CentOS 7 assorted settings (firewall included)

1. The 4 modes (targets) of CentOS 7
2. Single-user mode
3. Rescue mode
4. Setting a fixed IP
5. Setting the hostname
6. Command auto-completion
7. Services
8. systemd targets
Common commands
9. systemd units
Path of unit files
9.1. How systemd manages services
9.2. systemd unit commands
9.3. How systemd units relate to targets
10. Firewall
11. firewalld
11.1. Concepts
11.2. Commands
11.3. The 9 firewalld zones
11.4. firewalld zone commands
11.5. firewalld service operations
11.6. service commands
11.7. Adding firewalld rules
11.8. Editing the configuration files
1. The 4 modes (targets) of CentOS 7
CentOS 7 no longer has runlevels 0-6; it has 4 targets instead:
graphical.target: multi-user mode with both graphical and command-line login, corresponding to the old runlevels 3 and 5
multi-user.target: multi-user mode with command-line login only, corresponding to the old runlevel 3
rescue.target: single-user mode, corresponding to the old runlevel 1
emergency.target: single-user mode in which the root filesystem is read-only once the system is entered
2. Single-user mode
CentOS 7 uses GRUB2, so the procedure differs from earlier releases.

2. Steps to enter single-user mode

a. Press "e" on the kernel entry you want to boot to enter edit mode
b. Find the line starting with "linux16" that contains "ro", jump to its end and append " rd.break" (a leading space is required), then press "control + x" to boot
c. Remount the "sysroot" directory with write permission: mount -o remount,rw /sysroot/
d. Switch into the system root: chroot /sysroot
e. Let SELinux take effect (relabel on the next boot): touch /.autorelabel
The command line edited above is the one provided by /boot/grub2/grub.cfg. Editing that file directly is not recommended; editing the entry at boot time is the way to debug kernel parameters or satisfy other testing needs.

sudo cat /boot/grub2/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
set pager=1

if [ -s $prefix/grubenv ]; then
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="${saved_entry}"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}

function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

terminal_output console
if [ x$feature_timeout_style = xy ] ; then
  set timeout_style=menu
  set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
  set timeout=5
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n ${GRUB2_PASSWORD} ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###

### BEGIN /etc/grub.d/10_linux ###
# These are the boot entries shown in the boot menu
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  2f6558dc-9854-41f7-bec1-8785ae961bdc
    else
      search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
    fi
    # The line edited above is this one
    # Append rd.break at the end, after LANG=en_US.UTF-8 (if you are worried about garbled characters, change LANG to zh_CN.UTF-8)
    linux16 /vmlinuz-3.10.0-327.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
    initrd16 /initramfs-3.10.0-327.el7.x86_64.img
}
menuentry 'CentOS Linux (0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
    load_video
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  2f6558dc-9854-41f7-bec1-8785ae961bdc
    else
      search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
    fi
    linux16 /vmlinuz-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet
    initrd16 /initramfs-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8.img
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

3. Exiting single-user mode
Press control + d, then reboot.

3. Rescue mode
1. Boot from the optical drive
2. Choose "Troubleshooting"
3. Choose "Rescue a CentOS system"
4. Continue
5. chroot /mnt/sysimage
4. Setting a fixed IP
Edit the network configuration file
sudo vim /etc/sysconfig/network-scripts/ifcfg-eno16777736

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=73a35962-27e5-43a8-931b-f3724ac86f0b
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
NETMASK=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2

Restart the network
[vincent@localhost ~]$ sudo systemctl restart network
[vincent@localhost ~]$ sudo systemctl status network
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network)
   Active: active (exited) since Thu 2018-03-22 13:44:01 EDT; 8s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2517 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
  Process: 2764 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)

Mar 22 13:44:01 localhost.localdomain systemd[1]: Starting LSB: Bring up/down networking...
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up loopback interface:  Could not load file '/etc/syscon...g-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: [  OK  ]
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up interface eno16777736:  Connection successfully activ...on/1)
Mar 22 13:44:01 localhost.localdomain network[2764]: [  OK  ]
Mar 22 13:44:01 localhost.localdomain systemd[1]: Started LSB: Bring up/down networking.
Hint: Some lines were ellipsized, use -l to show in full.
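Added example, not from the original post and not part of CentOS: a small POSIX shell checker for an ifcfg file, run before restarting the network service. The network scripts ignore keys they do not recognise, so a misspelled key (the post's file had METMASK= instead of NETMASK=) leaves the interface without a netmask rather than failing loudly. The functions ifcfg_get, valid_ipv4, ifcfg_check and write_sample_ifcfg are this example's own; the sample file is constructed in a temporary path from the values above, and no real interface configuration is touched.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an ifcfg-* file
# before "systemctl restart network". Sample files are constructed in a temp
# path; the real /etc/sysconfig/network-scripts directory is never read.

# Print the value of key $2 in ifcfg file $1 (empty when absent), quotes stripped.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Keys the ifcfg format understands (the subset used in the post); anything
# else is reported as unknown, which is how a misspelled key shows up.
IFCFG_KNOWN='TYPE BOOTPROTO DEFROUTE PEERDNS PEERROUTES IPV4_FAILURE_FATAL IPV6INIT
IPV6_AUTOCONF IPV6_DEFROUTE IPV6_PEERDNS IPV6_PEERROUTES IPV6_FAILURE_FATAL
NAME UUID DEVICE ONBOOT IPADDR NETMASK PREFIX GATEWAY DNS1 DNS2'

# Print one line per problem found in ifcfg file $1; return 1 if there were any.
ifcfg_check() {
    f=$1; problems=0
    if [ "$(ifcfg_get "$f" BOOTPROTO)" = "static" ]; then
        for key in IPADDR NETMASK GATEWAY; do
            v=$(ifcfg_get "$f" "$key")
            if [ -z "$v" ]; then
                echo "missing $key (required for BOOTPROTO=static)"
                problems=$((problems + 1))
            elif ! valid_ipv4 "$v"; then
                echo "$key=$v is not a valid IPv4 address"
                problems=$((problems + 1))
            fi
        done
    fi
    for key in $(sed -n 's/^\([A-Z0-9_]*\)=.*/\1/p' "$f"); do
        case " $(echo $IFCFG_KNOWN) " in
            *" $key "*) ;;
            *) echo "unknown key $key (misspelled?)"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Write a constructed sample ifcfg file and print its path. $1 is the name used
# for the netmask key, so callers can reproduce the typo or the correct spelling.
write_sample_ifcfg() {
    tmp=$(mktemp)
    cat > "$tmp" <<EOF
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
$1=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2
EOF
    echo "$tmp"
}

# Stand-alone demo: the misspelled key versus the corrected spelling.
for spelling in METMASK NETMASK; do
    file=$(write_sample_ifcfg "$spelling")
    echo "== $spelling =="
    if ifcfg_check "$file"; then echo "ok"; fi
    rm -f "$file"
done
```

With METMASK the checker reports both a missing NETMASK and an unknown key, which is exactly the pair of symptoms a silent typo produces; with NETMASK it prints ok.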

5. Setting the hostname
# Set the hostname
[vincent@localhost ~]$ sudo hostnamectl set-hostname "VINCENT_ANNIE"

# Show the hostname
[vincent@localhost ~]$ sudo hostname
vincent_annie

# Show the hostname status
[vincent@localhost ~]$ sudo hostnamectl status 
   Static hostname: vincent_annie
   Pretty hostname: VINCENT_ANNIE
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 7f6fcf1f98784c2ab9b245dc748d02f8
           Boot ID: 9f0f35cddd1e401cbe7002085bc7f07c
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-327.el7.x86_64
      Architecture: x86-64

# Show the configuration file
[vincent@localhost ~]$ sudo cat /etc/hostname 
vincent_annie

6. Command auto-completion
# Requires the bash-completion package
$ sudo yum install bash-completion -y

# Source the profile so it takes effect
. /etc/profile

7. Services
1. CentOS 7 no longer uses chkconfig; services are managed by systemd
2. Enable a service to start at boot:
sudo systemctl enable sshd
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib/systemd/system/sshd.service.

3. Keep a service (here sshd) from starting at boot:
$ sudo systemctl disable sshd 
Removed symlink /etc/systemd/system/multi-user.target.wants/sshd.service.

4. Check the status of a service:
$ sudo systemctl status sshd 
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-03-22 13:48:01 EDT; 18h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1100 (sshd)
   CGroup: /system.slice/sshd.service
           └─1100 /usr/sbin/sshd -D

Mar 22 13:48:01 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Mar 22 13:48:01 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on 0.0.0.0 port 22.
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on :: port 22.
Mar 22 14:05:28 localhost.localdomain sshd[2249]: Accepted publickey for vincent from 1...4c
Mar 22 17:23:59 localhost.localdomain sshd[2401]: Accepted publickey for vincent from 1...4c
Mar 23 06:06:58 localhost.localdomain sshd[2909]: Accepted publickey for vincent from 1...4c
Mar 23 06:17:12 localhost.localdomain sshd[2935]: Accepted publickey for vincent from 1...4c
Hint: Some lines were ellipsized, use -l to show in full.

5. List all services
$ sudo systemctl list-units --type=service
  UNIT                              LOAD   ACTIVE SUB     DESCRIPTION
  auditd.service                    loaded active running Security Auditing Service
  crond.service                     loaded active running Command Scheduler
  dbus.service                      loaded active running D-Bus System Message Bus
  getty@tty1.service                loaded active running Getty on tty1
● kdump.service                     loaded failed failed  Crash recovery kernel arming
  kmod-static-nodes.service         loaded active exited  Create list of required static dev
  lvm2-lvmetad.service              loaded active running LVM2 metadata daemon
  lvm2-monitor.service              loaded active exited  Monitoring of LVM2 mirrors, snapsh
  lvm2-pvscan@8:2.service           loaded active exited  LVM2 PV scan on device 8:2
  network.service                   loaded active exited  LSB: Bring up/down networking
  NetworkManager.service            loaded active running Network Manager
  polkit.service                    loaded active running Authorization Manager

6. Start a service
$ sudo systemctl start sshd

7. Stop a service
$ sudo systemctl stop sshd

8. Restart a service
$ sudo systemctl restart sshd

9. Path of the startup (unit) files
$ ls /usr/lib/systemd/system | grep sshd 
sshd-keygen.service
sshd.service
sshd@.service
sshd.socket

10. Check whether a service is enabled at boot
$ sudo systemctl is-enabled sshd
enabled

8. systemd targets
1. A target is similar to a CentOS 6 runlevel, but several targets can be active at the same time. A target is really a group of units: booting the system simply means starting many units, and targets exist to manage those units conveniently.
2. When switching targets, processes started by the previous target are not stopped by default. systemctl isolate changes this behaviour: it stops every process of the previous target that does not belong to the new one.
Common commands
List all targets on the system
$ sudo systemctl list-unit-files --type=target

List the units a target contains
$ sudo systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─crond.service
● ├─dbus.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rsyslog.service

Show the default target used at boot
$ sudo systemctl get-default 
multi-user.target

Set the default target used at boot
$ sudo systemctl set-default multi-user.target 
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.

Switch target and, at the same time, stop every process of the previous target that the new target does not use
$ sudo systemctl isolate multi-user.target 
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.

9. systemd units
Path of unit files
/etc/systemd/system/

9.1. How systemd manages services
1. Services start in parallel rather than in sequence, which shortens boot time
2. The services a service depends on are detected automatically
3. systemd can manage every system resource; each kind of resource is called a unit
4. There are 12 unit types:
1. service unit: a system service
2. device unit: a hardware device
3. automount unit: an automount point
4. scope unit: an external process not started by systemd
5. slice unit: a process group
6. socket unit: a socket for inter-process communication
7. timer unit: a timer
8. target unit: a group of several units
9. mount unit: a filesystem mount point
10. path unit: a file or path
11. snapshot unit: a snapshot that can be switched back to
12. swap unit: a swap file
9.2. systemd unit commands
List running units
$ systemctl list-units
  UNIT                                            LOAD   ACTIVE SUB       DESCRIPTION
  proc-sys-fs-binfmt_misc.automount               loaded active waiting   Arbitrary Executable File Formats File System A
  sys-devices-pci0000:00-0000:00:07.1-ata2-host2-target2:0:0-2:0:0:0-block-sr0.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged   VMware_Virt
  sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged   LVM PV JFEt
  sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged   VMware_Virtual_S
  sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0-rfkill0.device loaded
  sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0.device loaded active 
  sys-devices-pci0000:00-0000:00:11.0-0000:02:01.0-net-eno16777736.device loaded active plugged   82545EM Gigabit Etherne
  sys-devices-pci0000:00-0000:00:11.0-0000:02:02.0-sound-card0.device loaded active plugged   ES1371 / Creative Labs CT25
  sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1
  sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2
  sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3
  sys-devices-pnp0-00:08-tty-ttyS0.device         loaded active plugged   /sys/devices/pnp0/00:08/tty/ttyS0

List all units, including those whose unit file was not found or that failed to start
$ sudo systemctl list-units --all 
  UNIT                                           LOAD      ACTIVE   SUB       DESCRIPTION
  proc-sys-fs-binfmt_misc.automount              loaded    active   waiting   Arbitrary Executable File Formats File Syst
  dev-block-8:2.device                           loaded    active   plugged   LVM PV JFEtl1-7nqO-8VWp-e1XQ-FG2g-vDNj-vLw6
  dev-cdrom.device                               loaded    active   plugged   VMware_Virtual_IDE_CDROM_Drive
  dev-centos-root.device                         loaded    active   plugged   /dev/centos/root
  dev-centos-swap.device                         loaded    active   plugged   /dev/centos/swap

List all units that are not running
$ sudo systemctl list-units --all --state=inactive
  UNIT                                   LOAD      ACTIVE   SUB  DESCRIPTION
  proc-sys-fs-binfmt_misc.mount          loaded    inactive dead Arbitrary Executable File Formats File System
  sys-fs-fuse-connections.mount          loaded    inactive dead FUSE Control File System
  tmp.mount                              loaded    inactive dead Temporary Directory
  systemd-ask-password-console.path      loaded    inactive dead Dispatch Password Requests to Console Directory Watch
  brandbot.service                       loaded    inactive dead Flexible Branding Service
  cpupower.service                       loaded    inactive dead Configure CPU power related settings
● display-manager.service                not-found inactive dead display-manager.service
  dm-event.service                       loaded    inactive dead Device-mapper event daemon
  dracut-shutdown.service                loaded    inactive dead Restore /run/initramfs

List all units that failed
$ sudo systemctl list-units --all --failed
  UNIT          LOAD   ACTIVE SUB    DESCRIPTION
● kdump.service loaded failed failed Crash recovery kernel arming

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.

List all running units of type service
$ sudo systemctl list-units --type=service
  UNIT                               LOAD   ACTIVE SUB     DESCRIPTION
  auditd.service                     loaded active running Security Auditing Service
  crond.service                      loaded active running Command Scheduler
  dbus.service                       loaded active running D-Bus System Message Bus
  getty@tty1.service                 loaded active running Getty on tty1

Show whether a unit is running
$ sudo systemctl is-active sshd.service 
active

Show whether a unit is in a failed state
$ sudo systemctl is-failed sshd.service 
active

Show whether a service unit has a startup link (is enabled at boot)
$ sudo systemctl is-enabled sshd.service 
enabled

9.3. How systemd units relate to targets
Location of the main configuration file
/etc/systemd/system.conf

At boot, /etc/systemd/system/default.target is loaded first
[root@vincent_annie ~]# ls /etc/systemd/system/default.target 
/etc/systemd/system/default.target
# As you can see, it is a symbolic link
[root@vincent_annie ~]# ls -l /etc/systemd/system/default.target 
lrwxrwxrwx. 1 root root 37 Mar 31 22:05 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
# Contents of /lib/systemd/system/multi-user.target
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes

/lib/systemd/system/multi-user.target loads the services in the /lib/systemd/system/multi-user.target.wants/ directory
# ls -l /lib/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 16 Mar 31 22:02 brandbot.path -> ../brandbot.path
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 dbus.service -> ../dbus.service
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 getty.target -> ../getty.target
lrwxrwxrwx. 1 root root 24 Mar 31 22:02 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx. 1 root root 29 Mar 31 22:02 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx. 1 root root 33 Mar 31 22:02 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx. 1 root root 25 Mar 31 22:02 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx. 1 root root 39 Mar 31 22:02 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx. 1 root root 32 Mar 31 22:02 systemd-user-sessions.service -> ../systemd-user-sessions.service

To find out which target a service belongs to, read its unit file and look at the [Install] section
[root@vincent_annie ~]# cat /lib/systemd/system/sshd.service 
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
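As an added example (not part of the original post and not systemd's own code), the following POSIX shell script reads the [Install] section of a unit file and reproduces, inside a temporary directory, the <target>.wants/ symlink that systemctl enable creates and systemctl disable removes, so the "Created symlink from ..." and "Removed symlink ..." output shown in section 7 can be followed offline. The functions unit_get, fake_enable, fake_disable, fake_is_enabled and write_sample_unit are this example's own; the sample unit is a constructed copy of the sshd.service above, and the fake system directory stands in for /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not from the original post or systemd): parse a unit file's
# sections and mimic what "systemctl enable/disable" do with wants symlinks.
# Everything happens under mktemp directories; no real unit is touched.

# Print the value of key $2 inside section $1 (e.g. Install WantedBy) of unit file $3.
unit_get() {
    awk -v section="[$1]" -v key="$2" '
        $0 == section { insec = 1; next }
        /^\[/        { insec = 0 }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$3"
}

# Mimic "systemctl enable <unit>" against a fake system dir $1 for unit file $2:
# link $1/<WantedBy target>.wants/<unit> -> <unit file>, as the real command does.
# Returns 1 when the unit has no [Install] WantedBy= line and so cannot be enabled.
fake_enable() {
    sysdir=$1; unitfile=$2; unit=$(basename "$unitfile")
    target=$(unit_get Install WantedBy "$unitfile")
    if [ -z "$target" ]; then
        echo "$unit has no [Install] WantedBy= line; nothing to enable" >&2
        return 1
    fi
    mkdir -p "$sysdir/$target.wants"
    ln -sf "$unitfile" "$sysdir/$target.wants/$unit"
    echo "Created symlink from $sysdir/$target.wants/$unit to $unitfile"
}

# Mimic "systemctl disable <unit>": remove the wants symlink again.
fake_disable() {
    sysdir=$1; unitfile=$2; unit=$(basename "$unitfile")
    target=$(unit_get Install WantedBy "$unitfile")
    [ -n "$target" ] || return 1
    rm -f "$sysdir/$target.wants/$unit"
    echo "Removed symlink $sysdir/$target.wants/$unit."
}

# Mimic "systemctl is-enabled": print enabled or disabled based on the symlink.
fake_is_enabled() {
    sysdir=$1; unitfile=$2; unit=$(basename "$unitfile")
    target=$(unit_get Install WantedBy "$unitfile")
    if [ -n "$target" ] && [ -L "$sysdir/$target.wants/$unit" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed copy of the sshd.service shown in the post, written to a temp dir.
write_sample_unit() {
    dir=$(mktemp -d)
    cat > "$dir/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF
    echo "$dir/sshd.service"
}

# Stand-alone demo of the enable / is-enabled / disable cycle.
UNIT=$(write_sample_unit)
SYSDIR=$(mktemp -d)
echo "WantedBy:  $(unit_get Install WantedBy "$UNIT")"
echo "ExecStart: $(unit_get Service ExecStart "$UNIT")"
fake_is_enabled "$SYSDIR" "$UNIT"
fake_enable "$SYSDIR" "$UNIT"
fake_is_enabled "$SYSDIR" "$UNIT"
fake_disable "$SYSDIR" "$UNIT"
fake_is_enabled "$SYSDIR" "$UNIT"
```

The point to take from it: "enabled" is nothing more than the presence of that symlink in the target's .wants directory, which is why a unit without an [Install] section cannot be enabled and why listing /etc/systemd/system/multi-user.target.wants/ tells you what will start at boot.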

10. Firewall
1. CentOS 7 no longer uses iptables; it uses firewalld
2. If you do not want to use firewalld, you can stop the firewalld service for now and install iptables-services instead.
The steps are as follows:

systemctl stop firewalld 
systemctl disable firewalld 
sudo systemctl disable firewalld 
yum install iptables-services 
systemctl enable iptables.service 
systemctl start iptables.service 
3. If you get "Failed to execute operation: Access denied", the firewalld package may not be installed; install it with
$ yum install -y firewalld

11. firewalld
11.1. Concepts
1. CentOS 6 uses a static firewall: the rules are kept in /etc/sysconfig/iptables, and updating them means reloading or restarting the iptables service, which amounts to flushing all existing rules and loading the ones in the configuration file again
2. CentOS 7 uses a dynamic firewall, firewalld. Unlike CentOS 6, there is no need to reload the whole configuration after updating a rule
3. Whether you use iptables or firewalld, the rules are configured underneath by the iptables tool
4. firewalld has the concepts of zone and service:
a. Each zone has a different set of iptables rules
b. There are 9 zones by default
c. The default zone on CentOS 7 is public
11.2. Commands
List all zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Show the default zone
# firewall-cmd --get-default-zone 
public

11.3. The 9 firewalld zones
drop: 
Any incoming packet is dropped without any reply. Only outgoing network connections are possible.
block: 
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public: 
For use in public areas. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone, which is publicly accessible and has limited access to your internal network; only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
home: For use at home. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
trusted: All network connections are accepted.
11.4. firewalld zone commands
1. Set the default zone
[root@vincent_annie ~]# firewall-cmd --set-default-zone=work 
success
# Show the default zone
[root@vincent_annie ~]# firewall-cmd --get-default-zone 
work

2. Show the zone an interface belongs to
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736 
no zone

3. Assign an interface to a zone
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=lo 
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo 
public

4. Change the zone of an interface
[root@vincent_annie ~]# firewall-cmd --zone=dmz --change-interface=lo 
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo 
dmz

5. Remove an interface from its zone
[root@vincent_annie ~]# firewall-cmd --zone=dmz --remove-interface=lo 
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo 
no zone

6. Show the zones of all interfaces
[root@vincent_annie ~]# firewall-cmd --get-active-zones 
block
  interfaces: lo
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736 
no zone
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=eno16777736 
success
[root@vincent_annie ~]# firewall-cmd --get-active-zones 
public
  interfaces: eno16777736
block
  interfaces: lo
[root@vincent_annie ~]# 

Show the full configuration of every zone
firewall-cmd --list-all-zones


11.5. firewalld service operations
The firewalld configuration files live under the /etc/firewalld directory
All zones are defined under the /usr/lib/firewalld/zones/ directory 

[root@vincent_annie firewalld]# ls /usr/lib/firewalld/zones/ 
block.xml drop.xml home.xml public.xml work.xml 
dmz.xml external.xml internal.xml trusted.xml 
/usr/lib/firewalld/services/ holds another kind of configuration file: one per concrete network service, such as ssh
Each of these files records the protocol and ports that service uses; in recent versions the services directory already defines 70+ services for us
A zone is essentially a set of services that together give it its behaviour
11.6. service commands
1. List all services
2. List the services loaded in the current zone
3. Show the services of a given zone
4. Add a service to a given zone
5. Add a service to a given zone and save it to the configuration file
6. Remove a service from a given zone
[root@vincent_annie firewalld]# # List all services in the current zone
# The warning below shows that the default zone differs from the zone the interfaces are in
[root@vincent_annie firewalld]# firewall-cmd --list-services 
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.

ssh dhcpv6-client

# Show the services of a given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services 
ssh dhcpv6-client

# Add a service to a given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql 
success
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql --permanent 
success

# --permanent writes the change to the configuration file; removal takes the same option
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs 
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs --permanent 
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
  <service name="nfs"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs 
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
  <service name="nfs"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs --permanent 
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# 

11.7. Adding firewalld rules
1. Add a custom rule
[root@vincent_annie firewalld]# # Add a custom port
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.

success
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public 
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
</zone>
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mysql"/>
  <port protocol="tcp" port="2222"/>
</zone>

2. Reload the firewall rules (mandatory whenever rules were edited by hand)
[root@vincent_annie firewalld]# # Reload without interrupting existing connections
[root@vincent_annie firewalld]# firewall-cmd --reload 
success
[root@vincent_annie firewalld]# 
[root@vincent_annie firewalld]# # Complete reload: interrupts connections and also clears state information
[root@vincent_annie firewalld]# firewall-cmd --complete-reload 
success

Adding and removing port ranges
# Remove a port range without updating the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --remove-port=2000-4000/tcp
success

# Add a port-range rule and write it to the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --add-port=2000-4000/tcp --permanent 
success

# Check that the rule was added
[root@vincent_annie firewalld]# grep 2000 /etc/firewalld/zones/work.xml 
  <port protocol="tcp" port="2000-4000"/>

Enable port forwarding
[root@vincent_annie firewalld]# firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2 --permanent 
success
[root@vincent_annie firewalld]# grep 127.0.0.2 /etc/firewalld/zones/home.xml 
  <forward-port to-addr="127.0.0.2" protocol="tcp" port="22"/>

11.8. Editing the configuration files
There are two configuration paths: /etc/firewalld/ and /usr/lib/firewalld
/etc/firewalld holds the configuration the system actually uses
/etc/firewalld/zones holds the configuration file of every zone that has been used so far; for example, with the default zone public, the directory contains public.xml, whose contents are the configured rules. Custom ports and the like are not shown by firewall-cmd --zone=public --list-services.

Take the following requirement:

Change the default FTP port from 21 to 1121, then configure the firewall rule accordingly. The steps are:

# Copy the service file to the override path
[root@vincent_annie firewalld]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

# Change the port in the copied file, here from the default 21 to 1121
[root@vincent_annie firewalld]# vim /etc/firewalld/services/ftp.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>

# Edit the configuration file of the work zone (this can also be done on the command line)
[root@vincent_annie firewalld]# vim /etc/firewalld/zones/work.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="2000-4000"/>
  <service name="ftp"/>
</zone>

# Reload the service
[root@vincent_annie firewalld]# firewall-cmd --reload 
success

# Show the services configured for the work zone
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services 
ssh dhcpv6-client ftp
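Added example, not part of the original post and not firewalld's own code: a POSIX shell script that parses the zone and service XML files described in 11.5 to 11.8 and computes the ports a zone actually admits, resolving each <service name="..."/> entry through the service definitions and giving a copy under etc/services precedence over lib/services, exactly the override the ftp.xml copy above relies on. The functions xml_ports, xml_services, service_file, zone_open_ports and make_sample_firewalld are this example's own; the XML files are constructed, simplified copies of the stock definitions written to a temporary base directory that stands in for / (etc/services for /etc/firewalld/services, lib/services for /usr/lib/firewalld/services, etc/zones for /etc/firewalld/zones).

```shell
#!/bin/sh
# Added example (not from the original post or firewalld): read firewalld's zone
# and service XML files and report the effective open ports of a zone, honouring
# the /etc-over-/usr/lib override. All files are constructed under mktemp -d.

# Print every port declared in firewalld XML file $1 as port/protocol, one per line.
xml_ports() {
    awk '/<port / {
        proto = ""; port = ""
        if (match($0, /protocol="[^"]*"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
        if (match($0, / port="[^"]*"/))    port  = substr($0, RSTART + 7,  RLENGTH - 8)
        if (proto != "" && port != "") print port "/" proto
    }' "$1"
}

# Print the service names referenced by zone file $1, in file order.
xml_services() {
    awk '/<service name=/ { if (match($0, /name="[^"]*"/)) print substr($0, RSTART + 6, RLENGTH - 7) }' "$1"
}

# Locate the definition of service $2 under base dir $1: a copy in etc/services
# overrides lib/services, which is why the post copies ftp.xml before editing it.
service_file() {
    if [ -f "$1/etc/services/$2.xml" ]; then echo "$1/etc/services/$2.xml"
    elif [ -f "$1/lib/services/$2.xml" ]; then echo "$1/lib/services/$2.xml"
    else return 1
    fi
}

# Print every port/protocol zone file $2 admits under base dir $1: first the ports
# of each referenced service, then the zone's own <port> entries.
zone_open_ports() {
    base=$1; zone=$2
    for svc in $(xml_services "$zone"); do
        if f=$(service_file "$base" "$svc"); then
            xml_ports "$f"
        else
            echo "unknown service $svc" >&2
        fi
    done
    xml_ports "$zone"
}

# Build the constructed sample tree and print its base directory.
make_sample_firewalld() {
    base=$(mktemp -d)
    mkdir -p "$base/lib/services" "$base/etc/services" "$base/etc/zones"
    # Simplified stand-ins for the stock service definitions (constructed).
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' '  <short>SSH</short>' \
        '  <port protocol="tcp" port="22"/>' '</service>' > "$base/lib/services/ssh.xml"
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' '  <short>DHCPv6 Client</short>' \
        '  <port protocol="udp" port="546"/>' '</service>' > "$base/lib/services/dhcpv6-client.xml"
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' '  <short>FTP</short>' \
        '  <port protocol="tcp" port="21"/>' '  <module name="nf_conntrack_ftp"/>' '</service>' \
        > "$base/lib/services/ftp.xml"
    # The override from the post: ftp.xml copied to etc and its port changed to 1121.
    sed 's/port="21"/port="1121"/' "$base/lib/services/ftp.xml" > "$base/etc/services/ftp.xml"
    # The work zone as the post leaves it.
    cat > "$base/etc/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="2000-4000"/>
  <service name="ftp"/>
</zone>
EOF
    echo "$base"
}

# Stand-alone demo.
BASE=$(make_sample_firewalld)
echo "work zone services: $(echo $(xml_services "$BASE/etc/zones/work.xml"))"
echo "ftp resolved from:  $(service_file "$BASE" ftp)"
echo "effective open ports of work:"
zone_open_ports "$BASE" "$BASE/etc/zones/work.xml"
```

Running it lists 22/tcp, 546/udp, 1121/tcp and 2000-4000/tcp for the work zone: the ftp entry resolves to 1121 because the edited copy under etc/services wins over the stock file, and the raw 2000-4000/tcp port shows up here even though --list-services never mentions it, which is the gap section 11.8 warns about.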


Reposted from https://blog.csdn.net/longyinyushi/article/details/79841367#113firewalld的9个zone
