When maintaining a server, the iptables rules configured with the iptables command live only in kernel memory; after a reboot they are gone. The question is how to make the previously configured rules take effect again automatically after the server restarts.

Option 1:
Before the reboot, back up the current iptables rules; when the server starts, load them back into iptables.
Related commands (both need root):
Back up the rules, writing the rule file to the current user's home directory:
iptables-save > ~/iptables.bak

Restore the rules:
iptables-restore < ~/iptables.bak

Put the restore command into the startup script /etc/rc.local (the file must be executable, and use an absolute path to the rule file, because rc.local runs as root with a different home directory). Note that rc.local runs at the very end of the boot sequence, after the network is up and the daemons have started, so until it runs the host sits with the kernel's empty default ruleset (policy ACCEPT on every chain).

Option 2:
Save the rules directly into the iptables service's configuration file /etc/sysconfig/iptables. On Red Hat style systems (RHEL/CentOS/Fedora with the iptables init script), `service iptables save` writes the current rules there in iptables-save format, and the service loads them with iptables-restore at boot, before the network interfaces come up; enable it with `chkconfig iptables on`. The file has the same format as the backup produced in option 1, for example:

 [zhangzq@realweb netcert]$ cat iptables.bak
# Generated by iptables-save v1.2.11 on Tue Dec 14 13:49:16 2010
*nat
:PREROUTING ACCEPT [1513:84880]
:POSTROUTING ACCEPT [2181:130860]
:OUTPUT ACCEPT [2181:130860]
COMMIT
# Completed on Tue Dec 14 13:49:16 2010
# Generated by iptables-save v1.2.11 on Tue Dec 14 13:49:16 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3517770272:2320868460003]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.201 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.80.195 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.250 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.85.185 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.80.128 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 122.70.220.136 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.115.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.117.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.198 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.199 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p udp -m state --state NEW -m udp --dport 873 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.242 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -s 111.193.206.253 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.209 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.244 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.17.106 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.206 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Dec 14 13:49:16 2010
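The save/restore sequence of option 1, with the checks a practitioner adds before trusting a rules file at boot, as an added example written for this page (not code from the original post or from the iptables project). It assumes iptables-save, iptables-restore and awk are installed and that the script runs as root; the file name /etc/iptables.rules, the rollback copy /run/iptables.rollback and the constructed rules excerpt in example_rules are this example's own assumptions, not from the page.

```shell
#!/bin/sh
# iptables-persist.sh: save, check and restore an iptables-save file.
# Added example for this page, not code from the original post or the iptables
# project. Assumes iptables-save/iptables-restore/awk on PATH and root.
# /etc/iptables.rules and /run/iptables.rollback are this script's choices.

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

# Structural check of an iptables-save file: every "*table" block must end in
# COMMIT, and every chain named by "-A CHAIN" must be declared with a
# ":CHAIN POLICY [pkts:bytes]" line in the same table. Returns 0 when clean.
# It checks only the syntax a restore needs, not whether the policy is sane.
check_rules_file() {
    [ -s "$1" ] || { echo "empty or missing rules file: $1" >&2; return 1; }
    awk '
        BEGIN { bad = 0 }
        /^#/ || /^$/ { next }
        /^\*/ {                       # new table: the previous one must be closed
            if (table != "") { print "table " table ": missing COMMIT" > "/dev/stderr"; bad = 1 }
            table = substr($1, 2); split("", declared); next
        }
        /^:/ { declared[substr($1, 2)] = 1; next }
        /^-A / {
            if (table == "") { print "rule outside any table: " $0 > "/dev/stderr"; bad = 1 }
            else if (!($2 in declared)) { print "table " table ": chain " $2 " not declared" > "/dev/stderr"; bad = 1 }
            next
        }
        /^COMMIT$/ { table = ""; next }
        { print "unexpected line: " $0 > "/dev/stderr"; bad = 1 }
        END {
            if (table != "") { print "table " table ": missing COMMIT" > "/dev/stderr"; bad = 1 }
            exit bad
        }' "$1"
}

# Snapshot the live ruleset atomically: write to a temp file, verify it parses,
# then move it into place so a crash mid-write never leaves a truncated file.
save_rules() {
    tmp="$1.tmp.$$"
    if iptables-save > "$tmp" && check_rules_file "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Reload from file. The live ruleset is saved first so a bad file can be undone
# with: iptables-restore < /run/iptables.rollback
restore_rules() {
    check_rules_file "$1" || return 1
    iptables-save > /run/iptables.rollback || return 1
    iptables-restore < "$1"
}

# Constructed excerpt in the same format as the file above (not the page's
# full ruleset); used by the "demo" subcommand so the check can be tried
# without touching the live firewall.
example_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# From /etc/rc.local (option 1 on this page):
#   /usr/local/sbin/iptables-persist.sh restore
case "${1:-}" in
    save)    save_rules "${2:-$RULES_FILE}" ;;
    restore) restore_rules "${2:-$RULES_FILE}" ;;
    check)   check_rules_file "${2:-$RULES_FILE}" ;;
    demo)    f=$(mktemp) && example_rules > "$f" && check_rules_file "$f"; rc=$?; rm -f "$f"; exit $rc ;;
    "")      ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 save|restore|check|demo [FILE]" >&2; exit 2 ;;
esac
```

Run `save` after every rule change and `restore` from /etc/rc.local (or from an init script, which runs earlier in boot). The check is structural only: it accepts the file above unchanged even though its first INPUT rule accepts TCP 873 from any source before the jump into RH-Firewall-1-INPUT, which makes the source-restricted TCP 873 rule inside that chain unreachable; reviewing rule order is still a manual job.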