centos7.0版本之后相对于以前的版本更改行还是很大的,原先在6.5版本之前命令和配置文件大致都差不多,自7.0版本之后一些功能都有较大的改变,接下来会从防火墙和服务的相关配置来进行剖析。
(一)防火墙firewall的相关介绍及配置
CentOS 7中防火墙是一个非常的强大的功能,在CentOS 6.5中在iptables防火墙中进行了升级了。(he dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly-----官方文档)
firewall--区域zone
网络区域定义了网络连接的可信等级。这是一个 一对多的关系,这意味着一次连接可以仅仅是一个区域的一部分,而一个区域可以用于很多连接。那个区域是否可用室友firewall提供的区域按照从不信任到信任的顺序排序。
firewall 分类
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface’s assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped,there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager,they are assigned to the default zone. On installation,the default zone in firewalld is set to be the public zone.
firewall相关的配置:
1,系统配置目录:/usr/lib/firewalld
[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cd/usr/lib/firewalld [root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#ls icmptypesservicesxmlschemazones [root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cdservices/ [root@iZbp1hxo8urkhrybu3wwhyZservices]#ls amanda-client.xmlhigh-availability.xmlldap.xmlpmproxy.xmlsamba.xml bacula-client.xmlhttps.xmllibvirt-tls.xmlpmwebapis.xmlsmtp.xml bacula.xmlhttp.xmllibvirt.xmlpmwebapi.xmlssh.xml dhcpv6-client.xmlimaps.xmlmdns.xmlpop3s.xmltelnet.xml dhcpv6.xmlipp-client.xmlmountd.xmlpostgresql.xmltftp-client.xml dhcp.xmlipp.xmlms-wbt.xmlproxy-dhcp.xmltftp.xml dns.xmlipsec.xmlMysqL.xmlradius.xmltransmission-client.xml freeipa-ldaps.xmliscsi-target.xmlnfs.xmlRH-Satellite-6.xmlvdsm.xml freeipa-ldap.xmlkerberos.xmlntp.xmlrpc-bind.xmlvnc-server.xml freeipa-replication.xmlkpasswd.xmlopenvpn.xmlrsyncd.xmlwbem-https.xml ftp.xmlldaps.xmlpmcd.xmlsamba-client.xml [root@iZbp1hxo8urkhrybu3wwhyZservices]#
注意:目录中存放定义好的网络服务和端口参数,系统参数,不能修改。
2,用户配置目录:/etc/firewalld/
[root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#cd/etc/firewalld/ [root@iZbp1hxo8urkhrybu3wwhyZfirewalld]#ls firewalld.conficmptypeslockdown-whitelist.xmlserviceszones
3,用户如何自定义添加端口,分为使用命令行添加和修改相关的配置文件。
3.1,使用命令的方式添加
[root@iZbp1hxo8urkhrybu3wwhyZservices]#firewall-cmd--zone=public--permanent--add-port=8080/tcp success [root@iZbp1hxo8urkhrybu3wwhyZservices]#firewall-cmd--reload
参数介绍:
1、firewall-cmd:是Linux提供的操作firewall的一个工具;
2、--permanent:表示设置为持久;
3、--add-port:标识添加的端口
4、--zone:指定某个区域
5、firewall-cmd --reload :重启生效
[root@iZbp1hxo8urkhrybu3wwhyZzones]#vim/usr/lib/firewalld/zones/public.xml <?xmlversion="1.0"encoding="utf-8"?> <zone> <short>Public</short> <description>Foruseinpublicareas.Youdonottrusttheothercomputersonnetworkstonotharmyourcomputer.O nlyselectedincomingconnectionsareaccepted.</description> <servicename="ssh"/> <servicename="dhcpv6-client"/> <rulefamily="ipv4"> <sourceaddress="127.0.0.1"/> <portprotocol="tcp"port="10050-10051"/> <accept/> </rule> </zone>
firewall常用命令:
1,重启,关闭开启firewall.service服务
[root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldrestart Redirectingto/bin/systemctlrestartfirewalld.service [root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldstop Redirectingto/bin/systemctlstopfirewalld.service [root@iZbp1hxo8urkhrybu3wwhyZzones]#servicefirewalldstart Redirectingto/bin/systemctlstartfirewalld.service
2,查看firewalld服务状态:
[root@iZbp1hxo8urkhrybu3wwhyZzones]#systemctlstatusfirewalld ●firewalld.service-firewalld-dynamicfirewalldaemon Loaded:loaded(/usr/lib/systemd/system/firewalld.service;disabled;vendorpreset:enabled) Active:active(running)sinceWed2017-04-1911:10:50CST;43sago MainPID:4290(firewalld) CGroup:/system.slice/firewalld.service └─4290/usr/bin/python-Es/usr/sbin/firewalld--nofork--nopid Apr1911:10:50iZbp1hxo8urkhrybu3wwhyZsystemd[1]:Startingfirewalld-dynamicfirewalldaemon... Apr1911:10:50iZbp1hxo8urkhrybu3wwhyZsystemd[1]:Startedfirewalld-dynamicfirewalldaemon.
