10.19 Backing up and restoring iptables rules

Saving and backing up iptables rules

service iptables save   // saves the rules to /etc/sysconfig/iptables

Back up the iptables rules to the file my.ipt:
iptables-save > my.ipt

Restore the rules just backed up:
iptables-restore < my.ipt



 



[root@test ~]# service iptables save   // saves the rules to the configuration file
[root@test ~]# cat /etc/sysconfig/iptables

Back up the rules to another file

[root@test ~]# iptables-save > /tmp/ipt.txt
[root@test ~]# cat !$
cat /tmp/ipt.txt



# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*filter
:INPUT ACCEPT [37471:2893984]
:FORWARD ACCEPT [132:17511]
:OUTPUT ACCEPT [7652:604535]
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*nat
:PREROUTING ACCEPT [5281:411531]
:INPUT ACCEPT [4894:368961]
:OUTPUT ACCEPT [402:34072]
:POSTROUTING ACCEPT [405:34204]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*mangle
:PREROUTING ACCEPT [65893:5243791]
:INPUT ACCEPT [37649:2910863]
:FORWARD ACCEPT [132:17511]
:OUTPUT ACCEPT [7750:618753]
:POSTROUTING ACCEPT [7896:638963]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Oct 27 13:56:42 2018



 



Restore the rules (after a reboot the system still loads the rule configuration from /etc/sysconfig/iptables)

[root@test ~]# iptables-restore < /tmp/ipt.txt
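The save, check and restore steps above, scripted as an added example (this is not code from the original notes): it dumps the live rules to a timestamped file, refuses a dump whose *table/COMMIT structure is broken, normalises a dump so it can be diffed against the running rules, and counts rules that were appended twice, as libvirt's POSTROUTING rules are in the nat dump above. BACKUP_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): back up the live iptables rules
# and sanity-check the dump before it is ever fed to iptables-restore.
# Assumed: BACKUP_DIR is where dumps go; iptables-save/iptables-restore are
# only needed by backup_iptables, the check functions work on any saved dump.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/iptables}"

# Structural check of an iptables-save dump: each *table must be closed by
# COMMIT and no chain/rule line may sit outside a table. Returns 1 on problems.
check_ipt_dump() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ { if (table != "") { print "missing COMMIT for *" table; bad = 1 }
                table = substr($0, 2); next }
        /^COMMIT$/ { if (table == "") { print "COMMIT outside a table at line " NR; bad = 1 }
                     table = ""; next }
        /^:/ || /^-A / { if (table == "") { print "rule outside a table at line " NR; bad = 1 }
                         next }
        { print "unexpected line " NR ": " $0; bad = 1 }
        END { if (table != "") { print "missing COMMIT for *" table; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# Normalise a dump for diffing: drop the timestamp comments and the
# [packets:bytes] counters so two dumps differ only where the rules differ.
normalize_ipt_dump() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Count rules that occur more than once within one table; the notes' own nat
# dump has libvirt's POSTROUTING rules appended twice, which restores as-is.
dup_rules() {
    awk '/^\*/ { t = $0 }
         /^-A / { if (++seen[t SUBSEP $0] == 2) d++ }
         END { print d + 0 }' "$1"
}

# Dump the live rules to a timestamped file, keep it only if it passes the
# structural check and a parse-only restore (--test applies nothing).
backup_iptables() {
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).ipt"
    iptables-save > "$out" || return 1
    check_ipt_dump "$out" || { rm -f "$out"; return 1; }
    iptables-restore --test < "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}
```

Diffing `normalize_ipt_dump` of a kept backup against `iptables-save` of the running system shows rule drift without the counter noise.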



 



10.20 The 9 zones of firewalld

Is there any difference between service iptables stop and systemctl stop iptables? service is the tool that earlier CentOS versions used to manage services; CentOS 7 remains compatible with it. To see which services it can be used with, run chkconfig --list.

Switching on firewalld

systemctl disable iptables    (do not start iptables at boot)
systemctl stop iptables       (stop iptables)
systemctl enable firewalld    (start firewalld at boot)
systemctl start firewalld     (start firewalld now)

firewalld has 9 zones by default
The default zone is public

firewall-cmd --get-zones          // list all zones
firewall-cmd --get-default-zone   // show the default zone



 



 



Enabling firewalld

1. Stop iptables

[root@test ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@test ~]# systemctl stop iptables

2. Start firewalld

[root@test ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@test ~]# systemctl start firewalld



 



The structure of firewalld (on CentOS 7 firewalld still programs iptables chains underneath, which is why the zone chains show up in iptables -nvL)

[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 3907 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 22 packets, 4178 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_IN_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_IN_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain IN_public (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain IN_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain IN_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (0 references)
pkts bytes target     prot opt in     out     source               destination



 



firewalld has 9 zones by default. The default zone is public. A zone is like a rule set: each zone comes with its own built-in rules, such as allowing certain ports and restricting others.

List all zones

[root@test ~]# firewall-cmd --get-zones
block(icmp) dmz drop(most secure) external(router) home(home network) internal(server-to-server inside the machine room) public(some packets restricted, some allowed) trusted(least secure, no restrictions) work(company intranet)






Show the default zone

[root@test ~]# firewall-cmd --get-default-zone
public


 


 


10.21 firewalld zone operations

Command auto-completion package on CentOS 7:
[root@test ~]# yum install -y bash-completion

firewall-cmd --set-default-zone=work   // set the default zone

Before and after changing an interface's zone, restart the NetworkManager service (once the configuration file has been changed, the service must be restarted so that it is reloaded; only then does the change take effect)
start: systemctl start NetworkManager    stop: systemctl stop NetworkManager

firewall-cmd --get-zone-of-interface=ens33   // show the zone of a given interface
firewall-cmd --zone=public --add-interface=lo   // assign a zone to a given interface
firewall-cmd --zone=dmz --change-interface=lo   // change the zone of an interface
firewall-cmd --zone=dmz --remove-interface=lo   // remove an interface from a zone
firewall-cmd --get-active-zones   // show the zones of all interfaces on the system


 


Set the default zone

[root@test ~]# firewall-cmd --set-default-zone=home
Error: COMMAND_FAILED
[root@test ~]# firewall-cmd --set-default-zone=home
Warning: ZONE_ALREADY_SET: home
success
[root@test ~]# firewall-cmd --get-default-zone
home

Show the zone of a given interface

[root@test ~]# firewall-cmd --get-zone-of-interface=ens32
public
[root@test ~]# firewall-cmd --get-zone-of-interface=ens34
public

[root@test ~]# firewall-cmd --get-zone-of-interface=lo
no zone

Assign a zone to a given interface

[root@test ~]# firewall-cmd --zone=dmz --add-interface=lo
success

[root@test ~]# firewall-cmd --get-zone-of-interface=ens34
public

Change the zone of an interface

[root@test ~]# firewall-cmd --zone=work --change-interface=ens34

Remove an interface from a zone

[root@test ~]# firewall-cmd --zone=dmz  --remove-interface=lo
success

Show the zones of all interfaces on the system

[root@test ~]# firewall-cmd --get-active-zones
public
  interfaces: ens32 ens34


 


 


10.22 firewalld service operations

This form is also supported: firewall-cmd --zone=public --add-service=http --add-service=https --add-service=ftp

firewall-cmd --get-services   // list all services
firewall-cmd --list-services   // list the services in the current zone
firewall-cmd --zone=public --add-service=http   // add http to the public zone
firewall-cmd --zone=public --remove-service=http   // remove http from the public zone
ls /usr/lib/firewalld/zones/   // zone configuration file templates
firewall-cmd --zone=public --add-service=http --permanent   // changes the configuration file; a configuration file is then generated under /etc/firewalld/zones

Requirement: the ftp service uses the custom port 1121, and ftp must be allowed in the work zone
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
vi /etc/firewalld/services/ftp.xml   // change 21 to 1121
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
vi /etc/firewalld/zones/work.xml   // add the line <service name="ftp"/>
firewall-cmd --reload   // reload
firewall-cmd --zone=work --list-services


 


 


 


A service is a sub-unit under a zone that stands for specific ports: http is port 80, https is port 443, ssh is port 22.

List all services

[root@test ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Show the current zone

[root@test ~]# firewall-cmd --get-default-zone
home

List the services in the current zone

[root@test ~]# firewall-cmd --list-services
You're performing an operation over default zone ('home'),
but your connections/interfaces are in zone 'public' (see --get-active-zones)
You most likely need to use --zone=public option.

ssh mdns samba-client dhcpv6-client

List the services in a given zone

[root@test ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh


 


Add services to the public zone

[root@test ~]#  firewall-cmd --zone=public --add-service=http
success
[root@test ~]#  firewall-cmd --zone=public --add-service=https
success
[root@test ~]#  firewall-cmd --zone=public --add-service=ftp
success

[root@test ~]# firewall-cmd --list-services --zone=public   (the service is only added in memory, i.e. the runtime configuration)
dhcpv6-client ssh http https ftp

Add the service to the configuration file: --permanent makes it permanent

[root@test ~]# firewall-cmd --zone=public --add-service=http --permanent
success

A configuration file is generated under /etc/firewalld/zones
/etc/firewalld/ holds the firewalld service configuration files for this system:

[root@test ~]# ls /etc/firewalld/services/
[root@test ~]# ls /etc/firewalld/zones/


[root@test ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
</zone>

Zone configuration file templates

[root@test ~]# ls /usr/lib/firewalld/zones
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml

Service configuration file templates

[root@test ~]# ls /usr/lib/firewalld/services/
amanda-client.xml        freeipa-replication.xml  libvirt-tls.xml           pop3.xml             snmp.xml
amanda-k5-client.xml     freeipa-trust.xml        libvirt.xml               postgresql.xml       spideroak-lansync.xml
bacula-client.xml        ftp.xml                  managesieve.xml           privoxy.xml          squid.xml
bacula.xml               ganglia-client.xml       mdns.xml                  proxy-dhcp.xml       ssh.xml
bitcoin-rpc.xml          ganglia-master.xml       mosh.xml                  ptp.xml              synergy.xml
bitcoin-testnet-rpc.xml  high-availability.xml    mountd.xml                pulseaudio.xml       syslog-tls.xml
bitcoin-testnet.xml      https.xml                mssql.xml                 puppetmaster.xml     syslog.xml
bitcoin.xml              http.xml                 ms-wbt.xml                quassel.xml          telnet.xml
ceph-mon.xml             imaps.xml                mysql.xml                 radius.xml           tftp-client.xml
ceph.xml                 imap.xml                 nfs3.xml                  RH-Satellite-6.xml   tftp.xml
cfengine.xml             ipp-client.xml           nfs.xml                   rpc-bind.xml         tinc.xml
condor-collector.xml     ipp.xml                  nrpe.xml                  rsh.xml              tor-socks.xml
ctdb.xml                 ipsec.xml                ntp.xml                   rsyncd.xml           transmission-client.xml
dhcpv6-client.xml        iscsi-target.xml         openvpn.xml               samba-client.xml     vdsm.xml
dhcpv6.xml               kadmin.xml               ovirt-imageio.xml         samba.xml            vnc-server.xml
dhcp.xml                 kerberos.xml             ovirt-storageconsole.xml  sane.xml             wbem-https.xml
dns.xml                  kibana.xml               ovirt-vmconsole.xml       sips.xml             xmpp-bosh.xml
docker-registry.xml      klogin.xml               pmcd.xml                  sip.xml              xmpp-client.xml
dropbox-lansync.xml      kpasswd.xml              pmproxy.xml               smtp-submission.xml  xmpp-local.xml
elasticsearch.xml        kshell.xml               pmwebapis.xml             smtps.xml            xmpp-server.xml
freeipa-ldaps.xml        ldaps.xml                pmwebapi.xml              smtp.xml
freeipa-ldap.xml         ldap.xml                 pop3s.xml                 snmptrap.xml


 


Hands-on test:

Requirement: the ftp service uses the custom port 1121, and ftp must be allowed in the work zone

Method: via the configuration files

1. Copy the template configuration file to /etc/firewalld/services/
[root@test ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

2. Change the default ftp port
[root@test ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>

3. Copy the work zone template to /etc/firewalld/zones/
[root@test ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

4. Edit the work template and add the ftp service
[root@test ~]# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>

5. Reload the service
[root@test ~]# firewall-cmd --reload
success

Check

[root@test ~]# firewall-cmd --zone=work --list-services
ftp
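The five manual steps above (and the same recipe in the 10.22 command list), scripted as an added example that is not code from the original notes: it writes a service file for a custom port with input checks, and adds the <service> line to the zone file idempotently, copying the template first as the notes do. FIREWALLD_ETC, FIREWALLD_LIB and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): script the steps the notes do by
# hand: a custom service file for a non-standard port plus the matching
# <service name=.../> entry in the zone file. Assumed paths: FIREWALLD_ETC is
# /etc/firewalld, FIREWALLD_LIB is /usr/lib/firewalld; firewall-cmd --reload follows.
FIREWALLD_ETC="${FIREWALLD_ETC:-/etc/firewalld}"
FIREWALLD_LIB="${FIREWALLD_LIB:-/usr/lib/firewalld}"

# Write $FIREWALLD_ETC/services/NAME.xml opening PORT/PROTO. Rejects unsafe names,
# protocols other than tcp/udp and ports outside 1-65535 before writing anything.
write_service() {
    name=$1; port=$2; proto=$3; short=$4
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    mkdir -p "$FIREWALLD_ETC/services" || return 1
    cat > "$FIREWALLD_ETC/services/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>Custom service $name on $proto port $port.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Return 0 if the local zone file already lists the service.
zone_has_service() {
    grep -q "<service name=\"$2\"/>" "$FIREWALLD_ETC/zones/$1.xml" 2>/dev/null
}

# Add <service name="NAME"/> to the zone file, copying the template from
# FIREWALLD_LIB first if there is no local copy yet (as the notes do). Idempotent.
zone_add_service() {
    zone=$1; name=$2; zfile="$FIREWALLD_ETC/zones/$zone.xml"
    if [ ! -f "$zfile" ]; then
        mkdir -p "$FIREWALLD_ETC/zones" && cp "$FIREWALLD_LIB/zones/$zone.xml" "$zfile" || return 1
    fi
    zone_has_service "$zone" "$name" && return 0
    awk -v s="  <service name=\"$name\"/>" '/<\/zone>/ { print s } { print }' "$zfile" > "$zfile.tmp" \
        && mv "$zfile.tmp" "$zfile"
}

# Report PORT/PROTO opened by a local service file (what --list-services hides).
service_port() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$FIREWALLD_ETC/services/$1.xml"
}
```

After `write_service ftp 1121 tcp FTP` and `zone_add_service work ftp`, step 5 (`firewall-cmd --reload`) is still what makes firewalld load the files.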


 


 


Summary (conclusions from the hands-on test):

firewalld has two kinds of object: zone and service.
zone: a collection of rules. Each zone has corresponding iptables rules underneath it, and each zone contains a number of services; the services act as a whitelist, and traffic for a listed service is allowed through.
If a service needs to be allowed, add it to the configuration file and reload; it then takes effect.
service: can be user-defined.