1、iptables规则保存和备份
- service iptables save 规则保存到/etc/sysconfig/iptables
- iptables如果不使用service iptables save命令,则重启之后规则会全部消失。
- 如果希望服务启动时就加载规则,就把iptables规则保存在/etc/sysconfig/iptables
- iptables-save > /tmp/my.ipt iptables规则备份到指定路径:my.ipt
- iptables-restore < /tmp/my.ipt 恢复备份规则
[root@aminglinux ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[root@aminglinux ~]# iptables-save > /tmp/my.ipt
[root@aminglinux ~]# ls /tmp/
ks-script-fT59sT
my.ipt
systemd-private-2741670e94844319abce946bf235aa62-chronyd.service-BcqaHN
systemd-private-2741670e94844319abce946bf235aa62-vgauthd.service-40GcDJ
systemd-private-2741670e94844319abce946bf235aa62-vmtoolsd.service-IU0UCI
yum.log
[root@aminglinux ~]# iptables-restore < /tmp/my.ipt
2、firewalld
打开firewalld,先关闭iptables
- systemctl disable iptables
- systemctl stop iptables
- systemctl enable firewalld
- systemctl start firewalld
[root@aminglinux ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@aminglinux ~]# systemctl stop iptables
[root@aminglinux ~]# systemctl enable firewalld
[root@aminglinux ~]# systemctl start firewalld
[root@aminglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
240 17344 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
33 3042 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
33 3042 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
33 3042 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
33 3042 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 166 packets, 14224 bytes)
pkts bytes target prot opt in out source destination
166 14224 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
33 3042 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
33 3042 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
33 3042 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
33 3042 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
firewalld有zone和service两个基础概念
2.1、firewalld默认的9个zone :默认zone为public;
- drop(丢弃):任何接收的网络数据包都被丢弃,没有任何回复;
- block(限制):任何接收的网络连接都被ipv4的icmp-host-prohibited信息和ipv6的icmp-host-prohibited信息所拒绝;(针对icmp)
- public(公共):在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选择的连接;
- external(外部):特别是为路由器启用了伪装功能的外部网,你不能信任来自网络的其他计算机,不能相信他们不会对你造成伤害,只能接受经过选择的连接。
- dmz(非军事区):用于你的非军事区内的电脑,此区域可公开访问,可以有限的进入你的内部网络,仅仅接受经过选择的连接。
- work(工作):用于工作区,你可以基本信任网络内的其他电脑不会对你造成危害,仅仅接收经过选择的连接。
- home(家庭):用于内部网络,你可以基本上信任网络内其他电脑不会对你造成危害,仅仅接收经过选择的连接。
- internal(内部):用于内部网络,你可以基本上信任网络内其他电脑不会对你造成危害,仅仅接收经过选择的连接。
- trusted(信任):可接受所有的网络连接
查看所有zone:
[root@aminglinux ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
查看默认zone:
[root@aminglinux ~]# firewall-cmd --get-default-zone
public
zone 命令
[root@aminglinux ~]# firewall-cmd --set-default-zone=work 设定默认zone为work
success
[root@aminglinux ~]# firewall-cmd --get-zone-of-interface=ens33 查看指定网卡所在的zone
work
[root@aminglinux ~]# firewall-cmd --zone=public --add-interface=lo 给指定网卡设置zone
success
[root@aminglinux ~]# firewall-cmd --zone=dmz --change-interface=lo 针对指定网卡更改zone
success
[root@aminglinux ~]# firewall-cmd --zone=dmz --remove-interface=lo 针对网卡删除zone
success
[root@aminglinux ~]# firewall-cmd --get-active-zones 查看系统所有网卡所在的zone
work
interfaces: ens33
2.2、service
- 配置文件模板路径:/usr/lib/firewalld/services/
- 实际生效配置目录:/etc/firewalld/services/
把系统文件内所有的service列出来
[root@aminglinux ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
列出默认zone下的service
[root@aminglinux ~]# firewall-cmd --list-services
ssh dhcpv6-client
列出指定的zone下的service :firewall-cmd --zone=(zone名) --list-service
[root@aminglinux ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client
把service加入到指定zone下;只是暂时写入内存中;firewall-cmd --zone=(zone名) --add-service=(service名)
[root@aminglinux ~]# firewall-cmd --zone=public --add-service=http 添加http服务到public zone
success
[root@aminglinux ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http
修改配置文件,永久添加http服务到public zone(--permanent 只写入配置文件,不会立刻改变当前运行中的规则,需要 firewall-cmd --reload 才能生效)
[root@aminglinux ~]# firewall-cmd --zone=public --add-service=http --permanent
success
需求: ftp服务自定义端口1121,需要在work zone下面放行ftp
[root@aminglinux ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services 复制模板到service下
