The firewall is usually started, stopped and restarted in one of two ways:
1. service iptables stop
2. /etc/init.d/iptables stop
But these often fail, because on RHEL 7 and CentOS 7 this service does not actually exist.
[root@rhel7 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@rhel7 ~]# service iptables stop
Redirecting to /bin/systemctl stop iptables.service
[root@rhel7 ~]# /etc/init.d/iptables stop
-bash: /etc/init.d/iptables: No such file or directory
or
[root@CTU1000094955 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@CTU1000094955 ~]# service iptables stop
Redirecting to /bin/systemctl stop iptables.service
Failed to stop iptables.service: Unit iptables.service not loaded.
[root@CTU1000094955 ~]# /etc/init.d/iptables stop
-bash: /etc/init.d/iptables: No such file or directory
It turns out that starting with RHEL 7 and CentOS 7, services are managed with the systemctl tool, which replaces both service and chkconfig.
[root@CTU1000094955 ~]# systemctl list-unit-files|grep firewall
firewalld.service disabled
Managing the firewall with systemctl:
Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Show the status of a service: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service starts at boot: systemctl is-enabled firewalld.service;echo $?
List the enabled services: systemctl list-unit-files|grep enabled
Examples:
1. Stop the firewall and check its running status
[root@CTU1000094955 ~]# systemctl stop firewalld.service
[root@CTU1000094955 ~]# systemctl list-unit-files |grep firewall
firewalld.service disabled
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
FirewallD is not running
[root@CTU1000094955 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Nov 25 16:16:52 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 16:16:52 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 25 16:17:03 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 25 16:18:10 CTU1000094955 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Nov 25 16:18:11 CTU1000094955 systemd[1]: Stopped firewalld - dynamic firewall daemon.
2. Start the firewall and check its status
[root@CTU1000094955 ~]# systemctl start firewalld.service
[root@CTU1000094955 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-11-25 16:20:44 CST; 5s ago
 Main PID: 7677 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─7677 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 25 16:20:43 CTU1000094955 systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 25 16:20:44 CTU1000094955 systemd[1]: Started firewalld - dynamic firewall daemon.
[root@CTU1000094955 ~]# systemctl list-unit-files |grep firewall
firewalld.service disabled
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp
At the same time, the firewall can also be managed with firewall-cmd.
[root@CTU1000094955 ~]# man firewall-cmd
FIREWALL-CMD(1)                   firewall-cmd                  FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.

       The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration.

OPTIONS
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, NOT_RUNNING otherwise (see the section called “EXIT CODES”). This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration, i.e. all runtime only changes done until reload are lost with reload if they have not been also in permanent configuration.

       --complete-reload
3. Check whether the firewall is running
[root@CTU1000094955 ~]# firewall-cmd --state
running
4. List the ports allowed through the firewall by default
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp
Two ports, 10001 and 80, were added during the earlier test. The --permanent flag writes the permanent configuration, so the setting stays in effect after the machine reboots.
5. Remove a port from the firewall's allowed list
[root@CTU1000094955 ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp
As you can see, port 80, which was allowed through the firewall a moment ago, is no longer listed.
6. Add a port to the firewall exceptions
[root@CTU1000094955 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
[root@CTU1000094955 ~]# firewall-cmd --permanent --list-port
10001/tcp 80/tcp
Now port 80 is back.
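The man page excerpt above makes the point that firewalld keeps runtime and permanent configuration separately: a port added with --permanent (as in steps 5 and 6) is not open in the running firewall until firewall-cmd --reload, and a port added without --permanent disappears at the next reload or reboot. The following script is an added example, not part of the original post: it compares the two port lists so that such drift is visible. It assumes firewall-cmd is on PATH for the live run and uses the space-separated output format shown above ("10001/tcp 80/tcp"); the sample lists at the bottom are constructed. The parsing helpers run without firewalld installed.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent port lists.
# Assumption: firewall-cmd output is a single space-separated line of PORT/PROTO
# entries, as in the post. The live path queries the default zone.

# port_listed LIST PORT -> exit 0 if PORT (e.g. 80/tcp) appears in LIST
port_listed() {
    list="$1"; want="$2"
    for candidate in $list; do
        [ "$candidate" = "$want" ] && return 0
    done
    return 1
}

# ports_only_in A B -> print every port that is in list A but not in list B
ports_only_in() {
    first="$1"; second="$2"
    for entry in $first; do
        port_listed "$second" "$entry" || printf '%s\n' "$entry"
    done
}

# drift_report RUNTIME PERMANENT -> print one line per mismatch;
# exit 0 when the lists agree, 1 when there is drift
drift_report() {
    runtime="$1"; permanent="$2"
    drift=0
    for port in $(ports_only_in "$permanent" "$runtime"); do
        printf 'permanent-only (needs --reload to take effect): %s\n' "$port"
        drift=1
    done
    for port in $(ports_only_in "$runtime" "$permanent"); do
        printf 'runtime-only (lost on reload/reboot): %s\n' "$port"
        drift=1
    done
    return $drift
}

# Live run only when firewall-cmd exists and the daemon reports "running";
# otherwise fall back to a constructed sample.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    runtime_ports=$(firewall-cmd --list-ports)
    permanent_ports=$(firewall-cmd --permanent --list-ports)
else
    # Constructed sample: 80/tcp was added with --permanent but never reloaded,
    # 8080/tcp was opened at runtime only.
    runtime_ports="10001/tcp 8080/tcp"
    permanent_ports="10001/tcp 80/tcp"
fi

if drift_report "$runtime_ports" "$permanent_ports"; then
    echo "runtime and permanent port lists match"
else
    echo "drift detected; run 'firewall-cmd --reload' to apply permanent changes"
fi
```

Run it as root on a firewalld host to audit the real configuration; anywhere else it reports on the constructed sample. The check uses --list-ports, the full option name; the abbreviated --list-port seen in the session above is accepted by firewall-cmd as a prefix of the same option.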
Stay hungry, stay foolish!