10.19 iptables rule backup and restore
·Save the iptables rules to a specified file:
iptables-save > file
[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Sun Jan 21 15:59:07 2018
*nat
:PREROUTING ACCEPT [62:5016]
:INPUT ACCEPT [2:470]
:OUTPUT ACCEPT [15:1140]
:POSTROUTING ACCEPT [19:1348]
-A PREROUTING -d 192.168.65.128/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.65.128
COMMIT
# Completed on Sun Jan 21 15:59:07 2018
# Generated by iptables-save v1.4.21 on Sun Jan 21 15:59:07 2018
*filter
:INPUT ACCEPT [165:11638]
:FORWARD ACCEPT [105:7991]
:OUTPUT ACCEPT [105:9040]
COMMIT
# Completed on Sun Jan 21 15:59:07 2018
·Restore the iptables rules from a specified file:
iptables-restore < file
[root@localhost ~]# iptables -t nat -F
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables-restore < /tmp/ipt.txt
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.65.128       tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.65.128
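Added example, not from the original notes: a small checker for the iptables-save format shown above, run before iptables-restore. It parses the dump into its *table / COMMIT blocks and refuses a truncated one; the sample dump it works on is the /tmp/ipt.txt captured above, re-typed as constructed input.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check an iptables-save
# dump before handing it to iptables-restore. iptables-restore flushes every
# table it loads, so a dump cut off before a COMMIT would leave that table
# empty. The sample dump below is the one captured above, re-typed here as
# constructed input.
set -eu

# check_save_file FILE: print "table chains rules" for each table; return 1
# if a *table block has no COMMIT or a rule/chain line sits outside a block.
check_save_file() {
    awk '
        /^#/       { next }                                   # comments and timestamps
        /^[*]/     { if (open) bad = 1; open = 1; table = substr($0, 2); chains = 0; rules = 0; next }
        /^:/       { if (!open) bad = 1; chains++; next }     # ":CHAIN POLICY [pkts:bytes]"
        /^-A /     { if (!open) bad = 1; rules++; next }      # one appended rule
        /^COMMIT$/ { if (!open) bad = 1; print table, chains, rules; open = 0; next }
        END        { if (open) bad = 1; exit bad + 0 }        # unterminated last table
    ' "$1"
}

SAVE=$(mktemp)
cat > "$SAVE" <<'EOF'
# Generated by iptables-save v1.4.21 on Sun Jan 21 15:59:07 2018
*nat
:PREROUTING ACCEPT [62:5016]
:INPUT ACCEPT [2:470]
:OUTPUT ACCEPT [15:1140]
:POSTROUTING ACCEPT [19:1348]
-A PREROUTING -d 192.168.65.128/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.65.128
COMMIT
*filter
:INPUT ACCEPT [165:11638]
:FORWARD ACCEPT [105:7991]
:OUTPUT ACCEPT [105:9040]
COMMIT
EOF
check_save_file "$SAVE"            # prints "nat 4 2" and "filter 3 0"

# A copy truncated inside the filter block must be rejected, not restored.
TRUNC=$(mktemp)
head -n 11 "$SAVE" > "$TRUNC"
if check_save_file "$TRUNC" >/dev/null; then
    echo "unexpected: truncated dump accepted"
else
    echo "truncated dump rejected; do not run iptables-restore on it"
fi
```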
10.20 firewalld's 9 zones
Disable iptables and enable firewalld:
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  1980 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    76 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    1    76 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1576 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1576 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    1    76 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    76 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    76 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    76 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    76 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
(firewalld comes with many built-in rules)
·firewalld has 9 zones by default
·The default zone is public
·Each zone is a rule set and comes with some rules of its own
·List all zones:
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
·Show the default zone:
[root@localhost ~]# firewall-cmd --get-default-zone
public
The 9 zones:
10.21 firewalld zone operations
·Set the default zone: firewall-cmd --set-default-zone=zone-name
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
·Show the zone of a specified interface: firewall-cmd --get-zone-of-interface=interface-name
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
(If the result is no zone, add a configuration file for ens37)
·Set the zone of a specified interface: firewall-cmd --zone=dmz --add-interface=interface-name
[root@localhost ~]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
public
·Change the zone of an interface: firewall-cmd --zone=dmz --change-interface=interface-name
[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
dmz
·Remove an interface from a zone: firewall-cmd --zone=dmz --remove-interface=interface-name
[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
no zone
·Show the zones of all interfaces on the system: firewall-cmd --get-active-zones
[root@localhost ~]# firewall-cmd --zone=block --add-interface=ens37
success
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
block
  interfaces: ens37
·After removing the zone assigned to an interface, the interface's zone becomes the default zone:
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
block
[root@localhost ~]# firewall-cmd --set-default-zone=home
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
block
[root@localhost ~]# firewall-cmd --zone=block --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
home
## after removing ens37 from the block zone, ens37's zone becomes the default, home
10.22 firewalld service operations
·List the services known to the system: firewall-cmd --get-services
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
·Show which services the current zone allows: firewall-cmd --list-services
[root@localhost ~]# firewall-cmd --list-services
ssh mdns samba-client dhcpv6-client
[root@localhost ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --zone=block --list-services
[root@localhost ~]# firewall-cmd --zone=home --list-services
ssh mdns samba-client dhcpv6-client
·Add http to the public zone:
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
(This is only written to memory and is lost after a restart; to keep it permanently it must be written to the configuration files under /etc/firewalld/zones)
·Write the change to the configuration file with --permanent; a configuration file is then generated under the /etc/firewalld/zones directory:
[root@localhost ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
  <service name="http"/>
</zone>
·The zone configuration templates:
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
(public.xml.old is a backup file created automatically by the system)
Example:
·Requirement: the ftp service uses the custom port 1121, and ftp must be allowed through in the work zone
1. Copy the ftp template to /etc/firewalld/services/
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
2. In ftp.xml, change the port to 1121
3. Copy the work template to /etc/firewalld/zones/
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
4. Add a line:
5. Reload the firewalld service: firewall-cmd --reload
[root@localhost ~]# firewall-cmd --reload
success
6. Check the services of the specified zone
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
Idea: a zone is a rule set; every zone has its own corresponding iptables rules, and every zone holds some services. A service is a whitelist entry: if some service is needed, add that service to the configuration file so that it is allowed through.
First modify the service's parameters, then add the service to the zone.
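Added example, not from the original notes: steps 1 to 4 of the procedure above (custom ftp port 1121, allowed in the work zone) scripted with sed and awk instead of an editor. It assumes the firewalld layout of package templates under /usr/lib/firewalld/{services,zones} and overrides under /etc/firewalld/{services,zones}, and runs against a constructed scratch copy of that layout; the function names make_service, add_service_to_zone and list_zone_services are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): steps 1-4 of the procedure
# above, a custom ftp service on port 1121 enabled in the work zone, done with
# sed/awk on a scratch copy of the firewalld file layout. Assumed layout:
# package templates in /usr/lib/firewalld/{services,zones}, overrides in
# /etc/firewalld/{services,zones}. The XML written below is a constructed,
# abbreviated stand-in for the package templates.
set -eu

# make_service SRC DST PORT: copy a service template into the override
# directory, rewriting only the number inside port="..." (steps 1 and 2).
make_service() {
    sed "s/port=\"[0-9]*\"/port=\"$3\"/" "$1" > "$2"
}

# add_service_to_zone ZONEFILE SERVICE: insert <service name="..."/> before
# </zone> (step 4); a no-op if the zone already lists that service.
add_service_to_zone() {
    if grep -q "<service name=\"$2\"/>" "$1"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v line="  <service name=\"$2\"/>" '/<\/zone>/ { print line } { print }' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# list_zone_services ZONEFILE: service names in file order, space separated
# (what firewall-cmd --zone=... --list-services shows after a reload).
list_zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed scratch layout standing in for /usr/lib/firewalld and /etc/firewalld.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/lib/services" "$DEMO/lib/zones" "$DEMO/etc/services" "$DEMO/etc/zones"
printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' '  <short>FTP</short>' \
    '  <port protocol="tcp" port="21"/>' '  <module name="nf_conntrack_ftp"/>' '</service>' \
    > "$DEMO/lib/services/ftp.xml"
printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<zone>' '  <short>Work</short>' \
    '  <service name="ssh"/>' '  <service name="dhcpv6-client"/>' '</zone>' \
    > "$DEMO/lib/zones/work.xml"

make_service "$DEMO/lib/services/ftp.xml" "$DEMO/etc/services/ftp.xml" 1121   # steps 1-2
cp "$DEMO/lib/zones/work.xml" "$DEMO/etc/zones/work.xml"                       # step 3
add_service_to_zone "$DEMO/etc/zones/work.xml" ftp                             # step 4
add_service_to_zone "$DEMO/etc/zones/work.xml" ftp   # repeat must not duplicate the line
echo "work zone now allows: $(list_zone_services "$DEMO/etc/zones/work.xml")"
# On a real host run the same against /etc/firewalld, then firewall-cmd --reload (step 5).
```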