[root@aminglinux ~]# vim /etc/firewalld/services/ftp.xml 修改ftp的配置文件,修改端口1121
[root@aminglinux ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/ 复制模板到zones下
[root@aminglinux ~]# vim /etc/firewalld/zones/work.xml 修改work.xml的配置文件,把ftp加到里面
[root@aminglinux ~]# firewall-cmd --reload 重新加载配置,配置文件生效
success
[root@aminglinux ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
3、Linux任务计划crontab
crontab 命令
- -u 表示指定某个用户,不加-u则表示当前用户
- -e 表示编辑任务计划
- -l 表示列出任务计划
- -r 表示删除任务计划
[root@aminglinux ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
格式:分 时 日 月 周 命令
- 分的范围:0-59 (* 表示所有)
- 时的范围:0-23 (* 表示所有)
- 日的范围:1-31 (* 表示所有)
- 月的范围:1-12 (* 表示所有)
- 周的范围:0-6(Sunday=0 or 7) (* 表示所有)
[root@aminglinux ~]# systemctl start crond 启动服务
[root@aminglinux ~]# ps aux |grep cron 通过进程查看
root 695 0.0 0.1 126232 1604 ? Ss 18:06 0:00 /usr/sbin/crond -n
root 1534 0.0 0.0 112676 984 pts/0 R+ 22:20 0:00 grep --color=auto cron
[root@aminglinux ~]# systemctl status crond 查看状态
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since 三 2018-06-13 18:07:01 CST; 4h 13min ago
Main PID: 695 (crond)
CGroup: /system.slice/crond.service
└─695 /usr/sbin/crond -n
6月 13 18:07:01 aminglinux systemd[1]: Started Command Scheduler.
6月 13 18:07:01 aminglinux systemd[1]: Starting Command Scheduler...
6月 13 18:07:01 aminglinux crond[695]: (CRON) INFO (RANDOM_DELAY will be scaled wi....)
6月 13 18:07:01 aminglinux crond[695]: (CRON) INFO (running with inotify support)
Hint: Some lines were ellipsized, use -l to show in full.
停止crond服务
[root@aminglinux ~]# systemctl stop crond.service
4、Linux系统服务管理chkconfig
- 查看预设服务 :/etc/init.d/
[root@aminglinux ~]# ls /etc/init.d/
functions netconsole network README
列出服务和级别开启状态:chkconfig --list
[root@aminglinux ~]# chkconfig --list
注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。
要列出 systemd 服务,请执行 'systemctl list-unit-files'。
查看在具体 target 启用的服务请执行
'systemctl list-dependencies [target]'。
netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关
network 0:关 1:关 2:开 3:开 4:开 5:开 6:关
- centos7之前采用的服务管理是:sysV;7则换成了systemd
- --add 增加所指定的系统服务,让chkconfig指令得以管理它,并同时在系统启动的叙述文件内增加相关数据。
- --del 删除所指定的系统服务,不再由chkconfig指令管理,并同时在系统启动的叙述文件内删除相关数据。
- --level<等级代号> 指定所选的系统服务要在哪一个执行等级中开启或关闭。
等级0表示:表示关机
等级1表示:单用户模式
等级2表示:无网络连接的多用户命令行模式
等级3表示:有网络连接的多用户命令行模式(常用级别)
等级4表示:系统保留
等级5表示:带图形界面的多用户模式
等级6表示:重新启动
更改某级别下的开启状态:chkconfig --level 3 network off
[root@aminglinux ~]# chkconfig --level 3 network off
[root@aminglinux ~]# chkconfig --list
注:该输出结果只显示 SysV 服务,并不包含
原生 systemd 服务。SysV 配置数据
可能被原生 systemd 配置覆盖。
要列出 systemd 服务,请执行 'systemctl list-unit-files'。
查看在具体 target 启用的服务请执行
'systemctl list-dependencies [target]'。
netconsole 0:关 1:关 2:关 3:关 4:关 5:关 6:关
network 0:关 1:关 2:开 3:关 4:开 5:开 6:关
- 多个级别:chkconfig --level 345 network off
- 不加--level表示省略级别,默认针对级别2、3、4、5
- 删除:chkconfig --del network
- 添加:chkconfig --add network
5、Linux服务管理systemd
- 服务对应的启动脚本路径:/usr/lib/systemd/system/
[root@aminglinux ~]# ls /usr/lib/systemd/system/ 查看所有unit
arp-ethers.service remote-fs.target
auditd.service rescue.service
autovt@.service rescue.target
basic.target rescue.target.wants
basic.target.wants rhel-autorelabel-mark.service
blk-availability.service rhel-autorelabel.service
bluetooth.target rhel-configure.service
brandbot.path rhel-dmesg.service
brandbot.service rhel-domainname.service
chrony-dnssrv@.service rhel-import-state.service
chrony-dnssrv@.timer rhel-loadmodules.service
chronyd.service rhel-readonly.service
chrony-wait.service rpcbind.target
console-getty.service rsyslog.service
console-shell.service runlevel0.target
container-getty@.service runlevel1.target
cpupower.service runlevel1.target.wants
crond.service runlevel2.target
cryptsetup-pre.target runlevel2.target.wants
cryptsetup.target runlevel3.target
ctrl-alt-del.target runlevel3.target.wants
- 列出所有服务:systemctl list-units --all --type=service
[root@aminglinux ~]# systemctl list-units --all --type=service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
brandbot.service loaded inactive dead Flexible Branding Service
chronyd.service loaded active running NTP client/server