3,查看firewall的状态
[root@iZbp1hxo8urkhrybu3wwhyZzones]#firewall-cmd--state running
4,查看防火墙firewall规则
[root@iZbp1hxo8urkhrybu3wwhyZ~]#firewall-cmd--list-all public(default) interfaces: sources: services:dhcpv6-clientssh ports:10050/tcp8080/tcp10051/tcp masquerade:no forward-ports: icmp-blocks: richrules:
后注:如果感觉firewall防火墙玩不好,可以关闭firewall而安装iptables,具体步骤如下
[root@iZbp1hxo8urkhrybu3wwhyZ~]#servicefirewalldstop####停止firewalld服务 Redirectingto/bin/systemctlstopfirewalld.service [root@iZbp1hxo8urkhrybu3wwhyZ~]#systemctldisablefirewalld.service####禁止firewalld开机启动 [root@iZbp1hxo8urkhrybu3wwhyZ~]#yuminstalliptables-services#####安装iptables Loadedplugins:fastestmirror Repodataisover2weeksold.Installyum-cron?Orrun:yummakecachefast base|3.6kB00:00:00 epel|4.3kB00:00:00 extras|3.4kB00:00:00 updates|3.4kB00:00:00 [root@iZbp1hxo8urkhrybu3wwhyZ~]#vim/etc/sysconfig/iptables########编辑iptables配置文件 [root@iZbp1hxo8urkhrybu3wwhyZ~]#serviceiptablesstart#开启 [root@iZbp1hxo8urkhrybu3wwhyZ~]#systemctlenableiptables.service#设置防火墙开机启动
备注:centos7.Xfireward防火墙基本使用:
1、firewalld的基本使用 启动:systemctlstartfirewalld 查看状态:systemctlstatusfirewalld 停止:systemctldisablefirewalld 禁用:systemctlstopfirewalld 2.systemctl是CentOS7的服务管理工具中主要的工具,它融合之前service和chkconfig的功能于一体。 启动一个服务:systemctlstartfirewalld.service关闭一个服务:systemctlstopfirewalld.service重启一个服务:systemctlrestartfirewalld.service显示一个服务的状态:systemctlstatusfirewalld.service在开机时启用一个服务:systemctlenablefirewalld.service在开机时禁用一个服务:systemctldisablefirewalld.service查看服务是否开机启动:systemctlis-enabledfirewalld.service查看已启动的服务列表:systemctllist-unit-files|grepenabled查看启动失败的服务列表:systemctl--Failed 3.配置firewalld-cmd 查看版本:firewall-cmd--version 查看帮助:firewall-cmd--help 显示状态:firewall-cmd--state 查看所有打开的端口:firewall-cmd--zone=public--list-ports 更新防火墙规则:firewall-cmd--reload 查看区域信息:firewall-cmd--get-active-zones 查看指定接口所属区域:firewall-cmd--get-zone-of-interface=eth0 拒绝所有包:firewall-cmd--panic-on 取消拒绝状态:firewall-cmd--panic-off 查看是否拒绝:firewall-cmd--query-panic 那怎么开启一个端口呢 添加 firewall-cmd--zone=public--add-port=80/tcp--permanent(--permanent永久生效,没有此参数重启后失效) 重新载入 firewall-cmd--reload 查看 firewall-cmd--zone=public--query-port=80/tcp 删除 firewall-cmd--zone=public--remove-port=80/tcp--permanent
Centos 系统服务脚本目录:
/usr/lib/systemd/
有系统(system)和用户(user)之分,
如需要开机没有登陆情况下就能运行的程序,存在系统服务(system)里,即:
/lib/systemd/system/
服务以.service结尾。
这边以Nginx开机运行为例
1,建立服务文件
[root@iZbp1h901rvv69gdzz4l75Zsystem]#vimNginx.service [Unit] Description=Nginx After=network.target [Service] Type=forking ExecStart=/usr/local/Nginx/sbin/Nginx ExecReload=/usr/local/Nginx/sbin/Nginx-sreload ExecStop=/usr/local/Nginx/sbin/Nginx-squit PrivateTmp=true [Install] WantedBy=multi-user.target
