CentOS8的基础防火墙配置

发表评论

systemctl使用
systemctl unmask firewalld #执行命令,即可实现取消服务的锁定
systemctl mask firewalld # 下次需要锁定该服务时执行
systemctl start firewalld.service #启动防火墙
systemctl stop firewalld.service #停止防火墙
systemctl reloadt firewalld.service #重载配置
systemctl restart firewalld.service #重启服务
systemctl status firewalld.service #显示服务的状态
systemctl enable firewalld.service #在开机时启用服务
systemctl disable firewalld.service #在开机时禁用服务
systemctl is-enabled firewalld.service #查看服务是否开机启动
systemctl list-unit-files|grep enabled #查看已启动的服务列表
systemctl –failed #查看启动失败的服务列表

firewall-cmd使用
firewall-cmd –state #查看防火墙状态
firewall-cmd –reload #更新防火墙规则
firewall-cmd –state #查看防火墙状态
firewall-cmd –reload #重载防火墙规则
firewall-cmd –list-ports #查看所有打开的端口
firewall-cmd –list-services #查看所有允许的服务
firewall-cmd –get-services #获取所有支持的服务

/usr/lib/firewalld/services

#区域相关
firewall-cmd –list-all-zones #查看所有区域信息
firewall-cmd –get-active-zones #查看活动区域信息
firewall-cmd –set-default-zone=public #设置public为默认区域
firewall-cmd –get-default-zone #查看默认区域信息
firewall-cmd –zone=public –add-interface=eth0 #将接口eth0加入区域public
#接口相关
firewall-cmd –zone=public –remove-interface=eth0 #从区域public中删除接口eth0
firewall-cmd –zone=default –change-interface=eth0 #修改接口eth0所属区域为default
firewall-cmd –get-zone-of-interface=eth0 #查看接口eth0所属区域

用例
firewall-cmd –query-port=8080/tcp # 查询端口是否开放

firewall-cmd –add-port=80/tcp –permanent #永久添加80端口例外(全局)
firewall-cmd –remove-port=80/tcp –permanent #永久删除80端口例外(全局)
firewall-cmd –add-port=65001-65010/tcp –permanent #永久增加65001-65010例外(全局)
firewall-cmd –zone=public –add-port=80/tcp –permanent #永久添加80端口例外(区域public)
firewall-cmd –zone=public –remove-port=80/tcp –permanent #永久删除80端口例外(区域public)
firewall-cmd –zone=public –add-port=65001-65010/tcp –permanent #永久增加65001-65010例外(区域public)

firewall-cmd –reload #重启防火墙(修改配置后要重启防火墙)

nginx+v2ray

发表评论

参照这个文章的配置,

https://www.ecsoe.com/archives/38.html

一次成功

先安装了nginx+ssl,再安装v2ray,调整配置。

yum -y update
bash <(curl -L -s https://install.direct/go.sh)
systemctl enable v2ray
vi /etc/nginx/conf.d/v2ray.conf

server {
    listen       443 ssl;
    server_name  example.com;

    ssl_certificate    /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    error_page 497  https://$host$request_uri;

location /ray {
    proxy_pass       http://127.0.0.1:10000;
    proxy_redirect             off;
    proxy_http_version         1.1;
    proxy_set_header Upgrade   $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host      $http_host;
    }
}


{
  "inbounds": [
    {
      "port": 10000,
      "listen":"127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "你的UUID",
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
        "path": "/ray"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}


vi /etc/selinux/config
SELINUX=disabled
setenforce 0

yii 邮件发送问题解决

发表评论

yii邮件发送,一直报错

Swift_TransportException
Expected response code 250 but got code “550”, with message “550 5.7.1 Request not taken sender domain mismatch !