cpupower.service loaded inactive dead Configure CPU power related
crond.service loaded inactive dead Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
● display-manager.service not-found inactive dead display-manager.service
dm-event.service loaded inactive dead Device-mapper event daemon
dracut-shutdown.service loaded inactive dead Restore /run/initramfs
ebtables.service loaded inactive dead Ethernet Bridge Filtering ta
emergency.service loaded inactive dead Emergency Shell
● exim.service not-found inactive dead exim.service
firewalld.service loaded active running firewalld - dynamic firewall
getty@tty1.service loaded active running Getty on tty1
ip6tables.service loaded inactive dead IPv6 firewall with ip6tables
● ipset.service not-found inactive dead ipset.service
iptables.service loaded inactive dead IPv4 firewall with iptables
irqbalance.service loaded active running irqbalance daemon
● kdump.service loaded failed failed Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required stat
● lvm2-activation.service not-found inactive dead lvm2-activation.service
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-lvmpolld.service loaded inactive dead LVM2 poll daemon
常用服务相关命令
- systemctl enable crond.service //让某个服务开机启动
- systemctl disable crond //不让开机启动
- systemctl status crond //查看服务状态
- systemctl stop crond //停止服务
- systemctl start crond //启动服务
- systemctl restart crond //重启服务
- systemctl is-enabled crond //检查服务是否开机启动
6、unit
- unit分类:
- service 系统服务
- target 多个unit组成的组
- device 硬件设备
- mount 文件系统挂载点
- automount 自动挂载点
- path 文件或路径
- scope 不是由systemd启动的外部进程
- slice 进程组
- snapshot systemd 快照
- socket 进程间通信套接字
- swap swap文件
- timer 定时器
- 常用unit相关命令:
- systemctl list-units //列出正在运行的unit
- systemctl list-units --all //列出所有的unit
- systemctl list-units --all --state=inactive //列出所有inactive的unit
- systemctl list-units --all --type=service //列出所有状态的service
- systemctl is-active crond.service //查看某个unit是否active
[root@aminglinux ~]# systemctl list-units
[root@aminglinux ~]# systemctl list-units --all
[root@aminglinux ~]# systemctl list-units --all --state=inactive
[root@aminglinux ~]# systemctl list-units --all --type=service
[root@aminglinux ~]# systemctl is-active crond.service
inactive
7、target
- 查看当前系统所有target(unit的组合):systemctl list-unit-files --type=target
[root@aminglinux ~]# systemctl list-unit-files --type=target
UNIT FILE STATE
basic.target static
bluetooth.target static
cryptsetup-pre.target static
cryptsetup.target static
ctrl-alt-del.target disabled
default.target enabled
emergency.target static
final.target static
getty.target static
graphical.target static
halt.target disabled
hibernate.target static
hybrid-sleep.target static
initrd-fs.target static
initrd-root-fs.target static
initrd-switch-root.target static
initrd.target static
iprutils.target disabled
kexec.target disabled
local-fs-pre.target static
local-fs.target static
machines.target disabled
multi-user.target enabled
- 查看target包含的所有unit:systemctl list-dependencies multi-user.target
[root@aminglinux ~]# systemctl list-dependencies multi-user.target
multi-user.target
● ├─auditd.service
● ├─brandbot.path
● ├─chronyd.service
● ├─crond.service
● ├─dbus.service
● ├─firewalld.service
● ├─irqbalance.service
● ├─kdump.service
● ├─network.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─postfix.service
● ├─rsyslog.service
● ├─sshd.service
● ├─sysstat.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-readahead-collect.service
● ├─systemd-readahead-replay.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
lines 1-24
- 查看系统默认的target:systemctl get-default
- 设置默认的target:systemctl set-default multi-user.target
[root@aminglinux ~]# systemctl get-default
multi-user.target
[root@aminglinux ~]# systemctl set-default multi-user.target
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
service、unit、target之间的联系:
- 一个service属于一种unit;
- 多个unit组成了一个target;
- 一个target包含多个service;查看/usr/lib/systemd/system/sshd.service里面[Install]部分的内容,定义了该service属于哪一个target。
[root@aminglinux ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target