linux查看防火墙状态及开启关闭命令
- 方式一:service方式
#查看防火墙状态
[root@localhost /]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
#防火墙开启,关闭防火墙
[root@localhost /]# service iptables stop
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
[root@localhost /]#
[root@localhost /]#
[root@localhost /]# service iptables status
iptables:未运行防火墙。
#防火墙关闭,开启防火墙
[root@localhost /]# service iptables start
iptables:应用防火墙规则: [确定]
[root@localhost /]#
- 方式二:iptables方式
#查看防火墙状态
[root@localhost /]# /etc/init.d/iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
#防火墙开启,关闭防火墙
[root@localhost /]# /etc/init.d/iptables stop
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
[root@localhost /]#
[root@localhost /]#
[root@localhost /]# /etc/init.d/iptables status
iptables:未运行防火墙。
[root@localhost /]#
#防火墙关闭,开启防火墙
[root@localhost /]# /etc/init.d/iptables restart
iptables:应用防火墙规则: [确定]
[root@localhost /]#
添加Linux防火墙端口
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
编辑iptables文件/etc/sysconfig/iptables,添加如下一行,可以参照已有的已经开启的ssh的22端口。注意 iptables 是按顺序逐条匹配的:这一行必须放在 `-A INPUT -j REJECT --reject-with icmp-host-prohibited` 之前(例如紧跟 22 端口那一行之后),否则会被前面的 REJECT 规则遮蔽而永远不会命中——下面示例中它排在第 6 条、REJECT 之后,8080 端口实际上仍然是不通的。
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
[root@localhost /]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
COMMIT
保存后,重启防火墙
[root@localhost /]# service iptables restart
iptables:清除防火墙规则: [确定]
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:正在卸载模块: [确定]
iptables:应用防火墙规则: [确定]
[root@localhost /]# service iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
查看某端口是否被占用,以4700为例
[root@iZ23aha612kZ sysconfig]# netstat -lnp|grep 4700
udp 0 0 0.0.0.0:4700 0.0.0.0:* 17736/java
[root@iZ23aha612kZ sysconfig]# netstat -lnp|grep 4702
[root@iZ23aha612kZ sysconfig]#
如果没有任何打印,说明没有被占用;有打印的话,说明被占用了,一般会列出是哪个进程占用(-p 列只有以 root 运行时才能看到进程信息)。注意 grep 4700 也会匹配 14700、47001 这类端口,要核对 Local Address 列的端口号确实是 4700。
查看是否开启了SELinux
SELinux是一个安全体系结构,它通过LSM(Linux Security Modules)框架被集成到Linux Kernel 2.6.x中。它是NSA (United States National Security Agency)和SELinux社区的联合项目。
SELinux提供了一种灵活的强制访问控制(MAC)系统,且内嵌于Linux Kernel中。SELinux定义了系统中每个【用户】、【进程】、【应用】和【文件】的访问和转变的权限,然后它使用一个安全策略来控制这些实体(用户、进程、应用和文件)之间的交互,安全策略指定如何严格或宽松地进行检查。
SELinux对系统用户(system users)是透明的,只有系统管理员需要考虑在他的服务器中如何制定严格的策略。策略可以根据需要是严格的或宽松的。
只有同时满足了【标准Linux访问控制】和【SELinux访问控制】时,主体才能访问客体。
遇到的问题
在 linux 本机下用 php index.php 可以正常看到运行结果,但通过我的 Windows 浏览器访问时报错:[Mon Nov 06 10:18:33 2017] [error] [client 192.168.0.81] PHP Warning: mysql_connect(): Can't connect to MySQL server on '127.0.0.1' (13) in /var/www/html/index.php on line 9。括号里的 13 是 errno EACCES(权限被拒绝):命令行能连上而 httpd 进程连不上,说明不是 MySQL 没有启动,而是 httpd 进程发起网络连接被拒绝,这正是下面查到的 SELinux 布尔值所导致的。
[root@localhost html]# cat index.php
----Hello, World!!!
---2017/11/06
<?php
$link=mysql_connect('127.0.0.1','cdms','cdms');
if($link)
echo "scuess";
else
echo "fail";
?>
---
[root@localhost html]# php index.php
----Hello, World!!!
