Redhat7-禁用firewalld&开启iptables&systemctl使用简介

防火墙服务默认使用的是 firewalld ，而不是 iptables 。如果想改用 iptables ，可以参考以下步骤：

1.安装

[root@localhost ~]# yum install iptables-services

2.屏蔽该服务

[root@localhost ~]# systemctl mask firewalld# systemctl mask firewalld 屏蔽服务（让它不能启动）# ln -s '/dev/null''/etc/systemd/system/firewalld.service'# systemctl unmask firewalld 显示服务（如 firewalld.service）# rm '/etc/systemd/system/firewalld.service'

3.启用iptables

[root@localhost ~]# systemctl enable iptables#如果需要使用 ip6tables , 需另外加一行[root@localhost ~]# systemctl enable ip6tables

4.启动iptables，停止firewalld

#停止firewalld服务，开启 iptables服务[root@localhost ~]# systemctl stop firewalld[root@localhost ~]# systemctl start iptables# 同上，如果需要使用 ip6tables , 需另外加一条[root@localhost ~]# systemctl start ip6tables

到此就可以像以前使用iptables了，但看完这个流程，有的同学可能不理解systemctl是干啥的，下面简要说一下：

systemctl相当于之前service和chkconfig的融合体。可以使用它永久性启用/禁止或临时关闭/启动某个服务。

[root@localhost init.d]# systemctl  #可以列出当前运行的服务状态UNIT                                                               LOAD   ACTIVE SUB       DESCRIPTIONproc-sys-fs-binfmt_misc.automount                                  loaded active waiting   Arbitrary Executable File Formats File System Automount Pointsys-devices-pci0000:00-0000:00:02.0-backlight-acpi_video0.device   loaded active plugged   /sys/devices/pci0000:00/0000:00:02.0/backlight/acpi_video0sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device             loaded active plugged   6 Series/C200 Series Chipset Family High Definition Audio Controllsys-devices-pci0000:00-0000:00:1c.5-0000:03:00.0-net-enp3s0.device loaded active plugged   RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 serisys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda1.device loaded active plugged   WDC_WD5003ABYX-01WERA1 EFI\x20System\x20Partsys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda2.device loaded active plugged   WDC_WD5003ABYX-01WERA1 2sys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda-sda3.device loaded active plugged   LVM PV 00d05P-rKKJ-nWdn-ejxs-kpY4-GE0k-3o4TFsys-devices-pci0000:00-0000:00:1f.2-ata5-host4-target4:0:0-4:0:0:0-block-sda.device loaded active plugged   WDC_WD5003ABYX-01WERA1sys-devices-platform-serial8250-tty-ttyS0.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS0sys-devices-platform-serial8250-tty-ttyS1.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS1sys-devices-platform-serial8250-tty-ttyS2.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS2sys-devices-platform-serial8250-tty-ttyS3.device                   loaded active plugged   /sys/devices/platform/serial8250/tty/ttyS3sys-devices-virtual-block-dm\x2d0.device                           loaded active plugged   /sys/devices/virtual/block/dm-0sys-devices-virtual-block-dm\x2d1.device                           loaded active plugged   /sys/devices/virtual/block/dm-1sys-devices-virtual-block-dm\x2d2.device                           loaded active plugged   /sys/devices/virtual/block/dm-2sys-module-configfs.device                                         loaded active plugged   /sys/module/configfssys-subsystem-net-devices-enp3s0.device                            loaded active plugged   RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (P8 seri-.mount                                                            loaded active mounted   /boot-efi.mount                                                     loaded active mounted   /boot/efi

[root@localhost init.d]# systemd-cgls   #该命令可以树状形式列出运行的进程|-1 /usr/lib/systemd/systemd --switched-root --system --deserialize 21|-user.slice| `-user-0.slice|   |-session-61.scope|   | |-12073 sshd: root@pts/1    |   | |-12077 -bash|   | |-12103 systemd-cgls|   | `-12104 less|   `-session-58.scope|     |-11507 sshd: root@pts/0    |     |-11511 -bash|     `-11530 /usr/bin/python -Es /usr/sbin/firewalld`-system.slice  |-tuned.service  | `-1284 /usr/bin/python -Es /usr/sbin/tuned -l -P  |-postfix.service  | |- 3228 /usr/libexec/postfix/master -w  | |- 3279 qmgr -l -t unix -u  | `-12052 pickup -l -t unix -u  |-sshd.service  | `-1282 /usr/sbin/sshd -D  |-polkit.service  | `-891 /usr/lib/polkit-1/polkitd --no-debug  |-wpa_supplicant.service  | `-889 /usr/sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log -c /etc/wpa_supplicant/wpa_supplicant.conf -u -f /var/log/wpa_supplicant.log -P /var/run  |-NetworkManager.service  | `-771 /usr/sbin/NetworkManager --no-daemon  |-crond.service  | `-691 /usr/sbin/crond -n  |-systemd-logind.service  | `-684 /usr/lib/systemd/systemd-logind  |-irqbalance.service  | `-682 /usr/sbin/irqbalance --foreground  |-rsyslog.service  | `-679 /usr/sbin/rsyslogd -n  |-dbus.service  | `-676 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation  |-auditd.service  | `-651 /sbin/auditd -n  |-systemd-udevd.service  | `-529 /usr/lib/systemd/systemd-udevd  |-lvm2-lvmetad.service  | `-526 /usr/sbin/lvmetad -f

具体使用

1、相对于之前service iptables stop/start/status/restart/reload 等
启动服务：systemctl start iptables
关闭服务：systemctl stop iptables
重启服务：systemctl restart iptables
显示服务状态：systemctl status iptables
2、相对于之前的chkconfig iptables on/off/list 等
在开机时启用服务：systemctl enable iptables
在开机时禁用服务：systemctl disable iptables
查看服务是否开机启动：systemctl is-enabled iptables
查看已启动的服务列表：systemctl list-unit-files|grep enabled
查看启动失败的服务列表：systemctl –failed

PS：使用命令 systemctl is-enabled iptables 得到的值可以是enable、disable或static，这里的 static 它是指对应的 Unit 文件中没有定义[Install]区域，因此无法配置为开机启动服务。

说明：启用服务就是在当前“runlevel”的配置文件目/etc/systemd/system/multi-user.target.wants/里，建立/usr/lib/systemd/system里面对应服务配置文件的软链接；禁用服务就是删除此软链接，添加服务就是添加软连接。如下：

[root@localhost ~]# systemctl mask firewalld  #屏蔽服务（让它不能启动）ln -s '/dev/null''/etc/systemd/system/firewalld.service'[root@localhost ~]# systemctl unmask firewalld #显示服务（如firewalld.service）rm '/etc/systemd/system/firewalld.service'#mask的释义（mask是disabled的升级版，效果更强大）：[root@localhost ~]# man systemctl mask NAME...           Mask one or more unit files, as specified on the command line. This will link these units to /dev/null, making it impossible to start them.           This is a stronger version of disable, since it prohibits all kinds of activation of the unit, including enablement and manual activation. Use           this option with care. This honors the --runtime option to only mask temporarily until the next reboot of the system. The --now option can be           used to ensure that the units are also stopped.unmask NAME...           Unmask one or more unit files, as specified on the command line. This will undo the effect of mask.