说明:
Unit]:服务的说明
Description:描述服务
After:描述服务类别
[Service]服务运行参数的设置
Type=forking是后台运行的形式
ExecStart为服务的具体运行命令
ExecReload为重启命令
ExecStop为停止命令
PrivateTmp=True表示给服务分配独立的临时空间
注意:[Service]的启动、重启、停止命令全部要求使用绝对路径
[Install]服务安装的相关设置,可设置为多用户
2,保存该文件,并赋予754权限
[root@iZbp1h901rvv69gdzz4l75Zsystem]#chmod754Nginx.service [root@iZbp1h901rvv69gdzz4l75Zsystem]#llNginx.service -rwxr-xr--1rootroot258Apr1914:39Nginx.service
3,设置开机自启动
[root@iZbp1h901rvv69gdzz4l75Zsystem]#systemctlenableNginx.service [root@iZbp1h901rvv69gdzz4l75Zsystem]#systemctllist-unit-files|grepenabled|grepNginx.service Nginx.serviceenabled
其他相关的命令
systemctl 是系统服务管理器命令,它实际上将 service 和 chkconfig 这两个命令组合到一起。
| 任务 | 旧指令 | 新指令 |
| 使某服务自动启动 | chkconfig �Clevel 3 httpd on | systemctl enable httpd.service |
| 使某服务不自动启动 | chkconfig �Clevel 3 httpd off | systemctl disable httpd.service |
| service httpd status | systemctl statushttpd.service (服务详细信息) systemctl is-active httpd.service (仅显示是否 Active) | |
| 显示所有已启动的服务 | chkconfig �Clist | systemctl list-units |grep enabled |
| service httpd start | systemctl start httpd.service | |
| 停止某服务 | service httpd stop | systemctl stop httpd.service |
| service httpd restart | systemctl restart httpd.service |
启动Nginx服务 systemctlstartNginx.service 设置开机自启动 systemctlenableNginx.service 停止开机自启动 systemctldisableNginx.service 查看服务当前状态 systemctlstatusNginx.service 重新启动服务 systemctlrestartNginx.service 查看所有已启动的服务 systemctllist-units--type=service 分类:网络 列出所有服务的层级和依赖关系,可以指定某个服务 systemctllist-dependencies[服务名称]
备注:
1. 列出所有可用单元
# systemctl list-unit-files
2. 列出所有运行中单元
# systemctl list-units
3. 列出所有失败单元
# systemctl �CFailed
4. 检查某个单元(如 crond.service)是否启用
# systemctl is-enabled crond.service
5. 列出所有服务
# systemctl list-unit-files �Ctype=service
列出所有服务:systemctl list-unit-files|grep enabled
6. Linux中如何启动、重启、停止、重载服务以及检查服务(如 httpd.service)状态
# systemctl start httpd.service
# systemctl restart httpd.service
# systemctl stop httpd.service
# systemctl reload httpd.service
# systemctl status httpd.service
注意:当我们使用systemctl的start,restart,stop和reload命令时,终端不会输出任何内容,只有status命令可以打印输出。
7. 如何激活服务并在开机时启用或禁用服务(即系统启动时自动启动MysqL.service服务)
# systemctl is-active MysqL.service
# systemctl enable MysqL.service
# systemctl disable MysqL.service
8. 使用systemctl命令杀死服务
# systemctl kill crond
9. 检查某个服务的所有配置细节
# systemctl show MysqL
附注:RHEL7和RHEL6的主要变化
RHEL7和RHEL6的主要变化 |
||
RHEL6 |
||
文件系统 |
@H_502_393@EXT4 |
|
内核版本 |
@H_502_393@2.6.x-x系列 |
|
内核名称 |
@H_502_393@Santiago |
|
发布时间 |
@H_502_393@2010-11-09(2.6.32-71) |
|
进程名称 |
@H_502_393@init |
|
运行级别 |
