iptables rule backup and restore; the firewalld firewall mechanism

1. iptables rule backup

    Save the current rules to /etc/sysconfig/iptables:

        service iptables save

    Back up the iptables rules to the file my.ipt:

        iptables-save > my.ipt

    Restore the backup just taken:

        iptables-restore < my.ipt

    Restart the service (the rules in /etc/sysconfig/iptables are loaded again):

        service iptables restart
    
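
An added example, not part of the original post: a small Python comparison of a saved dump (my.ipt) against the current iptables-save output, so that a restore can be checked for drift before it is applied. The two dumps are constructed samples, and parse_dump / diff_dumps are names chosen here.

```python
import re

# Constructed sample dumps in iptables-save format (not from the original post):
# BACKUP stands in for my.ipt, LIVE for the output of a fresh `iptables-save`.
BACKUP = """# Generated by iptables-save v1.4.21
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [120:9876]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
LIVE = """*filter
:INPUT ACCEPT [55:4321]
:OUTPUT ACCEPT [300:45678]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 1121 -j ACCEPT
COMMIT
"""
_COUNTER = re.compile(r"\s*\[\d+:\d+\]$")  # trailing "[packets:bytes]" counters
EMPTY = {"policy": {}, "rules": []}

def parse_dump(text):
    # Result: {table: {"policy": {chain: policy}, "rules": [rule, ...]}}
    tables, table = {}, None
    for raw in text.splitlines():
        line = _COUNTER.sub("", raw.strip())          # counters change constantly; ignore them
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # "*filter" opens a table
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # ":INPUT DROP" declares a chain and its policy
            chain, policy = line[1:].split()
            tables[table]["policy"][chain] = policy
        else:                                         # "-A CHAIN ..." is a rule
            tables[table]["rules"].append(line)
    return tables

def diff_dumps(old_text, new_text):
    # Rules added/removed and chain policies changed from old_text to new_text.
    old, new = parse_dump(old_text), parse_dump(new_text)
    report = {"added": [], "removed": [], "policy": []}
    for t in sorted(set(old) | set(new)):
        o, n = old.get(t, EMPTY), new.get(t, EMPTY)
        report["added"] += [f"{t}: {r}" for r in n["rules"] if r not in o["rules"]]
        report["removed"] += [f"{t}: {r}" for r in o["rules"] if r not in n["rules"]]
        for chain in sorted(set(o["policy"]) | set(n["policy"])):
            if o["policy"].get(chain) != n["policy"].get(chain):
                report["policy"].append(f"{t}/{chain}: {o['policy'].get(chain)} -> {n['policy'].get(chain)}")
    return report
```

A changed default policy (here INPUT going from DROP to ACCEPT) is the kind of drift worth catching before `iptables-restore` silently puts the old ruleset back.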

The firewalld firewall mechanism

firewalld ships with 9 zones and uses public by default; each zone represents a rule set.

List all zones:

[root@shuai-01 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Show the default zone (the zone currently in use):

[root@shuai-01 ~]# firewall-cmd --get-default-zone
public

Zone operations

Set the default zone (to work):

[root@shuai-01 ~]# firewall-cmd --set-default-zone=work
success

Query the zone of a given interface (ens33):

[root@shuai-01 ~]# firewall-cmd --get-zone-of-interface=ens33
work

Assign a zone (public) to a given interface (lo):

[root@shuai-01 ~]# firewall-cmd --zone=public --add-interface=lo
success

Change the zone of a given interface (ens33) to another zone (dmz):

[root@shuai-01 ~]# firewall-cmd --zone=public --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'public'.
success

Remove a given interface (lo) from its zone:

[root@shuai-01 ~]# firewall-cmd --zone=public --remove-interface=lo
success

Show the zones that all interfaces on the system belong to (the active zones):

[root@shuai-01 ~]# firewall-cmd --get-active-zones
work
  interfaces: ens37 ens33

firewalld service operations

A service is a sub-unit within a zone: a named, specific port.

List all services:

[root@shuai-01 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

List the services in the current zone:

[root@shuai-01 ~]# firewall-cmd --list-service
ssh dhcpv6-client

List the services in a given zone (public):

[root@shuai-01 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh

Add a service (http) to a given zone (public):

[root@shuai-01 ~]# firewall-cmd --zone=public --add-service=http
success
[root@shuai-01 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http

Add a service to a given zone (public) and save it to the configuration file with --permanent (the example below adds ftp):

[root@shuai-01 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@shuai-01 ~]# ls /etc/firewall/zones
ls: 无法访问/etc/firewall/zones: 没有那个文件或目录
[root@shuai-01 ~]# ls /etc/firewalld/zones
public.xml  public.xml.old
[root@shuai-01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

Once the configuration has been changed this way, a configuration file is generated under the /etc/firewalld/zones directory.

Zone configuration file templates: /usr/lib/firewalld/zones

[root@shuai-01 ~]# ls /usr/lib/firewalld/zones
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml

Service configuration file templates: /usr/lib/firewalld/services

[root@shuai-01 ~]# ls /usr/lib/firewalld/services
amanda-client.xml        kpasswd.xml         rpc-bind.xml
amanda-k5-client.xml     ldaps.xml           rsyncd.xml
bacula-client.xml        ldap.xml            samba-client.xml
bacula.xml               libvirt-tls.xml     samba.xml
ceph-mon.xml             libvirt.xml         sane.xml
ceph.xml                 mdns.xml            smtps.xml
dhcpv6-client.xml        mosh.xml            smtp.xml
dhcpv6.xml               mountd.xml          snmptrap.xml
dhcp.xml                 ms-wbt.xml          snmp.xml
dns.xml                  mysql.xml           squid.xml
docker-registry.xml      nfs.xml             ssh.xml
dropbox-lansync.xml      ntp.xml             synergy.xml
freeipa-ldaps.xml        openvpn.xml         syslog-tls.xml
freeipa-ldap.xml         pmcd.xml            syslog.xml
freeipa-replication.xml  pmproxy.xml         telnet.xml
ftp.xml                  pmwebapis.xml       tftp-client.xml
high-availability.xml    pmwebapi.xml        tftp.xml
https.xml                pop3s.xml           tinc.xml
http.xml                 pop3.xml            tor-socks.xml
imaps.xml                postgresql.xml      transmission-client.xml
imap.xml                 privoxy.xml         vdsm.xml
ipp-client.xml           proxy-dhcp.xml      vnc-server.xml
ipp.xml                  ptp.xml             wbem-https.xml
ipsec.xml                pulseaudio.xml      xmpp-bosh.xml
iscsi-target.xml         puppetmaster.xml    xmpp-client.xml
kadmin.xml               radius.xml          xmpp-local.xml
kerberos.xml             RH-Satellite-6.xml  xmpp-server.xml

1. Example: change ftp's default port to 1121, then allow ftp in the work zone

  • Copy the ftp service file to /etc/firewalld/services

    [root@shuai-01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
    
  • Then edit it and change the port to 1121 (a custom port for the service)

    [root@shuai-01 ~]# vi /etc/firewalld/services/ftp.xml
    
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>FTP</short>
      <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
      <port protocol="tcp" port="1121"/>
      <module name="nf_conntrack_ftp"/>
    </service>
    
  • Copy /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones

    [root@shuai-01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
    
  • Edit /etc/firewalld/zones/work.xml

    [root@shuai-01 ~]# vim /etc/firewalld/zones/work.xml
    
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Work</short>
      <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
      <service name="ftp"/>
    </zone>
    
  • Reload the service

    [root@shuai-01 ~]# firewall-cmd --reload
    success
    

  • List the services in work

    [root@shuai-01 ~]# firewall-cmd --zone=work --list-service
    ssh dhcpv6-client ftp
    
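As an added example (not code from the original post), the zone → service → port resolution the case above relies on, modelled in Python: the two directory trees are constructed in-memory stand-ins for /etc/firewalld and /usr/lib/firewalld, and the lookup order mirrors firewalld's override rule (a file under /etc/firewalld wins over the template of the same name). It goes one step beyond the post by also listing services a zone references that no service file defines, which is the usual cause of a failed reload after hand-editing work.xml; all function names are chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed in-memory stand-ins (not real files) for the two trees the post edits:
# TEMPLATES mirrors /usr/lib/firewalld, OVERRIDES mirrors /etc/firewalld.
TEMPLATES = {
    "zones/work.xml": '<zone><short>Work</short><service name="ssh"/>'
                      '<service name="dhcpv6-client"/></zone>',
    "services/ssh.xml": '<service><port protocol="tcp" port="22"/></service>',
    "services/dhcpv6-client.xml": '<service><port protocol="udp" port="546"/></service>',
    "services/ftp.xml": '<service><port protocol="tcp" port="21"/>'
                        '<module name="nf_conntrack_ftp"/></service>',
}
OVERRIDES = {
    "zones/work.xml": '<zone><short>Work</short><service name="ssh"/>'
                      '<service name="dhcpv6-client"/><service name="ftp"/></zone>',
    "services/ftp.xml": '<service><port protocol="tcp" port="1121"/>'
                        '<module name="nf_conntrack_ftp"/></service>',
}

def load(rel_path, overrides=OVERRIDES, templates=TEMPLATES):
    """Same lookup order as firewalld: /etc/firewalld wins over /usr/lib/firewalld."""
    for tree in (overrides, templates):
        if rel_path in tree:
            return ET.fromstring(tree[rel_path])
    raise FileNotFoundError(rel_path)

def service_ports(name, **dirs):
    """(protocol, port) pairs that a service definition opens."""
    root = load(f"services/{name}.xml", **dirs)
    return {(p.get("protocol"), p.get("port")) for p in root.iter("port")}

def zone_open_ports(zone, **dirs):
    """Effective (protocol, port) pairs a zone accepts via its <service> and <port> entries."""
    root = load(f"zones/{zone}.xml", **dirs)
    ports = {(p.get("protocol"), p.get("port")) for p in root.findall("port")}
    for svc in root.findall("service"):
        ports |= service_ports(svc.get("name"), **dirs)
    return ports

def missing_services(zone, **dirs):
    """Service names a zone references without any service file defining them."""
    root = load(f"zones/{zone}.xml", **dirs)
    missing = []
    for svc in root.findall("service"):
        try:
            load(f"services/{svc.get('name')}.xml", **dirs)
        except FileNotFoundError:
            missing.append(svc.get("name"))
    return missing
```

Passing `overrides={}` shows what the zone would accept with only the shipped templates, which is the state before the copies into /etc/firewalld were made.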