---2017/11/06
scuess
---
- 原因
#发现 httpd_can_network_connect --> off
#getsebool命令用来查询SELinux策略内各项规则的布尔值。SELinux的策略与规则管理相关命令:seinfo命令、sesearch命令、getsebool命令、setsebool命令、semanage命令。
[root@localhost html]# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
- 解决问题(下面不带 -P 的 setsebool 只在本次运行期间生效,重启后会恢复为 off;要永久生效需用 setsebool -P httpd_can_network_connect 1。这种方式只放开 httpd 的网络连接这一项,比整体关闭 SELinux 粒度小得多,应优先采用)
[root@localhost html]# setsebool httpd_can_network_connect 1
- 查看是否开启了SELinux
##如果SELinux status参数为enabled即为开启状态
[root@localhost html]# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling term: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
[root@localhost html]#
[root@localhost html]#
[root@localhost html]#
[root@localhost html]#
[root@localhost html]#
[root@localhost html]#
##也可以用这个命令检查,如果为Enforcing即为开启状态
[root@localhost html]# getenforce
Enforcing
- 临时关闭(不用重启机器):setenforce 0 把 SELinux 设为 Permissive 模式,setenforce 1 设回 Enforcing 模式。Permissive 模式下只记录不拦截,相当于全局放开所有 SELinux 限制,只适合排查问题时临时使用,排查完应及时设回 Enforcing。
[root@localhost html]# setenforce 0
[root@localhost html]#
[root@localhost html]# getenforce
Permissive
[root@localhost html]#
- 也可以通过修改SELinux的配置文件开启或关闭它(需要重启机器)。disabled 会彻底关闭 SELinux,连审计日志也不再记录;如果只是为了解决某个具体问题,优先用上面针对性的布尔值调整,而不是整体关闭:
修改/etc/selinux/config 文件
找到:
SELINUX=enforcing
修改成:
SELINUX=disabled
重启一下,就OK。
ll命令 显示文件 年 月 日 时 分 秒
- 下面是默认的ll命令显示:
[root@localhost src]# ll
总用量 1676
-rw-r--r--. 1 root root 2381 1月 23 2017 index.html
-rw-r--r--. 1 root root 37052 7月 3 2011 python-iniparse-0.3.1-2.1.el6.noarch.rpm
-rw-r--r--. 1 root root 87660 5月 12 2016 python-urlgrabber-3.9.1-11.el6.noarch.rpm
drwxr-xr-x. 3 root root 4096 9月 28 13:59 secureCRT
-rw-r--r--. 1 root root 492020 9月 28 11:27 wget-1.12-1.4.el6.x86_64.rpm
-rw-r--r--. 1 root root 1042364 3月 23 2017 yum-3.2.29-81.el6.centos.noarch.rpm
-rw-r--r--. 1 root root 33524 3月 23 2017 yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm
- 设置显示样式(alias 只对当前 shell 会话有效,需要长期使用可写入 ~/.bashrc)
[root@localhost src]# alias ll='ls -lh --time-style=+"%Y-%m-%d %H:%M:%S"'
[root@localhost src]# ll
总用量 1.7M
-rw-r--r--. 1 root root 2.4K 2017-01-23 21:28:24 index.html
-rw-r--r--. 1 root root 37K 2011-07-03 12:42:38 python-iniparse-0.3.1-2.1.el6.noarch.rpm
-rw-r--r--. 1 root root 86K 2016-05-12 18:50:34 python-urlgrabber-3.9.1-11.el6.noarch.rpm
drwxr-xr-x. 3 root root 4.0K 2017-09-28 13:59:43 secureCRT
-rw-r--r--. 1 root root 481K 2017-09-28 11:27:36 wget-1.12-1.4.el6.x86_64.rpm
-rw-r--r--. 1 root root 1018K 2017-03-23 23:04:15 yum-3.2.29-81.el6.centos.noarch.rpm
-rw-r--r--. 1 root root 33K 2017-03-23 23:00:06 yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm
- 按日期排序
[root@localhost src]# ll -t
总用量 1.7M
drwxr-xr-x. 3 root root 4.0K 2017-09-28 13:59:43 secureCRT
