iptables规则备份和恢复
保存和备份iptables规则如下:
service iptables save //会把规则保存到/etc/sysconfig/iptables
把iptables规则备份到my.ipt文件中
iptables-save > my.ipt
恢复刚才备份的规则
iptables-restore < my.ipt
实验:
[root@test-7 ~]# iptables-save > my.ipt
[root@test-7 ~]# iptables -t nat -F #清空
[root@test-7 ~]# iptables -t nat -nvL #查看下
Chain PREROUTING (policy ACCEPT 2 packets, 406 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2 packets, 406 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (0 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (0 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES_SOURCE (0 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (0 references)
pkts bytes target prot opt in out source destination
Chain POST_public (0 references)
pkts bytes target prot opt in out source destination
Chain POST_public_allow (0 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (0 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (0 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (0 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES_SOURCE (0 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (0 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (0 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_allow (0 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (0 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (0 references)
pkts bytes target prot opt in out source destination
[root@test-7 ~]# iptables-restore < my.ipt #恢复
[root@test-7 ~]# iptables -t nat -nvL #查看下,数据又回来了
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.100.102 tcp dpt:1122 to:192.168.133.2:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.133.2 0.0.0.0/0 to:192.168.100.102
firewalld的9个zone
1、查看zone类型:
[root@test-7 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
关于9种zone的解析:
查看默认的zone:
[root@test-7 ~]# firewall-cmd --get-default-zone
public
firewalld关于zone的操作
1、设置
[root@test-7 ~]# firewall-cmd --set-default-zone=work
success
2、查看
[root@test-7 ~]# firewall-cmd --get-default-zone
work
3、查看网卡的zone
[root@test-7 ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
给指定的网卡增加zone
更改zone:
firewall-cmd --zone=block --change-interface=eno16777736
查看:
[root@test-7 ~]# firewall-cmd --get-zone-of-interface=eno16777736
block
删除zone
[root@test-7 ~]# firewall-cmd --zone=block --remove-interface=eno16777736
success
查看所有网卡的zone
[root@test-7 ~]# firewall-cmd --get-active-zones
work
interfaces: eno33554984
firewalld关于service的操作
1、查看系统所有的service
firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
2、查看当前zone下的service
[root@test-7 ~]# firewall-cmd --list-services
dhcpv6-client ipp-client ssh
3、查看指定zone下的service
[root@test-7 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
添加一个服务到某个zone下
一、临时添加(配置文件中不存在,重启会恢复原配置)
[root@test-7 ~]# firewall-cmd --zone=public --add-service=http
success
查看:
[root@test-7 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
二、永久添加
[root@test-7 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
临时删除
1、
[root@test-7 ~]# firewall-cmd --zone=public --remove-service=ssh
success
[root@test-7 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client http
2、[root@test-7 ~]# firewall-cmd --zone=public --remove-service=ftp --permanent