Firewall management on RHEL 7 and CentOS 7


  There are two commonly used ways to start, stop and restart the firewall:

1. service iptables stop

2. /etc/init.d/iptables stop

  But these often produce an error, because on RHEL 7 and CentOS 7 this service does not actually exist.

[root@rhel7 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@rhel7 ~]# service iptables stop
Redirecting to /bin/systemctl stop  iptables.service
[root@rhel7 ~]# /etc/init.d/iptables stop
-bash: /etc/init.d/iptables: No such file or directory

  Or:

[root@CTU1000094955 ~]#  cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@CTU1000094955 ~]# service iptables stop
Redirecting to /bin/systemctl stop  iptables.service
Failed to stop iptables.service: Unit iptables.service not loaded.
[root@CTU1000094955 ~]# /etc/init.d/iptables stop
-bash: /etc/init.d/iptables: No such file or directory

  It turns out that starting with RHEL 7 and CentOS 7, services are managed with the systemctl tool, which takes over the roles of both service and chkconfig.

[root@CTU1000094955 ~]# systemctl list-unit-files|grep firewall
firewalld.service                           disabled

  So, managing the firewall with systemctl:

Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Show the status of a service: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service starts at boot: systemctl is-enabled firewalld.service;echo $?
List the services enabled at boot: systemctl list-unit-files|grep enabled

Examples:

1. Stop the firewall and check its status

[root@CTU1000094955 ~]# systemctl stop firewalld.service
[root@CTU1000094955 ~]# systemctl list-unit-files |grep firewall
firewalld.service                           disabled
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
FirewallD is not running
[root@CTU1000094955 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Nov 25 16:16:52 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 16:16:52 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 25 16:17:03 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 25 16:18:10 CTU1000094955 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 25 16:18:11 CTU1000094955 systemd[1]: Stopped firewalld - dynamic firewall daemon.

2. Start the firewall and check its status

[root@CTU1000094955 ~]# systemctl start firewalld.service
[root@CTU1000094955 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-11-25 16:20:44 CST; 5s ago
 Main PID: 7677 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─7677 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 25 16:20:43 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 16:20:44 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
[root@CTU1000094955 ~]# systemctl list-unit-files |grep firewall
firewalld.service                           disabled
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp
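Note what the status output above shows: firewalld is "active (running)", yet the unit file is still "disabled". The daemon was started by hand and will not come back after a reboot, so the host would boot without a firewall. The following shell function is an added example, not part of the original post: it reads the Loaded:/Active: lines of systemctl status output and flags that mismatch. It takes the output as a string argument (the samples below are constructed, shaped like the output in the post) so it runs without systemd; on a real host you would pass it the output of systemctl status firewalld.service.

```shell
# Added example (not from the original post): flag a firewalld that is running
# now but will not start at boot, from `systemctl status firewalld.service` output.
# Usage on a live host: firewalld_boot_check "$(systemctl status firewalld.service)"
# Exit status: 0 = running and enabled, 1 = running but disabled at boot,
#              2 = enabled but not running, 3 = neither.
firewalld_boot_check() {
    status_text="$1"
    enabled=0
    active=0
    # The "Loaded:" line carries the unit-file state:
    #   "Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)"
    # "vendor preset: enabled" must not count, hence the surrounding "; " and ";".
    case "$status_text" in
        *"Loaded: loaded ("*"; enabled;"*) enabled=1 ;;
    esac
    # The "Active:" line carries the current state.
    case "$status_text" in
        *"Active: active (running)"*) active=1 ;;
    esac
    if [ "$active" -eq 1 ] && [ "$enabled" -eq 1 ]; then
        echo "ok: firewalld is running and enabled at boot"
        return 0
    elif [ "$active" -eq 1 ]; then
        echo "warning: firewalld is running but disabled at boot; the host comes up without a firewall after reboot (fix: systemctl enable firewalld.service)"
        return 1
    elif [ "$enabled" -eq 1 ]; then
        echo "warning: firewalld is enabled at boot but not running now"
        return 2
    else
        echo "warning: firewalld is neither running nor enabled at boot"
        return 3
    fi
}

# Constructed samples (not captured from a host), shaped like the output in the post.
SAMPLE_RUNNING_DISABLED='firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-11-25 16:20:44 CST; 5s ago'

SAMPLE_RUNNING_ENABLED='firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-11-25 16:20:44 CST; 5s ago'

firewalld_boot_check "$SAMPLE_RUNNING_DISABLED" || echo "exit status $?"
firewalld_boot_check "$SAMPLE_RUNNING_ENABLED"
```

The first call reproduces the situation in the post and exits 1 with the reboot warning; the second exits 0. The check deliberately keys on the "; enabled;" fragment rather than the bare word "enabled", because the same line also carries "vendor preset: enabled" on a host where the unit is disabled.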

  At the same time, the firewall can also be managed with firewall-cmd:

[root@CTU1000094955 ~]# man firewall-cmd
FIREWALL-CMD(1)                     firewall-cmd                    FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.

       The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration.

OPTIONS
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, NOT_RUNNING otherwise (see the section called "EXIT CODES"). This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration, i.e. all runtime only changes done until reload are lost with reload if they have not been also in permanent configuration.

       --complete-reload

3. Check whether the firewall is running

[root@CTU1000094955 ~]# firewall-cmd --state
running

4. View the ports allowed through the firewall

[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp

  The two ports 10001 and 80 were added during earlier testing; the --permanent option makes the configuration persistent, so it survives a reboot.

5. Remove a port from the firewall's allowed list

[root@CTU1000094955 ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp

  As you can see, port 80, which was allowed through the firewall a moment ago, no longer appears.

6. Add a port to the firewall exceptions

[root@CTU1000094955 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp

  Port 80 is back.
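The examples above only ever query the permanent configuration (--permanent --list-port; the option's documented full name is --list-ports). As the man page excerpt notes, runtime and permanent configuration are separate: a port added without --permanent disappears on firewall-cmd --reload or reboot, and a port added with --permanent is not actually open until the next firewall-cmd --reload. The following script is an added example, not part of the original post: it compares the two port lists and reports the drift in both directions. The lists are passed in as strings (the samples below are constructed) so it runs offline; on a live host they would come from firewall-cmd --list-ports and firewall-cmd --permanent --list-ports.

```shell
# Added example (not from the original post): report drift between firewalld's
# runtime and permanent port lists. On a live host:
#   port_drift_report "$(firewall-cmd --list-ports)" "$(firewall-cmd --permanent --list-ports)"

# Print the entries of list $1 that are absent from list $2, one per line.
# Lists are space-separated, e.g. "10001/tcp 80/tcp" as firewall-cmd prints them.
ports_only_in() {
    for p in $1; do
        found=0
        for q in $2; do
            [ "$p" = "$q" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# Compare runtime ($1) and permanent ($2) port lists.
# Exit status 0 when they match, 1 when either side has entries the other lacks.
port_drift_report() {
    runtime="$1"
    permanent="$2"
    lost=$(ports_only_in "$runtime" "$permanent")
    pending=$(ports_only_in "$permanent" "$runtime")
    rc=0
    for p in $lost; do
        # Added without --permanent: open now, gone after --reload or reboot.
        echo "runtime-only (lost on 'firewall-cmd --reload' or reboot): $p"
        rc=1
    done
    for p in $pending; do
        # Added with --permanent but not yet reloaded: listed, but not actually open.
        echo "permanent-only (not open until 'firewall-cmd --reload'): $p"
        rc=1
    done
    [ "$rc" -eq 0 ] && echo "runtime and permanent port lists match"
    return "$rc"
}

# Constructed samples (not captured from a host), starting from the post's "10001/tcp 80/tcp".
SAMPLE_RUNTIME="10001/tcp 80/tcp 8080/tcp"    # 8080 added without --permanent
SAMPLE_PERMANENT="10001/tcp 80/tcp 443/tcp"   # 443 added with --permanent, no --reload yet
port_drift_report "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift detected (exit status $?)"
```

With the constructed samples the report names 8080/tcp as runtime-only and 443/tcp as permanent-only and exits 1. Running it after every --permanent change is a cheap way to confirm that the rule you think is in place is the rule the kernel is actually enforcing; firewall-cmd --reload brings the two lists back into agreement, at the cost of dropping any runtime-only entries.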
