iptables规则备份和恢复、firewalld的9个zone、firewalld关于zone的操作、firewalld关于service的操作

iptables规则备份和恢复

iptables规则备份和恢复
[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt 
# Generated by iptables-save v1.4.21 on Fri Mar 16 05:49:36 2018
*nat
:PREROUTING ACCEPT [2:123]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [1:71]
:POSTROUTING ACCEPT [2:123]
-A PREROUTING -d 192.168.12.128/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.12.128
COMMIT
# Completed on Fri Mar 16 05:49:36 2018
# Generated by iptables-save v1.4.21 on Fri Mar 16 05:49:36 2018
*filter
:INPUT ACCEPT [288:21940]
:FORWARD ACCEPT [55:7156]
:OUTPUT ACCEPT [182:26748]
COMMIT
# Completed on Fri Mar 16 05:49:36 2018
[root@localhost ~]# iptables-restore < /tmp/ipt.txt 

firewalld的9个zone

firewalld的9个zone

打开firewalld（先停用并禁用iptables服务）

[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld

默认使用public这个zone（一个zone就是一套规则集）

[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-default-zone
public
共9个zone

firewalld关于zone的操作

firewalld关于zone的操作
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work

查看指定网卡所属的zone

[root@localhost ~]# ifconfig
eno16777736: flags=4163  mtu 1500
        inet 192.168.12.128  netmask 255.255.255.0  broadcast 192.168.12.255
        inet6 fe80::20c:29ff:fe92:105d  prefixlen 64  scopeid 0x20
        ether 00:0c:29:92:10:5d  txqueuelen 1000  (Ethernet)
        RX packets 11453  bytes 8021159 (7.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3727  bytes 457491 (446.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fe92:1067  prefixlen 64  scopeid 0x20
        ether 00:0c:29:92:10:67  txqueuelen 1000  (Ethernet)
        RX packets 132  bytes 13476 (13.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 202  bytes 28378 (27.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# firewall-cmd --get-zone-of-interface=eno16777736
public
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone

如果发现 no zone，需要先把该网卡的配置文件（如 ifcfg-ens37）配置好，
再重启网络服务，
最后重启firewalld服务

[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-ens33  ifdown-ppp       ifup-eth     ifup-sit
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-Team
ifdown       ifdown-sit       ifup-ipv6    ifup-TeamPort
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-tunnel
ifdown-eth   ifdown-TeamPort  ifup-plip    ifup-wireless
ifdown-ippp  ifdown-tunnel    ifup-plusb   init.ipv6-global
ifdown-ipv6  ifup             ifup-post    network-functions
ifdown-isdn  ifup-aliases     ifup-ppp     network-functions-ipv6
ifdown-post  ifup-bnep        ifup-routes
[root@localhost ~]# systemctl restart network
[root@localhost ~]# systemctl restart firewalld
[root@localhost network-scripts]# !vim
vim ifcfg-ens37
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# systemctl restart firewalld
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
public

还可以单独给网卡设置zone

[root@localhost network-scripts]# firewall-cmd --zone=public --remove-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
[root@localhost network-scripts]# firewall-cmd --zone=public --change-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
[root@localhost network-scripts]# firewall-cmd --get-active-zones
dmz
  interfaces: eno16777736
public
  interfaces: ens37

firewalld关于service的操作

firewalld关于service的操作

trusted和block这两个zone是没有service配置的

[root@localhost network-scripts]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost network-scripts]# firewall-cmd --get-default-zone
public

给指定zone添加service
加 --permanent 表示写入配置文件；不加则只改运行时规则，firewalld重启或reload后丢失；加了 --permanent 的改动要执行 firewall-cmd --reload 才对当前运行生效

[root@localhost network-scripts]# firewall-cmd --list-service
dhcpv6-client ssh
[root@localhost network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@localhost network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@localhost network-scripts]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
（以下XML标签在原文中丢失，按firewalld zone文件格式还原）
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
（以下XML标签在原文中丢失，按firewalld zone文件格式还原）
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
  <service name="http"/>
</zone>
/etc/firewalld/zones/ 下是zone的配置文件及其备份（.old 文件）
/usr/lib/firewalld/ 下是zone和service的模板

[root@localhost ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@localhost ~]# ls /etc/firewalld/services/
[root@localhost ~]# ls /usr/lib
lib/     lib64/   libexec/ 
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml
[root@localhost ~]# ls /usr/lib/firewalld/services/
amanda-client.xml        nrpe.xml
amanda-k5-client.xml     ntp.xml
bacula-client.xml        openvpn.xml
bacula.xml               ovirt-imageio.xml
bitcoin-rpc.xml          ovirt-storageconsole.xml
bitcoin-testnet-rpc.xml  ovirt-vmconsole.xml
bitcoin-testnet.xml      pmcd.xml
bitcoin.xml              pmproxy.xml
ceph-mon.xml             pmwebapis.xml
ceph.xml                 pmwebapi.xml
cfengine.xml             pop3s.xml
condor-collector.xml     pop3.xml
ctdb.xml                 postgresql.xml
dhcpv6-client.xml        privoxy.xml
dhcpv6.xml               proxy-dhcp.xml
dhcp.xml                 ptp.xml
dns.xml                  pulseaudio.xml
docker-registry.xml      puppetmaster.xml
dropbox-lansync.xml      quassel.xml
elasticsearch.xml        radius.xml
freeipa-ldaps.xml        RH-Satellite-6.xml
freeipa-ldap.xml         rpc-bind.xml
freeipa-replication.xml  rsh.xml
freeipa-trust.xml        rsyncd.xml
ftp.xml                  samba-client.xml
ganglia-client.xml       samba.xml
ganglia-master.xml       sane.xml
high-availability.xml    sips.xml
https.xml                sip.xml
http.xml                 smtp-submission.xml
imaps.xml                smtps.xml
imap.xml                 smtp.xml
ipp-client.xml           snmptrap.xml
ipp.xml                  snmp.xml
ipsec.xml                spideroak-lansync.xml
iscsi-target.xml         squid.xml
kadmin.xml               ssh.xml
kerberos.xml             synergy.xml
kibana.xml               syslog-tls.xml
klogin.xml               syslog.xml
kpasswd.xml              telnet.xml
kshell.xml               tftp-client.xml
ldaps.xml                tftp.xml
ldap.xml                 tinc.xml
libvirt-tls.xml          tor-socks.xml
libvirt.xml              transmission-client.xml
managesieve.xml          vdsm.xml
mdns.xml                 vnc-server.xml
mosh.xml                 wbem-https.xml
mountd.xml               xmpp-bosh.xml
mssql.xml                xmpp-client.xml
ms-wbt.xml               xmpp-local.xml
mysql.xml                xmpp-server.xml
nfs.xml

需求：ftp服务使用自定义端口1121，需要在work zone下面放行ftp

[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml 
(/etc/firewalld/services/ 默认为空，应先 cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/ 再编辑副本，不要直接改 /usr/lib 下的模板；把端口21改为1121)
（以下XML标签在原文中丢失，按firewalld service文件格式还原）
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml 
(在 </zone> 之前增加一行 <service name="ftp"/>)

[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
