iptables rule backup
Save the current rules to /etc/sysconfig/iptables (on CentOS 7 this needs the iptables-services package; a host managed by firewalld has no iptables service):
service iptables save
Back up the iptables rules to the file my.ipt:
iptables-save > my.ipt
Restore the backup just made (iptables-restore replaces every table present in the file; add -n to append instead of flushing):
iptables-restore < my.ipt
Restart the rules (re-reads the rules from /etc/sysconfig/iptables):
service iptables restart
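The bare commands above are enough for a quick copy, but a rule dump deserves the same care as any other configuration secret (it reveals the host's topology and exposed services) and a bad restore can lock you out of a remote box. The following is an added example, not from these notes: a small wrapper around iptables-save/iptables-restore that creates backups with owner-only permissions, sanity-checks the dump format before trusting it, rotates old copies, does a parse-only run (iptables-restore --test) before committing, and protects a restore over SSH with an automatic rollback timer. The backup directory, the retention count and the IPTABLES_SAVE/IPTABLES_RESTORE variables (which let the real commands be substituted, e.g. for testing without root) are this example's own choices.

```shell
#!/bin/sh
# Added example: safer wrappers around iptables-save / iptables-restore.
# IPTABLES_SAVE / IPTABLES_RESTORE may be overridden (assumption of this
# example, e.g. to test the logic without root).

# Print the names of the tables (*filter, *nat, ...) contained in a dump.
ruleset_tables() {
    sed -n 's/^\*//p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Sanity-check a file in iptables-save format before handing it to
# iptables-restore: every *table block must be closed by COMMIT, and
# chain (:NAME ...) or rule (-A ...) lines must not appear outside a table.
# Returns 0 when the file looks sane, 1 otherwise.
check_ruleset() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/      { if (in_table) bad = 1; in_table = 1; tables++; next }
        /^COMMIT$/ { if (!in_table) bad = 1; in_table = 0; next }
        /^[:-]/    { if (!in_table) bad = 1; next }
                   { bad = 1 }
        END { exit (bad || in_table || tables == 0) ? 1 : 0 }
    ' "$1"
}

# Dump the current rules into DIR with a timestamped name and owner-only
# permissions, keep only the newest KEEP copies, and print the file name.
backup_rules() {
    dir=${1:-/var/backups/iptables}
    keep=${2:-10}
    mkdir -p "$dir" || return 1
    out=$dir/iptables-$(date +%Y%m%d-%H%M%S).rules
    ( umask 077; "${IPTABLES_SAVE:-iptables-save}" > "$out" ) || { rm -f "$out"; return 1; }
    check_ruleset "$out" || { echo "$out failed sanity check, not kept" >&2; rm -f "$out"; return 1; }
    ls -1t "$dir"/iptables-*.rules | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f -- "$old"
    done
    echo "$out"
}

# Restore FILE after checking it and doing a parse-only run first
# (iptables-restore --test builds the ruleset without committing it).
# iptables-restore replaces each table present in FILE; tables the file
# does not mention are left untouched.
restore_rules() {
    check_ruleset "$1" || { echo "refusing to restore $1: malformed dump" >&2; return 1; }
    "${IPTABLES_RESTORE:-iptables-restore}" --test < "$1" || return 1
    "${IPTABLES_RESTORE:-iptables-restore}" < "$1"
}

# Restore FILE over a remote session with a safety net: the running rules
# are snapshotted first and re-applied after DELAY seconds unless the
# timer is killed, so a rule that locks you out undoes itself.
restore_with_rollback() {
    delay=${2:-60}
    snap=$(mktemp) || return 1
    "${IPTABLES_SAVE:-iptables-save}" > "$snap" || return 1
    restore_rules "$1" || return 1
    ( sleep "$delay" && "${IPTABLES_RESTORE:-iptables-restore}" < "$snap" && rm -f "$snap" ) &
    echo "new rules applied; rollback to $snap in ${delay}s unless you run: kill $!"
}
```

Typical use as root: backup_rules before every change, restore_with_rollback my.ipt 90 when applying a ruleset remotely, then kill the printed PID once you have confirmed that SSH still works.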
firewalld firewall mechanism
firewalld ships with 9 predefined zones and uses public by default. A zone is a named rule set (a trust level) that applies to the interfaces and source addresses bound to it.
List all zones:
[root@shuai-01 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
Show the default zone (the current zone, used for any interface not bound to another zone):
[root@shuai-01 ~]# firewall-cmd --get-default-zone
public
Operations on zones
Set the default zone (work):
[root@shuai-01 ~]# firewall-cmd --set-default-zone=work
success
Query the zone of a given interface (ens33):
[root@shuai-01 ~]# firewall-cmd --get-zone-of-interface=ens33
work
Assign a given interface (lo) to a zone (public):
[root@shuai-01 ~]# firewall-cmd --zone=public --add-interface=lo
success
Change the zone of a given interface (ens33) to public (--change-interface moves it; --add-interface refuses an interface that is already bound to another zone):
[root@shuai-01 ~]# firewall-cmd --zone=public --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'public'.
success
The message means firewalld asked NetworkManager to record the zone in the interface's connection profile, so this binding survives a reload and a reboot. For an interface NetworkManager does not manage, repeat the command with --permanent (and --reload) to keep it.
Remove a given interface (lo) from a zone (public):
[root@shuai-01 ~]# firewall-cmd --zone=public --remove-interface=lo
success
List the active zones (zones that have interfaces or sources bound to them) and their interfaces:
[root@shuai-01 ~]# firewall-cmd --get-active-zones
work
interfaces: ens37 ens33
firewalld operations on services
A service is a sub-unit of a zone: a named definition of the ports (and protocols) a daemon uses, optionally together with the netfilter helper module it needs, such as nf_conntrack_ftp for ftp. Adding a service to a zone opens those ports for traffic arriving on that zone.
List all available services (the singular --get-service used in these notes is accepted as an abbreviation):
[root@shuai-01 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
List the services allowed in the current (default) zone:
[root@shuai-01 ~]# firewall-cmd --list-services
ssh dhcpv6-client
List the services allowed in a given zone (public):
[root@shuai-01 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
Add a service (http) to a given zone (public), in the running configuration only:
[root@shuai-01 ~]# firewall-cmd --zone=public --add-service=http
success
[root@shuai-01 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
Add a service (ftp) to a given zone (public) and save it to the configuration file (--permanent):
[root@shuai-01 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
--permanent only writes the zone's XML file; the running rules do not change until firewall-cmd --reload. The reverse also holds: the http service added above without --permanent disappears at the next reload. To keep what is currently running, use firewall-cmd --runtime-to-permanent, or repeat the command with --permanent.
[root@shuai-01 ~]# ls /etc/firewall/zones
ls: cannot access /etc/firewall/zones: No such file or directory
[root@shuai-01 ~]# ls /etc/firewalld/zones
public.xml public.xml.old
[root@shuai-01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
After a --permanent change, the zone's configuration file is written to /etc/firewalld/zones (public.xml.old is the previous version). Files in this directory take precedence over the templates and are not touched by package updates.
Zone configuration templates: /usr/lib/firewalld/zones
[root@shuai-01 ~]# ls /usr/lib/firewalld/zones
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
Service configuration templates: /usr/lib/firewalld/services
[root@shuai-01 ~]# ls /usr/lib/firewalld/services
amanda-client.xml kpasswd.xml rpc-bind.xml
amanda-k5-client.xml ldaps.xml rsyncd.xml
bacula-client.xml ldap.xml samba-client.xml
bacula.xml libvirt-tls.xml samba.xml
ceph-mon.xml libvirt.xml sane.xml
ceph.xml mdns.xml smtps.xml
dhcpv6-client.xml mosh.xml smtp.xml
dhcpv6.xml mountd.xml snmptrap.xml
dhcp.xml ms-wbt.xml snmp.xml
dns.xml mysql.xml squid.xml
docker-registry.xml nfs.xml ssh.xml
dropbox-lansync.xml ntp.xml synergy.xml
freeipa-ldaps.xml openvpn.xml syslog-tls.xml
freeipa-ldap.xml pmcd.xml syslog.xml
freeipa-replication.xml pmproxy.xml telnet.xml
ftp.xml pmwebapis.xml tftp-client.xml
high-availability.xml pmwebapi.xml tftp.xml
https.xml pop3s.xml tinc.xml
http.xml pop3.xml tor-socks.xml
imaps.xml postgresql.xml transmission-client.xml
imap.xml privoxy.xml vdsm.xml
ipp-client.xml proxy-dhcp.xml vnc-server.xml
ipp.xml ptp.xml wbem-https.xml
ipsec.xml pulseaudio.xml xmpp-bosh.xml
iscsi-target.xml puppetmaster.xml xmpp-client.xml
kadmin.xml radius.xml xmpp-local.xml
kerberos.xml RH-Satellite-6.xml xmpp-server.xml
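The lookup order just shown (a file under /etc/firewalld overrides the template of the same name under /usr/lib/firewalld; zones reference services by name; services carry the ports) can be checked from the shell, which is useful when a zone allows a service whose definition was customized. The following is an added example, not from these notes or from firewalld itself: it resolves a zone to the ports it actually opens by reading the XML the way firewalld does, and lists which units are local overrides. The FW_ETC/FW_LIB variables and the function names are this example's; the port extraction is a line-oriented grep/sed, adequate for firewalld's own one-element-per-line files, not a general XML parser.

```shell
#!/bin/sh
# Added example: which ports does a firewalld zone actually open?
# FW_ETC / FW_LIB are this example's own knobs (assumption) so the
# functions can be pointed at another tree; the defaults are firewalld's.
FW_ETC=${FW_ETC:-/etc/firewalld}
FW_LIB=${FW_LIB:-/usr/lib/firewalld}

# Path of the file firewalld will read for a unit: "$1" is zones or
# services, "$2" the unit name. The admin copy wins; fails if neither exists.
fw_unit_file() {
    for d in "$FW_ETC/$1" "$FW_LIB/$1"; do
        if [ -f "$d/$2.xml" ]; then
            echo "$d/$2.xml"
            return 0
        fi
    done
    return 1
}

# Every <port protocol=".." port=".."/> element in a unit file, printed as
# PORT/PROTO (attribute order does not matter).
unit_ports() {
    grep -o '<port [^>]*/>' "$1" | while read -r tag; do
        proto=$(printf '%s\n' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$tag" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        echo "$port/$proto"
    done
}

# Units under $FW_ETC that shadow a package template of the same name:
# the local customizations (public.xml, ftp.xml, ...) worth reviewing.
fw_overrides() {
    for f in "$FW_ETC/$1"/*.xml; do
        [ -f "$f" ] || continue
        n=${f##*/}
        n=${n%.xml}
        if [ -f "$FW_LIB/$1/$n.xml" ]; then
            echo "$n"
        fi
    done
    return 0
}

# For a zone: each service it allows, resolved to ports through the same
# lookup order, then ports opened directly in the zone. One line per port:
#   SERVICE PORT/PROTO FILE      or      - PORT/PROTO FILE
zone_open_ports() {
    zf=$(fw_unit_file zones "$1") || { echo "zone $1: no definition" >&2; return 1; }
    grep -o '<service name="[^"]*"' "$zf" | sed 's/.*name="//; s/"$//' | while read -r svc; do
        sf=$(fw_unit_file services "$svc") || { echo "$svc: no definition" >&2; continue; }
        for p in $(unit_ports "$sf"); do
            echo "$svc $p $sf"
        done
    done
    for p in $(unit_ports "$zf"); do
        echo "- $p $zf"
    done
}

# Usage: sh zone-ports.sh work
if [ $# -gt 0 ]; then
    zone_open_ports "$1"
fi
```

The FILE column tells you whether a port comes from the template or from a local override, which is exactly the question after the case below (an ftp.xml under /etc/firewalld/services changes what "ftp" means in every zone that allows it).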
1. Case: change ftp's default port to 1121, then allow ftp in the work zone
Copy the ftp service file to /etc/firewalld/services (files there override the template; do not edit the copy under /usr/lib):
[root@shuai-01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
Then edit it and change the port from 21 to 1121 (a custom port for the service):
[root@shuai-01 ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
Copy /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones:
[root@shuai-01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
Edit /etc/firewalld/zones/work.xml and add the ftp service:
[root@shuai-01 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
Reload the service (this is what turns the edited files into running rules):
[root@shuai-01 ~]# firewall-cmd --reload
success
Check the services in work:
[root@shuai-01 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
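The same case done with firewall-cmd instead of hand-edited XML, as an added example that is not part of the notes. It also covers two things the XML edit leaves out. First, nf_conntrack_ftp, the helper module ftp.xml loads, inspects port 21 by default; its ports module parameter has to include 1121, otherwise passive-mode data connections for sessions on the new port are not related to their control connection and get dropped. Second, the firewall only opens the port: vsftpd must be told to listen on it (listen_port in vsftpd.conf). The FTP_PORT, FTP_ZONE, MODPROBE_D and DRY_RUN variables and the function names are this example's own; the firewall-cmd options are the permanent service and zone options from the firewall-cmd man page. Note that changing the ftp service definition affects every zone that allows ftp; if only work should use 1121, create a separate service with --new-service instead.

```shell
#!/bin/sh
# Added example: move the firewalld "ftp" service to a custom port and allow
# it in a zone, with the conntrack-helper and vsftpd steps included.
# FTP_PORT, FTP_ZONE, MODPROBE_D, DRY_RUN are this example's own variables.
set -eu
FTP_PORT=${FTP_PORT:-1121}
FTP_ZONE=${FTP_ZONE:-work}
MODPROBE_D=${MODPROBE_D:-/etc/modprobe.d}

# Every state-changing command goes through run(): with DRY_RUN set it is
# printed instead of executed, so the plan can be reviewed before it touches
# a remote firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# nf_conntrack_ftp tracks only port 21 unless its "ports" parameter says
# otherwise. Keeping 21 in the list is harmless and avoids breaking any
# zone that still uses the template definition.
helper_conf() {
    printf 'options nf_conntrack_ftp ports=21,%s\n' "$1"
}

write_helper_conf() {
    f=$MODPROBE_D/nf_conntrack_ftp.conf
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ write $f: $(helper_conf "$1")"
    else
        helper_conf "$1" > "$f"
    fi
}

# --permanent edits only the XML under /etc/firewalld (firewalld creates
# /etc/firewalld/services/ftp.xml on the first change); --reload is what
# makes it the running configuration, and drops runtime-only rules.
apply_firewall() {
    run firewall-cmd --permanent --service=ftp --remove-port=21/tcp
    run firewall-cmd --permanent --service=ftp --add-port="$1/tcp"
    run firewall-cmd --permanent --zone="$2" --add-service=ftp
    run firewall-cmd --reload
}

# Read back what is now in effect: the zone's services, the service's
# port list, and the helper's port list (valid once the module is loaded
# with the new parameter).
verify() {
    run firewall-cmd --zone="$1" --list-services
    run firewall-cmd --permanent --service=ftp --get-ports
    run cat /sys/module/nf_conntrack_ftp/parameters/ports
}

main() {
    write_helper_conf "$FTP_PORT"
    apply_firewall "$FTP_PORT" "$FTP_ZONE"
    verify "$FTP_ZONE"
    echo "remaining: set listen_port=$FTP_PORT in /etc/vsftpd/vsftpd.conf and restart vsftpd;"
    echo "the ports= option applies the next time nf_conntrack_ftp is loaded"
}

# Usage: sh ftp-port.sh plan   (print the commands)
#        sh ftp-port.sh apply  (execute them, as root)
case "${1:-}" in
    plan)  DRY_RUN=1 main ;;
    apply) main ;;
esac
```

If nf_conntrack_ftp is already loaded when the modprobe file is written, the parameter only takes effect after the module is unloaded and reloaded (or after a reboot); /sys/module/nf_conntrack_ftp/parameters/ports shows what the running module is actually tracking.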