@H_502_393@runlevel0 runlevel1 runlevel2 runlevel3 runlevel4 runlevel5 runlevel6 /etc/inittab |
|
主机名称 |
@H_502_393@/etc/sysconfig/network |
|
容量上限 |
@H_502_393@16TB |
|
内存上限 |
@H_502_393@- |
|
cpu个数 |
@H_502_393@||
检查工具 |
@H_502_393@e2fsck |
|
启动工具 |
@H_502_393@GRUB0.97 |
|
服务启动 |
@H_502_393@Upstart |
|
服务管理 |
@H_502_393@service enable xxx.service service stop xxx.service service start xxx.service chkconfig --level 3 5 nfs on |
|
防火墙 |
@H_502_393@Iptables |
|
网络绑定 |
@H_502_393@Bonding |
|
网络时间 |
@H_502_393@ntpd |
|
NFS版本 |
@H_502_393@NFS4 |
|
集群管理工具 |
@H_502_393@Rgmanager |
|
负载均衡工具 |
@H_502_393@Rgmanager |
|
桌面环境 |
@H_502_393@GNOME2 |
|
| @H_502_393@ | ||
RHEL7和RHEL6的管理命令和配置文件的变化 |
@H_502_393@||
订阅信息 |
@H_502_393@RHEL6 |
|
订阅信息工具 |
@H_502_393@/etc/sysconfig/rhn/systemid subscription-manager identity |
|
配置订阅信息 |
@H_502_393@rhn_register rhnreg_kssubscription-manager identity |
|
基本配置 |
@H_502_393@RHEL6 |
|
GUI配置工具 |
@H_502_393@system-config-* |
|
网络配置工具 |
@H_502_393@system-config-network |
|
语言配置工具 |
@H_502_393@system-config-language |
|
时间配置工具 |
@H_502_393@system-config-date date |
|
时间同步 |
@H_502_393@ntpdate /etc/ntp.conf |
|
键盘配置 |
@H_502_393@system-config-keyboard |
|
服务管理 |
@H_502_393@||
服务列表 |
@H_502_393@chkconfig ls /etc/init.d/ |
|
服务启动 |
@H_502_393@service name start |
|
服务停止 |
@H_502_393@service name stop |
|
服务查看 |
@H_502_393@service namestatus |
|
服务重启 |
@H_502_393@service namerestart |
|
服务开机自启 |
@H_502_393@chkconfig name on |
|
服务开机不自启 |
@H_502_393@chkconfig name off |
|
添加服务 |
@H_502_393@achkconfig --add |
|
服务列表查看 |
@H_502_393@service --status-all |
|
查看运行级别 |
@H_502_393@runlevel |
|
修改运行级别 |
@H_502_393@init runlevel |
|
日志文件 |
@H_502_393@/etc/rsyslog.conf |
|
查看日志文件 |
@H_502_393@/var/log/journalctl |
|
内核硬件 |
@H_502_393@RHEL6 |
|
启动提示符 |
@H_502_393@append 1 or s or init=/bin/bash to kernel cmdline |
|
关闭系统 |
@H_502_393@shutdown |
|
关闭电源 |
@H_502_393@poweroff |
|
挂起系统 |
@H_502_393@halt |
|
重启系统 |
@H_502_393@reboot |
|
修改运行级别 |
@H_502_393@/etc/inittab |
|
配置GRUB |
@H_502_393@/boot/grub/grub.conf |
|
软件管理 |
@H_502_393@RHEL6 |
|
安装软件包 |
@H_502_393@yum install yum groupinstall |
|
查看软件包 |
@H_502_393@yum info yum groupinfo |
|
文件系统 |
@H_502_393@RHEL6 |
|
建立文件系统 |
@H_502_393@fdisk parted |
|
LVM管理 |
@H_502_393@vgextend lvextend resize2fs |
|
网络接口配置 |
@H_502_393@RHEL6 |
|
配置名称 |
@H_502_393@/etc/hosts /etc/resolv.conf |
|
主机名称配置 |
@H_502_393@/etc/sysconfig/network |
|
Ip地址配置 |
@H_502_393@ip add ifconfig brctl |
|
配置防火墙 |
@H_502_393@iptables&ip6tables /etc/sysconfig/ip*tables system-config-firewall |
|
查看端口命令 |
@H_502_393@netstat ss lsof |
|
