iptables规则备份和恢复
- 介绍:之前说道,我们设定的防火墙规则只保存在内存中,重启失效。那么怎么保存规则呢 如下
- 保存规则命令:
- 这里能看到出现了一个路径,这就是我们的规则所保存的路径。
- 以后要是遇到需要备份防火墙规则,只要复制这个文件的副本就行了
[root@centos001 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
- 保存、恢复规则至指定的地方
[root@centos001 ~]# iptables-save > /tmp/ipt.txt //保存
[root@centos001 ~]# iptables-restore < /tmp/ipt.txt //恢复
firewalld的9个zone
- 准备 :
之前我们关闭了firewalld,现在要开启,所以要把iptables先禁用掉
[root@centos001 ~]# systemctl disable iptables
[root@centos001 ~]# systemctl stop iptables
[root@centos001 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@centos001 ~]# systemctl start firewalld
- 介绍:
- 我们可以先查看一下firewalld的规则,用iptables -nvL(注意最后一个L是大写)查看其默认规则
- firewalld的规则有两个基础概念,分别是zone(可以当作是个单位)和service,每个zone里面有不同的iptables规则,默认一共9个zone,
而centos7默认的zone为public- 每个zone都是相当于一个规则集(就是里面有属于它自己的规则)
- 命令:查看所有zone
[root@centos001 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
- 命令:查询系统默认的zone
[root@centos001 ~]# firewall-cmd --get-default-zone
public //这里能看到默认的zone是public
- zone的解释
firewalld关于zone的操作
- 设定默认的zone是什么
[root@centos001 ~]# firewall-cmd --set-default-zone=work//设定默认zone是,并查看
success
[root@centos001 ~]# firewall-cmd --get-default-zone
work
- 查看网卡的zone
[root@centos001 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
- 当zone没有的时候
[root@centos001 ~]# cd /etc/sysconfig/network-scripts/ //1.复制配置文件到网卡
[root@centos001 network-scripts]# ls
ifcfg-e ifdown-ib ifdown-Team ifup-ippp ifup-sit
ifcfg-ens ifdown-ippp ifdown-TeamPort ifup-ipv6 ifup-Team
ifcfg-ens33 ifdown-ipv6 ifdown-tunnel ifup-isdn ifup-TeamPort
ifcfg-ens33:0 ifdown-isdn ifup ifup-plip ifup-tunnel
ifcfg-lo ifdown-post ifup-aliases ifup-plusb ifup-wireless
ifdown ifdown-ppp ifup-bnep ifup-post init.ipv6-global
ifdown-bnep ifdown-routes ifup-eth ifup-ppp network-functions
ifdown-eth ifdown-sit ifup-ib ifup-routes network-functions-ipv6
[root@centos001 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@centos001 network-scripts]# vi /etc/sysconfig/network-scripts/ifcfg-ens37 //2.配置下这个文件
[root@centos001 network-scripts]# uuidgen ens37 //这里是查询uuid
0868ef08-a957-44d8-9554-c4966a7f0bf5
[root@centos001 network-scripts]# vi /etc/sysconfig/network-scripts/ifcfg-ens37
[root@centos001 network-scripts]# systemctl restart network.service //3.重启网络服务
Job for network.service failed because the control process exited with error code. See "systemctl status network.service" and "journalctl -xe" for details.
[root@centos001 network-scripts]# systemctl restart firewalld //4.重启firewalld服务
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=ens37 //5.重新运行查看网卡的zone
no zone //这里出错了 坑能是我们网络环境的问题
- 给指定的网卡设置zone
[root@centos001 network-scripts]# firewall-cmd --zone=public --add-interface=lo //设定并查看
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
- 针对指定网卡修改zone
[root@centos001 network-scripts]# firewall-cmd --zone=block --change-interface=lo //修改并查看
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
block
- 针对指定网卡删除zone
- 这里最后显示no zone的原因是:没有开启NetworkManager服务
[root@centos001 network-scripts]# firewall-cmd --zone=block --remove-interface=lo
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
- 查看系统所有网卡所在的zone
firewall-cmd --get-active-zones //查看系统所有网卡所在的zone
firewalld关于service的操作
- 介绍:什么是service 其实之所以有9中zone,其原因是因为每一个zone里面都是用了不同的service,而service就是针对一个服务(端口)做的iptables规则。
service的用法:
- 列出当前系统里的所有service
firewall-cmd --get-services 查看所有的servies
-查看当前zone下有哪些service
[root@centos001 network-scripts]# firewall-cmd --get-default-zone //查看当前的zone是什么
work
[root@centos001 network-scripts]# firewall-cmd --list-services
ssh dhcpv6-client
- 查看指定zone下的service
[root@centos001 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
- 把http增加到public zone下面
- 这里设定的只会保存在内存中,下个命令将介绍什么保存至配置文件
[root@centos001 network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@centos001 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
- 将添加的service 保存至配置文件
firewall-cmd --zone=public --add-service=http --permanent
更改配置文件,之后会在/etc/firewalld/zones目录下面生成配置文件
[root@centos001 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@centos001 network-scripts]# ls /etc/firewalld/zones/public.xml //保存的路径
/etc/firewalld/zones/public.xml
[root@centos001 network-scripts]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@centos001 network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="http"/> //能看到我们添加的service
</zone>
- zone的配置文件模板
ls /usr/lib/firewalld/zones/
需求:ftp服务自定义端口1121,需要在work zone下面放行ftp
- 首先要将ftp的服务做一下更改,然后吧ftp添加到work zone
- 复制模版一
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
- 修改配置文件
vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/> //这里修改为1121
<module name="nf_conntrack_ftp"/>
</service>
- 复制模版二
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
- 修改配置文件 vi /etc/firewalld/zones/work.xml 增加一行<service name="ftp"/>
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
- 重新加载
[root@centos001 ~]# firewall-cmd --reload
success
- 查看结果
[root@centos001 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp //新添加的ftp
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
