iptables规则备份和恢复
[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Fri Mar 16 05:49:36 2018
*nat
:PREROUTING ACCEPT [2:123]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [1:71]
:POSTROUTING ACCEPT [2:123]
-A PREROUTING -d 192.168.12.128/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.12.128
COMMIT
# Completed on Fri Mar 16 05:49:36 2018
# Generated by iptables-save v1.4.21 on Fri Mar 16 05:49:36 2018
*filter
:INPUT ACCEPT [288:21940]
:FORWARD ACCEPT [55:7156]
:OUTPUT ACCEPT [182:26748]
COMMIT
# Completed on Fri Mar 16 05:49:36 2018
[root@localhost ~]# iptables-restore < /tmp/ipt.txt
firewalld的9个zone
打开firewalld（先停用并禁用iptables服务，再启用firewalld）
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
默认使用public这个zone（zone即一组规则集）
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-default-zone
public
9个zone
firewalld关于zone的操作
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
查看指定网卡所属的zone
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.12.128 netmask 255.255.255.0 broadcast 192.168.12.255
inet6 fe80::20c:29ff:fe92:105d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:92:10:5d txqueuelen 1000 (Ethernet)
RX packets 11453 bytes 8021159 (7.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3727 bytes 457491 (446.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fe92:1067 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:92:10:67 txqueuelen 1000 (Ethernet)
RX packets 132 bytes 13476 (13.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 202 bytes 28378 (27.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eno16777736
public
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
如果发现显示no zone，需要先把该网卡的配置文件（/etc/sysconfig/network-scripts/ifcfg-网卡名）配置好，
再重启网络服务，
然后重启firewalld服务。
[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-ens33 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
ifdown-post ifup-bnep ifup-routes
[root@localhost ~]# systemctl restart network
[root@localhost ~]# systemctl restart firewalld
[root@localhost network-scripts]# !vim
vim ifcfg-ens37
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# systemctl restart firewalld
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
public
还可以单独给网卡设置zone
[root@localhost network-scripts]# firewall-cmd --zone=public --remove-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
[root@localhost network-scripts]# firewall-cmd --zone=public --change-interface=ens37
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
[root@localhost network-scripts]# firewall-cmd --get-active-zones
dmz
interfaces: eno16777736
public
interfaces: ens37
firewalld关于service的操作
trusted和block这两个zone是没有service的
[root@localhost network-scripts]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost network-scripts]# firewall-cmd --get-default-zone
public
给指定zone添加service
加 --permanent 表示写入配置文件（永久生效，但需要 reload 后才会应用到运行中的规则）；不加则只在当前运行状态生效，重启后丢失
[root@localhost network-scripts]# firewall-cmd --list-service
dhcpv6-client ssh
[root@localhost network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@localhost network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@localhost network-scripts]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="ftp"/>
</zone>
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="ftp"/>
<service name="http"/>
</zone>
zones的配置文件以及备份
service的模板
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# ls /etc/firewalld/services/
[root@localhost ~]# ls /usr/lib
lib/ lib64/ libexec/
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
[root@localhost ~]# ls /usr/lib/firewalld/services/
amanda-client.xml nrpe.xml
amanda-k5-client.xml ntp.xml
bacula-client.xml openvpn.xml
bacula.xml ovirt-imageio.xml
bitcoin-rpc.xml ovirt-storageconsole.xml
bitcoin-testnet-rpc.xml ovirt-vmconsole.xml
bitcoin-testnet.xml pmcd.xml
bitcoin.xml pmproxy.xml
ceph-mon.xml pmwebapis.xml
ceph.xml pmwebapi.xml
cfengine.xml pop3s.xml
condor-collector.xml pop3.xml
ctdb.xml postgresql.xml
dhcpv6-client.xml privoxy.xml
dhcpv6.xml proxy-dhcp.xml
dhcp.xml ptp.xml
dns.xml pulseaudio.xml
docker-registry.xml puppetmaster.xml
dropbox-lansync.xml quassel.xml
elasticsearch.xml radius.xml
freeipa-ldaps.xml RH-Satellite-6.xml
freeipa-ldap.xml rpc-bind.xml
freeipa-replication.xml rsh.xml
freeipa-trust.xml rsyncd.xml
ftp.xml samba-client.xml
ganglia-client.xml samba.xml
ganglia-master.xml sane.xml
high-availability.xml sips.xml
https.xml sip.xml
http.xml smtp-submission.xml
imaps.xml smtps.xml
imap.xml smtp.xml
ipp-client.xml snmptrap.xml
ipp.xml snmp.xml
ipsec.xml spideroak-lansync.xml
iscsi-target.xml squid.xml
kadmin.xml ssh.xml
kerberos.xml synergy.xml
kibana.xml syslog-tls.xml
klogin.xml syslog.xml
kpasswd.xml telnet.xml
kshell.xml tftp-client.xml
ldaps.xml tftp.xml
ldap.xml tinc.xml
libvirt-tls.xml tor-socks.xml
libvirt.xml transmission-client.xml
managesieve.xml vdsm.xml
mdns.xml vnc-server.xml
mosh.xml wbem-https.xml
mountd.xml xmpp-bosh.xml
mssql.xml xmpp-client.xml
ms-wbt.xml xmpp-local.xml
mysql.xml xmpp-server.xml
nfs.xml
需求：ftp服务使用自定义端口1121，需要在work zone下面放行ftp
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml
（将端口21修改为1121）
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short> <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml
（增加一行，放在 </zone> 之前）
<service name="ftp"/>
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp