1. The four modes (targets) of CentOS 7
2. Single-user mode
3. Rescue mode
4. Setting a static IP
5. Setting the hostname
6. Command auto-completion
7. Services
8. systemd targets
Common commands
9. systemd units
Location of unit files
9.1. How systemd manages services
9.2. systemd unit commands
9.3. How systemd units relate to targets
10. Firewall
11. firewalld
11.1. Concepts
11.2. Commands
11.3. The nine firewalld zones
11.4. firewalld zone commands
11.5. firewalld services
11.6. Service commands
11.7. Adding firewalld rules
11.8. Editing the configuration files
1. The four modes (targets) of CentOS 7
CentOS 7 no longer has runlevels 0-6; it has four targets instead:
graphical.target: multi-user mode with both graphical and command-line logins, corresponding to the old runlevels 3 and 5
multi-user.target: multi-user mode with command-line login only, corresponding to the old runlevel 3
rescue.target: single-user mode, corresponding to the old runlevel 1
emergency.target: single-user mode in which the root filesystem is mounted read-only
2. Single-user mode
CentOS 7 uses GRUB2, so the procedure differs from earlier releases.
2. Steps to enter single-user mode
a. On the kernel entry you want, press "e" to enter edit mode
b. Find the line that starts with "linux16" and contains "ro"; move to the end of that line, append " rd.break" (with a leading space), then press "Ctrl + x" to boot
c. Remount the "sysroot" directory with write permission: mount -o remount,rw /sysroot/
d. Switch into the system root: chroot /sysroot
e. Make SELinux take effect by forcing a relabel on the next boot: touch /.autorelabel
What you edited on that command line is exactly what /boot/grub2/grub.cfg provides. Editing that file directly is not recommended; editing the entry at boot time is the way to debug kernel parameters or run other tests.
sudo cat /boot/grub2/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
set pager=1
if [ -s $prefix/grubenv ]; then
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="${saved_entry}"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
terminal_output console
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=5
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=5
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
### END /etc/grub.d/00_tuned ###
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
source ${prefix}/user.cfg
if [ -n ${GRUB2_PASSWORD} ]; then
set superusers="root"
export superusers
password_pbkdf2 root ${GRUB2_PASSWORD}
fi
fi
### END /etc/grub.d/01_users ###
### BEGIN /etc/grub.d/10_linux ###
# These are the entry names shown in the boot menu
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 2f6558dc-9854-41f7-bec1-8785ae961bdc
else
search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
fi
# The line edited in the steps above is this one
# Append rd.break at the end, after LANG=en_US.UTF-8 (if garbled characters are a concern, LANG can be changed to zh_CN.UTF-8)
linux16 /vmlinuz-3.10.0-327.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
initrd16 /initramfs-3.10.0-327.el7.x86_64.img
}
menuentry 'CentOS Linux (0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8-advanced-ce29322c-fe72-4e09-8c15-fdc88d54a34f' {
load_video
insmod gzio
insmod part_msdos
insmod xfs
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 2f6558dc-9854-41f7-bec1-8785ae961bdc
else
search --no-floppy --fs-uuid --set=root 2f6558dc-9854-41f7-bec1-8785ae961bdc
fi
linux16 /vmlinuz-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet
initrd16 /initramfs-0-rescue-7f6fcf1f98784c2ab9b245dc748d02f8.img
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###
### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
3. Exiting single-user mode
Press Ctrl + d, then reboot
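A defender-side check that follows from the steps above: anyone with console access can press "e" and append rd.break, so the only thing standing between that and a root shell is the 01_users block in grub.cfg, which enforces a password only if /boot/grub2/user.cfg defines GRUB2_PASSWORD. The script below is an added example, not part of the original post; it writes a constructed grub.cfg and user.cfg into a temporary directory (the hash is a placeholder) and reports whether the menu is protected. On a real CentOS 7 host point it at /boot/grub2/grub.cfg and /boot/grub2/user.cfg.

```shell
#!/bin/bash
# Added example (not from the original post): check whether a GRUB2 menu is
# protected against editing kernel arguments (the "e" + rd.break procedure).

# grub_password_status GRUB_CFG USER_CFG
# Prints "protected", "misconfigured" or "unprotected" with a short reason.
# Returns 0 only when a superuser password is actually enforced.
grub_password_status() {
    local cfg="$1" usercfg="$2" has_pw=0 has_super=0 entries unrestricted
    # 01_users only sets superusers/password_pbkdf2 when user.cfg defines
    # GRUB2_PASSWORD (a grub.pbkdf2.sha512 hash).
    if [ -f "$usercfg" ] && grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$usercfg"; then
        has_pw=1
    fi
    # The generated grub.cfg must also contain the 01_users block that uses it.
    if grep -q 'password_pbkdf2 root \${GRUB2_PASSWORD}' "$cfg"; then
        has_super=1
    fi
    entries=$(grep -c '^menuentry ' "$cfg" || true)
    # --unrestricted entries may be booted without a password, but editing
    # them (pressing "e") still asks for the superuser password.
    unrestricted=$(grep -c '^menuentry .*--unrestricted' "$cfg" || true)
    if [ "$has_pw" -eq 1 ] && [ "$has_super" -eq 1 ]; then
        echo "protected: $unrestricted of $entries entries boot without a password; editing them requires it"
        return 0
    elif [ "$has_pw" -eq 1 ]; then
        echo "misconfigured: user.cfg has a hash but grub.cfg lacks the 01_users block (rerun grub2-mkconfig)"
        return 1
    fi
    echo "unprotected: anyone at the console can edit the kernel command line"
    return 1
}

# make_grub_samples: write constructed sample files and print their directory.
make_grub_samples() {
    local d
    d=$(mktemp -d)
    cat > "$d/grub.cfg" <<'EOF'
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n ${GRUB2_PASSWORD} ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-advanced' {
  linux16 /vmlinuz-3.10.0-327.el7.x86_64 root=/dev/mapper/centos-root ro rhgb quiet
}
menuentry 'CentOS Linux (0-rescue) 7 (Core)' --class centos --unrestricted $menuentry_id_option 'gnulinux-rescue' {
  linux16 /vmlinuz-0-rescue root=/dev/mapper/centos-root ro rhgb quiet
}
EOF
    # Placeholder hash; on CentOS 7 the grub2-setpassword tool writes the real one.
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDERHASH' > "$d/user.cfg"
    echo "$d"
}

dir=$(make_grub_samples)
grub_password_status "$dir/grub.cfg" "$dir/user.cfg" || true      # protected
grub_password_status "$dir/grub.cfg" "$dir/missing.cfg" || true   # unprotected
```

The three outcomes matter in practice: "unprotected" is the default state of a fresh install, and "misconfigured" is what you get when user.cfg is written by hand without regenerating grub.cfg.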
3. Rescue mode
1. Boot from the optical drive
2. Choose "Troubleshooting"
3. Choose "Rescue a CentOS system"
4. Continue
5. chroot /mnt/sysimage
4. Setting a static IP
Edit the interface configuration file
sudo vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=73a35962-27e5-43a8-931b-f3724ac86f0b
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
NETMASK=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2
Restart the network service
[vincent@localhost ~]$ sudo systemctl restart network
[vincent@localhost ~]$ sudo systemctl status network
● network.service - LSB: Bring up/down networking
Loaded: loaded (/etc/rc.d/init.d/network)
Active: active (exited) since Thu 2018-03-22 13:44:01 EDT; 8s ago
Docs: man:systemd-sysv-generator(8)
Process: 2517 ExecStop=/etc/rc.d/init.d/network stop (code=exited, status=0/SUCCESS)
Process: 2764 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
Mar 22 13:44:01 localhost.localdomain systemd[1]: Starting LSB: Bring up/down networking...
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up loopback interface: Could not load file '/etc/syscon...g-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: Could not load file '/etc/sysconfig/network-scripts/ifcfg-lo'
Mar 22 13:44:01 localhost.localdomain network[2764]: [ OK ]
Mar 22 13:44:01 localhost.localdomain network[2764]: Bringing up interface eno16777736: Connection successfully activ...on/1)
Mar 22 13:44:01 localhost.localdomain network[2764]: [ OK ]
Mar 22 13:44:01 localhost.localdomain systemd[1]: Started LSB: Bring up/down networking.
Hint: Some lines were ellipsized, use -l to show in full.
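Before restarting the network it is worth validating the file, because the network scripts simply ignore keys they do not recognise: a typo such as METMASK in place of NETMASK leaves the interface without a netmask and produces no error. The script below is an added example, not part of the original post; the list of accepted keys is an illustrative subset chosen for this check, and both sample files are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check an
# /etc/sysconfig/network-scripts/ifcfg-* file before "systemctl restart network".

# cfg_get FILE KEY: print the value of KEY (last occurrence), or nothing.
cfg_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_ifcfg FILE: print one line per problem found; return 1 if any.
check_ifcfg() {
    local file="$1" errors=0 line key
    # Accepted keys: the ones used in the file above plus a few common ones.
    # This is an illustrative subset, not the full ifcfg vocabulary.
    local known=" TYPE BOOTPROTO DEFROUTE PEERDNS PEERROUTES IPV4_FAILURE_FATAL IPV6INIT IPV6_AUTOCONF IPV6_DEFROUTE IPV6_PEERDNS IPV6_PEERROUTES IPV6_FAILURE_FATAL NAME UUID DEVICE ONBOOT IPADDR NETMASK PREFIX GATEWAY DNS1 DNS2 HWADDR "
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        case "$known" in
            *" $key "*) ;;
            *) echo "unknown key '$key': a typo here is silently ignored by the network scripts"
               errors=$((errors + 1)) ;;
        esac
    done < "$file"
    if [ "$(cfg_get "$file" BOOTPROTO)" = "static" ]; then
        for key in IPADDR GATEWAY; do
            [ -n "$(cfg_get "$file" "$key")" ] || { echo "BOOTPROTO=static but $key is not set"; errors=$((errors + 1)); }
        done
        if [ -z "$(cfg_get "$file" NETMASK)" ] && [ -z "$(cfg_get "$file" PREFIX)" ]; then
            echo "BOOTPROTO=static but neither NETMASK nor PREFIX is set"
            errors=$((errors + 1))
        fi
    fi
    [ "$(cfg_get "$file" ONBOOT)" = "yes" ] || { echo "ONBOOT is not yes: the interface will not come up at boot"; errors=$((errors + 1)); }
    [ "$errors" -eq 0 ]
}

# make_ifcfg_samples: constructed files, one with the METMASK typo and one fixed.
make_ifcfg_samples() {
    local d
    d=$(mktemp -d)
    cat > "$d/ifcfg-bad" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.16.81.141
METMASK=255.255.255.0
GATEWAY=172.16.81.2
DNS1=172.16.81.2
EOF
    sed 's/^METMASK=/NETMASK=/' "$d/ifcfg-bad" > "$d/ifcfg-good"
    echo "$d"
}

dir=$(make_ifcfg_samples)
echo "== ifcfg-bad";  check_ifcfg "$dir/ifcfg-bad"  || echo "-> fix before restarting network"
echo "== ifcfg-good"; check_ifcfg "$dir/ifcfg-good" && echo "-> ok"
```

The typo is reported twice, once as an unknown key and once as the missing NETMASK it causes, which is the symptom you would otherwise only notice when the interface comes up with the wrong mask.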
5. Setting the hostname
# Set the hostname
[vincent@localhost ~]$ sudo hostnamectl set-hostname "VINCENT_ANNIE"
# Show the hostname
[vincent@localhost ~]$ sudo hostname
vincent_annie
# Show the hostname status
[vincent@localhost ~]$ sudo hostnamectl status
Static hostname: vincent_annie
Pretty hostname: VINCENT_ANNIE
Icon name: computer-vm
Chassis: vm
Machine ID: 7f6fcf1f98784c2ab9b245dc748d02f8
Boot ID: 9f0f35cddd1e401cbe7002085bc7f07c
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
# Show the configuration file
[vincent@localhost ~]$ sudo cat /etc/hostname
vincent_annie
6. Command auto-completion
# bash-completion needs to be installed
$ sudo yum install bash-completion -y
# Source the profile so the configuration takes effect
. /etc/profile
7. Services
1. CentOS 7 no longer uses chkconfig; services are managed by systemd
2. Enable a service at boot:
sudo systemctl enable sshd
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib/systemd/system/sshd.service.
3. Prevent a service from starting at boot:
$ sudo systemctl disable sshd
Removed symlink /etc/systemd/system/multi-user.target.wants/sshd.service.
4. Check the status of a service:
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-03-22 13:48:01 EDT; 18h ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1100 (sshd)
CGroup: /system.slice/sshd.service
└─1100 /usr/sbin/sshd -D
Mar 22 13:48:01 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Mar 22 13:48:01 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on 0.0.0.0 port 22.
Mar 22 13:48:01 localhost.localdomain sshd[1100]: Server listening on :: port 22.
Mar 22 14:05:28 localhost.localdomain sshd[2249]: Accepted publickey for vincent from 1...4c
Mar 22 17:23:59 localhost.localdomain sshd[2401]: Accepted publickey for vincent from 1...4c
Mar 23 06:06:58 localhost.localdomain sshd[2909]: Accepted publickey for vincent from 1...4c
Mar 23 06:17:12 localhost.localdomain sshd[2935]: Accepted publickey for vincent from 1...4c
Hint: Some lines were ellipsized, use -l to show in full.
5. List all services
$ sudo systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
● kdump.service loaded failed failed Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required static dev
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapsh
lvm2-pvscan@8:2.service loaded active exited LVM2 PV scan on device 8:2
network.service loaded active exited LSB: Bring up/down networking
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
6. Start a service
$ sudo systemctl start sshd
7. Stop a service
$ sudo systemctl stop sshd
8. Restart a service
$ sudo systemctl restart sshd
9. Location of the unit (startup script) files
$ ls /usr/lib/systemd/system | grep sshd
sshd-keygen.service
sshd.service
sshd@.service
sshd.socket
10. Check whether a service is enabled at boot
$ sudo systemctl is-enabled sshd
enabled
8. systemd targets
1. A target is similar to a CentOS 6 runlevel, but several targets can be active at the same time. A target is really a group of units: booting the system amounts to starting a set of units, and targets exist to make managing those units convenient
2. When switching targets, processes started by the previous target are by default left running. systemctl isolate changes this: it stops every process of the previous target that does not belong to the new one
Common commands
List all targets on the system
$ sudo systemctl list-unit-files --type=target
List the units a target contains
$ sudo systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─crond.service
● ├─dbus.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rsyslog.service
Show the default boot target
$ sudo systemctl get-default
multi-user.target
Set the default boot target
$ sudo systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
Switch target, stopping every process of the previous target that the new target does not use
$ sudo systemctl isolate multi-user.target
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.
9. systemd units
Location of unit files
/etc/systemd/system/
9.1. How systemd manages services
1. Services are started in parallel rather than one after another, so boot time is short
2. The services a service depends on are detected automatically
3. systemd can manage every system resource; each kind of resource is called a unit
4. There are 12 unit types:
1. service unit: a system service
2. device unit: a hardware device
3. automount unit: an automount point
4. scope unit: an external process not started by systemd
5. slice unit: a process group
6. socket unit: a socket for inter-process communication
7. timer unit: a timer
8. target unit: a group of several units
9. mount unit: a filesystem mount point
10. path unit: a file or path
11. snapshot unit: a snapshot the system can be switched back to
12. swap unit: a swap file
9.2. systemd unit commands
List the running units
$ systemctl list-units
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File System A
sys-devices-pci0000:00-0000:00:07.1-ata2-host2-target2:0:0-2:0:0:0-block-sr0.device loaded active plugged VMware_Virt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged VMware_Virt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged LVM PV JFEt
sys-devices-pci0000:00-0000:00:10.0-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged VMware_Virtual_S
sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0-rfkill0.device loaded
sys-devices-pci0000:00-0000:00:11.0-0000:02:00.0-usb2-2\x2d2-2\x2d2.1-2\x2d2.1:1.0-bluetooth-hci0.device loaded active
sys-devices-pci0000:00-0000:00:11.0-0000:02:01.0-net-eno16777736.device loaded active plugged 82545EM Gigabit Etherne
sys-devices-pci0000:00-0000:00:11.0-0000:02:02.0-sound-card0.device loaded active plugged ES1371 / Creative Labs CT25
sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
sys-devices-pnp0-00:08-tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:08/tty/ttyS0
List all units, including those whose unit file was not found or that failed to start
$ sudo systemctl list-units --all
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File Syst
dev-block-8:2.device loaded active plugged LVM PV JFEtl1-7nqO-8VWp-e1XQ-FG2g-vDNj-vLw6
dev-cdrom.device loaded active plugged VMware_Virtual_IDE_CDROM_Drive
dev-centos-root.device loaded active plugged /dev/centos/root
dev-centos-swap.device loaded active plugged /dev/centos/swap
List all units that are not running
$ sudo systemctl list-units --all --state=inactive
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.mount loaded inactive dead Arbitrary Executable File Formats File System
sys-fs-fuse-connections.mount loaded inactive dead FUSE Control File System
tmp.mount loaded inactive dead Temporary Directory
systemd-ask-password-console.path loaded inactive dead Dispatch Password Requests to Console Directory Watch
brandbot.service loaded inactive dead Flexible Branding Service
cpupower.service loaded inactive dead Configure CPU power related settings
● display-manager.service not-found inactive dead display-manager.service
dm-event.service loaded inactive dead Device-mapper event daemon
dracut-shutdown.service loaded inactive dead Restore /run/initramfs
List all units that failed to load
$ sudo systemctl list-units --all --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● kdump.service loaded failed failed Crash recovery kernel arming
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
1 loaded units listed.
To show all installed unit files use 'systemctl list-unit-files'.
List all running units of type service
$ sudo systemctl list-units --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
Show whether a unit is running
$ sudo systemctl is-active sshd.service
active
Show whether a unit is in a failed state
$ sudo systemctl is-failed sshd.service
active
Show whether a unit has a startup symlink (is enabled at boot)
$ sudo systemctl is-enabled sshd.service
enabled
9.3. How systemd units relate to targets
Location of the main configuration file
/etc/systemd/system.conf
At boot, /etc/systemd/system/default.target is loaded first
[root@vincent_annie ~]# ls /etc/systemd/system/default.target
/etc/systemd/system/default.target
# As you can see, it is a symlink
[root@vincent_annie ~]# ls -l /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 37 Mar 31 22:05 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
# Contents of /lib/systemd/system/multi-user.target
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
/lib/systemd/system/multi-user.target loads the services in the directory /lib/systemd/system/multi-user.target.wants/
# ls -l /lib/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 16 Mar 31 22:02 brandbot.path -> ../brandbot.path
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 dbus.service -> ../dbus.service
lrwxrwxrwx. 1 root root 15 Mar 31 22:02 getty.target -> ../getty.target
lrwxrwxrwx. 1 root root 24 Mar 31 22:02 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx. 1 root root 29 Mar 31 22:02 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx. 1 root root 33 Mar 31 22:02 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx. 1 root root 25 Mar 31 22:02 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx. 1 root root 39 Mar 31 22:02 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx. 1 root root 32 Mar 31 22:02 systemd-user-sessions.service -> ../systemd-user-sessions.service
To see which target a service belongs to, look at the [Install] section of its unit file
[root@vincent_annie ~]# cat /lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
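To make the relationship concrete: systemctl enable reads WantedBy= from the [Install] section and creates the symlink under /etc/systemd/system/<target>.wants/ that the "Created symlink ..." message in section 7 reports, and systemctl is-enabled simply checks whether that symlink exists. The script below is an added example, not part of the original post or of systemd; it re-implements those steps over a constructed directory tree (a fake root under mktemp holding the sshd.service text above), so the mechanism can be inspected without touching a live system.

```shell
#!/bin/bash
# Added example (not from the original post): what "systemctl enable",
# "systemctl disable" and "systemctl is-enabled" do with the [Install] section,
# performed on a constructed tree under ROOT instead of the real / .

# unit_wanted_by UNIT_FILE: print each target named in [Install] WantedBy=
unit_wanted_by() {
    awk -F= '
        /^\[/ { section = $0 }
        section == "[Install]" && $1 == "WantedBy" { print $2 }
    ' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# unit_is_enabled ROOT UNIT_FILE: print enabled / disabled / static
unit_is_enabled() {
    local root="$1" unit="$2" name target targets
    name=$(basename "$unit")
    targets=$(unit_wanted_by "$unit")
    if [ -z "$targets" ]; then
        echo static; return 1      # no [Install] section: nothing to enable
    fi
    for target in $targets; do
        if [ ! -L "$root/etc/systemd/system/$target.wants/$name" ]; then
            echo disabled; return 1
        fi
    done
    echo enabled
}

# unit_enable ROOT UNIT_FILE: create the symlink(s) the way systemctl enable does
unit_enable() {
    local root="$1" unit="$2" name target
    name=$(basename "$unit")
    for target in $(unit_wanted_by "$unit"); do
        mkdir -p "$root/etc/systemd/system/$target.wants"
        ln -sfn "$unit" "$root/etc/systemd/system/$target.wants/$name"
        echo "Created symlink from $root/etc/systemd/system/$target.wants/$name to $unit"
    done
}

# unit_disable ROOT UNIT_FILE: remove those symlinks again
unit_disable() {
    local root="$1" unit="$2" name target link
    name=$(basename "$unit")
    for target in $(unit_wanted_by "$unit"); do
        link="$root/etc/systemd/system/$target.wants/$name"
        if [ -L "$link" ]; then rm -f "$link"; echo "Removed symlink $link"; fi
    done
}

# make_unit_samples: constructed fake root holding the sshd.service shown above
make_unit_samples() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/systemd/system"
    cat > "$root/usr/lib/systemd/system/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
EOF
    echo "$root"
}

root=$(make_unit_samples)
unit=$root/usr/lib/systemd/system/sshd.service
unit_is_enabled "$root" "$unit" || true   # disabled
unit_enable "$root" "$unit"
unit_is_enabled "$root" "$unit"           # enabled
```

Because enabling is nothing more than a symlink, an auditor can list /etc/systemd/system/*.wants/ to see exactly which services a host starts at boot, independently of what systemctl reports.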
10. Firewall
1. CentOS 7 no longer uses iptables by default; it uses firewalld
2. If you do not want to use firewalld, you can stop the firewalld service for now and install iptables-services instead
The steps are as follows
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services
systemctl enable iptables.service
systemctl start iptables.service
3. If you see "Failed to execute operation: Access denied", the firewalld package may not be installed; install it with
$ yum install -y firewalld
11. firewalld
11.1. Concepts
1. CentOS 6 uses a static firewall: the rules are kept in /etc/sysconfig/iptables, and after changing them you must reload or restart the iptables service, which amounts to flushing all existing rules and loading the ones in the file again
2. CentOS 7 uses a dynamic firewall, firewalld; unlike CentOS 6, changing a rule does not require reloading the whole configuration
3. Whether you use iptables or firewalld, the rules are ultimately configured by the iptables tool underneath
4. firewalld has the concepts of zone and service
a. Each zone has its own set of iptables rules
b. There are nine zones by default
c. The default zone on CentOS 7 is public
11.2. Commands
List all zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Show the default zone
# firewall-cmd --get-default-zone
public
11.3. The nine firewalld zones
drop: any incoming packet is dropped without a reply; only outgoing connections are possible
block: any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or icmp6-adm-prohibited for IPv6
public: for use in public areas; you cannot trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
external: for external networks, especially with masquerading enabled on a router; you cannot trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
dmz: for computers in your demilitarized zone, which is publicly accessible and has limited access to your internal network; only selected incoming connections are accepted
work: for work areas; you can mostly trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
home: for home networks; you can mostly trust the other computers on the network not to harm yours, and only selected incoming connections are accepted
internal: for internal networks; you can mostly trust the computers on the network not to threaten yours, and only selected incoming connections are accepted
trusted: all network connections are accepted
11.4. firewalld zone commands
1. Set the default zone
[root@vincent_annie ~]# firewall-cmd --set-default-zone=work
success
# Show the default zone
[root@vincent_annie ~]# firewall-cmd --get-default-zone
work
2. Show the zone of a given interface
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736
no zone
3. Assign a zone to an interface
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
public
4. Change the zone of an interface
[root@vincent_annie ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
dmz
5. Remove an interface from its zone
[root@vincent_annie ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=lo
no zone
6. Show the zones of all interfaces (active zones)
[root@vincent_annie ~]# firewall-cmd --get-active-zones
block
interfaces: lo
[root@vincent_annie ~]# firewall-cmd --get-zone-of-interface=eno16777736
no zone
[root@vincent_annie ~]# firewall-cmd --zone=public --add-interface=eno16777736
success
[root@vincent_annie ~]# firewall-cmd --get-active-zones
public
interfaces: eno16777736
block
interfaces: lo
Show the full configuration of every zone
firewall-cmd --list-all-zones
11.5. firewalld services
firewalld's configuration files live under /etc/firewalld
All zone definitions are in /usr/lib/firewalld/zones/
[root@vincent_annie firewalld]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
/usr/lib/firewalld/services/ holds another kind of configuration file: each one describes a specific network service, such as ssh
Each file records the protocol and ports that service uses; in recent versions the services directory already defines 70+ services ready to use
A zone is essentially a selection of services, which is how different zones provide different behaviour
11.6. Service commands
1. List all services
2. List the services loaded in the current zone
3. List the services of a given zone
4. Add a service to a given zone
5. Add a service to a given zone and save it to the configuration file
6. Remove a service from a given zone
[root@vincent_annie firewalld]# # List all services in the current zone
# The warning below shows that the default zone and the zone of the interfaces differ
[root@vincent_annie firewalld]# firewall-cmd --list-services
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.
ssh dhcpv6-client
# List the services of a given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client
# Add a service to the given zone
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql
success
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=mysql --permanent
success
# --permanent writes the change to the configuration file; removal accepts the same option
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
[root@vincent_annie firewalld]# firewall-cmd --zone=public --add-service=nfs --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
[root@vincent_annie firewalld]# firewall-cmd --zone=public --remove-service=nfs --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
11.7. Adding firewalld rules
1. Add a custom rule
[root@vincent_annie firewalld]# # Add a custom port
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'public,block' (see --get-active-zones)
You most likely need to use --zone=public option.
success
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
[root@vincent_annie firewalld]# firewall-cmd --add-port=2222/tcp --zone=public --permanent
success
[root@vincent_annie firewalld]# cat /etc/firewalld/zones/public.xml
2. Reload the firewall rules (after editing rule files by hand you must reload the configuration)
[root@vincent_annie firewalld]# # Reload without interrupting existing connections
[root@vincent_annie firewalld]# firewall-cmd --reload
success
[root@vincent_annie firewalld]# # Complete reload: interrupts connections and also discards state information
[root@vincent_annie firewalld]# firewall-cmd --complete-reload
success
Adding and removing port ranges
# Remove a port range, without updating the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --remove-port=2000-4000/tcp
success
# Add a port-range rule and write it to the configuration file
[root@vincent_annie firewalld]# firewall-cmd --zone=work --add-port=2000-4000/tcp --permanent
success
# Check that the rule was added
[root@vincent_annie firewalld]# grep 2000 /etc/firewalld/zones/work.xml
Enable port forwarding
[root@vincent_annie firewalld]# firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2 --permanent
success
[root@vincent_annie firewalld]# grep 127.0.0.2 /etc/firewalld/zones/home.xml
11.8. Editing the configuration files
There are two configuration directories: /etc/firewalld/ and /usr/lib/firewalld
/etc/firewalld holds the configuration the system actually uses
/etc/firewalld/zones holds the files of the zones that have been used; for example, when the default zone is public, that directory contains public.xml with the configured rules. Anything defined there other than services, such as custom ports, is not shown by firewall-cmd --zone=public --list-services
Here is an example requirement:
Change ftp's default port from 21 to 1121, then configure the firewall rules accordingly. The steps are as follows
# Copy the service definition file to /etc/firewalld/services/
[root@vincent_annie firewalld]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
# Change the port in the copied file; here the default 21 becomes 1121
[root@vincent_annie firewalld]# vim /etc/firewalld/services/ftp.xml
# Edit the configuration file of zone work (this can also be done from the command line)
[root@vincent_annie firewalld]# vim /etc/firewalld/zones/work.xml
# Reload the service
[root@vincent_annie firewalld]# firewall-cmd --reload
success
# List the services configured for zone work
[root@vincent_annie firewalld]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
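The cat /etc/firewalld/zones/public.xml calls in 11.6 and 11.7 are where --permanent changes become visible, and the ftp procedure above relies on /etc/firewalld/services/ftp.xml taking precedence over the copy in /usr/lib/firewalld/services/. The script below is an added example, not part of the original post or of firewalld; it builds a constructed configuration tree (zone and service files in firewalld's XML format) under a temporary root and reads back what a zone actually opens, including the explicit ports and forward-ports that --list-services leaves out and the overridden ftp port.

```shell
#!/bin/bash
# Added example (not from the original post): read firewalld's permanent
# configuration (zone and service XML files) and list what a zone really
# opens.  ROOT is a constructed tree here; use ROOT="" on a real host.

# xml_attr NAME: read one XML tag on stdin, print the value of attribute NAME
xml_attr() { sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"; }

# xml_ports FILE: every <port .../> element as PORT/PROTO (zone or service file)
xml_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r tag; do
        echo "$(printf '%s' "$tag" | xml_attr port)/$(printf '%s' "$tag" | xml_attr protocol)"
    done
}

# zone_services ZONEFILE: the service names a zone enables
zone_services() { grep -o '<service name="[^"]*"' "$1" | sed 's/^<service name="//;s/"$//'; }

# zone_forward_ports ZONEFILE: forward-port rules as PORT/PROTO -> ADDR
zone_forward_ports() {
    grep -o '<forward-port [^>]*/>' "$1" | while IFS= read -r tag; do
        echo "$(printf '%s' "$tag" | xml_attr port)/$(printf '%s' "$tag" | xml_attr protocol) -> $(printf '%s' "$tag" | xml_attr to-addr)"
    done
}

# service_ports ROOT NAME: ports of a service; /etc/firewalld/services overrides
# /usr/lib/firewalld/services, which is what the ftp procedure above relies on.
service_ports() {
    local f="$1/etc/firewalld/services/$2.xml"
    [ -f "$f" ] || f="$1/usr/lib/firewalld/services/$2.xml"
    [ -f "$f" ] || return 0
    xml_ports "$f"
}

# zone_effective_ports ROOT ZONEFILE: ports opened through services plus the
# explicit <port> entries that "firewall-cmd --list-services" does not show
zone_effective_ports() {
    local name
    {
        for name in $(zone_services "$2"); do service_ports "$1" "$name"; done
        xml_ports "$2"
    } | LC_ALL=C sort -u
}

# make_firewalld_samples: constructed tree mirroring the 11.8 scenario above
make_firewalld_samples() {
    local r
    r=$(mktemp -d)
    mkdir -p "$r/usr/lib/firewalld/services" "$r/etc/firewalld/services" "$r/etc/firewalld/zones"
    echo '<service><short>SSH</short><port protocol="tcp" port="22"/></service>' > "$r/usr/lib/firewalld/services/ssh.xml"
    echo '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>' > "$r/usr/lib/firewalld/services/dhcpv6-client.xml"
    echo '<service><short>FTP</short><port protocol="tcp" port="21"/></service>' > "$r/usr/lib/firewalld/services/ftp.xml"
    # the copy placed in /etc/firewalld/services and edited to port 1121
    echo '<service><short>FTP</short><port protocol="tcp" port="1121"/></service>' > "$r/etc/firewalld/services/ftp.xml"
    cat > "$r/etc/firewalld/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
  <port protocol="tcp" port="2000-4000"/>
</zone>
EOF
    cat > "$r/etc/firewalld/zones/home.xml" <<'EOF'
<zone>
  <short>Home</short>
  <service name="ssh"/>
  <forward-port port="22" protocol="tcp" to-addr="127.0.0.2"/>
</zone>
EOF
    echo "$r"
}

root=$(make_firewalld_samples)
echo "work services: $(zone_services "$root/etc/firewalld/zones/work.xml" | tr '\n' ' ')"
echo "work effective ports:"; zone_effective_ports "$root" "$root/etc/firewalld/zones/work.xml"
echo "home forward-ports:";   zone_forward_ports "$root/etc/firewalld/zones/home.xml"
```

Reading the permanent files this way is also a quick drift check: compare the result with the runtime view from firewall-cmd --list-all, and anything that appears in only one of the two is a change that was made without --permanent, or one that has not been loaded with --reload yet.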
Reposted from https://blog.csdn.net/longyinyushi/article/details/79841367#113firewalld的9个zone