http://blog.csdn.net/gong_xucheng/article/details/50945917 (CentOS 7.0 service management systemctl command)
http://www.linuxidc.com/Linux/2015-07/120833.htm (Complete guide to systemctl commands)
http://www.cnblogs.com/xxoome/p/7115614.html (Centos7.3 firewall configuration)
CentOS 7 changed the default firewall, so the following operations are required:
Check the open ports:
[root@localhost ~]# firewall-cmd --list-ports
Open port 81:
[root@localhost ~]# firewall-cmd --zone=public --add-port=81/tcp --permanent
Command meaning:
--zone #the zone (scope) the rule applies to
--add-port=80/tcp #add a port; the format is port/protocol
--permanent #make the change persistent; without this parameter it is lost after a restart
firewall-cmd #the tool Linux provides for operating the firewall (firewalld)
Reload the firewall so the permanent rule takes effect:
[root@localhost ~]# firewall-cmd --reload
CentOS 7.0 uses firewalld as its firewall by default; the steps to switch to an iptables firewall are as follows.
1. Turn off the firewalld service:
systemctl stop firewalld.service #stop firewalld
systemctl start firewalld.service #start firewalld
systemctl disable firewalld.service #prevent firewalld from starting at boot
firewall-cmd --state #show the firewalld status ("not running" when stopped, "running" when started)
2. iptables firewall (iptables must be installed here; the configuration follows)
If it is not installed, install it with the following command:
# yum -y install iptables-services
# vim /etc/sysconfig/iptables #edit the firewall configuration file
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
:wq! #save and exit
Note: ports 80 and 8080 are used here as examples. The added rules (the *** part) are normally placed directly above or below the line "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"; never add them as the last line, otherwise they will not take effect after the firewall is restarted.
systemctl restart iptables.service #finally, restart the firewall so the configuration takes effect
systemctl enable iptables.service #start the iptables firewall at boot
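The note above warns that a port rule appended after the catch-all REJECT line never matches. The following script is an added example, not part of the original post: a small POSIX shell/awk check that reads an iptables-restore style file (such as /etc/sysconfig/iptables) and reports every INPUT ACCEPT port rule that sits after the INPUT REJECT rule. The two rulesets embedded in it are constructed samples based on the configuration shown above.

```shell
# Added example (not from the original post): find port ACCEPT rules that are
# shadowed because they come after the catch-all "-A INPUT -j REJECT" line.
# Usage: check_rule_order [file]   (reads stdin when no file is given)
# Prints one line per shadowed port; exit status 1 if any were found, else 0.
check_rule_order() {
    awk '
        /^-A INPUT .*-j REJECT/ && !seen_reject { seen_reject = NR }
        /^-A INPUT .*--dport [0-9]+ -j ACCEPT/ {
            port = $0
            sub(/.*--dport /, "", port); sub(/ .*/, "", port)
            if (seen_reject) {
                print "shadowed: port " port " (rule is after REJECT at line " seen_reject ")"
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the ruleset from the post, with 80 and 8080 placed correctly.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same ruleset, but with the 8080 rule appended after the
# REJECT lines, which is exactly the "added as the last line" mistake.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v -e '--dport 8080' -e '^COMMIT$')
BAD_RULES="$BAD_RULES
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
COMMIT"

# Demo on the two samples; in practice run: check_rule_order /etc/sysconfig/iptables
printf '%s\n' "$GOOD_RULES" | check_rule_order && echo "GOOD_RULES: all port rules are reachable"
printf '%s\n' "$BAD_RULES" | check_rule_order || echo "BAD_RULES: fix the ordering before restarting iptables"
```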
==========================================================================
1. systemctl is the main service-management tool in CentOS 7; it combines the functions of the earlier service and chkconfig commands.
systemctl start firewalld.service #start the firewall service
systemctl stop firewalld.service #stop the firewall service
systemctl restart firewalld.service #restart the firewall service
systemctl status firewalld.service #show the status of the firewall service
systemctl enable firewalld.service #enable the firewall service at boot
systemctl disable firewalld.service #disable the firewall service at boot
systemctl is-enabled firewalld.service #check whether the firewall service starts at boot
systemctl list-unit-files|grep enabled #list the enabled services
systemctl --failed #list the services that failed to start
2. Basic use of firewalld
Start:
systemctl start firewalld or systemctl start firewalld.service
Check the status:
systemctl status firewalld
Disable at boot:
systemctl disable firewalld or systemctl disable firewalld.service
Stop:
systemctl stop firewalld or systemctl stop firewalld.service
3. Configuring with firewall-cmd
firewall-cmd --version #show the version
firewall-cmd --help #show the help
firewall-cmd --state #show the status
firewall-cmd --zone=public --list-ports #list all open ports
firewall-cmd --reload #reload the firewall rules
firewall-cmd --get-active-zones #show the active zones
firewall-cmd --get-zone-of-interface=eth0 #show the zone a given interface belongs to
firewall-cmd --panic-on #reject all packets (panic mode)
firewall-cmd --panic-off #leave panic mode
firewall-cmd --query-panic #check whether panic mode is on
firewall-cmd --list-all #show the firewall rules
firewall-cmd --get-zones ##list the supported zones
firewall-cmd --get-services ##list the supported services; services in this list are allowed through
firewall-cmd --query-service ftp ##check whether the ftp service is supported, returns yes or no
firewall-cmd --add-service=ftp ##open the ftp service temporarily
firewall-cmd --add-service=ftp --permanent ##open the ftp service permanently
firewall-cmd --remove-service=ftp --permanent ##remove the ftp service permanently
So how do you open a port?
Add a port:
firewall-cmd --zone=public --add-port=80/tcp --permanent
Add a contiguous range of ports:
firewall-cmd --zone=public --add-port=82-85/tcp --permanent
Reload:
firewall-cmd --reload
Check:
firewall-cmd --zone=public --query-port=80/tcp
Delete:
firewall-cmd --zone=public --remove-port=80/tcp --permanent