2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
CentOS 7 basics (II)
I. CentOS 7 service control
1. Service script files
On Linux, systemctl is the control command of systemd, an init program that can be used as an alternative to SysVinit and Upstart.
CentOS 7 service scripts are stored under /usr/lib/systemd/, which contains a system subdirectory (system-level units) and a user subdirectory (per-user units). A service that must start at boot without anyone logging in belongs to the system level, i.e. the /usr/lib/systemd/system directory. Each service file ends with .service and is generally divided into three parts: [Unit], [Service] and [Install].
[Unit]: describes the service, mainly Description and After; After lists the units that must be started before this one (ordering dependencies).
[Service]: the main part of the service and its specific runtime parameters. Type=forking means the service runs in the background (it forks and daemonizes), PIDFile is the path of the file in which the PID is stored, and ExecStart is the command that actually starts the service.
[Install]: settings related to installing (enabling) the service, such as the target it is enabled under (for example the multi-user target).
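As an added example (not from the article), a small POSIX shell lint that checks a unit file for the three sections and the keys just described; the file path is assumed to be the first argument, and the sample unit it writes when run without one is constructed.

```shell
# Added example, not the article's code: a lint for the three-section unit file
# layout described above. Assumes the unit file path is the first argument.
check_unit() {   # check_unit FILE -> prints the problems found (empty if none)
    local f="$1" sec="" u=0 s=0 i=0 desc="" stype="" pidfile="" start="" problems=""
    local line key val
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "#"*|";"*|"") ;;                       # comment or blank line
            "[Unit]")    sec=unit;    u=1 ;;
            "[Service]") sec=service; s=1 ;;
            "[Install]") sec=install; i=1 ;;
            "["*"]")     sec=other ;;
            *=*) key="${line%%=*}"; val="${line#*=}"
                 case "$sec:$key" in
                     unit:Description)  desc="$val" ;;
                     service:Type)      stype="$val" ;;
                     service:PIDFile)   pidfile="$val" ;;
                     service:ExecStart) start="$val" ;;
                 esac ;;
        esac
    done < "$f"
    [ "$u" = 1 ]    || problems="$problems missing-[Unit]"
    [ "$s" = 1 ]    || problems="$problems missing-[Service]"
    [ "$i" = 1 ]    || problems="$problems missing-[Install]"
    [ -n "$desc" ]  || problems="$problems missing-Description"
    case "$start" in   # the command must be an absolute path (optional -, @, + prefix)
        /*|-/*|@/*|+/*) ;;
        "") problems="$problems missing-ExecStart" ;;
        *)  problems="$problems ExecStart-not-absolute" ;;
    esac
    # Type=forking only works if systemd can find the daemon's PID
    if [ "$stype" = forking ] && [ -z "$pidfile" ]; then
        problems="$problems forking-without-PIDFile"
    fi
    printf '%s\n' "${problems# }"
}
if [ $# -gt 0 ]; then
    check_unit "$1"
else   # no argument: lint a constructed sample unit that is missing pieces
    sample=$(mktemp)
    printf '%s\n' '[Unit]' 'Description=Demo daemon' '[Service]' 'Type=forking' \
        'ExecStart=demod' > "$sample"
    check_unit "$sample"; rm -f "$sample"   # missing-[Install] ExecStart-not-absolute forking-without-PIDFile
fi
```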
2. Using the systemctl command
The systemctl command combines the roles of the service and chkconfig commands.
Basic format of a systemctl command:
systemctl ACTION NAME.service   (NAME is the service name)
3. Analyzing the state of the system
systemctl, or systemctl list-units   // list the active units
systemctl list-units --type=service   // list the services that are active
systemctl list-unit-files   // list all installed unit files (services)
systemctl --failed   // show the units that failed to start
All available unit files are stored in /usr/lib/systemd/system and /etc/systemd/system/ (the latter has higher priority).
Using units:
A unit can be a .service, .mount, .socket, etc.
systemctl start UNIT   // start the unit immediately
systemctl stop UNIT   // stop the unit
systemctl restart UNIT   // restart the unit
systemctl reload UNIT   // reload the unit's configuration
systemctl status UNIT   // show the unit's running status
systemctl is-enabled UNIT   // check whether the unit is set to start at boot
systemctl enable UNIT   // start the unit automatically at boot
systemctl disable UNIT   // cancel automatic start at boot
systemctl is-active UNIT   // check whether the unit is running
systemctl daemon-reload   // reload systemd so it rescans for new or changed units
Power management:
systemctl reboot   // restart the system
systemctl poweroff   // shut the system down
Units of other types can be filtered with --type:
systemctl list-unit-files --type=service
II. CentOS 7 firewalls
1. Differences between the firewalls in CentOS 7
CentOS 7 uses firewalld as its firewall by default, and the way it is used has changed. The iptables-based firewall is no longer enabled by default, but it can still be used.
firewalld, iptables, ebtables and other firewalls coexist in CentOS 7. firewalld is the default, and its management tools are firewall-config (graphical) and firewall-cmd (command line).
2. Basic firewalld commands
1) systemctl status {firewalld,iptables,ebtables}   // view the running status of each firewall
2) Disable the iptables firewall: systemctl mask iptables, or disable several at once with a for loop:
for service in iptables ebtables; do
    systemctl mask ${service}.service
done   // mask each listed service so it cannot be started
3) Re-enable (unmask) the iptables firewall: systemctl unmask iptables
4) Check whether a service is running:
systemctl status SERVICE or systemctl is-active SERVICE
3. firewalld zones
firewalld is a firewall management tool that supports network/firewall zones, which define the trust level of network connections and interfaces, with both runtime and permanent configuration. It also provides an interface through which services or applications can add firewall rules directly. The older iptables rule set is static and has to be reloaded after every change; firewalld, by contrast, applies changes without restarting the entire firewall.
The firewalld zone concept:
Every packet must pass through one of these zones to reach the kernel, and each zone defines a different set of rules. Which zone handles a network card's traffic depends on how trusted the network that card is connected to is: for example, all traffic on eth0 uses the filtering rules of zone1, while traffic on eth2 uses zone2.
Predefined services: a collection of port and protocol entries.
Ports and protocols: tcp and udp ports are defined; a port can be a single port or a range of ports.
ICMP blocking: selected Internet Control Message Protocol messages can be blocked; these can be information requests, replies to information requests, or error conditions.
Masquerading: private network addresses can be mapped to a public IP address, a regular form of address translation.
Port forwarding: a port can be mapped to another port and/or to another host.
4. firewalld zones in detail
1) drop zone: any packet entering the zone is discarded with no reply, similar to the iptables -j DROP we learned earlier.
2) block zone: incoming network connections are rejected with an icmp-host-prohibited message. Only connections initiated from the server itself are allowed through, that is, only the system may initiate network connections.
3) external zone: equivalent to a router with the masquerade option enabled; only selected incoming connections (ssh) are accepted, and all other connections are discarded or refused.
4) public zone: only selected incoming connections are accepted; by default only ssh and dhcpv6-client are allowed. This is the default zone.
5) dmz zone (demilitarized zone): used when only some services should be reachable from outside; like the others, it only accepts selected incoming connections (ssh).
6) work zone: for work networks, where only the defined internal networks, such as private-network communication, are allowed.
7) home zone: dedicated to home networks; like the work zone, it only lets selected connections through.
8) internal zone: similar to the work zone; only selected connections pass.
9) trusted zone: allows all network connections. trusted is the most trusting level: even if no services are defined, everything is allowed, because trusted accepts all connections.
5. firewalld control rules
1. If the source IP address of a client packet matches a source bound to a zone, the packet is processed by that zone. A source can belong to only one zone.
2. If the client packet arrives on a server interface bound to a zone, that zone's rules process the packet. An interface can belong to only one zone, not several at the same time.
3. If neither of the above matches, the default zone, public, applies.
6. Common firewall-cmd commands
firewall-cmd --state   // get the state of firewalld
firewall-cmd --reload   // reload the firewall rules without changing state
firewall-cmd --get-zones   // list the supported zones
firewall-cmd --get-services   // list all supported services
The default predefined services can also be seen as files in the following directory:
ls /usr/lib/firewalld/services/*.xml
If you want to define a service yourself, you can modify the configuration files here.
firewall-cmd --get-icmptypes   // list all supported ICMP types
firewall-cmd --list-all-zones   // list the settings of all zones
firewall-cmd --zone=public --list-all   // list all the settings of the specified zone
firewall-cmd --get-default-zone   // view the default zone
The default zone is defined in /etc/firewalld/firewalld.conf as DefaultZone=public.
firewall-cmd --set-default-zone=ZONE   // set the default zone
firewall-cmd --get-active-zones   // list the active zones
firewall-cmd --get-zone-of-interface=IFACE   // view which zone an interface belongs to
firewall-cmd --zone=ZONE --add-interface=IFACE   // add the interface to a zone
firewall-cmd --zone=ZONE --change-interface=IFACE   // move an interface to another zone
firewall-cmd --zone=ZONE --remove-interface=IFACE   // remove an interface from the zone
firewall-cmd --zone=ZONE --query-interface=IFACE   // check whether the zone contains the interface
firewall-cmd --zone=ZONE --list-services   // list the services enabled in the zone
firewall-cmd --panic-on   // enable panic mode, which blocks all connections in an emergency
firewall-cmd --panic-off   // disable panic mode
firewall-cmd --query-panic   // query whether panic mode is on
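The three rules of section 5 (source binding first, then interface binding, then the default zone), applied to a packet using bindings in the format that --get-active-zones prints, as an added example that is not the article's code; the sample output and addresses are constructed.

```shell
# Added example, not the article's code: the three zone rules of section 5 applied
# to a packet. Bindings use firewall-cmd --get-active-zones format (sample is constructed).
SAMPLE_ACTIVE_ZONES='external
  interfaces: eth0
internal
  interfaces: eth1
trusted
  sources: 10.0.0.0/8 192.168.1.10
dmz
  sources: 203.0.113.0/24'
DEFAULT_ZONE=public   # what firewall-cmd --get-default-zone would report
ip_to_int() {   # dotted quad -> 32-bit integer
    local ip="$1" n=0 o
    while :; do
        o="${ip%%.*}"; n=$(( n * 256 + o ))
        [ "$ip" = "$o" ] && break
        ip="${ip#*.}"
    done
    echo "$n"
}
in_cidr() {     # in_cidr IP CIDR-or-IP -> true when IP lies inside it
    local net="${2%/*}" bits=32 mask
    case "$2" in */*) bits="${2#*/}" ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}
bindings() {    # bindings sources|interfaces TEXT -> lines of "zone item"
    printf '%s\n' "$2" | while read -r line; do
        case "$line" in
            "$1: "*) for item in ${line#*: }; do echo "$zone $item"; done ;;
            *:*) ;;                   # a binding of another kind
            *) zone="$line" ;;        # unindented line = zone name
        esac
    done
}
pick_zone() {   # pick_zone SRC_IP IFACE TEXT -> zone that handles the packet
    local z
    # Rule 1: a matching source binding wins; a source belongs to exactly one zone
    z=$(bindings sources "$3" | while read -r zone item; do
            if in_cidr "$1" "$item"; then echo "$zone"; break; fi
        done)
    # Rule 2: otherwise the zone the ingress interface is bound to
    [ -n "$z" ] || z=$(bindings interfaces "$3" | while read -r zone item; do
            if [ "$item" = "$2" ]; then echo "$zone"; break; fi
        done)
    # Rule 3: nothing matched, so the default zone applies
    echo "${z:-$DEFAULT_ZONE}"
}
pick_zone 10.1.2.3 eth0 "$SAMPLE_ACTIVE_ZONES"      # trusted (rule 1 beats eth0's zone)
pick_zone 198.51.100.7 eth9 "$SAMPLE_ACTIVE_ZONES"  # public (rule 3)
```

On a real host, feed the output of firewall-cmd --get-active-zones in place of the sample and set DEFAULT_ZONE from firewall-cmd --get-default-zone.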