其实说的比较清楚了。是Request not taken sender domain mismatch

但是web.php已经修改了,找了半天,发现

config\params.php

下面的adminEmail也要修改成一致的才行。

如何让外网访问小米路由器的硬盘文件

发表评论

解决只能lan口访问,不能wan口访问硬盘资源的问题。

1、小米路由器要开启ssh
2、ssh到小米路由器,编辑/etc/samba/smb.conf.template 文件,将其中的interfaces那一行改为

interfaces = br-lan eth0.2

3、编辑/etc/config/firewall文件,在文件最后添加以下内容:

config rule 'samba_udp'                                
        option src 'wan'                    
        option dest_port '137 138'             
        option proto 'udp'                                  
        option target 'ACCEPT'                  
        option name 'samba_incoming_udp'

config rule 'samba_tcp'        
        option src 'wan'                                   
        option dest_port '139 445'            
        option proto 'tcp'                
        option target 'ACCEPT'                 
        option name 'samba_incoming_tcp'

4、执行/etc/init.d/samba restart命令重启samba服务
5、执行/etc/init.d/firewall restart命令重启防火墙

用\\xxx.xxx.xxx.xxx 访问试试。xxx是小米路由器的wan ip地址

nginx日志按天切割的脚本

发表评论

本脚本原版来自 lnmp.org,修改如下:
不需要写每个日志文件,除了error日志,其他的都自动切割
不按照年月分目录,放在一个目录,这样好处理点。
用法就是放在服务器上 chmod +x,然后加到crontab里

cat /root/bin/cut_nginx_logs.sh
#!/bin/bash
#function:cut nginx log files for lnmp
#author: http://lnmp.org
#modified by http://www.juyimeng.com/lnmp-nginx-log-cut-per-day-rotation.html

#set the path to nginx log files
log_files_path="/home/wwwlogs/"
#log_files_dir=${log_files_path}$(date -d "yesterday" +"%Y")/$(date -d "yesterday" +"%m")
log_files_dir=${log_files_path}bak/
#set nginx log files you want to cut
#get log files list,exclude error.log
log_files_name=($(/bin/find $log_files_path -maxdepth 1 -name "*.log" |grep -v error| awk -F/ '{ print $NF }'))
#set the path to nginx.
nginx_sbin="/usr/local/nginx/sbin/nginx"
#Set how long you want to save
save_days=15
############################################
#Please do not modify the following script #
############################################
mkdir -p $log_files_dir
log_files_num=${#log_files_name[@]}

#cut nginx log files
for((i=0;i&lt;$log_files_num;i++));do
mv ${log_files_path}${log_files_name[i]} ${log_files_dir}$(date -d "yesterday" +"%Y%m%d_%s")_${log_files_name[i]}
done
#delete $save_days ago nginx log files
find $log_files_path -mtime +$save_days -exec rm -rf {} \;
#reload nginx
$nginx_sbin -s reload

openwrt shadowsocks chinadns 自动脚本

发表评论

k2定时脚本

[email protected]:~# crontab -l
0 1 * * *  /etc/shadowsocks/update.sh    >> /var/log/shadowsocks_watchdog.log 2>&1
*/10 * * * * /etc/shadowsocks/checknet.sh  >> /var/log/shadowsocks_watchdog.log 2>&1
0 1 * * 7 echo "" > /var/log/shadowsocks_watchdog.log

更新ip地址

[email protected]:~# cat /etc/shadowsocks/update.sh
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ \
{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/chinadns_chnroute.txt \
 && /etc/init.d/shadowsocks restart && /etc/init.d/chinadns restart
[email protected]:~#
检查网络状态,发现有问题就重启
[email protected]:~# cat /etc/shadowsocks/checknet.sh
#!/bin/sh

LOGTIME=$(date "+%Y-%m-%d %H:%M:%S")
wget --spider --quiet --tries=1 --timeout=10 www.google.co.jp
if [ "$?" == "0" ]; then
        echo '['$LOGTIME'] No Problem.'
        exit 0
else
        wget --spider --quiet --tries=1 --timeout=10 www.baidu.com
        if [ "$?" == "0" ]; then
                echo '['$LOGTIME'] Problem decteted, restarting shadowsocks.'
                /etc/init.d/shadowsocks restart
                /etc/init.d/chinadns restart
        else
                echo '['$LOGTIME'] Network Problem. Do nothing.'
        fi
fi
[email protected]:~#