The firewall service defaults to firewalld rather than iptables. If you want to switch to iptables, you can follow these steps:
[root@localhost ~]# yum install iptables-services
[root@localhost ~]# systemctl mask firewalld
# systemctl mask firewalld   masks the service (so it cannot be started); it prints:
#   ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
# systemctl unmask firewalld reveals the service again (e.g. firewalld.service); it prints:
#   rm '/etc/systemd/system/firewalld.service'
[root@localhost ~]# systemctl enable iptables
# if you also need ip6tables, add one more line:
[root@localhost ~]# systemctl enable ip6tables
# stop the firewalld service and start the iptables service
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start iptables
# as above, if you need ip6tables, add one more line:
[root@localhost ~]# systemctl start ip6tables
At this point you can use iptables exactly as before. Having read the steps above, though, some readers may not understand what systemctl does, so here is a brief explanation:
systemctl is the equivalent of the old service and chkconfig commands combined. It can be used to permanently enable or disable a service, or to stop or start one for the current session.
[root@localhost init.d]# systemctl   # lists the status of currently loaded units
UNIT                                                                                      LOAD   ACTIVE SUB     DESCRIPTION
proc-sys-fs-binfmt_misc.automount                                                         loaded active waiting Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:02.0-backlight-acpi_video0.device                         loaded active plugged /sys/devices/pci0000:00/0000:00:02.0/backlight/acpi_video0
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device                                   loaded active plugged 6 Series/C200 Series Chipset Family High Definition Audio Controll
sys-devices-pci0000:00-0000:00:1c.5-0000:03:00.0-net-enp3s0.device                       loaded active plugged RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 seri
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda1.device loaded active plugged WDC_WD5003ABYX-01WERA1 EFI\x20System\x20Part
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda2.device loaded active plugged WDC_WD5003ABYX-01WERA1 2
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda3.device loaded active plugged LVM PV 00d05P-rKKJ-nWdn-ejxs-kpY4-GE0k-3o4TF
sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda.device      loaded active plugged WDC_WD5003ABYX-01WERA1
sys-devices-platform-serial8250-tty-ttyS0.device                                         loaded active plugged /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device                                         loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device                                         loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device                                         loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
sys-devices-virtual-block-dm\x2d0.device                                                 loaded active plugged /sys/devices/virtual/block/dm-0
sys-devices-virtual-block-dm\x2d1.device                                                 loaded active plugged /sys/devices/virtual/block/dm-1
sys-devices-virtual-block-dm\x2d2.device                                                 loaded active plugged /sys/devices/virtual/block/dm-2
sys-module-configfs.device                                                               loaded active plugged /sys/module/configfs
sys-subsystem-net-devices-enp3s0.device                                                  loaded active plugged RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 seri
-.mount                                                                                  loaded active mounted /
boot-efi.mount                                                                           loaded active mounted /boot/efi
[root@localhost init.d]# systemd-cgls   # lists the running processes as a tree
|-1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
|-user.slice
| `-user-0.slice
|   |-session-61.scope
|   | |-12073 sshd: root@pts/1
|   | |-12077 -bash
|   | |-12103 systemd-cgls
|   | `-12104 less
|   `-session-58.scope
|     |-11507 sshd: root@pts/0
|     |-11511 -bash
|     `-11530 /usr/bin/python -Es /usr/sbin/firewalld
`-system.slice
  |-tuned.service
  | `-1284 /usr/bin/python -Es /usr/sbin/tuned -l -P
  |-postfix.service
  | |- 3228 /usr/libexec/postfix/master -w
  | |- 3279 qmgr -l -t unix -u
  | `-12052 pickup -l -t unix -u
  |-sshd.service
  | `-1282 /usr/sbin/sshd -D
  |-polkit.service
  | `-891 /usr/lib/polkit-1/polkitd --no-debug
  |-wpa_supplicant.service
  | `-889 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log -P /var/run
  |-NetworkManager.service
  | `-771 /usr/sbin/NetworkManager --no-daemon
  |-crond.service
  | `-691 /usr/sbin/crond -n
  |-systemd-logind.service
  | `-684 /usr/lib/systemd/systemd-logind
  |-irqbalance.service
  | `-682 /usr/sbin/irqbalance --foreground
  |-rsyslog.service
  | `-679 /usr/sbin/rsyslogd -n
  |-dbus.service
  | `-676 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
  |-auditd.service
  | `-651 /sbin/auditd -n
  |-systemd-udevd.service
  | `-529 /usr/lib/systemd/systemd-udevd
  |-lvm2-lvmetad.service
  | `-526 /usr/sbin/lvmetad -f
1. Equivalents of the old service iptables stop/start/status/restart/reload commands:
Start the service: systemctl start iptables
Stop the service: systemctl stop iptables
Restart the service: systemctl restart iptables
Show the service status: systemctl status iptables
2. Equivalents of the old chkconfig iptables on/off/list commands:
Enable the service at boot: systemctl enable iptables
Disable the service at boot: systemctl disable iptables
Check whether the service starts at boot: systemctl is-enabled iptables
List the enabled services: systemctl list-unit-files | grep enabled
List the services that failed to start: systemctl --failed
PS: the value reported by systemctl is-enabled iptables can be enabled, disabled or static. Here static means the corresponding unit file defines no [Install] section, so the service cannot be configured to start at boot.
Note: enabling a service means creating, in the configuration directory of the current "runlevel" (/etc/systemd/system/multi-user.target.wants/), a symlink to the corresponding unit file under /usr/lib/systemd/system; disabling a service removes that symlink, and adding a service adds the symlink. Masking works as follows:
[root@localhost ~]# systemctl mask firewalld     # mask the service (so it cannot be started)
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
[root@localhost ~]# systemctl unmask firewalld   # reveal the service again (e.g. firewalld.service)
rm '/etc/systemd/system/firewalld.service'
# what mask means (mask is a stronger form of disable):
[root@localhost ~]# man systemctl
       mask NAME...
           Mask one or more unit files, as specified on the command line. This will link these units to /dev/null, making it impossible to start them. This is a stronger version of disable, since it prohibits all kinds of activation of the unit, including enablement and manual activation. Use this option with care. This honors the --runtime option to only mask temporarily until the next reboot of the system. The --now option can be used to ensure that the units are also stopped.
       unmask NAME...
           Unmask one or more unit files, as specified on the command line. This will undo the effect of mask.
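The on-disk meaning of enable, disable and mask described above, and the end state the firewalld-to-iptables switch should leave behind, can be checked from the filesystem alone. This added Python example (not from the original post) reproduces what systemctl is-enabled reports from the symlink layout; build_demo_tree and its unit contents are a constructed sample, not a real system.

```python
import os
import tempfile
from pathlib import Path

def unit_state(unit, etc_dir="/etc/systemd/system", lib_dir="/usr/lib/systemd/system"):
    """Classify a unit as masked/enabled/static/disabled from the on-disk layout:
    the /dev/null link that `systemctl mask` creates, the symlink that
    `systemctl enable` drops into a <target>.wants/ directory, and whether the
    unit file has an [Install] section at all (none -> static)."""
    if "." not in unit:              # systemctl treats a bare name as a .service
        unit += ".service"
    etc, lib = Path(etc_dir), Path(lib_dir)
    override = etc / unit
    # mask: /etc/systemd/system/<unit> -> /dev/null shadows the vendor unit file
    if override.is_symlink() and os.readlink(override) == "/dev/null":
        return "masked"
    # enable: some <target>.wants/<unit> symlink exists (e.g. multi-user.target.wants/)
    if any((wants / unit).is_symlink() for wants in etc.glob("*.wants")):
        return "enabled"
    unit_file = lib / unit if (lib / unit).exists() else override
    if not unit_file.exists():
        raise FileNotFoundError(f"{unit}: no unit file in {lib_dir} or {etc_dir}")
    # static: nothing for `systemctl enable` to link, so manual start only
    return "disabled" if "[Install]" in unit_file.read_text() else "static"

def build_demo_tree(root=None):
    """Constructed sample layout (hypothetical, not a real host): iptables enabled,
    firewalld masked, dbus static, ip6tables installed but disabled.
    Returns (etc_dir, lib_dir) as strings."""
    root = Path(root or tempfile.mkdtemp(prefix="systemd-demo-"))
    etc, lib = root / "etc/systemd/system", root / "usr/lib/systemd/system"
    wants = etc / "multi-user.target.wants"
    wants.mkdir(parents=True)
    lib.mkdir(parents=True)
    installable = "[Unit]\nDescription=%s\n[Service]\nType=oneshot\n[Install]\nWantedBy=basic.target\n"
    (lib / "iptables.service").write_text(installable % "IPv4 firewall")
    (lib / "ip6tables.service").write_text(installable % "IPv6 firewall")
    (lib / "firewalld.service").write_text(installable % "firewalld")
    (lib / "dbus.service").write_text("[Unit]\nDescription=D-Bus\n[Service]\nExecStart=/bin/dbus-daemon\n")
    os.symlink(lib / "iptables.service", wants / "iptables.service")  # systemctl enable iptables
    os.symlink("/dev/null", etc / "firewalld.service")                # systemctl mask firewalld
    return str(etc), str(lib)

if __name__ == "__main__":
    etc, lib = build_demo_tree()
    for u in ("iptables", "ip6tables", "firewalld", "dbus"):
        print(f"{u:10s} {unit_state(u, etc, lib)}")
```

Run it against the real directories (the defaults) to confirm after the switch that firewalld reports masked and iptables reports enabled.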