RHEL7 and CentOS7 firewall management explained

  The two commands traditionally used to start, stop and restart the firewall are:

1. service iptables stop

2. /etc/init.d/iptables stop

  On RHEL7 and CentOS7 these fail, because the legacy iptables service unit is not installed by default (it ships separately in the iptables-services package) and the default firewall front end is firewalld:

[[email protected] ~]# cat /etc/redhat-release  
Red Hat Enterprise Linux Server release 7.0 (Maipo) 
[[email protected] ~]# service iptables stop 
Redirecting to /bin/systemctl stop  iptables.service 
[[email protected] ~]# /etc/init.d/iptables stop 
-bash: /etc/init.d/iptables: No such file or directory

  Or, on CentOS:

[[email protected] ~]#  cat /etc/redhat-release  
CentOS Linux release 7.2.1511 (Core)  
[[email protected] ~]# service iptables stop 
Redirecting to /bin/systemctl stop  iptables.service 
Failed to stop iptables.service: Unit iptables.service not loaded. 
[[email protected] ~]# /etc/init.d/iptables stop 
-bash: /etc/init.d/iptables: No such file or directory

  The reason is that from RHEL7 and CentOS7 onward, services are managed with systemctl, which takes over the roles of both service (start/stop/restart) and chkconfig (enable/disable at boot). The old service command survives only as a shim that redirects to systemctl, as the "Redirecting to /bin/systemctl" line above shows.

[[email protected] ~]# systemctl list-unit-files|grep firewall 
firewalld.service                           disabled

  Managing the firewall with systemctl:

Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Show a service's status: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service is enabled at boot (exit code 0 means enabled): systemctl is-enabled firewalld.service; echo $?
List the services enabled at boot: systemctl list-unit-files | grep enabled
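The commands above answer two different questions: systemctl list-unit-files and is-enabled report whether a unit starts at boot, while systemctl status and is-active report whether it is running right now. The script below is an added example, not part of the original post, that keeps the two apart; the function names are mine, and the listing format it parses is the one systemctl list-unit-files prints (unit name in the first column, state in the second).

```shell
#!/bin/sh
# Added example (not from the original post): tell "enabled at boot" apart
# from "running now" for a systemd unit. `systemctl list-unit-files` reports
# only the boot setting; `systemctl is-active` reports the current state.
# The parsing functions take command output as arguments so they can be
# exercised without systemd; report_unit runs against the live system.

# Print the STATE column for unit $2 from a `systemctl list-unit-files`
# listing passed as $1. Header and footer lines never match a unit name.
# Prints "absent" when there is no unit file at all, which is what you get
# for iptables.service on a stock RHEL7/CentOS7 install.
unit_file_state() {
    state=$(printf '%s\n' "$1" | awk -v u="$2" '$1 == u { print $2; exit }')
    printf '%s' "${state:-absent}"
}

# Turn the current state ($1, as printed by `systemctl is-active`) and the
# boot setting ($2, as printed by unit_file_state) into a one-line verdict.
unit_verdict() {
    case "$1/$2" in
        active/enabled)    echo "running now and starts at boot" ;;
        active/disabled)   echo "running now, but will NOT start at boot" ;;
        inactive/enabled)  echo "stopped now, but will start at boot" ;;
        inactive/disabled) echo "stopped now and will not start at boot" ;;
        */absent)          echo "no unit file installed for this unit" ;;
        *)                 echo "unexpected combination: $1/$2" ;;
    esac
}

# Live check, e.g. `report_unit firewalld.service` on a RHEL7/CentOS7 box.
# is-active exits non-zero for a stopped unit, so its failure is swallowed.
report_unit() {
    unit="${1:-firewalld.service}"
    listing=$(systemctl list-unit-files --type=service --no-pager 2>/dev/null)
    active=$(systemctl is-active "$unit" 2>/dev/null || true)
    printf '%s: %s\n' "$unit" \
        "$(unit_verdict "${active:-unknown}" "$(unit_file_state "$listing" "$unit")")"
}
```

Source the file and call report_unit firewalld.service; on the host in the examples below it would print "stopped now and will not start at boot" after step 1 and "running now, but will NOT start at boot" after step 2, which is exactly the state the listings show.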

Examples:

1. Stop the firewall and check its state

[[email protected] ~]# systemctl stop firewalld.service 
[[email protected] ~]# systemctl list-unit-files |grep firewall 
firewalld.service                           disabled 
[[email protected] ~]# firewall-cmd --permanent --list-port 
FirewallD is not running 
[[email protected] ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) 
   Active: inactive (dead) 
 
Nov 25 16:16:52 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon... 
Nov 25 16:16:52 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon. 
Nov 25 16:17:03 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon. 
Nov 25 16:18:10 CTU1000094955 systemd[1]: Stopping firewalld - dynamic firewall daemon... 
Nov 25 16:18:11 CTU1000094955 systemd[1]: Stopped firewalld - dynamic firewall daemon.

  Note that list-unit-files still says "disabled" after the stop: that column is the boot setting, which systemctl stop does not touch. The "Active: inactive (dead)" line of systemctl status is what shows the daemon is down, and while it is down firewall-cmd cannot read even the permanent configuration, because the client talks to the daemon over D-Bus rather than reading the files itself.

2. Start the firewall and check its state

[[email protected] ~]# systemctl start firewalld.service 
[[email protected] ~]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) 
   Active: active (running) since Sat 2017-11-25 16:20:44 CST; 5s ago 
 Main PID: 7677 (firewalld) 
   CGroup: /system.slice/firewalld.service 
           └─7677 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
 
Nov 25 16:20:43 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon... 
Nov 25 16:20:44 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon. 
[[email protected] ~]# systemctl list-unit-files |grep firewall 
firewalld.service                           disabled 
[[email protected] ~]# firewall-cmd --permanent --list-port 
10001/tcp 80/tcp

  The firewall can also be operated with firewall-cmd, the command-line client of the firewalld daemon:

[[email protected] ~]# man firewall-cmd
FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.

       The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration.

OPTIONS
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, NOT_RUNNING otherwise (see the section called "EXIT CODES"). This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration, i.e. all runtime only changes done until reload are lost with reload if they have not been also in permanent configuration.

       --complete-reload

3. Check whether the firewall is running (exit code 0 means running, which makes this usable in scripts)

[[email protected] ~]# firewall-cmd --state 
running

4. List the ports allowed through the firewall in the default zone

[[email protected] ~]# firewall-cmd --permanent --list-port 
10001/tcp 80/tcp

  Ports 10001 and 80 were added earlier as a test. The --permanent flag reads and writes the permanent configuration, which survives a reboot. Two caveats: the documented option is --list-ports (the shortened --list-port is accepted only because the parser takes unambiguous prefixes), and a --permanent change does not touch the running firewall until firewall-cmd --reload is issued; conversely, a change made without --permanent applies immediately but is lost at the next reload or reboot.

5. Remove a port from the firewall allow list

[[email protected] ~]# firewall-cmd --permanent --remove-port=80/tcp 
success 
[[email protected] ~]# firewall-cmd --permanent --list-port 
10001/tcp

  Port 80, which was allowed through a moment ago, is no longer in the permanent list. Because the command was run with --permanent, the running firewall still accepts 80/tcp until firewall-cmd --reload is run or the daemon restarts; check with firewall-cmd --list-ports (no --permanent) before assuming the port is closed.

6. Add a port to the firewall exceptions

[[email protected] ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp 
success 
[[email protected] ~]# firewall-cmd --permanent --list-port 
10001/tcp 80/tcp

  Port 80 is back in the permanent list; again, run firewall-cmd --reload (or repeat the command without --permanent) to open it in the running firewall. This command named --zone=public explicitly while the listings did not; when the zone is omitted, firewall-cmd operates on the default zone, which is public on a stock install, so both refer to the same zone.
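The runtime/permanent split behind steps 3 to 6 is the usual source of surprises in practice: a --permanent change is invisible to the running firewall until --reload, and a runtime change silently disappears at the next reload or reboot. The script below is an added example, not part of the original post; it compares the two port lists of a zone and reports both kinds of drift. The function names are mine, and the only external command it relies on is firewall-cmd with its documented --state, --zone, --list-ports and --permanent options. The pure functions take the lists as arguments so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the
# runtime and permanent port lists of a firewalld zone. firewall-cmd prints
# port lists as space-separated tokens such as "10001/tcp 80/tcp".

# Print the tokens of list $1 that do not occur in list $2.
ports_missing_from() {
    want="$1"
    have="$2"
    out=""
    for p in $want; do
        case " $have " in
            *" $p "*) ;;                  # present in both lists
            *) out="$out $p" ;;           # only in $1
        esac
    done
    printf '%s' "${out# }"
}

# Compare a runtime list ($1) with a permanent list ($2).
# Exit status 0 when they agree, 1 when either kind of drift is found.
port_drift() {
    runtime="$1"
    permanent="$2"
    rc=0
    unsaved=$(ports_missing_from "$runtime" "$permanent")
    unapplied=$(ports_missing_from "$permanent" "$runtime")
    if [ -n "$unsaved" ]; then
        printf 'runtime-only (lost at next reload/reboot): %s\n' "$unsaved"
        rc=1
    fi
    if [ -n "$unapplied" ]; then
        printf 'permanent-only (run firewall-cmd --reload to apply): %s\n' "$unapplied"
        rc=1
    fi
    return $rc
}

# Live check for one zone (default: public). Exit status 2 when the daemon
# is not running, since firewall-cmd can answer neither query in that case.
check_zone_drift() {
    zone="${1:-public}"
    if ! firewall-cmd --state >/dev/null 2>&1; then
        echo "FirewallD is not running; nothing to compare" >&2
        return 2
    fi
    port_drift "$(firewall-cmd --zone="$zone" --list-ports)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-ports)"
}
```

Source the file and run check_zone_drift public; right after step 5 above it would report 80/tcp as runtime-only, and right after step 6 with a fresh daemon it would report nothing, because the permanent list and the runtime list agree again. A non-zero exit status makes it easy to wire into a pre-reboot check.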

Original article by 奋斗; if reposting, please credit the source: https://blog.ytso.com/tech/aiops/1204.html