1. The four modes of CentOS 7
- CentOS 7 no longer has runlevels 0-6; instead there are four targets
- graphical.target: multi-user mode, supports both graphical and command-line login; corresponds to the old runlevels 3 and 5
- multi-user.target: multi-user mode, command-line login only; corresponds to the old runlevel 3
- rescue.target: single-user mode; corresponds to the old runlevel 1
- emergency.target: single-user mode; after entering it the root filesystem is read-only
2. Single-user mode
- CentOS 7 uses grub2, so the procedure differs from earlier releases
- Steps to enter single-user mode
- a. On the kernel entry you want, press "e" to enter edit mode
- b. Find the line that begins with "linux16" and contains "ro", move to the end of it and append " rd.break" (with a leading space), then press "Ctrl+x" to boot
- c. Remount the "sysroot" directory with write permission
mount -o remount,rw /sysroot/
- d. Switch into the system root
chroot /sysroot
- e. Make SELinux take effect: this file triggers a relabel on the next boot
touch /.autorelabel
The text edited on that command line actually comes from /boot/grub2/grub.cfg. Editing that file directly is not recommended; editing the entry at boot time is the way to debug kernel parameters or carry out other tests.
sudo cat /boot/grub2/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set pager=1
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="${saved_entry}"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
terminal_output console
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
### END /etc/grub.d/00_tuned ###
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
source ${prefix}/user.cfg
if [ -n ${GRUB2_PASSWORD} ]; then
set superusers="root"
export superusers
password_pbkdf2 root ${GRUB2_PASSWORD}
fi
fi
### END /etc/grub.d/01_users ###
### BEGIN /etc/grub.d/10_linux ###
# This is the boot entry text shown on the boot menu
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 2f6558dc-9854-41f7-bec1-8785ae961bdc
else
search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
fi
# The part edited above is right here
# Append rd.break after LANG=en_US.UTF-8 (if garbled characters are a concern, change LANG to zh_CN.UTF-8)
linux16 /vmlinuz-3.10.0-327.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
initrd16 /initramfs-3.10.0-327.el7.x86_64.img
}
menuentry 'CentOS Linux (0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
load_video
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 2f6558dc-9854-41f7-bec1-8785ae961bdc
else
search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
fi
linux16 /vmlinuz-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet
initrd16 /initramfs-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8.img
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
- 3. Leaving single-user mode
Press Ctrl+d, then run reboot.
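The 01_users block of the grub.cfg above only sets superusers and password_pbkdf2 when ${prefix}/user.cfg defines GRUB2_PASSWORD; without it, anyone at the console can press "e" and append rd.break exactly as in the steps just described. The following shell script, an added example that is not part of the original notes, checks a host for that protection. It assumes the CentOS 7 locations /boot/grub2/user.cfg and /boot/grub2/grub.cfg as defaults, takes the paths as parameters so the run at the bottom uses constructed sample files with a placeholder hash, and relies on grub2-mkconfig writing menuentry titles in single quotes.

```bash
#!/usr/bin/env bash
# Added example (not part of the original notes): check whether a CentOS 7
# host's GRUB 2 menu is password-protected. grub.cfg's 01_users block sets
# superusers and password_pbkdf2 only when ${prefix}/user.cfg
# (/boot/grub2/user.cfg on disk) defines GRUB2_PASSWORD. Menu entries marked
# --unrestricted stay bootable without the password, but editing them (the
# "e" key used above) requires it. Paths are parameters so the run at the
# bottom uses constructed sample files with a placeholder hash.

# grub_password_set USER_CFG -> 0 when GRUB2_PASSWORD holds a pbkdf2 hash,
# 1 when the file is missing, unreadable or has no such line
grub_password_set() {
    cfg="${1:-/boot/grub2/user.cfg}"
    [ -r "$cfg" ] || return 1
    grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$cfg"
}

# grub_unrestricted_entries GRUB_CFG -> titles of menuentry lines that carry
# --unrestricted (bootable by anyone even when a password is set)
grub_unrestricted_entries() {
    cfg="${1:-/boot/grub2/grub.cfg}"
    [ -r "$cfg" ] || return 1
    grep -E '^menuentry .*--unrestricted' "$cfg" | sed -E "s/^menuentry '([^']*)'.*/\1/"
}

# grub_audit USER_CFG GRUB_CFG -> one-line verdict; returns 0 only when a
# password is configured
grub_audit() {
    if grub_password_set "$1"; then
        n=$(grub_unrestricted_entries "$2" | wc -l | tr -d ' ')
        echo "GRUB password set; $n entries boot without it, editing any entry needs it"
        return 0
    fi
    echo "no GRUB password: console users can edit kernel arguments at boot"
    return 1
}

# --- constructed sample files (the hash is a placeholder, not a real one) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH' > "$tmp/user.cfg"
: > "$tmp/empty-user.cfg"
cat > "$tmp/grub.cfg" <<'EOF'
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-a' {
}
menuentry 'CentOS Linux (0-rescue-PLACEHOLDER_MACHINE_ID) 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-b' {
}
EOF

grub_audit "$tmp/user.cfg" "$tmp/grub.cfg"
grub_audit "$tmp/empty-user.cfg" "$tmp/grub.cfg" || true
```

On a real host call `grub_audit /boot/grub2/user.cfg /boot/grub2/grub.cfg` as root; on CentOS 7.2 and later the grub2-setpassword tool is what writes /boot/grub2/user.cfg. Because the entries in the grub.cfg above are all marked --unrestricted, a password does not stop the machine from booting normally; it only stops the boot-time edit.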
3. Rescue mode
- 1. Boot from the optical drive
- 2. Choose "Troubleshooting"
- 3. Choose "Rescue a CentOS system"
- 4. Continue
- 5. chroot /mnt/sysimage
4. Setting a static IP
- Edit the network configuration file
sudo vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=73a35962-27e5-43a8-931b-f3724ac86f0b
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
NETMASK=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2
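The ifup scripts source an ifcfg file as shell, so a misspelled key is set as an unused variable and ignored rather than reported. The script below, an added example that is not part of the original notes, checks a file of this kind before the network service is restarted. The list of accepted keys is this example's own assumption (the keys in the file above plus PREFIX, DNS2 and HWADDR), and the sample files it runs against are constructed copies of the configuration above.

```bash
#!/usr/bin/env bash
# Added example (not part of the original notes): sanity-check an ifcfg-* file
# before restarting the network service. The ifup scripts source this file as
# shell, so a misspelled key such as METMASK is silently ignored. The accepted
# key list is this example's own assumption; extend it for options you use.

# ifcfg_get FILE KEY -> value of KEY (quotes stripped), empty if absent
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# ifcfg_check FILE -> prints one problem per line; returns 0 only if none found
ifcfg_check() {
    f="$1"
    rc=0
    known=' TYPE BOOTPROTO DEFROUTE PEERDNS PEERROUTES IPV4_FAILURE_FATAL IPV6INIT IPV6_AUTOCONF IPV6_DEFROUTE IPV6_PEERDNS IPV6_PEERROUTES IPV6_FAILURE_FATAL NAME UUID DEVICE ONBOOT IPADDR NETMASK PREFIX GATEWAY DNS1 DNS2 HWADDR '
    ip4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

    # 1) every KEY=value line must use a key from the accepted list
    for key in $(sed -n 's/^\([A-Z0-9_]*\)=.*/\1/p' "$f"); do
        case "$known" in
            *" $key "*) ;;
            *) echo "unknown key $key: probably a typo, ifup will ignore it"; rc=1 ;;
        esac
    done

    # 2) a static address needs IPADDR plus NETMASK or PREFIX
    proto=$(ifcfg_get "$f" BOOTPROTO)
    if [ "$proto" = static ] || [ "$proto" = none ]; then
        [ -n "$(ifcfg_get "$f" IPADDR)" ] || { echo "IPADDR missing for a static configuration"; rc=1; }
        if [ -z "$(ifcfg_get "$f" NETMASK)" ] && [ -z "$(ifcfg_get "$f" PREFIX)" ]; then
            echo "neither NETMASK nor PREFIX is set"; rc=1
        fi
    fi

    # 3) every address-valued key that is present must be a dotted quad
    for key in IPADDR NETMASK GATEWAY DNS1 DNS2; do
        v=$(ifcfg_get "$f" "$key")
        if [ -n "$v" ] && ! echo "$v" | grep -Eq "$ip4"; then
            echo "$key=$v is not an IPv4 dotted quad"; rc=1
        fi
    done
    return $rc
}

# --- constructed sample: the file above with its METMASK typo, and a fixed copy ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ifcfg-bad" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
METMASK=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2
EOF
sed 's/^METMASK=/NETMASK=/' "$tmp/ifcfg-bad" > "$tmp/ifcfg-good"

ifcfg_check "$tmp/ifcfg-bad" || echo "ifcfg-bad: problems found"
ifcfg_check "$tmp/ifcfg-good" && echo "ifcfg-good: ok"
```

Run it as `ifcfg_check /etc/sysconfig/network-scripts/ifcfg-eno16777736` before `systemctl restart network`; the typo in the file above is reported both as an unknown key and as a missing NETMASK.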
- Restart the network
[vincent@localhost ~]$ sudo systemctl restart network
[vincent@localhost ~]$ sudo systemctl status network
● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network)
Active: active (exited) since Thu 2018-03-22 13:44:01 EDT; 8s ago
Docs: man:systemd-sysv-generator(8)
Process: 2517 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 2764 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
Mar 22 13:44:01 localhost.localdomain systemd[1]: Starting LSB: Bring up/down networking...
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up loopback interface: Could not load file '/etc/syscon...g-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: [ OK ]
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up interface eno16777736: Connection successfully activ...on/1)
Mar 22 13:44:01 localhost.localdomain network[2764]: [ OK ]
Mar 22 13:44:01 localhost.localdomain systemd[1]: Started LSB: Bring up/down networking.
Hint: Some lines were ellipsized, use -l to show in full.
5. Setting the hostname
# set the hostname
[vincent@localhost ~]$ sudo hostnamectl set-hostname "VINCENT_ANNIE"
# show the hostname
[vincent@localhost ~]$ sudo hostname
vincent_annie
# show the hostname status
[vincent@localhost ~]$ sudo hostnamectl status
Static hostname: vincent_annie
Pretty hostname: VINCENT_ANNIE
Icon name: computer-vm
Chassis: vm
Machine ID: 7f6fcf1f98784c2ab9b245dc748d02f8
Boot ID: 9f0f35cddd1e401cbe7002085bc7f07c
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
# show the configuration file
[vincent@localhost ~]$ sudo cat /etc/hostname
vincent_annie
6. Command auto-completion
# requires the bash-completion package
$ sudo yum install bash-completion -y
# source the profile so it takes effect
. /etc/profile
7. Services
- 1. CentOS 7 no longer uses chkconfig; it uses systemd
- 2. Enable a service to start at boot:
sudo systemctl enable sshd
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib/systemd/system/sshd.service.
- 3. Disable a service from starting at boot (the note names httpd; the command shown disables sshd):
$ sudo systemctl disable sshd
Removed symlink /etc/systemd/system/multi-user.target.wants/sshd.service.
- 4. Check a service's status:
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-03-22 13:48:01 EDT; 18h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1100 (sshd)
CGroup: /system.slice/sshd.service
└─1100 /usr/sbin/sshd -D
Mar 22 13:48:01 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Mar 22 13:48:01 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on 0.0.0.0 port 22.
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on :: port 22.
Mar 22 14:05:28 localhost.localdomain sshd[2249]: Accepted publickey for vincent from 1...4c
Mar 22 17:23:59 localhost.localdomain sshd[2401]: Accepted publickey for vincent from 1...4c
Mar 23 06:06:58 localhost.localdomain sshd[2909]: Accepted publickey for vincent from 1...4c
Mar 23 06:17:12 localhost.localdomain sshd[2935]: Accepted publickey for vincent from 1...4c
Hint: Some lines were ellipsized, use -l to show in full.
- 5. List all services
$ sudo systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
● kdump.service loaded failed failed Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required static dev
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapsh
lvm2-pvscan@8:2.service loaded active exited LVM2 PV scan on device 8:2
network.service loaded active exited LSB: Bring up/down networking
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
- 6. Start a service
$ sudo systemctl start sshd
- 7. Stop a service
$ sudo systemctl stop sshd
- 8. Restart a service
$ sudo systemctl restart sshd
- 9. Location of the unit files
$ ls /usr/lib/systemd/system | grep sshd
sshd-keygen.service
sshd.service
sshd@.service
sshd.socket
- 10. Check whether a service is enabled at boot
$ sudo systemctl is-enabled sshd
enabled
8. systemd targets
- 1. A target is similar to a CentOS 6 runlevel, but several targets can be active at once. A target is really a group of units; booting the system comes down to starting a set of units, and targets exist to manage those units conveniently
- 2. When switching targets, processes started by the previous target are not stopped by default; the systemctl isolate command changes that behaviour and stops every process of the previous target that does not belong to the new one
Common commands
- List all targets on the system
$ sudo systemctl list-unit-files --type=target
- List the units a target contains
$ sudo systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─crond.service
● ├─dbus.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rsyslog.service
- Show the default target used at boot
$ sudo systemctl get-default
multi-user.target
- Set the default target used at boot
$ sudo systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
- Switch target and stop every process of the previous target that the new one does not use
$ sudo systemctl isolate multi-user.target
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.
9. systemd units
Path of the unit files
/etc/systemd/system/
9.1 How systemd manages services and its features
- 1. Services start in parallel rather than one after another, so boot time is short
- 2. The services a service depends on are detected automatically
- 3. systemd can manage every system resource; each kind of resource is called a unit
- 4. There are 12 unit types
- 1. service unit: system service
- 2. device unit: hardware device
- 3. automount unit: automount point
- 4. scope unit: external process not started by systemd
- 5. slice unit: process group
- 6. socket unit: socket for inter-process communication
- 7. timer unit: timer
- 8. target unit: group of several units
- 9. mount unit: filesystem mount point
- 10. path unit: file or path
- 11. snapshot unit: snapshot that can be switched back to
- 12. swap unit: swap file
9.2 systemd unit commands
- List running units
$ systemctl list-units
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File System A
sys-devices-pci0000:00-0000:00:07.1-ata2-host2-target2:0:0-2:0:0:0-block-sr0.device loaded active plugged VMware_Virt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged VMware_Virt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged LVM PV JFEt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged VMware_Virtual_S
sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0-rfkill0.device loaded
sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0.device loaded active
sys-devices-pci0000:00-0000:00:11.0-0000:02:01.0-net-eno16777736.device loaded active plugged 82545EM Gigabit Etherne
sys-devices-pci0000:00-0000:00:11.0-0000:02:02.0-sound-card0.device loaded active plugged ES1371 / Creative Labs CT25
sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
sys-devices-pnp0-00:08-tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:08/tty/ttyS0
- List all units, including those with no unit file found and those that failed to start
$ sudo systemctl list-units --all
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File Syst
dev-block-8:2.device loaded active plugged LVM PV JFEtl1-7nqO-8VWp-e1XQ-FG2g-vDNj-vLw6
dev-cdrom.device loaded active plugged VMware_Virtual_IDE_CDROM_Drive
dev-centos-root.device loaded active plugged /dev/centos/root
dev-centos-swap.device loaded active plugged /dev/centos/swap
- List all units that are not running
$ sudo systemctl list-units --all --state=inactive
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.mount loaded inactive dead Arbitrary Executable File Formats File System
sys-fs-fuse-connections.mount loaded inactive dead FUSE Control File System
tmp.mount loaded inactive dead Temporary Directory
systemd-ask-password-console.path loaded inactive dead Dispatch Password Requests to Console Directory Watch
brandbot.service loaded inactive dead Flexible Branding Service
cpupower.service loaded inactive dead Configure CPU power related settings
● display-manager.service not-found inactive dead display-manager.service
dm-event.service loaded inactive dead Device-mapper event daemon
dracut-shutdown.service loaded inactive dead Restore /run/initramfs
- List all units that failed
$ sudo systemctl list-units --all --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● kdump.service loaded failed failed Crash recovery kernel arming
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.
- List all running units of type service
$ sudo systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
- Show whether a unit is running
$ sudo systemctl is-active sshd.service
active
- Show whether a unit is in the failed state
$ sudo systemctl is-failed sshd.service
active
- Show whether a service unit has a start link (enabled at boot)
$ sudo systemctl is-enabled sshd.service
enabled
9.3 How units relate to targets
- Main configuration file
/etc/systemd/system.conf
- The first thing loaded at boot is
/etc/systemd/system/default.target
[root@vincent_annie ~]# ls /etc/systemd/system/default.target
/etc/systemd/system/default.target
# it is a symbolic link
[root@vincent_annie ~]# ls -l /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 37 Mar 31 22:05 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
# contents of /lib/systemd/system/multi-user.target
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
/lib/systemd/system/multi-user.target loads the services under the /lib/systemd/system/multi-user.target.wants/ directory
# ls -l /lib/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 16 Mar 31 22:02 brandbot.path -> ../brandbot.path
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 dbus.service -> ../dbus.service
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 getty.target -> ../getty.target
lrwxrwxrwx. 1 root root 24 Mar 31 22:02 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx. 1 root root 29 Mar 31 22:02 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx. 1 root root 33 Mar 31 22:02 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx. 1 root root 25 Mar 31 22:02 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx. 1 root root 39 Mar 31 22:02 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx. 1 root root 32 Mar 31 22:02 systemd-user-sessions.service -> ../systemd-user-sessions.service
- To see which target a service belongs to, read its unit file and look at the [Install] section
[root@vincent_annie ~]# cat /lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
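The [Install] section above and the "Created symlink ..." message printed by systemctl enable in section 7 are two sides of the same mechanism. The script below, an added example that is not part of the original notes, reproduces it in plain shell: it reads WantedBy= from [Install] and creates or removes the <target>.wants/<unit> symlink, which is what is-enabled looks for. The directory roots are parameters, so the run at the bottom uses a constructed tree instead of the real /etc/systemd/system and /usr/lib/systemd/system.

```bash
#!/usr/bin/env bash
# Added example (not part of the original notes): reproduce in plain shell what
# "systemctl enable" records and what "systemctl is-enabled" reads back. A unit
# names its target on the WantedBy= line of its [Install] section; enabling it
# creates <systemd dir>/<target>.wants/<unit> as a symlink to the unit file.
# The directory roots are parameters so the run at the bottom uses a
# constructed tree, not the real /etc/systemd/system and /usr/lib/systemd/system.

# unit_wanted_by UNIT_FILE -> targets listed by WantedBy= inside [Install]
# (a WantedBy= in any other section is ignored, as systemd would ignore it)
unit_wanted_by() {
    awk -F= '
        /^\[/ { in_install = ($0 == "[Install]"); next }
        in_install && $1 == "WantedBy" { n = split($2, t, " "); for (i = 1; i <= n; i++) print t[i] }
    ' "$1"
}

# unit_enabled_in ETC_DIR UNIT_NAME -> 0 when some <target>.wants/UNIT_NAME
# symlink exists under ETC_DIR, 1 otherwise (roughly what is-enabled reports)
unit_enabled_in() {
    for link in "$1"/*.wants/"$2"; do
        [ -L "$link" ] && return 0
    done
    return 1
}

# unit_enable_in ETC_DIR LIB_DIR UNIT_NAME -> create one wants symlink per
# WantedBy target, the way systemctl enable does
unit_enable_in() {
    for target in $(unit_wanted_by "$2/$3"); do
        mkdir -p "$1/$target.wants"
        ln -sfn "$2/$3" "$1/$target.wants/$3"
        echo "Created symlink from $1/$target.wants/$3 to $2/$3."
    done
}

# unit_disable_in ETC_DIR UNIT_NAME -> remove every wants symlink for the unit
unit_disable_in() {
    for link in "$1"/*.wants/"$2"; do
        [ -L "$link" ] && rm -f "$link" && echo "Removed symlink $link."
    done
    return 0
}

# --- constructed tree holding a copy of the sshd.service unit shown above ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/etc" "$tmp/lib"
cat > "$tmp/lib/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
[Service]
ExecStart=/usr/sbin/sshd -D $OPTIONS
[Install]
WantedBy=multi-user.target
EOF

unit_wanted_by "$tmp/lib/sshd.service"                                    # multi-user.target
unit_enabled_in "$tmp/etc" sshd.service && echo enabled || echo disabled  # disabled
unit_enable_in "$tmp/etc" "$tmp/lib" sshd.service
unit_enabled_in "$tmp/etc" sshd.service && echo enabled || echo disabled  # enabled
```

A unit with no [Install] section yields no targets from unit_wanted_by, which matches systemctl's behaviour of refusing to enable such a unit; a WantedBy= line listing several targets produces one symlink per target.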
10. Firewall
- 1. CentOS 7 no longer uses iptables; it uses firewalld
- 2. If you do not want to use firewalld, stop the firewalld service for now and install iptables-services instead
- The related operations are as follows
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl enable iptables.service
systemctl start iptables.service
- 3. If you get the message
Failed to execute operation: Access denied
the firewalld package may not be installed; install it with
$ yum install -y firewalld
11. firewalld
11.1 Concepts
- 1. CentOS 6 used a static firewall: the rules are stored in the /etc/sysconfig/iptables file, and changing them means reloading or restarting the iptables service, which flushes all existing rules and loads the ones from the file again
- 2. CentOS 7 uses a dynamic firewall, firewalld; unlike CentOS 6, updating a rule does not require reloading the whole configuration
- 3. Whether iptables or firewalld is used, the rules underneath are configured with the iptables tool
- 4. firewalld has the concepts of zone and service
- a. Each zone has its own set of iptables rules
- b. There are 9 zones by default
- c. CentOS 7's default zone is public
11.2 Commands
- List all zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
- Get the default zone
# firewall-cmd --get-default-zone
public
11.3 The 9 firewalld zones
- drop: every incoming packet is dropped without any reply; only outgoing connections are possible
- block: every incoming connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6
- public: for use in public areas; you cannot trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
- external: for external networks, in particular with masquerading enabled on a router; you cannot trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
- dmz: for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted
- work: for work areas; you mostly trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
- home: for home networks; you mostly trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
- internal: for internal networks; you mostly trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
- trusted: all network connections are accepted
11.4 firewalld zone commands
- 1. Set the default zone
[root@vincent_annie ~]# firewall-cmd --set-default-zone=work
success
# show the default zone
[root@vincent_annie ~]# firewall-cmd --get-default-zone
work
- 2. Show the zone a given interface belongs to
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736
no zone
- 3. Assign a zone to a given interface
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
public
- 4. Change the zone of an interface
[root@vincent_annie ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
dmz
- 5. Remove an interface from its zone
[root@vincent_annie ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
no zone
- 6. Show the zones of all interfaces
[root@vincent_annie ~]# firewall-cmd --get-active-zones
block
interfaces: lo
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736
no zone
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=eno16777736
success
[root@vincent_annie ~]# firewall-cmd --get-active-zones
public
interfaces: eno16777736
block
interfaces: lo
[root@vincent_annie ~]#
11.5 firewalld services
- firewalld's configuration files live under the /etc/firewalld directory
- All the zones are under the /usr/lib/firewalld/zones/ directory
[root@vincent_annie firewalld]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
- Under /usr/lib/firewalld/services/ is another kind of configuration file, one per network service (ssh and so on)
- Each of those files records the protocol and ports the service uses; in recent versions the services directory already defines 70+ services ready for use
- A zone is essentially a set of references to services, which is how the different zones provide different behaviour
11.6 service commands
- 1. List all services
- 2. List the services loaded in the current zone
- 3. Show the services of a given zone
- 4. Add a service to a given zone
- 5. Add a service to a given zone and save it to the configuration file
- 6. Remove a service from a given zone
[root@vincent_annie firewalld]# # list all services in the current zone
# The warning below shows that the default zone and the zone of the interfaces are not the same
[root@vincent_annie firewalld]# firewall-cmd --list-services
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.
ssh dhcpv6-client
# show the services of a given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client
# add a service to a given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql
success
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql --permanent
success
# --permanent writes the change to the configuration file; remove takes the same option
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
<service name="nfs"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
<service name="nfs"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
</zone>
[root@vincent_annie firewalld]#
11.7 Adding firewalld rules
- 1. Add a custom rule
[root@vincent_annie firewalld]# # add a custom port
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.
success
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="mysql"/>
<port protocol="tcp" port="2222"/>
</zone>
- 2. Reload the firewall rules (after editing rules by hand, the configuration files must be reloaded)
[root@vincent_annie firewalld]# # reload without interrupting existing connections
[root@vincent_annie firewalld]# firewall-cmd --reload
success
[root@vincent_annie firewalld]#
[root@vincent_annie firewalld]# # full reload: interrupts connections and also clears state information
[root@vincent_annie firewalld]# firewall-cmd --complete-reload
success
- Add or remove a port range
# remove a port range without updating the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --remove-port=2000-4000/tcp
success
# add a port-range rule and write it to the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --add-port=2000-4000/tcp --permanent
success
# check that the rule was added
[root@vincent_annie firewalld]# grep 2000 /etc/firewalld/zones/work.xml
<port protocol="tcp" port="2000-4000"/>
- Enable port forwarding
[root@vincent_annie firewalld]# firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2 --permanent
success
[root@vincent_annie firewalld]# grep 127.0.0.2 /etc/firewalld/zones/home.xml
<forward-port to-addr="127.0.0.2" protocol="tcp" port="22"/>
11.8 Editing the configuration files
- The two configuration paths are /etc/firewalld/ and /usr/lib/firewalld
- /etc/firewalld is the configuration path the system uses. /etc/firewalld/zones holds the configuration file of every zone that has been used; with the default zone public, for example, that directory contains a file named public.xml whose contents are the configured rules. Custom ports and the like are stored there too, but firewall-cmd --zone=public --list-services does not show them.
Now take the following requirement:
change the default FTP port from 21 to 1121 and then configure the firewall rules. Proceed as follows
# copy the service definition to the override path
[root@vincent_annie firewalld]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
# change the port in the copied file, here from the default 21 to 1121
[root@vincent_annie firewalld]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
# edit the configuration file of zone work (this can also be done with firewall-cmd)
[root@vincent_annie firewalld]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="2000-4000"/>
<service name="ftp"/>
</zone>
# reload the service
[root@vincent_annie firewalld]# firewall-cmd --reload
success
# show the services configured in zone work
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
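After the procedure above, `--list-services` reports "ftp" but says nothing about which port that now means, and it never shows the direct `<port/>` entries at all. The script below, an added example that is not part of the original notes, answers that question from the permanent XML alone: it resolves each `<service name="..."/>` through the services directory under /etc/firewalld first and /usr/lib/firewalld second (the override order the copy of ftp.xml relies on) and adds the zone's own `<port/>` entries. The directory roots are parameters, so the run at the bottom uses constructed copies of the files rather than the live system; it assumes firewalld's attribute order `protocol` then `port`, as in the files shown above, and only handles the `<port/>` and `<service/>` elements used here.

```bash
#!/usr/bin/env bash
# Added example (not part of the original notes): work out which ports a
# firewalld zone really opens from its permanent XML. Each <service name=".."/>
# is resolved through the /etc services directory first and /usr/lib second,
# which is why copying ftp.xml to /etc/firewalld/services and editing it
# changes what "ftp" means for every zone. Direct <port .../> entries, which
# --list-services does not show, are included as well. Directory roots are
# parameters so the run at the bottom uses constructed files.

# xml_ports FILE -> one "port/proto" line per <port protocol=".." port=".."/>
xml_ports() {
    grep -o '<port [^/]*/>' "$1" | while read -r tag; do
        proto=$(echo "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(echo "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        echo "$port/$proto"
    done
}

# xml_services FILE -> the names referenced by <service name=".."/> lines
xml_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# service_file ETC_DIR LIB_DIR NAME -> path of the definition that wins
# (the /etc copy overrides the /usr/lib one); exit 1 if neither exists
service_file() {
    if [ -f "$1/$3.xml" ]; then echo "$1/$3.xml"
    elif [ -f "$2/$3.xml" ]; then echo "$2/$3.xml"
    else return 1
    fi
}

# zone_effective_ports ZONE_XML ETC_DIR LIB_DIR -> sorted unique lines of the
# form "port/proto origin", origin being "zone" for a direct <port/> entry or
# the service name; services with no definition are reported on stderr
zone_effective_ports() {
    zone="$1"; etc="$2"; lib="$3"
    {
        xml_ports "$zone" | sed 's/$/ zone/'
        for name in $(xml_services "$zone"); do
            if f=$(service_file "$etc" "$lib" "$name"); then
                xml_ports "$f" | sed "s/\$/ $name/"
            else
                echo "zone $zone references undefined service $name" >&2
            fi
        done
    } | LC_ALL=C sort -u
}

# --- constructed stand-ins for the services directories and the work zone ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/lib" "$tmp/etc" "$tmp/zones"
write_service() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n<port protocol="%s" port="%s"/>\n</service>\n' "$2" "$3" > "$1"
}
write_service "$tmp/lib/ssh.xml"           tcp 22
write_service "$tmp/lib/dhcpv6-client.xml" udp 546
write_service "$tmp/lib/ftp.xml"           tcp 21     # stock definition
write_service "$tmp/etc/ftp.xml"           tcp 1121   # local override, as in the procedure above
cat > "$tmp/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="2000-4000"/>
<service name="ftp"/>
</zone>
EOF

zone_effective_ports "$tmp/zones/work.xml" "$tmp/etc" "$tmp/lib"
```

Against the live host the call is `zone_effective_ports /etc/firewalld/zones/work.xml /etc/firewalld/services /usr/lib/firewalld/services`; note that it reads the permanent configuration, so a rule added without --permanent is not reflected until the runtime state is saved or reloaded.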