iptables规则备份,把规则保存至文件当中,可以防止规则丢失
查看当前的规则
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
138 16695 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
304 22837 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 177 packets, 15647 bytes)
pkts bytes target prot opt in out source destination
使用iptables-save 对iptables规则进行保存,保存的规则输出到一个文件当中,并查看该文件保存的规则
[root@localhost ~]# iptables-save > /usr/local/src/tmp/siyan.ipt
[root@localhost ~]# cat !$
cat /usr/local/src/tmp/siyan.ipt
# Generated by iptables-save v1.4.21 on Mon Jul 16 14:09:02 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [275:24999]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 16 14:09:02 2018
清空当前所有的iptables规则,并查看当前是否还存在iptables规则
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1860 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 1568 bytes)
pkts bytes target prot opt in out source destination
使用iptables-restore 反向重定向把存储规则的文件内的规则重新写入iptables当中
[root@localhost ~]# iptables-restore < /usr/local/src/tmp/siyan.ipt
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25 1728 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 107 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
如果要想开机启动就加载这些规则的话,需要把规则写入到/etc/sysconfig/iptables文件当中,这样就会开机时加载我们需要的规则了,将备份文件的规则按照格式粘贴到iptables配置文件当中
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
firewalld防火墙zone了解
fiewalld有九个zone,zone是保存规则的规则集
暂停掉iptables防火墙,启用firewalld
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
查看firewalld的九个zone规则集名称,查看firewalld默认的规则集(和iptables一样,如:iptables默认为filter表)
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block 查看九个zone
[root@localhost ~]# firewall-cmd --get-default-zone
public 默认的zone
drop (丢弃),任何接收的网络数据包都被丢弃,没有任何回复。仅能有发送出去的网络连接。
block (限制)任何接收的网络连接都被IPv4 的icmp-host-prohibited 信息和IPv6 的icmp6-adm-prohibited信息所拒绝。public (公共)在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选取的连接。
external (外部)特别是为路由器启用了伪装功能的外部网。你不能信任来自网络的其他计算,不能相信它们不会对你的计算机造成危害,只能接收经过选择的连接。
dmz (非军事区)用于你的非军事区内的电脑,此区域内可公开访问,可以有限地进入你的内部网络,仅仅接收经过选择的连接。
work(工作)用于工作区。你可以基本相信网络内的其他电脑不会危害你的电脑。仅仅接收经过选择的连接。
home (家庭)用于家庭网络。你可以基本信任网络内的其他计算机不会危害你的计算机。仅仅接收经过选择的连接。
internal (内部)用于内部网络。你可以基本上信任网络内的其他计算机不会威胁你的计算机。仅仅接受经过选择的连接。
trusted (信任)可接受所有的网络连接。
firewall修改zone规则集
firewall-cmd --set-default-zone=work //设定默认zone规则集
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
firewall-cmd --get-default-zone 查看默认规则集
[root@localhost ~]# firewall-cmd --get-default-zone
work
firewall-cmd --get-zone-of-interface=ens33 //查指定网卡的zone规则集
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
如果查询的网卡没有zone规则集的话,那就需要我们指定一下规则集
firewall-cmd --zone=work --add-interface=lo //给指定网卡设置zone
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
public
firewall-cmd --zone =dmz --change- interface=ens33 //对网卡更改zone规则集
[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
dmz
firewall-cmd -- zone=dmz --remove-interface=ens33 //针对网卡删除zone,删除zone后,会变回默认的zone,使用firewall-cmd --get-active-zones查看所有网卡所在的zone
[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
success
firewall-cmd --get-active-zones //查看系统所有网卡所在的zone
[root@localhost ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
public
interfaces: lo
firewall的server操作
service是对所有服务开放的一个规则,services可以放行指定的服务端口,以服务名来指定
firewall-cmd --get-service //列出系统当前所有的service
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
添加一个服务器的services,相同与iptables内添加一个放行的端口号
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
查看增加的services
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
永久增加一个services放行端口,--permannet表示为永久保存该配置,如http没有使用,则不会保存到该配置文件当中
[root@localhost ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
~
firewall的zone规则都有模板,firewall用模板来创建这些zones规则,模板存放在/usr/lib/firewall/zones下,zone存储位置
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
需求,在work zone下放行自定义的ftp1121端口,拷贝ftp的模板文件到/etc/firewalld/services/目录下,修改port="1121"
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml
FTP
FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.
在work的zone中增加ftp放行的services,拷贝模板work的zone到/etc/firewalld/zones/目录下,新增一行ftp的配置
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml
Work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
~
重新加载zone的配置,并查看新增的ftp的services放行
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh ftp dhcpv6-client