October 29 assignment

10.19 Backing up and restoring iptables rules
Saving and backing up iptables rules
service iptables save //saves the rules to /etc/sysconfig/iptables
Back up the iptables rules to the file my.ipt: iptables-save > my.ipt
Restore the rules just backed up: iptables-restore < my.ipt
 
[root@test ~]# service iptables save   (saves the rules to the config file)
[root@test ~]# cat /etc/sysconfig/iptables
 
Back up the rules to another file
[root@test ~]# iptables-save > /tmp/ipt.txt
[root@test ~]# cat !$
cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*filter
:INPUT ACCEPT [37471:2893984]
:FORWARD ACCEPT [132:17511]
:OUTPUT ACCEPT [7652:604535]
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*nat
:PREROUTING ACCEPT [5281:411531]
:INPUT ACCEPT [4894:368961]
:OUTPUT ACCEPT [402:34072]
:POSTROUTING ACCEPT [405:34204]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*mangle
:PREROUTING ACCEPT [65893:5243791]
:INPUT ACCEPT [37649:2910863]
:FORWARD ACCEPT [132:17511]
:OUTPUT ACCEPT [7750:618753]
:POSTROUTING ACCEPT [7896:638963]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
 
Restore the rules (note: after a reboot the rules that get loaded are still the ones configured in /etc/sysconfig/iptables)
[root@test ~]# iptables-restore < /tmp/ipt.txt
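The backup-and-restore commands above raise a practical question: how do you tell whether the rules currently in the kernel still match the file you saved? Two iptables-save dumps are never byte-identical, because the "# Generated by" / "# Completed on" lines carry timestamps and every chain policy line carries [pkts:bytes] counters, so a plain diff is useless. The script below is an added example, not part of the original post: it normalizes two dumps, checks that each *table block is closed by COMMIT before anything is fed to iptables-restore, and reports drift. The function names and the two sample dumps are constructed for the demo; on a live host the saved side is /etc/sysconfig/iptables and the running side is the output of iptables-save.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between a saved
# iptables ruleset and the running one. Function names and the sample dumps
# are constructed for this demo; on a live host compare
# /etc/sysconfig/iptables against "iptables-save > /tmp/now.txt".

# normalize_ruleset FILE: print the ruleset without its volatile parts
# (timestamped comment lines and the [pkts:bytes] counters on policy lines).
normalize_ruleset() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/^\(:[^ ]* [A-Z-]*\) \[[0-9]*:[0-9]*\]$/\1/' "$1"
}

# check_ruleset FILE: succeed only if every "*table" block is closed by COMMIT,
# the minimum a file must satisfy before being handed to iptables-restore.
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { if (open || bad) exit 1; exit 0 }
    ' "$1"
}

# ruleset_drift SAVED RUNNING: exit 0 when the normalized rulesets match,
# 1 (with a unified diff on stdout) when the running rules have drifted.
ruleset_drift() {
    a=$(mktemp); b=$(mktemp)
    normalize_ruleset "$1" > "$a"
    normalize_ruleset "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample dumps in the same format as the post's /tmp/ipt.txt:
# the saved file, and a running dump where a rule for port 8080 was added
# in memory and never saved.
SAVED=$(mktemp); RUNNING=$(mktemp)
cat > "$SAVED" <<'EOF'
# Generated by iptables-save v1.4.21 on Sat Oct 27 13:56:42 2018
*filter
:INPUT ACCEPT [37471:2893984]
:FORWARD ACCEPT [132:17511]
:OUTPUT ACCEPT [7652:604535]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Oct 27 13:56:42 2018
EOF
cat > "$RUNNING" <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Oct 29 09:00:00 2018
*filter
:INPUT ACCEPT [40210:3104477]
:FORWARD ACCEPT [140:18650]
:OUTPUT ACCEPT [8123:661902]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Mon Oct 29 09:00:00 2018
EOF

check_ruleset "$SAVED" && check_ruleset "$RUNNING" && echo "both dumps are well-formed"
if ruleset_drift "$SAVED" "$RUNNING"; then
    echo "no drift: running rules match the saved file"
else
    echo "DRIFT: running rules differ from the saved file (see diff above)"
fi
```

The diff it prints is exactly the set of rules that would be lost at the next reboot, since only /etc/sysconfig/iptables is loaded then; running it from cron against /etc/sysconfig/iptables turns an unsaved in-memory rule change into an alert rather than a surprise.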
 
10.20 The 9 zones of firewalld
Is there any difference between service iptables stop and systemctl stop iptables? service is the tool earlier CentOS versions used to manage services; CentOS 7 is still compatible with it. To see which services it can be used with, run chkconfig --list.
 
Enable firewalld
systemctl disable iptables (do not start iptables at boot)
systemctl stop iptables   (stop iptables)
systemctl enable firewalld  (start firewalld at boot)
systemctl start firewalld   (start firewalld now)
firewalld has 9 zones by default
The default zone is public
firewall-cmd --get-zones //list all zones
firewall-cmd --get-default-zone //show the default zone
 
 
Enabling firewalld
1. Disable iptables
[root@test ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@test ~]# systemctl stop iptables
2. Enable firewalld
[root@test ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@test ~]# systemctl start firewalld
 
firewalld structure (the chains it creates, as seen through iptables)
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 3907 bytes)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 22 packets, 4178 bytes)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD_IN_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD_IN_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD_OUT_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FORWARD_direct (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDI_public (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDI_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDI_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDI_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDO_public (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDO_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDO_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain FWDO_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain INPUT_ZONES (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain INPUT_ZONES_SOURCE (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain INPUT_direct (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain IN_public (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain IN_public_allow (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain IN_public_deny (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain IN_public_log (0 references)
pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT_direct (0 references)
pkts bytes target     prot opt in     out     source               destination   
 
firewalld has 9 zones by default, and the default zone is public. A zone is like a rule set: each zone carries its own built-in rules, such as allowing certain ports and restricting others.
 
List all zones
[root@test ~]# firewall-cmd --get-zones
block(icmp) dmz drop(most secure) external(router) home(home network) internal(server-to-server inside a data center) public(some packets restricted, some allowed) trusted(least secure, no restrictions) work(company intranet)
Show the default zone
[root@test ~]# firewall-cmd --get-default-zone
public
 
 
10.21 firewalld zone operations
Command auto-completion package on CentOS 7:
[root@test ~]# yum install -y bash-completion
 
firewall-cmd --set-default-zone=work //set the default zone
Before and after changing a NIC's zone, restart the NetworkManager service (after a config file change the service must be restarted so the change is reloaded)
Start: systemctl start NetworkManager    Stop: systemctl stop NetworkManager
firewall-cmd --get-zone-of-interface=ens33 //show the zone of a specific NIC
firewall-cmd --zone=public --add-interface=lo //assign a zone to a specific NIC
firewall-cmd --zone=dmz --change-interface=lo //change the zone of a NIC
firewall-cmd --zone=dmz  --remove-interface=lo  //remove a NIC from a zone
firewall-cmd --get-active-zones  //list the zones of all NICs on the system
 
Set the default zone
[root@test ~]# firewall-cmd --set-default-zone=home
Error: COMMAND_FAILED
[root@test ~]# firewall-cmd --set-default-zone=home
Warning: ZONE_ALREADY_SET: home
success
[root@test ~]# firewall-cmd --get-default-zone
home
 
Show the zone of a specific NIC
[root@test ~]# firewall-cmd --get-zone-of-interface=ens32
public
[root@test ~]# firewall-cmd --get-zone-of-interface=ens34
public
 
[root@test ~]# firewall-cmd --get-zone-of-interface=lo
no zone
Assign a zone to a specific NIC
[root@test ~]# firewall-cmd --zone=dmz --add-interface=lo
success
 
[root@test ~]# firewall-cmd --get-zone-of-interface=ens34
public
Change the zone of a NIC
[root@test ~]# firewall-cmd --zone=work --change-interface=ens34
 
Remove a NIC from a zone
[root@test ~]# firewall-cmd --zone=dmz  --remove-interface=lo
success
 
List the zones of all NICs on the system
[root@test ~]# firewall-cmd --get-active-zones
public
  interfaces: ens32 ens34
 
 
10.22 firewalld service operations
This combined form is supported: firewall-cmd --zone=public --add-service=http --add-service=https --add-service=ftp

firewall-cmd --get-services  //list all services
firewall-cmd --list-services  //list the services in the current zone
 firewall-cmd --zone=public --add-service=http //add http to the public zone
 firewall-cmd --zone=public --remove-service=http
 ls /usr/lib/firewalld/zones/ //zone config file templates
 firewall-cmd --zone=public --add-service=http --permanent //changes the config file; afterwards a config file is generated under /etc/firewalld/zones
 Requirement: the ftp service uses custom port 1121 and must be allowed in the work zone
 cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
 vi /etc/firewalld/services/ftp.xml //change 21 to 1121
 cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
 vi /etc/firewalld/zones/work.xml //add the line <service name="ftp"/>
 firewall-cmd --reload //reload
 firewall-cmd --zone=work --list-services
 
 
 
A service is a sub-unit of a zone that stands for specific ports: http is port 80, https is port 443, ssh is port 22
 
List all services
[root@test ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
 
 
Show the current zone
[root@test ~]# firewall-cmd --get-default-zone
home
 
List the services in the current zone
[root@test ~]# firewall-cmd --list-services
You're performing an operation over default zone ('home'),
but your connections/interfaces are in zone 'public' (see --get-active-zones)
You most likely need to use --zone=public option.
 
ssh mdns samba-client dhcpv6-client
 
List the services in a specified zone
[root@test ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh
 
Add services to the public zone
[root@test ~]#  firewall-cmd --zone=public --add-service=http
success
[root@test ~]#  firewall-cmd --zone=public --add-service=https
success
[root@test ~]#  firewall-cmd --zone=public --add-service=ftp
success
 
[root@test ~]# firewall-cmd --list-services --zone=public  (services added in memory only)
dhcpv6-client ssh http https ftp
 
Add the service to the config file (--permanent makes it permanent)
[root@test ~]# firewall-cmd --zone=public --add-service=http --permanent
success
A config file is generated under /etc/firewalld/zones
/etc/firewalld/ holds the system's firewalld service configuration:
[root@test ~]# ls /etc/firewalld/services/
[root@test ~]# ls /etc/firewalld/zones/
[root@test ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
</zone>
 
Zone config file templates
[root@test ~]# ls /usr/lib/firewalld/zones
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
 
Service config file templates
[root@test ~]# ls /usr/lib/firewalld/services/
amanda-client.xml        freeipa-replication.xml  libvirt-tls.xml           pop3.xml             snmp.xml
amanda-k5-client.xml     freeipa-trust.xml        libvirt.xml               postgresql.xml       spideroak-lansync.xml
bacula-client.xml        ftp.xml                  managesieve.xml           privoxy.xml          squid.xml
bacula.xml               ganglia-client.xml       mdns.xml                  proxy-dhcp.xml       ssh.xml
bitcoin-rpc.xml          ganglia-master.xml       mosh.xml                  ptp.xml              synergy.xml
bitcoin-testnet-rpc.xml  high-availability.xml    mountd.xml                pulseaudio.xml       syslog-tls.xml
bitcoin-testnet.xml      https.xml                mssql.xml                 puppetmaster.xml     syslog.xml
bitcoin.xml              http.xml                 ms-wbt.xml                quassel.xml          telnet.xml
ceph-mon.xml             imaps.xml                mysql.xml                 radius.xml           tftp-client.xml
ceph.xml                 imap.xml                 nfs3.xml                  RH-Satellite-6.xml   tftp.xml
cfengine.xml             ipp-client.xml           nfs.xml                   rpc-bind.xml         tinc.xml
condor-collector.xml     ipp.xml                  nrpe.xml                  rsh.xml              tor-socks.xml
ctdb.xml                 ipsec.xml                ntp.xml                   rsyncd.xml           transmission-client.xml
dhcpv6-client.xml        iscsi-target.xml         openvpn.xml               samba-client.xml     vdsm.xml
dhcpv6.xml               kadmin.xml               ovirt-imageio.xml         samba.xml            vnc-server.xml
dhcp.xml                 kerberos.xml             ovirt-storageconsole.xml  sane.xml             wbem-https.xml
dns.xml                  kibana.xml               ovirt-vmconsole.xml       sips.xml             xmpp-bosh.xml
docker-registry.xml      klogin.xml               pmcd.xml                  sip.xml              xmpp-client.xml
dropbox-lansync.xml      kpasswd.xml              pmproxy.xml               smtp-submission.xml  xmpp-local.xml
elasticsearch.xml        kshell.xml               pmwebapis.xml             smtps.xml            xmpp-server.xml
freeipa-ldaps.xml        ldaps.xml                pmwebapi.xml              smtp.xml
freeipa-ldap.xml         ldap.xml                 pop3s.xml                 snmptrap.xml
 
Hands-on test:
Requirement: the ftp service uses custom port 1121 and must be allowed in the work zone
Method: via config files
1. Copy the template config file into /etc/firewalld/services/
[root@test ~]# ls /etc/firewalld/services/
[root@test ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
2. Change ftp's default port
[root@test ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
3. Copy the work zone config template to /etc/firewalld/zones/
[root@test ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
4. Edit the work template and add the ftp service
[root@test ~]# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
5. Reload the service
[root@test ~]# firewall-cmd --reload
success
 
Check
[root@test ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
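The five steps above work because firewalld resolves a zone's <service name="..."/> entries through the service XML files, and a file under /etc/firewalld/services/ shadows the template of the same name under /usr/lib/firewalld/services/. Listing services with --list-services shows only names, so the question "which ports does the work zone actually open now?" still needs the service files read. The script below is an added example, not the post's or firewalld's own code: it applies the same etc-over-usr/lib precedence to a scratch directory tree and prints each allowed service with its port/protocol. FW_ROOT, the function names and the XML files are constructed for the demo; it assumes one XML element per line and protocol= listed before port= in each <port/> element, as the shipped service files are written.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the ports a firewalld
# zone opens by reading its zone XML and the service XML files it references.
# FW_ROOT, the function names and the XML below are constructed for this demo
# so it runs against a scratch tree instead of the live /etc and /usr/lib.
# Assumes one element per line and protocol= before port= in <port/> elements.

FW_ROOT="${FW_ROOT:-$(mktemp -d)}"

# find_def KIND NAME: print the effective definition file for a zone or
# service (KIND is "zones" or "services"); etc/ shadows usr/lib/.
find_def() {
    for d in "$FW_ROOT/etc/firewalld/$1" "$FW_ROOT/usr/lib/firewalld/$1"; do
        if [ -f "$d/$2.xml" ]; then echo "$d/$2.xml"; return 0; fi
    done
    echo "no $1 definition named '$2'" >&2
    return 1
}

# service_ports NAME: print "port/protocol" for each <port/> in the service.
service_ports() {
    f=$(find_def services "$1") || return 1
    sed -n 's|.*<port[^>]*protocol="\([^"]*\)"[^>]*port="\([^"]*\)".*|\2/\1|p' "$f"
}

# zone_ports ZONE: print "service port/protocol" for every service the zone allows.
zone_ports() {
    z=$(find_def zones "$1") || return 1
    sed -n 's|.*<service name="\([^"]*\)".*|\1|p' "$z" | while read -r s; do
        service_ports "$s" | while read -r p; do echo "$s $p"; done
    done
}

# --- constructed scratch tree, modelled on the files shown in the post ---
mkdir -p "$FW_ROOT/usr/lib/firewalld/services" "$FW_ROOT/usr/lib/firewalld/zones" \
         "$FW_ROOT/etc/firewalld/services" "$FW_ROOT/etc/firewalld/zones"
cat > "$FW_ROOT/usr/lib/firewalld/services/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
EOF
cat > "$FW_ROOT/usr/lib/firewalld/services/dhcpv6-client.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
</service>
EOF
cat > "$FW_ROOT/usr/lib/firewalld/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
</service>
EOF
# user override with the custom port (step 2 of the post)
cat > "$FW_ROOT/etc/firewalld/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="1121"/>
</service>
EOF
cat > "$FW_ROOT/usr/lib/firewalld/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
# user copy of the work zone with ftp added (step 4 of the post)
cat > "$FW_ROOT/etc/firewalld/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
EOF

echo "ports opened by zone 'work':"
zone_ports work
```

Because the override lives in /etc/firewalld/services/ftp.xml, "ftp" in the work zone now means 1121/tcp and no longer 21/tcp; that is what a reviewer of the firewall needs to see, since the service name alone hides it. On a live CentOS 7 host the authoritative view is firewall-cmd --zone=work --list-all, and the runtime and --permanent views can differ until firewall-cmd --reload is run.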
 
 
Summary (conclusions from the hands-on test):
firewalld has two kinds of objects, zones and services
zone: a rule set; each zone has corresponding iptables rules and contains a number of services, which act as a whitelist of what the zone allows through.
If a service needs to be allowed, add it to the config file and reload, and it takes effect
service: can be customized

Reposted from: https://my.oschina.net/u/3803396/blog/2253320
