10.19 iptables规则备份和恢复
service iptables save #会把规则保存到/etc/sysconfig/iptables里去
但如果想把规则保存到别的地方,可以用 iptables-save 把规则重定向到一个文件:
[root@localhost: ~]# iptables-save > ipt.txt
[root@localhost: ~]# cat ipt.txt
# Generated by iptables-save v1.4.21 on Tue Jul 17 12:30:12 2018
*filter
:INPUT ACCEPT [17:5576]
:FORWARD ACCEPT [71:9230]
:OUTPUT ACCEPT [397:42107]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jul 17 12:30:12 2018
# Generated by iptables-save v1.4.21 on Tue Jul 17 12:30:12 2018
*nat
:PREROUTING ACCEPT [27:1994]
:INPUT ACCEPT [9:776]
:OUTPUT ACCEPT [116:8741]
:POSTROUTING ACCEPT [117:8793]
-A PREROUTING -d 192.168.16.100/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.17.101:22
-A POSTROUTING -s 192.168.17.101/32 -j SNAT --to-source 192.168.16.100
COMMIT
# Completed on Tue Jul 17 12:30:12 2018
想要恢复也很容易:先清空现有规则(便于观察效果),再用 iptables-restore 从刚才保存的文件恢复。
[root@localhost: ~]# iptables -t nat -F
[root@localhost: ~]# iptables -t filter -F
[root@localhost: ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost: ~]# iptables -nvL
Chain INPUT (policy ACCEPT 66 packets, 4452 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37 packets, 4180 bytes)
pkts bytes target prot opt in out source destination
[root@localhost: ~]# iptables-restore < ipt.txt
[root@localhost: ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 428 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
pkts bytes target prot opt in out source destination
[root@localhost: ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.16.100 tcp dpt:1122 to:192.168.17.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.17.101 0.0.0.0/0 to:192.168.16.100
但是开机时加载的规则仍然是/etc/sysconfig/iptables里的规则;用 iptables-restore 从其他文件恢复的规则只在当前运行中生效,重启后不会自动加载。
10.20 firewalld的9个zone
CentOS 7 以及以后的版本所用的防火墙是 firewalld。
先把 iptables 服务停掉并禁止开机启动,再启用 firewalld。
[root@localhost: ~]# systemctl disable iptables.service
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost: ~]# systemctl stop iptables.service
[root@localhost: ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost: ~]# systemctl start firewalld.service
[root@localhost: ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 280 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 108 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 108 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 108 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2 packets, 264 bytes)
pkts bytes target prot opt in out source destination
3 388 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
1 108 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
1 108 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1 108 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1 108 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
1 108 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
上面就是firewalld自带的filter表。
firewalld 有 9 个 zone,每一个 zone 就是一个规则集,默认 zone 为 public。
[root@localhost: ~]# firewall-cmd --get-zones //查询所有zone
block dmz drop external home internal public trusted work
[root@localhost: ~]# firewall-cmd --get-default-zone //查询默认
public
zone的介绍:
- drop 任何接收的网络数据包都会被丢弃,没有任何回复。仅能有发送出去的网络连接。
- block 任何接收的网络连接都被IPv4的icmp-host-prohibited信息和IPv6的icmp6-adm-prohibited信息所拒绝。
- public 在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选取的连接。
- external 特别是为路由器启用了伪装功能的外部网。你不能信任来自网络的其他计算机,不能相信他们不会对你的计算机造成危害,只能接收经过选择的连接。
- dmz 用于你的非军事区(DMZ)内的电脑,此区域内可公开访问,可以有限地进入你的内部网络,仅仅接收经过选择的连接。
- home 用于家庭网络。你可以基本信任网络内的其他计算机不会危害你的计算机,仅仅接收经过选择的连接。
- work 用于工作区。你可以基本相信网络内的其他计算机不会危害你的计算机,仅仅接收经过选择的连接。
- internal 用于内部网络。你可以基本上信任网络内的其他计算机不会威胁你的计算机。仅仅接收经过选择的连接。
- trusted 可接受所有的连接。
drop 是最安全的。public 只放行一些经过选择的连接(比如 22、80 端口),其余连接则被拒绝。
10.21 firewalld关于zone的操作
[root@localhost: ~]# firewall-cmd --set-de
--set-default-zone= --set-description=
[root@localhost: ~]# firewall-cmd --set-default-zone=work
success
[root@localhost: ~]# firewall-cmd --get-default-zone
work
可以更改默认的zone。
也可以查看指定的网卡属于哪个 zone。
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens37
no zone //暗红色
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=lo
no zone //暗红色
ens37 显示 no zone,只需要为它添加网卡配置文件,重启一下网络服务即可。
也可以主动给网卡设置zone。
[root@localhost: ~]# firewall-cmd --zone=dmz --add-interface=ens37
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
[root@localhost: ~]# firewall-cmd --zone=dmz --add-interface=ens33
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens33
dmz
实验说明:网卡没有配置文件时,即使主动设置 zone 也不会成功。
[root@localhost: ~]# tail -1 /etc/sysconfig/network-scripts/ifcfg-ens33
ZONE=dmz
它会在网卡配置文件中增加一行 ZONE。
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens37
trusted
[root@localhost: ~]# firewall-cmd --zone=public --add-interface=ens37
Error: ZONE_CONFLICT: 'ens37' already bound to a zone
已经绑定了 zone 的网卡不可以再用 --add-interface 添加到另一个 zone,但是可以用 --change-interface 更改。
[root@localhost: ~]# firewall-cmd --zone=public --change-interface=ens37
success
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=ens37
public
把网卡从 zone 中删除的时候,一定要写对它当前所属的 zone。
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=lo
trusted
[root@localhost: ~]# firewall-cmd --zone=public --remove-interface=lo
Error: ZONE_CONFLICT: remove_interface(public, lo): zoi='trusted'
[root@localhost: ~]# firewall-cmd --zone=trusted --remove-interface=lo
success
[root@localhost: ~]# firewall-cmd --get-zone-of-interface=lo
no zone
10.22 firewalld关于service的操作
service 是 firewalld 下面的一个子单元,可以理解为一个指定的端口(或端口组合)。
查看所有的service
[root@localhost: ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp open ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
查看默认 zone 的 service 和指定 zone 的 service。
[root@localhost: ~]# firewall-cmd --list-services
You're performing an operation over default zone ('work'),
but your connections/interfaces are in zone 'dmz,public' (see --get-active-zones)
You most likely need to use --zone=dmz option.
