RHEL7RHEL6的管理命令和配置文件的变化



订阅信息

RHEL7

RHEL6

订阅信息工具

subscription-manager identity

/etc/sysconfig/rhn/systemid

subscription-manager identity

配置订阅信息

subscription-manager rhn_register

rhn_register rhnreg_kssubscription-manager identity

基本配置

RHEL7

RHEL6

GUI配置工具

gnome-control-center

system-config-*

网络配置工具

nmcli nmtui nm-connection-editor

system-config-network

语言配置工具

localectl

system-config-language

时间配置工具

timedatectl date

system-config-date date

时间同步

ntpdate /etc/chrony.conf

ntpdate /etc/ntp.conf

键盘配置

localectl

system-config-keyboard

服务管理

RHEL6

服务列表

systemctl -at service

ls /{usr/lib,etc}/systemd/system/*.service

chkconfig

ls /etc/init.d/

服务启动

systemctl start name.service

service name start

服务停止

systemctl stop name.service

service name stop

服务查看

systemctl status name.service

service namestatus

服务重启

systemctl restart name.service

service namerestart

服务开机自启

systemctlenablename.service

chkconfig name on

服务开机不自启

systemctl disablename.service

chkconfig name off

添加服务

systemctl daemon-reload

achkconfig --add

服务列表查看

systemctl -t service --state=active

service --status-all

查看运行级别

systemctl get-default

runlevel

修改运行级别

systemctl isolate name.target

init runlevel

init runlevel

日志文件

/etc/rsyslog.conf

/etc/rsyslog.d/*.conf

/var/log/journal/

/etc/systemd/journald.conf

/etc/rsyslog.conf

查看日志文件

/var/log/

/var/log/journalctl

内核硬件

RHEL7

RHEL6

启动提示

append rd.break or init=/bin/bash to kernel cmdline

append 1 or s or init=/bin/bash to kernel cmdline

关闭系统

systemctlshutdown

shutdown

关闭电源

systemctl poweroff

poweroff

挂起系统

systemctl halt

halt

重启系统

systemctlreboot

reboot

修改运行级别

systemctl set-default

/etc/inittab

配置GRUB

/etc/default/grub

grub2-mkconfig

grub-set-default

/boot/grub/grub.conf

软件管理

RHEL7

RHEL6

安装软件包

yum install

yum group install

yum install

yum groupinstall

查看软件包

yum info

yum group info

yum info

yum groupinfo

文件系统

RHEL7

RHEL6

建立文件系统

fdisk parted gdisk

fdisk parted

LVM管理

vgextend lvextend xfs_growfs

vgextend lvextend resize2fs

网络接口配置

RHEL7

RHEL6

配置名称

/etc/hosts

/etc/resolv.conf

nmcli conmod

/etc/hosts

/etc/resolv.conf

主机名称配置

/etc/hostname

hostnamectl

nmcli

/etc/sysconfig/network

Ip地址配置

ip addr

nmcli dev

show

teamdctl

brctl

bridge

ip add

ifconfig

brctl

配置防火墙

firewall-cmd

firewall-config

iptables&ip6tables

/etc/sysconfig/ip*tables

system-config-firewall

查看端口命令

ss

lsof

netstat

ss

lsof

猜你在找的CentOS相关文章