Tasks for October 29
10.19 iptables rule backup and restore
10.20 firewalld's 9 zones
10.21 firewalld zone operations
10.22 firewalld service operations
iptables rule backup and restore
- iptables backup
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 44 packets, 3152 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 26 packets, 2584 bytes)
pkts bytes target prot opt in out source destination
- iptables restore
[root@localhost ~]# iptables-restore /etc/sysconfig/iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 692 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 6 packets, 744 bytes)
pkts bytes target prot opt in out source destination
- Save the rules to a file of your choice
[root@localhost ~]# iptables-save > /tmp/iptables.txt
[root@localhost ~]# cat /tmp/iptables.txt
# Generated by iptables-save v1.4.21 on Fri ... 19:54:19 ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:23866]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri ... 19:54:19 ...
[root@localhost ~]#
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1900 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes)
pkts bytes target prot opt in out source destination
- Load iptables rules from that file
[root@localhost ~]# iptables-restore < /tmp/iptables.txt
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
pkts bytes target prot opt in out source destination
If you want the rule set loaded at boot, it is best to save it in the default file, /etc/sysconfig/iptables, which is exactly what service iptables save does.
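iptables-restore replaces the whole rule set at once, so before restoring a saved file (whether /etc/sysconfig/iptables or /tmp/iptables.txt above) it is worth checking that the dump is complete and still accepts SSH. The following shell example is added here and is not part of the original notes; it runs the check on a constructed copy of the dump shown above and assumes the iptables-save text format (*table ... COMMIT).

```shell
# Added example: sanity-check an iptables-save dump before iptables-restore,
# so a truncated file or one with no SSH accept rule is caught in time.

# Constructed sample dump, modelled on the /tmp/iptables.txt listing above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:23866]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# dump_is_wellformed FILE: every "*table" block must be closed by a COMMIT,
# and no COMMIT may appear outside a block (what a truncated dump looks like).
dump_is_wellformed() {
    awk '/^\*/      { if (open) bad = 1; open = 1; next }
         /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
         END        { exit (bad || open) }' "$1"
}

# dump_allows_ssh FILE: the INPUT chain must accept connections to port 22,
# otherwise restoring this file over SSH cuts off your own session.
dump_allows_ssh() {
    grep -Eq -- '^-A INPUT .*--dport 22( |$).*-j ACCEPT' "$1"
}

# count_rules FILE: number of -A lines, which is what iptables -nvL will list.
count_rules() {
    grep -c -- '^-A ' "$1"
}

# check_dump FILE: returns 0 when the file is safe to restore, 1 otherwise.
check_dump() {
    dump_is_wellformed "$1" || { echo "$1: malformed dump" >&2; return 1; }
    dump_allows_ssh "$1"    || { echo "$1: no SSH accept rule, restore would lock you out" >&2; return 1; }
    echo "$1: $(count_rules "$1") rules, ok to run: iptables-restore < $1"
}

# Usage: sh check_dump.sh /tmp/iptables.txt
if [ "$#" -eq 1 ]; then
    check_dump "$1"
fi
```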
The firewalld service
CentOS 7 starts firewalld by default; if you have not changed that, you can use it as it is.
If you have disabled firewalld and enabled iptables instead, run the following commands to switch back:
# First disable and stop iptables
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
# Start firewalld (and enable it at boot)
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
firewalld's 9 zones
A zone is firewalld's unit of configuration: a rule set that ships with certain predefined rules.
firewalld has 9 zones, shown below:
- List all zones on the system
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
- Show the system's default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
Use the firewall-cmd command to view and configure the firewalld service (note: it is firewall-cmd, not firewalld-cmd).
A brief introduction to the zones
| zone | description |
|---|---|
| drop | Drops every incoming packet (the most secure: traffic goes out, nothing comes in). |
| block | Every incoming packet is rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message. |
| public | For use in public areas; you cannot trust the other computers on the network not to harm you, so only selected incoming packets are accepted. |
| external | For external networks; you mostly trust the other computers on the network not to harm you, and only selected incoming packets are accepted. |
| dmz | For computers in your demilitarized zone, which is publicly accessible and has limited access to your internal network. |
| work | For work areas; you mostly trust the other computers on the network not to harm you, and only selected incoming packets are accepted. |
| home | For home networks; you mostly trust the other computers on the network not to harm you, and only selected incoming packets are accepted. |
| internal | For internal networks; you mostly trust the other computers on the network not to harm you, and only selected incoming packets are accepted. |
| trusted | Accepts every incoming packet. |
A general understanding of these 9 zones is enough; not all of them will be used. They are listed above in order of security level, from the most restrictive (drop) to the most permissive (trusted).
firewalld zone operations
- Set the default zone
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
Zone settings for a specific network interface
- Show the zone of a specific interface
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
- Add an interface to a zone
# Add the interface lo to the public zone
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
# Check which zone each interface belongs to, to verify the change
[root@localhost ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
public
interfaces: lo
- Change the zone an interface belongs to
[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
dmz
interfaces: lo
work
interfaces: ens33
- Remove an interface from a zone
[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
firewalld service operations
Basic usage
- List all services known to the system
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication
ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd
pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy
syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-services | sed -r 's/ /\n/g' | wc -l
81
The count shows 81 services on this system.
- List the services enabled in a zone
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
- Add a service to a zone
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
# Appending --permanent writes the change to the configuration on disk instead of only the runtime (in-memory) rule set
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
# Zone configuration files are stored under /etc/firewalld/zones/
# After --add-service is run with --permanent, the previous configuration file is backed up as a .old file
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml.old
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
- Remove a service from a zone (the service must already be present)
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
Template configuration files for firewalld zones and services
# Zone template directory: /usr/lib/firewalld/zones/
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
# Service template directory: /usr/lib/firewalld/services/
[root@localhost ~]# ls /usr/lib/firewalld/services/
amanda-client.xml kpasswd.xml rpc-bind.xml
amanda-k5-client.xml ldaps.xml rsyncd.xml
bacula-client.xml ldap.xml samba-client.xml
bacula.xml libvirt-tls.xml samba.xml
ceph-mon.xml libvirt.xml sane.xml
ceph.xml mdns.xml smtps.xml
dhcpv6-client.xml mosh.xml smtp.xml
dhcpv6.xml mountd.xml snmptrap.xml
dhcp.xml ms-wbt.xml snmp.xml
dns.xml mysql.xml squid.xml
docker-registry.xml nfs.xml ssh.xml
dropbox-lansync.xml ntp.xml synergy.xml
freeipa-ldaps.xml openvpn.xml syslog-tls.xml
freeipa-ldap.xml pmcd.xml syslog.xml
freeipa-replication.xml pmproxy.xml telnet.xml
ftp.xml pmwebapis.xml tftp-client.xml
high-availability.xml pmwebapi.xml tftp.xml
https.xml pop3s.xml tinc.xml
http.xml pop3.xml tor-socks.xml
imaps.xml postgresql.xml transmission-client.xml
imap.xml privoxy.xml vdsm.xml
ipp-client.xml proxy-dhcp.xml vnc-server.xml
ipp.xml ptp.xml wbem-https.xml
ipsec.xml pulseaudio.xml xmpp-bosh.xml
iscsi-target.xml puppetmaster.xml xmpp-client.xml
kadmin.xml radius.xml xmpp-local.xml
kerberos.xml RH-Satellite-6.xml xmpp-server.xml
Configuration example
Add the ftp service to the work zone and change the default FTP port to 1121
- Copy the ftp service template
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
- Change the default port
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/> <!-- change the port to 1121 -->
<module name="nf_conntrack_ftp"/>
</service>
- Copy the work zone template
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<!-- add the service line below -->
<service name="ftp"/>
</zone>
- Reload the firewalld service
[root@localhost ~]# firewall-cmd --reload
success
- Verify the service was added correctly
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
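The copy-template, edit-XML, reload procedure above, scripted as an added example that is not part of the original notes. It uses only sed and awk so it runs without firewalld installed; the services and zones directories are parameters (on a real host /etc/firewalld/services and /etc/firewalld/zones), and a constructed work.xml stands in for the template.

```shell
# Added example: build a custom service file and enable it in a zone file
# the same way the manual vi edits above do, but idempotently.

# service_xml SHORT PROTO PORT [MODULE]: emit a firewalld service definition
# such as the custom ftp.xml above (port 1121 instead of 21).
service_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$1"
    printf '  <port protocol="%s" port="%s"/>\n' "$2" "$3"
    if [ -n "$4" ]; then printf '  <module name="%s"/>\n' "$4"; fi
    printf '</service>\n'
}

# zone_services ZONE.xml: print the service names enabled in a zone file.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# zone_has_service ZONE.xml NAME: 0 if the zone already enables NAME.
zone_has_service() {
    zone_services "$1" | grep -qx -- "$2"
}

# zone_add_service ZONE.xml NAME: insert <service name="NAME"/> before </zone>.
# Idempotent: returns 1 and leaves the file alone if NAME is already there.
zone_add_service() {
    zone_has_service "$1" "$2" && return 1
    awk -v svc="$2" '/<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_sample_work_zone FILE: constructed stand-in for the work.xml template.
write_sample_work_zone() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
}

# Usage: sh add_ftp.sh SERVICES_DIR ZONES_DIR   (then run: firewall-cmd --reload)
if [ "$#" -eq 2 ]; then
    service_xml FTP tcp 1121 nf_conntrack_ftp > "$1/ftp.xml"
    zone_add_service "$2/work.xml" ftp || echo "work zone already had ftp"
fi
```

One caveat the notes do not mention: the nf_conntrack_ftp helper listed in ftp.xml watches port 21 by default, so with FTP moved to 1121 it must also be loaded with its ports=1121 module parameter, or passive data connections will not be tracked.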