ssh dhcpv6-client
[root@localhost: ~]# firewall-cmd --zone=dmz --list-services
ssh
添加 service 的方法(不加 --permanent 时只在内存中生效,重启后失效)
[root@localhost: ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[root@localhost: ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost: ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@localhost: ~]# firewall-cmd --zone=public --add-service=https
success
[root@localhost: ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http ftp https
也可以加 --permanent 写入配置文件,使其永久生效
[root@localhost: ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost: ~]# ls /etc/firewalld/zones/public.xml
/etc/firewalld/zones/public.xml
[root@localhost: ~]# cat !$
cat /etc/firewalld/zones/public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
可以看到 ftp 已经写进配置文件了,但是 http 和其他未加 --permanent 的 service 并不是永久的。
[root@localhost: ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
每次更改配置文件之后,都会把上一次的配置保存成 .old 文件。
[root@localhost: ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[root@localhost: ~]# ls /usr/lib/firewalld/services/
amanda-client.xml dns.xml ipp-client.xml mosh.xml pop3s.xml sane.xml tftp.xml
amanda-k5-client.xml docker-registry.xml ipp.xml mountd.xml pop3.xml sips.xml tinc.xml
bacula-client.xml dropbox-lansync.xml ipsec.xml mssql.xml postgresql.xml sip.xml tor-socks.xml
bacula.xml elasticsearch.xml iscsi-target.xml ms-wbt.xml privoxy.xml smtp-submission.xml transmission-client.xml
bitcoin-rpc.xml freeipa-ldaps.xml kadmin.xml mysql.xml proxy-dhcp.xml smtps.xml vdsm.xml
bitcoin-testnet-rpc.xml freeipa-ldap.xml kerberos.xml nfs.xml ptp.xml smtp.xml vnc-server.xml
bitcoin-testnet.xml freeipa-replication.xml kibana.xml nrpe.xml pulseaudio.xml snmptrap.xml wbem-https.xml
bitcoin.xml freeipa-trust.xml klogin.xml ntp.xml puppetmaster.xml snmp.xml xmpp-bosh.xml
ceph-mon.xml ftp.xml kpasswd.xml open.xml quassel.xml spideroak-lansync.xml xmpp-client.xml
ceph.xml ganglia-client.xml kshell.xml ovirt-imageio.xml radius.xml squid.xml xmpp-local.xml
cfengine.xml ganglia-master.xml ldaps.xml ovirt-storageconsole.xml RH-Satellite-6.xml ssh.xml xmpp-server.xml
condor-collector.xml high-availability.xml ldap.xml ovirt-vmconsole.xml rpc-bind.xml synergy.xml
ctdb.xml https.xml libvirt-tls.xml pmcd.xml rsh.xml syslog-tls.xml
dhcpv6-client.xml http.xml libvirt.xml pmproxy.xml rsyncd.xml syslog.xml
dhcpv6.xml imaps.xml managesieve.xml pmwebapis.xml samba-client.xml telnet.xml
dhcp.xml imap.xml mdns.xml pmwebapi.xml samba.xml tftp-client.xml
zone 和 service 的模板保存在 /usr/lib/firewalld/ 文件夹下;需要自定义时复制到 /etc/firewalld/ 下再修改。
需求:ftp 服务自定义端口为 1121,并需要在 work zone 下放行 ftp。
[root@localhost: ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@localhost: ~]# vim /etc/firewalld/services/ftp.xml //更改端口1121
[root@localhost: ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost: ~]# vim !$work.xml //添加ftp服务
vim /etc/firewalld/zones/work.xml
之后重新加载 firewalld 使配置生效
[root@localhost: ~]# firewall-cmd --reload
success
[root@localhost: ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp