- Contents
- 1. Saving and backing up iptables rules
- 2. firewalld's 9 zones
- 3. firewalld service operations
- 4. Linux scheduled tasks: cron
- 5. The chkconfig tool
- 6. Managing services with systemd
- 7. Introduction to units
- 8. Introduction to targets
- Further reading
1. Saving and backing up iptables rules
Save the iptables rules to another location
[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Wed Jun 13 09:32:23 2018
*nat
:PREROUTING ACCEPT [430:125068]
Restore the iptables rules
[root@localhost ~]# iptables-restore < /tmp/ipt.txt
service iptables save writes the rules to /etc/sysconfig/iptables.
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
2. firewalld's 9 zones
Switch from iptables to firewalld
[root@localhost ~]# systemctl disable iptables
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# systemctl start firewalld
firewalld ships with 9 zones by default
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Check the default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
- drop: Any incoming network packets are dropped with no reply. Only outgoing network connections are possible.
- block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
- public: For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
- external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
- dmz: For computers in your demilitarized zone, which is publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
- work: For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
- home: For use in home networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
- internal: For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.
2.1 Zone operations
Set the default zone
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
Check which zone a given interface belongs to
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
Assign an interface to a zone
[root@localhost ~]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
Change the zone of an interface
[root@localhost ~]# firewall-cmd --zone=block --change-interface=ens37
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
block
Remove an interface from its zone
[root@localhost ~]# firewall-cmd --zone=block --remove-interface=ens37
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
Show the active zones and the interfaces assigned to them
[root@localhost ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
3. firewalld service operations
A service is a sub-unit of a zone; it can be thought of as a port (or a set of ports).
List all services
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
List the services of the current zone
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
List the services of a specific zone
[root@localhost ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --zone=block --list-services
Add a service to a given zone; this only adds it to the running (in-memory) configuration
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
Make it permanent
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
Zone configuration file templates; each modification also produces an .old file
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
Requirement: the ftp service uses the custom port 1121, and ftp must be allowed in the work zone
Change the port value of the ftp service to 1121
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
Copy work.xml and add one line with the service name
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
Reload firewalld
[root@localhost ~]# firewall-cmd --reload
success
Check that the change took effect
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
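The steps above edit the package templates under /usr/lib/firewalld/. As an added example (not part of the original post), the shell functions below generate a user-defined service file for a non-standard port and validate the inputs first; the destination defaults to /etc/firewalld/services/, where user-defined services live and override the templates in /usr/lib/firewalld/services/. The function and parameter names are assumptions.

```shell
# Added example (not from the original post): build a user-defined firewalld
# service file for a non-standard port, validating the inputs first.
# Assumption: the destination defaults to /etc/firewalld/services/, where
# user-defined services live and override /usr/lib/firewalld/services/.
make_fw_service() {
    name=$1 port=$2 proto=${3:-tcp} destdir=${4:-/etc/firewalld/services} module=${5:-}
    # The service name becomes a file name: allow only a safe character set.
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1;; esac
    # The port must be an integer in 1..65535.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "port out of range: $port" >&2; return 1; fi
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1;; esac
    mkdir -p "$destdir"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>User-defined %s on %s/%s.</description>\n' "$name" "$proto" "$port"
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        # Optional conntrack helper, e.g. nf_conntrack_ftp for FTP on a custom port.
        if [ -n "$module" ]; then printf '  <module name="%s"/>\n' "$module"; fi
        printf '</service>\n'
    } > "$destdir/$name.xml"
}

# Read back the port recorded in a service file so it can be verified
# before the service is added to a zone and firewalld is reloaded.
fw_service_port() {
    sed -n 's/.*<port protocol="[a-z]*" port="\([0-9]*\)".*/\1/p' "$1"
}

# Typical use on a real host (requires root and firewalld):
#   make_fw_service ftp-custom 1121 tcp /etc/firewalld/services nf_conntrack_ftp
#   firewall-cmd --permanent --zone=work --add-service=ftp-custom && firewall-cmd --reload
```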
4. Linux scheduled tasks: cron
crontab options: -u (specify the user), -e (edit), -l (list), -r (remove)
The scheduled-task configuration file
[root@localhost ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
The fields are, in order: minute, hour, day of month, month, day of week (0 means Sunday), user name, and the command to run.
Use crontab -e to edit the schedule
For it to work, the crond service must also be started
[root@localhost ~]# systemctl start crond
[root@localhost ~]# ps -aux|grep cron
root 557 0.0 0.0 126232 1640 ? Ss 14:12 0:00 /usr/sbin/crond -n
root 1525 0.0 0.0 112676 980 pts/0 S+ 14:40 0:00 grep --color=auto cron
The service is now running, which is required for crontab to work. Use absolute paths in the commands, otherwise the job may not run.
crontab -l shows the schedule file; you can also look at /var/spool/cron/<username>, which is the same schedule file.
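To turn the "use absolute paths" advice into a check, here is an added example (not from the original post) that audits a crontab file and flags commands that are not absolute paths; cron runs jobs with only the minimal PATH shown in /etc/crontab, so a bare script name may silently never run. The function name and the user/system format switch are assumptions.

```shell
# Added example (not from the original post): audit a crontab for commands
# that are not absolute paths. cron runs jobs with the minimal PATH shown in
# /etc/crontab, so "backup.sh" may silently never run (or run the wrong file).
# Usage: check_cron_paths FILE [user|system]; "system" is the /etc/crontab
# layout with a user-name field, "user" is the crontab -e layout without it.
check_cron_paths() {
    file=$1 fmt=${2:-user}
    if [ "$fmt" = system ]; then cf=7; else cf=6; fi   # field holding the command
    awk -v cf="$cf" '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }        # VAR=value settings
        {
            want = cf
            if ($1 ~ /^@/) want = cf - 4                 # @reboot, @daily ... replace the 5 time fields
            if (NF < want) { printf "line %d: malformed entry\n", NR; bad++; next }
            cmd = $want
            if (cmd !~ /^\//) { printf "line %d: relative command \"%s\"\n", NR, cmd; bad++ }
        }
        END { exit (bad > 0) }                           # non-zero exit if anything was flagged
    ' "$file"
}
```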
5. The chkconfig tool
See which services on the system are managed by chkconfig; on CentOS 6 these are SysV services
[root@localhost ~]# chkconfig --list
注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。
要列出 systemd 服务,请执行 'systemctl list-unit-files'。
查看在具体 target 启用的服务请执行
'systemctl list-dependencies [target]'。
netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关
network 0:关 1:关 2:开 3:开 4:开 5:开 6:关
Enable a service at a given runlevel
[root@localhost ~]# chkconfig --level 3 network on
[root@localhost ~]# chkconfig --list
注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。
要列出 systemd 服务,请执行 'systemctl list-unit-files'。
查看在具体 target 启用的服务请执行
'systemctl list-dependencies [target]'。
netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关
network 0:关 1:关 2:开 3:开 4:开 5:开 6:关
6. Managing services with systemd
Some commonly used service-related commands
List services
[root@localhost ~]# systemctl list-units --all --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing
brandbot.service loaded inactive dead Flexible Branding
chronyd.service loaded active running NTP client/server
cpupower.service loaded inactive dead Configure CPU powe
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Messa
● display-manager.service not-found inactive dead display-manager.se
dracut-shutdown.service loaded inactive dead Restore /run/initr
ebtables.service loaded inactive dead Ethernet Bridge Fi
emergency.service loaded inactive dead Emergency Shell
● exim.service not-found inactive dead exim.service
firewalld.service loaded active running firewalld - dynami
getty@tty1.service loaded active running Getty on tty1
● ip6tables.service not-found inactive dead ip6tables.service
● ipset.service not-found inactive dead ipset.service
● iptables.service not-found inactive dead iptables.service
irqbalance.service loaded inactive dead irqbalance daemon
kdump.service loaded active exited Crash recovery ker
kmod-static-nodes.service loaded active exited Create list of req
microcode.service loaded inactive dead Load CPU microcode
network.service loaded active exited LSB: Bring up/down
NetworkManager-wait-online.service loaded active exited Network M
NetworkManager.service loaded active running Network Manager
● ntpd.service not-found inactive dead ntpd.service
● ntpdate.service not-found inactive dead ntpdate.service
Enable or disable a service at boot
[root@localhost ~]# systemctl disable crond.service
Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.
[root@localhost ~]# systemctl enable crond.service
Created symlink from /etc/systemd/system/multi-user.target.wants/crond.service to /usr/lib/systemd/system/crond.service.
Check whether a service started correctly
[root@localhost ~]# systemctl status crond.service
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since 三 2018-06-13 14:12:35 CST; 1h 28min ago
Main PID: 557 (crond)
CGroup: /system.slice/crond.service
└─557 /usr/sbin/crond -n
6月 13 14:12:35 localhost.localdomain systemd[1]: Started Command Sch...
6月 13 14:12:35 localhost.localdomain systemd[1]: Starting Command Sc...
6月 13 14:12:35 localhost.localdomain crond[557]: (CRON) INFO (RANDOM...
6月 13 14:12:35 localhost.localdomain crond[557]: (CRON) INFO (runnin...
Hint: Some lines were ellipsized, use -l to show in full.
Check whether a service is enabled at boot
[root@localhost ~]# systemctl is-enabled crond.service
enabled
Enabling a service at boot simply creates a symlink; disabling it removes that symlink.
Restart a service
[root@localhost ~]# systemctl restart crond.service
7. Introduction to units
ls /usr/lib/systemd/system lists all units on the system; they fall into the following types
- service: a system service
- target: a group of several units
- device: a hardware device
- mount: a filesystem mount point
- automount: an automount point
- path: a file or path
- scope: an external process not started by systemd
- slice: a group of processes
- snapshot: a systemd snapshot
- socket: an inter-process communication socket
- swap: a swap file
- timer: a timer
Unit-related commands
List running units
[root@localhost ~]# systemctl list-units
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Execu
sys-devices-pci0000:00-0000:00:07.1-ata2-host2-target2:0:0-2:0:0:0-block-
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-s
sys-devices-pci0000:00-0000:00:10.0-host0-target0:
...
List all units, including failed and inactive ones
[root@localhost ~]# systemctl list-units --all
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Execut
dev-disk-by\x2did-ata\x2dST3320418AS_5VM7EV8Z.device loaded active plugged
dev-disk-by\x2did-ata\x2dST3320418AS_5VM7EV8Z\x2dpart1.device loaded active
dev-disk-by\x2did-ata\x2dST3320418AS_5VM7EV8Z\x2dpart2.device loaded active
dev-disk-by\x2did-ata\x2dST3320418AS_5VM7EV8Z\x2dpart3.device loaded active
dev-disk-by\x2did-ata\x2dST3320418AS_5VM7EV8Z\x2dpart4.device loaded active
...
List all inactive units
[root@localhost ~]# systemctl list-units --all --state=inactive
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.mount loaded inactive dead Arbitrary Executable File
sys-fs-fuse-connections.mount loaded inactive dead FUSE Control File System
tmp.mount loaded inactive dead Temporary Directory
...
List services in the active state
[root@localhost ~]# systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
crond.service loaded active running Command Scheduler
...
Check whether a given service is active
[root@localhost ~]# systemctl is-active crond.service
active
8. Introduction to targets
For ease of management, targets are used to group units
List all targets
[root@localhost ~]# systemctl list-unit-files --type=target
UNIT FILE STATE
basic.target static
bluetooth.target static
cryptsetup-pre.target static
cryptsetup.target static
ctrl-alt-del.target disabled
default.target enabled
Show which units belong to a given target
[root@localhost ~]# systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─chronyd.service
● ├─crond.service
● ├─dbus.service
● ├─irqbalance.service
...
Show the system's default target
[root@localhost ~]# systemctl get-default
multi-user.target
Set the default target
[root@localhost ~]# systemctl set-default multi-user.target
To see which target a service belongs to, cat its unit file and look at the [Install] section
[root@localhost ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=forking
PIDFile=/var/run/sshd.pid
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
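The remark in section 6 that enabling a service is just a symlink, and the advice above to read WantedBy= from the [Install] section, are tied together in this added example (not from the original post): it reads the targets from a unit file, reports whether the wants symlink exists, and recreates the link systemctl enable would make. The <root> prefix and the function names are assumptions so the check can be exercised against a scratch directory tree.

```shell
# Added example (not from the original post): what "systemctl enable" does,
# reproduced without systemctl. The WantedBy= targets are read from the unit
# file's [Install] section, and "enabled" simply means the symlink
# <root>/etc/systemd/system/<target>.wants/<unit> exists. <root> is an
# assumption so the functions can be exercised against a scratch tree.

# Print the WantedBy targets, honouring section boundaries: a WantedBy=
# line outside [Install] has no effect on enablement.
unit_wanted_by() {
    awk -F= '
        /^\[/ { sub(/[ \t]+$/, ""); in_install = ($0 == "[Install]"); next }
        in_install && $1 == "WantedBy" {
            n = split($2, t, " ")
            for (i = 1; i <= n; i++) if (t[i] != "") print t[i]
        }
    ' "$1"
}

# Exit 0 when every WantedBy target has the wants symlink, 1 otherwise.
unit_is_enabled() {
    root=$1 unit=$2
    targets=$(unit_wanted_by "$root/usr/lib/systemd/system/$unit")
    [ -n "$targets" ] || return 1                # no [Install] section: cannot be enabled
    for t in $targets; do
        [ -L "$root/etc/systemd/system/$t.wants/$unit" ] || return 1
    done
    return 0
}

# Create the same symlinks that "systemctl enable <unit>" would.
unit_enable() {
    root=$1 unit=$2
    for t in $(unit_wanted_by "$root/usr/lib/systemd/system/$unit"); do
        mkdir -p "$root/etc/systemd/system/$t.wants"
        ln -sfn "$root/usr/lib/systemd/system/$unit" "$root/etc/systemd/system/$t.wants/$unit"
    done
}
```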
Further reading
A blog with a series of articles on iptables: https://www.zsythink.net/archives/tag/iptables/page/2/
anacron: https://www.jianshu.com/p/3009a9b7d024?from=timeline
Custom systemd startup scripts: http://www.jb51.net/article/100457.htm