1. 保存和备份iptables规则
保存规则的命令是“service iptables save”,它会将防火墙规则保存到/etc/sysconfig/iptables文件内,这个文件就是iptables的配置文件。
备份规则的命令是“iptables-save > filename”,而恢复规则的命令是“iptables-restore < filename”,其中,filename指备份文件的文件名。注意:iptables -F只清空各链中的规则,不会改变链的默认策略;本例中默认策略均为ACCEPT,所以从清空到恢复之间主机是完全开放的,而若默认策略为DROP则可能把自己(例如当前的SSH会话)锁在外面,因此应先备份再清空;
[root@yuioplvlinux-128 ~]# iptables-save > /usr/myipt.rule #备份规则至/usr/myipt.rule
[root@yuioplvlinux-128 ~]# iptables -F #删除规则
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 11 packets, 768 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 740 bytes)
pkts bytes target prot opt in out source destination
[root@yuioplvlinux-128 ~]# iptables-restore < /usr/myipt.rule #从/usr/myipt.rule恢复规则
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7 468 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
pkts bytes target prot opt in out source destination
2. firewalld防火墙
因为在之前,禁用了firewalld服务,现在需要重新打开,执行的命令如下:
[root@yuioplvlinux-128 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@yuioplvlinux-128 ~]# systemctl stop iptables
[root@yuioplvlinux-128 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@yuioplvlinux-128 ~]# systemctl start firewalld
在开启firewalld服务之前,需要先将iptables服务关闭;
打开firewalld之后,查看firewalld的默认规则,会发现这些规则要比之前iptables服务的默认规则复杂得多;
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 12 packets, 1224 bytes)
pkts bytes target prot opt in out source destination
12 1224 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
1 92 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
pkts bytes target prot opt in out source destination
1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
firewalld有两个概念需要注意,分别是zone和service,每一个zone里面有不同的iptables规则,默认一共有9个zone,CentOS默认的zone为public。
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zones #获取系统所有的zone
block dmz drop external home internal public trusted work
[root@yuioplvlinux-128 ~]# firewall-cmd --get-default-zone #查看系统默认的zone
public
9个zone:
1)drop(丢弃):任何收到的网络数据包都被丢弃,没有任何回复。仅能有发送出去的网络连接;
2)block(限制):任何收到的网络连接都会被拒绝,并以IPv4的icmp-host-prohibited信息和IPv6的icmp6-adm-prohibited信息作出回应;
3)public(公共):在公共区域内使用,不能相信网络内的其它计算机不会对你的计算机造成危害,只能接受经过选择的连接;
4)external(外部):用于外部网络,特别是路由器启用了伪装(masquerade)功能的场景;你不能信任网络中的其他计算机,不能相信它们不会对你的计算机造成危害,只能接受经过选择的连接;
5)dmz(非军事区):用于你的非军事区内计算机,此区域内可公开访问,可以有限地进入你的内部网络,仅仅接受经过选择的连接;
6)work(工作):用于工作区,你可以基本相信网络内的其它计算机不会危害你的计算机,仅仅接受经过选择的连接;
7)home(家庭):用于家庭网络,你可以基本上信任网络内的其它计算机不会威胁你的计算机,仅仅接受经过选择的连接;
8)internal(内部):用于内部网络,你可以基本上信任网络内的其它计算机不会危害你的计算机,仅仅接受经过选择的连接;
9)trusted(信任):可接受所有的网络连接。
2.1 zone的操作
修改默认的zone为work;
[root@yuioplvlinux-128 ~]# firewall-cmd --set-default-zone=work
success
[root@yuioplvlinux-128 ~]# firewall-cmd --get-default-zone
work
查看指定网卡所在的zone;
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
给指定网卡设置zone;
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=lo
public
针对网卡更改zone;
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=lo
dmz
针对网卡删除zone;
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@yuioplvlinux-128 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
查看系统所有网卡所在的zone;
[root@yuioplvlinux-128 ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
2.2 service的操作
查看所有的services,加不加‘s’都可以;
[root@yuioplvlinux-128 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@yuioplvlinux-128 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
查看当前zone下有哪些service;
[root@yuioplvlinux-128 ~]# firewall-cmd --list-services
ssh dhcpv6-client
把http添加到public zone下面(不加--permanent时只修改运行时配置,执行--reload或重启firewalld后会丢失);
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=public --add-service=http
success
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
这些service都是由一个个XML配置文件定义的:service的配置模板在/usr/lib/firewalld/services/目录下,zone的配置模板在/usr/lib/firewalld/zones/目录下;真正生效的自定义配置分别放在/etc/firewalld/services和/etc/firewalld/zones目录下(默认为空),其中同名文件会覆盖对应的模板;
[root@yuioplvlinux-128 ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
ftp服务自定义端口1121,需要在work zone下放行ftp:
[root@yuioplvlinux-128 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@yuioplvlinux-128 ~]# vim /etc/firewalld/services/ftp.xml
把默认的21端口改为1121端口,如下(注意:nf_conntrack_ftp模块默认只跟踪21端口上的FTP控制连接,改用非标准端口后,被动模式的数据连接可能不会被自动放行,需另行确认该模块的ports参数):
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
[root@yuioplvlinux-128 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@yuioplvlinux-128 ~]# vim /etc/firewalld/zones/work.xml
增加一行“<service name="ftp"/>”;
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
重新加载使/etc/firewalld下的永久配置生效,可以看到work zone下面多了一个ftp。
[root@yuioplvlinux-128 ~]# firewall-cmd --reload
success
[root@yuioplvlinux-128 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
---------------------
作者:秦晋一时繁华
来源:CSDN
原文:https://blog.csdn.net/yuioplv/article/details/80274616
版权声明:本文为博主原创文章,转载请附上博文链接!