10.19 Backing up and restoring iptables rules
Backup (save to a file): iptables-save
iptables-save > /tmp/ipt.txt
Restore:
iptables-restore < /tmp/ipt.txt
10.20 The 9 firewalld zones
## Stop iptables
[root@greenfinch ~]# systemctl disable iptables
[root@greenfinch ~]# systemctl stop iptables
## Enable firewalld
[root@greenfinch ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@greenfinch ~]# systemctl start firewalld
Note: at this point the firewall rules have already changed; check them with iptables -nvL.
About the 9 zones:
List the zone types on the system:
[root@greenfinch ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
Show the system's default zone:
[root@greenfinch ~]# firewall-cmd --get-default-zone
public
10.21 firewalld zone operations
[root@greenfinch ~]# firewall-cmd --set-default-zone=work ## set the default zone
success
[root@greenfinch ~]# firewall-cmd --get-default-zone ## show the system's default zone
work
Show the zone of a given interface:
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=lo
no zone
- Assign a zone to a given interface, two methods:
Method 1: edit the interface's configuration file (copy an existing interface configuration file and rename it) and add the zone there; after editing, restart the network service and restart the firewalld service: systemctl restart firewalld.
Method 2:
[root@greenfinch ~]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
[root@greenfinch ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=lo
public
- Change the zone of a given interface
[root@greenfinch ~]# firewall-cmd --zone=block --change-interface=ens37
success
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=ens37
block
- Remove a given interface from its zone
[root@greenfinch ~]# firewall-cmd --zone=block --remove-interface=ens37
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@greenfinch ~]# firewall-cmd --get-zone-of-interface=ens37
work
- Show the zones of all interfaces on the system
[root@greenfinch ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
public
interfaces: lo
10.22 firewalld service operations
- List all services known to the system: firewall-cmd --get-services
- List the services in the current zone: firewall-cmd --list-services
- List the services in a given zone: firewall-cmd --zone=public --list-services
Add a service to a zone:
- Temporary (runtime only; nothing is written to the configuration file, so a restart restores the original configuration)
[root@greenfinch ~]# firewall-cmd --zone=public --add-service=http
success
[root@greenfinch ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@greenfinch ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http ftp
- Permanent (changes the configuration file):
firewall-cmd --zone=public --add-service=ftp --permanent
Zone configuration files live in /etc/firewalld/zones/
[root@greenfinch ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@greenfinch ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
Note: public.xml.old is effectively a backup file; each time public.xml is edited, the system automatically saves the previous contents of public.xml to public.xml.old.
- Zone configuration file templates
[root@greenfinch ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
- Configuration file templates for the services bundled with firewalld
[root@greenfinch ~]# ls /usr/lib/firewalld/
icmptypes ipsets services xmlschema zones
Worked requirement: the ftp service uses a custom port, 1121, and ftp must be allowed in the work zone.
Step 1: copy the ftp configuration file to /etc/firewalld/services/
[root@greenfinch ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
Step 2: edit that file and change port="21" to port="1121"
[root@greenfinch ~]# vim /etc/firewalld/services/ftp.xml
Step 3: copy the work zone's configuration file to /etc/firewalld/zones/
[root@greenfinch ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
Step 4: edit that file and add the line <service name="ftp"/>
[root@greenfinch ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
Step 5: reload
[root@greenfinch ~]# firewall-cmd --reload
Verify the result
[root@greenfinch ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
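The five steps above rely on firewalld's lookup order: a service or zone file under /etc/firewalld overrides the shipped template of the same name under /usr/lib/firewalld, which is why copying ftp.xml and editing only the copy is enough. The following added Python example (not part of these notes) mirrors that resolution on a constructed directory tree in a temporary folder, never touching the real system paths, and works out which ports the work zone actually opens before and after the override; the service and zone XML it writes is a constructed minimal subset of the real files.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# firewalld reads /etc/firewalld/{zones,services} first and falls back to the
# shipped templates in /usr/lib/firewalld; this resolver mirrors that overlay
# on a constructed tree rooted at a temporary directory, not the real paths.
SEARCH_PATH = ("etc/firewalld", "usr/lib/firewalld")

def service_xml(short, protocol, port):
    """Minimal service definition in the firewalld XML format (constructed sample)."""
    return (f'<?xml version="1.0" encoding="utf-8"?>\n<service>\n<short>{short}</short>\n'
            f'<port protocol="{protocol}" port="{port}"/>\n</service>\n')

def zone_xml(short, services):
    """Minimal zone definition listing the allowed services (constructed sample)."""
    entries = "".join(f'<service name="{s}"/>\n' for s in services)
    return f'<?xml version="1.0" encoding="utf-8"?>\n<zone>\n<short>{short}</short>\n{entries}</zone>\n'

def write(root, rel, text):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")

def load_xml(root, kind, name):
    """Return the parsed zone or service definition, /etc winning over /usr/lib."""
    for base in SEARCH_PATH:
        path = Path(root, base, kind, name + ".xml")
        if path.is_file():
            return ET.parse(path).getroot()
    raise FileNotFoundError(f"{kind}/{name}.xml not found under {root}")

def zone_open_ports(root, zone):
    """Resolve each <service name=.../> in the zone to the (protocol, port) pairs it opens."""
    ports = set()
    for svc in load_xml(root, "zones", zone).findall("service"):
        for p in load_xml(root, "services", svc.get("name")).findall("port"):
            ports.add((p.get("protocol"), p.get("port")))
    return sorted(ports)

def build_demo_tree(ftp_override_port=None):
    """Constructed tree: lib templates, plus the page's /etc overrides when a port is given."""
    root = Path(tempfile.mkdtemp(prefix="firewalld-demo-"))
    write(root, "usr/lib/firewalld/services/ssh.xml", service_xml("SSH", "tcp", "22"))
    write(root, "usr/lib/firewalld/services/ftp.xml", service_xml("FTP", "tcp", "21"))
    write(root, "usr/lib/firewalld/services/dhcpv6-client.xml", service_xml("DHCPv6 Client", "udp", "546"))
    write(root, "usr/lib/firewalld/zones/work.xml", zone_xml("Work", ["ssh", "dhcpv6-client"]))
    if ftp_override_port:  # steps 1-4 of the notes: override ftp.xml and work.xml under /etc
        write(root, "etc/firewalld/services/ftp.xml", service_xml("FTP", "tcp", ftp_override_port))
        write(root, "etc/firewalld/zones/work.xml", zone_xml("Work", ["ssh", "dhcpv6-client", "ftp"]))
    return root
```

Calling zone_open_ports(build_demo_tree("1121"), "work") shows tcp/1121 rather than tcp/21, confirming that the edited copy under /etc/firewalld, not the template, decides what the zone opens after firewall-cmd --reload.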