-rw-r--r--. 1 root root 481K 2017-09-28 11:27:36 wget-1.12-1.4.el6.x86_64.rpm
-rw-r--r--. 1 root root 1018K 2017-03-23 23:04:15 yum-3.2.29-81.el6.centos.noarch.rpm
-rw-r--r--. 1 root root 33K 2017-03-23 23:00:06 yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm
-rw-r--r--. 1 root root 2.4K 2017-01-23 21:28:24 index.html
-rw-r--r--. 1 root root 86K 2016-05-12 18:50:34 python-urlgrabber-3.9.1-11.el6.noarch.rpm
-rw-r--r--. 1 root root 37K 2011-07-03 12:42:38 python-iniparse-0.3.1-2.1.el6.noarch.rpm
Linux添加字体
- 查看当前系统的字体
[root@localhost ~]# cd /usr/share/fonts
[root@localhost fonts]# fc-list :lang=zh
AR PL UMing TW:style=Light
AR PL UMing HK:style=Light
AR PL UMing CN:style=Light
AR PL UKai TW MBE:style=Book
AR PL UKai CN:style=Book
AR PL UKai HK:style=Book
AR PL UKai TW:style=Book
文泉驿正黑,文泉驛正黑,WenQuanYi Zen Hei:style=Regular
文泉驿等宽正黑,文泉驛等寬正黑,WenQuanYi Zen Hei Mono:style=Regular
AR PL UMing TW MBE:style=Light
文泉驿点阵正黑,文泉驛點陣正黑,WenQuanYi Zen Hei Sharp:style=Regular
[root@localhost fonts]#
- 新建一个自定义的字体文件夹,把从Windows系统fonts目录下拷贝过来的字体文件直接mv进来,就能看到安装成功了
[root@localhost fonts]#
[root@localhost fonts]#
[root@localhost fonts]#
[root@localhost fonts]# mkdir /usr/share/fonts/my_fonts
[root@localhost fonts]#
[root@localhost fonts]# cd my_fonts/
[root@localhost my_fonts]# mv /usr/local/src/黑体.ttf ./
[root@localhost my_fonts]# fc-list :lang=zh
AR PL UMing TW:style=Light
AR PL UMing HK:style=Light
AR PL UMing CN:style=Light
AR PL UKai TW MBE:style=Book
黑体,SimHei:style=Regular
AR PL UKai CN:style=Book
AR PL UKai HK:style=Book
AR PL UKai TW:style=Book
文泉驿正黑,文泉驛正黑,WenQuanYi Zen Hei:style=Regular
文泉驿等宽正黑,文泉驛等寬正黑,WenQuanYi Zen Hei Mono:style=Regular
AR PL UMing TW MBE:style=Light
文泉驿点阵正黑,文泉驛點陣正黑,WenQuanYi Zen Hei Sharp:style=Regular
- 刷新系统即刻生效,输入命令:sudo fc-cache -fv
[root@localhost my_fonts]#
[root@localhost my_fonts]#
[root@localhost my_fonts]#sudo fc-cache -fv
/usr/share/fonts: caching, new cache contents: 0 fonts, 5 dirs
/usr/share/fonts/cjkuni-ukai: caching, new cache contents: 4 fonts, 0 dirs
/usr/share/fonts/cjkuni-uming: caching, new cache contents: 4 fonts, 0 dirs
/usr/share/fonts/default: caching, new cache contents: 0 fonts, 2 dirs
/usr/share/fonts/default/Type1: caching, new cache contents: 35 fonts, 0 dirs
/usr/share/fonts/default/ghostscript: caching, new cache contents: 13 fonts, 0 dirs
/usr/share/fonts/my_fonts: caching, new cache contents: 1 fonts, 0 dirs
/usr/share/fonts/wqy-zenhei: caching, new cache contents: 3 fonts, 0 dirs
/usr/share/X11/fonts/Type1: skipping, no such directory
/usr/share/X11/fonts/TTF: skipping, no such directory
/usr/local/share/fonts: skipping, no such directory
/root/.fonts: skipping, no such directory
/var/cache/fontconfig: cleaning cache directory
/root/.fontconfig: not cleaning non-existent cache directory
fc-cache: succeeded