iptables规则备份和恢复、firewall的zone的操作、service的操作

iptables规则备份和恢复

保存和备份iptables规则如下：

service iptables save //会把规则保存到/etc/sysconfig/iptables

把iptables规则备份到my.ipt文件中

 iptables-save > my.ipt

 恢复刚才备份的规则

 iptables-restore < my.ipt

实验：

[root@test-7 ~]# iptables-save > my.ipt

[root@test-7 ~]# iptables -t nat -F  #清空

[root@test-7 ~]# iptables -t nat -nvL #查看下

Chain PREROUTING (policy ACCEPT 2 packets, 406 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 2 packets, 406 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_ZONES (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_ZONES_SOURCE (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_direct (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_allow (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_deny (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_log (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_ZONES (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_ZONES_SOURCE (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_direct (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_allow (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_deny (0 references)

 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_log (0 references)

 pkts bytes target     prot opt in     out     source               destination         

[root@test-7 ~]# iptables-restore < my.ipt #恢复

[root@test-7 ~]# iptables -t nat -nvL  #查看下，数据又回来了

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.100.102      tcp dpt:1122 to:192.168.133.2:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 SNAT       all  --  *      *       192.168.133.2        0.0.0.0/0            to:192.168.100.102

firewalld的9个zone

1、查看zone类型：

[root@test-7 ~]# firewall-cmd --get-zones

block dmz drop external home internal public trusted work

关于9种zone的解析：

查看默认的zone:

[root@test-7 ~]# firewall-cmd --get-default-zone

public

firewalld关于zone的操作

1、设置

[root@test-7 ~]# firewall-cmd --set-default-zone=work

success

2、查看

[root@test-7 ~]# firewall-cmd --get-default-zone 

work

3、查看网卡的zone

[root@test-7 ~]# firewall-cmd --get-zone-of-interface=eno16777736

work

给指定的网卡增加zone

更改zone:

firewall-cmd --zone=block --change-interface=eno16777736

查看：

[root@test-7 ~]# firewall-cmd --get-zone-of-interface=eno16777736

block

删除zone

[root@test-7 ~]# firewall-cmd --zone=block --remove-interface=eno16777736

success

查看所有网卡的zone

[root@test-7 ~]# firewall-cmd --get-active-zones

work

  interfaces: eno33554984

firewalld关于service的操作

1、查看系统所有的service

firewall-cmd --get-services

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

2、查看当前zone下的service

[root@test-7 ~]# firewall-cmd --list-services 

dhcpv6-client ipp-client ssh

3、查看指定zone下的service

[root@test-7 ~]# firewall-cmd --zone=public --list-services 

dhcpv6-client ssh

添加一个服务到某个zone下

一、临时添加（配置文件中不存在，重启会恢复原配置）

[root@test-7 ~]# firewall-cmd --zone=public --add-service=http

success

查看：

[root@test-7 ~]# firewall-cmd --zone=public --list-services 

dhcpv6-client http ssh

二、永久添加

[root@test-7 ~]# firewall-cmd --zone=public --add-service=http --permanent

success

临时删除

1、

[root@test-7 ~]# firewall-cmd --zone=public --remove-service=ssh

success

[root@test-7 ~]# firewall-cmd --zone=public --list-service

dhcpv6-client http

2、[root@test-7 ~]# firewall-cmd --zone=public --remove-service=ftp --permanent

本文转自方向对了，就不怕路远了！51CTO博客，原文链接：http://blog.51cto.com/jacksoner/2046630 ，如需转载请自行联系原作者