Redhat7 - disabling firewalld, enabling iptables, and a brief introduction to systemctl


On RHEL 7 the firewall service is firewalld by default, not iptables. If you want to switch to iptables, you can follow these steps:

1. Install

[root@localhost ~]# yum install iptables-services

2. Mask the firewalld service

[root@localhost ~]# systemctl mask firewalld

# systemctl mask firewalld   masks the service (so it cannot be started):
# ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
# systemctl unmask firewalld unmasks the service (e.g. firewalld.service):
# rm '/etc/systemd/system/firewalld.service'

3. Enable iptables

[root@localhost ~]# systemctl enable iptables
# If you also need ip6tables, add one more line
[root@localhost ~]# systemctl enable ip6tables

4. Start iptables, stop firewalld

# Stop the firewalld service and start the iptables service
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start iptables
# As above, if you also need ip6tables, add one more line
[root@localhost ~]# systemctl start ip6tables
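As an added example (not from the original post), the four steps above as one script. It starts iptables before stopping firewalld so the host is never left without a firewall, and checks the result instead of assuming it. It assumes a RHEL 7 host with rpm, yum and systemctl on PATH; the `--run` flag and `WITH_IP6` variable are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes rpm, yum and
# systemctl are on PATH (RHEL 7). WITH_IP6=1 also enables/starts ip6tables.
set -eu

switch_to_iptables() {
    with_ip6=${1:-0}

    # Step 1: install the iptables-services package only if it is missing
    rpm -q iptables-services >/dev/null 2>&1 || yum -y install iptables-services

    # Steps 2 and 3: mask firewalld (no activation at all), enable iptables at boot
    systemctl mask firewalld
    systemctl enable iptables
    if [ "$with_ip6" = 1 ]; then systemctl enable ip6tables; fi

    # Step 4, in the safe order: bring iptables up first, then stop firewalld
    systemctl start iptables
    if [ "$with_ip6" = 1 ]; then systemctl start ip6tables; fi
    systemctl stop firewalld

    # Verify the end state rather than trusting the commands
    [ "$(systemctl is-active iptables)" = active ] \
        || { echo "iptables is not active" >&2; return 1; }
    [ "$(systemctl is-enabled firewalld)" = masked ] \
        || { echo "firewalld is not masked" >&2; return 1; }
    echo switched
}

# Usage: sh switch.sh --run   (WITH_IP6=1 sh switch.sh --run for IPv6 too)
if [ "${1:-}" = --run ]; then switch_to_iptables "${WITH_IP6:-0}"; fi
```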

At this point you can use iptables just as before. After reading through this procedure, some readers may still wonder what systemctl actually does, so here is a short explanation:

systemctl is effectively a merger of the old service and chkconfig commands. You can use it to permanently enable/disable a service or to temporarily stop/start it.

[root@localhost init.d]# systemctl  # lists the status of the currently loaded units
UNIT                                                               LOAD   ACTIVE SUB       DESCRIPTION
proc-sys-fs-binfmt_misc.automount                                  loaded active waiting   Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:02.0-backlight-acpi_video0.device   loaded active plugged   /sys/devices/pci0000:00/0000:00:02.0/backlight/acpi_video0
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device             loaded active plugged   6 Series/C200 Series Chipset Family High Definition Audio Controll
sys-devices-pci0000:00-0000:00:1c.5-0000:03:00.0-net-enp3s0.device loaded active plugged   RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 seri
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda1.device loaded active plugged   WDC_WD5003ABYX-01WERA1 EFI\x20System\x20Part
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda2.device loaded active plugged   WDC_WD5003ABYX-01WERA1 2
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda3.device loaded active plugged   LVM PV 00d05P-rKKJ-nWdn-ejxs-kpY4-GE0k-3o4TF
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda.device loaded active plugged   WDC_WD5003ABYX-01WERA1
sys-devices-platform-serial8250-tty-ttyS0.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3
sys-devices-virtual-block-dm\x2d0.device                           loaded active plugged   /sys/devices/virtual/block/dm-0
sys-devices-virtual-block-dm\x2d1.device                           loaded active plugged   /sys/devices/virtual/block/dm-1
sys-devices-virtual-block-dm\x2d2.device                           loaded active plugged   /sys/devices/virtual/block/dm-2
sys-module-configfs.device                                         loaded active plugged   /sys/module/configfs
sys-subsystem-net-devices-enp3s0.device                            loaded active plugged   RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 seri
-.mount                                                            loaded active mounted   /
boot-efi.mount                                                     loaded active mounted   /boot/efi
[root@localhost init.d]# systemd-cgls   # this command lists running processes as a tree
|-1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
|-user.slice
| `-user-0.slice
|   |-session-61.scope
|   | |-12073 sshd: root@pts/1    
|   | |-12077 -bash
|   | |-12103 systemd-cgls
|   | `-12104 less
|   `-session-58.scope
|     |-11507 sshd: root@pts/0    
|     |-11511 -bash
|     `-11530 /usr/bin/python -Es /usr/sbin/firewalld
`-system.slice
  |-tuned.service
  | `-1284 /usr/bin/python -Es /usr/sbin/tuned -l -P
  |-postfix.service
  | |- 3228 /usr/libexec/postfix/master -w
  | |- 3279 qmgr -l -t unix -u
  | `-12052 pickup -l -t unix -u
  |-sshd.service
  | `-1282 /usr/sbin/sshd -D
  |-polkit.service
  | `-891 /usr/lib/polkit-1/polkitd --no-debug
  |-wpa_supplicant.service
  | `-889 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log -P /var/run
  |-NetworkManager.service
  | `-771 /usr/sbin/NetworkManager --no-daemon
  |-crond.service
  | `-691 /usr/sbin/crond -n
  |-systemd-logind.service
  | `-684 /usr/lib/systemd/systemd-logind
  |-irqbalance.service
  | `-682 /usr/sbin/irqbalance --foreground
  |-rsyslog.service
  | `-679 /usr/sbin/rsyslogd -n
  |-dbus.service
  | `-676 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  |-auditd.service
  | `-651 /sbin/auditd -n
  |-systemd-udevd.service
  | `-529 /usr/lib/systemd/systemd-udevd
  |-lvm2-lvmetad.service
  | `-526 /usr/sbin/lvmetad -f

Usage in detail

1. Equivalents of the old service iptables stop/start/status/restart/reload:
Start a service: systemctl start iptables
Stop a service: systemctl stop iptables
Restart a service: systemctl restart iptables
Show service status: systemctl status iptables
2. Equivalents of the old chkconfig iptables on/off/list:
Enable a service at boot: systemctl enable iptables
Disable a service at boot: systemctl disable iptables
Check whether a service starts at boot: systemctl is-enabled iptables
List enabled services: systemctl list-unit-files | grep enabled
List services that failed to start: systemctl --failed

PS: the value printed by systemctl is-enabled iptables can be enabled, disabled or static. Here static means the corresponding unit file has no [Install] section, so the service cannot be configured to start at boot.

Note: enabling a service means creating, in the configuration directory of the current "runlevel" (/etc/systemd/system/multi-user.target.wants/), a symlink to the corresponding service unit file under /usr/lib/systemd/system; disabling a service removes that symlink, and adding a service adds the symlink. For example:

[root@localhost ~]# systemctl mask firewalld  # mask the service (so it cannot be started)
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
[root@localhost ~]# systemctl unmask firewalld # unmask the service (e.g. firewalld.service)
rm '/etc/systemd/system/firewalld.service'

# What mask means (mask is a stronger form of disable):
[root@localhost ~]# man systemctl
 mask NAME...
           Mask one or more unit files, as specified on the command line. This will link these units to /dev/null, making it impossible to start them.
           This is a stronger version of disable, since it prohibits all kinds of activation of the unit, including enablement and manual activation. Use
           this option with care. This honors the --runtime option to only mask temporarily until the next reboot of the system. The --now option can be
           used to ensure that the units are also stopped.

unmask NAME...
           Unmask one or more unit files, as specified on the command line. This will undo the effect of mask.
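The symlink mechanics explained above (enable = link in multi-user.target.wants/, mask = link to /dev/null, static = no [Install] section) can be checked directly on disk. The following is an added example, not code from the original post: `unit_state` infers a unit's boot-time state from those links, and `switch_precheck` uses it to confirm that firewalld is masked and iptables enabled. ROOT is assumed to be "/" on a real host and a scratch directory in the test; both function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Infers a unit's state from the
# symlinks that systemctl enable/disable/mask create. Assumed layout below ROOT:
#   usr/lib/systemd/system/<unit>                        vendor unit file
#   etc/systemd/system/<unit>                            mask link -> /dev/null
#   etc/systemd/system/multi-user.target.wants/<unit>    link created by enable

unit_state() {
    root=${1%/}; unit=$2
    vendor="$root/usr/lib/systemd/system/$unit"
    override="$root/etc/systemd/system/$unit"
    wants="$root/etc/systemd/system/multi-user.target.wants/$unit"

    # masked: the override path is a symlink to /dev/null (checked first,
    # because mask leaves any older wants/ link in place)
    if [ -L "$override" ] && [ "$(readlink "$override")" = /dev/null ]; then
        echo masked; return 0
    fi
    [ -f "$vendor" ] || { echo not-found; return 1; }
    # static: no [Install] section, so the unit cannot be enabled at boot
    if ! grep -q '^\[Install\]' "$vendor"; then
        echo static; return 0
    fi
    # enabled: a link in multi-user.target.wants/ points at the unit file
    if [ -L "$wants" ]; then echo enabled; else echo disabled; fi
}

# Confirms the end state the post's procedure should leave behind.
switch_precheck() {
    fw=$(unit_state "$1" firewalld.service)
    ipt=$(unit_state "$1" iptables.service)
    if [ "$fw" = masked ] && [ "$ipt" = enabled ]; then
        echo ok; return 0
    fi
    echo "firewalld=$fw iptables=$ipt"; return 1
}

# Usage: sh unit_state.sh / iptables.service
if [ "${2:-}" ]; then unit_state "$1" "$2"; fi
```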