2014-07-25
2014-08-01 Revised
Starting with CentOS 7.0, services are managed with systemctl. For httpd, for example, any of the following forms can be used:
# systemctl status|start|stop|restart|reload httpd
OR
# service httpd status|start|stop|restart|reload
OR
# apachectl configtest| graceful
service httpd automatically redirects the command to systemctl, so that is not much of a problem.
The firewall, however, is a problem: while setting up a website, local tests worked, but after stopping the firewall, remote connections still failed, so I did a little research and testing.
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@localhost ~]# service httpd status
Redirecting to /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Fri 2014-07-25 15:54:58 CST; 21s ago
Main PID: 14250 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─14250 /usr/sbin/httpd -DFOREGROUND
├─14251 /usr/sbin/httpd -DFOREGROUND
├─14252 /usr/sbin/httpd -DFOREGROUND
├─14253 /usr/sbin/httpd -DFOREGROUND
├─14254 /usr/sbin/httpd -DFOREGROUND
└─14255 /usr/sbin/httpd -DFOREGROUND
Jul 25 15:54:58 localhost.localdomain systemd[1]: Starting The Apache HTTP Se...
Jul 25 15:54:58 localhost.localdomain httpd[14250]: AH00558: httpd: Could not...
Jul 25 15:54:58 localhost.localdomain systemd[1]: Started The Apache HTTP Ser...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# ps aux | grep httpd
root 14250 0.0 0.2 209484 4804 ? Ss 15:54 0:00 /usr/sbin/http -DFOREGROUND
apache 14251 0.0 0.1 211568 2968 ? S 15:54 0:00 /usr/sbin/http -DFOREGROUND
apache 14252 0.0 0.1 211568 2968 ? S 15:54 0:00 /usr/sbin/http -DFOREGROUND
apache 14253 0.0 0.1 211568 2968 ? S 15:54 0:00 /usr/sbin/http -DFOREGROUND
apache 14254 0.0 0.1 211568 2968 ? S 15:54 0:00 /usr/sbin/http -DFOREGROUND
apache 14255 0.0 0.1 211568 2968 ? S 15:54 0:00 /usr/sbin/http -DFOREGROUND
root 14276 0.0 0.0 112640 980 pts/1 R+ 15:55 0:00 grep --color=auto httpd
[root@localhost ~]#
[root@localhost ~]# service iptables stop
Redirecting to /bin/systemctl stop iptables.service
(Figure below) Testing on the local machine works fine
(Figure below) Connecting from a remote host fails
Check the firewall status: it is inactive
[root@localhost ~]# service iptables -L
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
[root@localhost ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: inactive (dead)
Jul 25 15:56:53 localhost.localdomain systemd[1]: Stopped IPv4 firewall with ...
Hint: Some lines were ellipsized, use -l to show in full.
List the firewall rules: surprisingly, rules are still present
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@localhost ~]#
After some research, it turns out that the firewall-cmd command should be used instead.
To open the http port temporarily (until the next reload or reboot), run
# firewall-cmd --add-service=http
To open the http port permanently, run
# firewall-cmd --permanent --add-service=http
# systemctl restart firewalld
To stop the firewall
[root@localhost ~]# systemctl stop firewalld
Confirm below that it really has stopped
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]#
(Figure below) Connecting to the website from the remote host again: it works
In other words, service iptables stop can no longer stop the firewall (the message below says stop should be supported; a bug?). The status output above already showed iptables.service as inactive and disabled: on CentOS 7 the default firewall is firewalld, which loads its own rules (the *_ZONES and IN_public_* chains seen in iptables -L), so stopping iptables.service does not remove them.
[root@localhost ~]# service iptables
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
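The lesson of the listing above is that the firewall has to be judged from the rules actually loaded in the kernel, not from the status of iptables.service. The following Python script is an added example (not code from the original post): it parses iptables -L output, recognises firewalld's zone chains, and reports which destination ports the public zone allows. The two sample listings are constructed to mirror the ones on this page (before and after systemctl stop firewalld); the function names are my own.

```python
import re

# Constructed sample: trimmed 'iptables -L' output with firewalld still loaded,
# although 'service iptables stop' had just reported success.
SAMPLE_FIREWALLD_LOADED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
"""

# Constructed sample: the empty ruleset seen after 'systemctl stop firewalld'.
SAMPLE_EMPTY = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_iptables_list(text):
    """Parse 'iptables -L' output into {chain_name: [rule_tokens, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) \((.*)\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target "):
            continue  # blank line or column header
        if current is not None:
            chains[current].append(line.split())
    return chains


def firewalld_rules_loaded(chains):
    """firewalld installs zone dispatch chains (INPUT_ZONES, IN_<zone>_allow, ...).
    Their presence means firewalld, not iptables.service, owns the ruleset."""
    return any(name.startswith(("INPUT_ZONES", "IN_")) for name in chains)


def input_has_catch_all_reject(chains):
    """True when the INPUT chain ends in a REJECT/DROP rule, i.e. anything not
    explicitly accepted earlier is refused."""
    rules = chains.get("INPUT", [])
    return bool(rules) and rules[-1][0] in ("REJECT", "DROP")


def allowed_ports(chains, zone="public"):
    """(proto, port) pairs ACCEPTed in firewalld's IN_<zone>_allow chain.
    Note: plain 'iptables -L' resolves port numbers to service names (ssh, http);
    use 'iptables -nL' if numeric ports are wanted."""
    pairs = []
    for rule in chains.get(f"IN_{zone}_allow", []):
        if rule[0] != "ACCEPT":
            continue
        for tok in rule:
            if tok.startswith("dpt:"):
                pairs.append((rule[1], tok[len("dpt:"):]))
    return pairs


def inbound_allowed(chains, proto, port, zone="public"):
    """Would a new inbound connection to proto/port pass this ruleset?"""
    if not input_has_catch_all_reject(chains):
        return True  # policy ACCEPT and no reject rule: nothing blocks it
    return (proto, port) in allowed_ports(chains, zone)


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_FIREWALLD_LOADED), ("after", SAMPLE_EMPTY)):
        chains = parse_iptables_list(sample)
        print(label, "firewalld loaded:", firewalld_rules_loaded(chains),
              "http allowed:", inbound_allowed(chains, "tcp", "http"))
```

Run on the first sample the script reports that firewalld's chains are loaded and that tcp/http is not allowed (only ssh is), which is exactly why the remote test failed while the local one passed; on the second sample the ruleset is empty and http passes.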
Configure httpd to start at boot
systemctl enable httpd
Other commonly used firewall-cmd commands
# firewall-cmd --state
# firewall-cmd --list-all
# firewall-cmd --list-interfaces
# firewall-cmd --get-services
# firewall-cmd --query-service service_name
# firewall-cmd --add-port=8080/tcp
(End)
Related
[Study] Website setup and firewall on CentOS 7.0 x64
http://shaurong.blogspot.tw/2014/07/centos-linux-701406.html
Installing LAMP (Linux, Apache, MariaDB, PHP/PhpMyAdmin) in RHEL/CentOS 7.0
http://www.tecmint.com/install-lamp-in-centos-7/