Linux study notes 033 - daily operations - backing up and restoring iptables rules, the 9 firewalld zones, zone operations, service operations

Published 2018-01-30, 293 views


Backing up and restoring iptables rules

service iptables save: saves the current rules to /etc/sysconfig/iptables (this is the file the iptables service loads at boot)

iptables-save > 01.txt: dumps the rules of every loaded table to the given file (iptables-save -t nat would limit the dump to one table)

[root@am-01:~#] iptables-save > 01.txt

[root@am-01:~#] cat 01.txt

# Generated by iptables-save v1.4.21 on Sun Jan 21 21:24:05 2018

*nat

:PREROUTING ACCEPT [0:0]

:INPUT ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

-A PREROUTING -d 192.168.133.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22

-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.133.130

COMMIT

# Completed on Sun Jan 21 21:24:05 2018

iptables-restore < 01.txt: restores the rules. Each table listed in the file is flushed and replaced by the file's contents; tables not in the file are left untouched, and -n (--noflush) appends instead of replacing.

[root@am-01:~#] iptables -t nat -F

[root@am-01:~#] iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

[root@am-01:~#] iptables-restore < 01.txt

[root@am-01:~#] iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target   prot opt in   out  source         destination         

  0     0    DNAT     tcp  --  *    *   0.0.0.0/0     192.168.133.130      tcp dpt:1122 to:192.168.100.100:22



Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         



Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target  prot opt in   out   source            destination         

    0     0 SNAT     all  --  *    *   192.168.100.100     0.0.0.0/0            to:192.168.133.130
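A small pre-restore check, added here by the editor and not part of the original notes. It recreates the dump shown above as a constructed sample and verifies that each table block in a dump is closed by COMMIT before the file is handed to iptables-restore: a dump that was truncated (interrupted save, full disk) loses its COMMIT, and a table whose COMMIT is missing is never written to the kernel, so that table silently ends up not restored. The backup wrapper also creates the file with mode 0600, since a saved ruleset reveals internal addresses and port mappings. The function names and the file paths are assumptions; the two wrappers that call iptables-save and iptables-restore need root and are not exercised offline.

```shell
#!/bin/sh
# Sanity checks for an iptables-save dump before iptables-restore uses it.
# Editor's example, not from the notes; function names and paths are assumptions.

# Print the tables a dump touches (these are exactly the tables
# iptables-restore will flush and replace).
ruleset_tables() {
    awk '/^\*/ { sub(/^\*/, ""); print }' "$1"
}

# Return 0 when every "*table" block is closed by COMMIT and no rule or chain
# line appears outside a table block; return 1 otherwise.
ruleset_check() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/      { if (open) bad = 1; open = 1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        !open      { bad = 1 }
        END        { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

# Number of rules (-A lines) in a dump; handy to compare against the live
# count from "iptables-save | grep -c ^-A" after a restore.
ruleset_rule_count() {
    grep -c '^-A ' "$1"
}

# Backup with restrictive permissions, then verify the dump is complete.
backup_rules() {
    ( umask 077; iptables-save > "$1" ) && ruleset_check "$1"
}

# Restore only a dump that passes the check (add -c to restore counters too).
restore_rules() {
    ruleset_check "$1" && iptables-restore < "$1"
}

# Constructed sample: the nat-table dump shown in the notes above.
sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Sun Jan 21 21:24:05 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.133.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.133.130
COMMIT
# Completed on Sun Jan 21 21:24:05 2018
EOF
}
```

Usage on a live box: `backup_rules /root/iptables-$(date +%F).rules` before a change, `restore_rules /root/iptables-2018-01-21.rules` to roll back; `ruleset_tables` tells you beforehand which tables the restore is going to replace.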

firewalld

The 9 zones of firewalld

Enable firewalld and disable iptables (both services manage the same netfilter tables, so stop the iptables service before starting firewalld)

[root@am-01:~#] systemctl disable iptables.service

rm '/etc/systemd/system/basic.target.wants/iptables.service'

[root@am-01:~#] systemctl stop iptables.service

[root@am-01:~#] systemctl enable firewalld.service

ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'

ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'

[root@am-01:~#] systemctl start firewalld.service

There are 9 zones by default, and public is the default zone

[root@am-01:~#] firewall-cmd --get-zones

block dmz drop external home internal public trusted work

Query the default zone

[root@am-01:~#] firewall-cmd --get-default-zone

public

Explanation of the 9 zones (from the zone definitions shipped in /usr/lib/firewalld/zones/, ordered from least to most trusting):

drop: every incoming packet is dropped without a reply; only outgoing connections are possible.

block: incoming connections are rejected with icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6); only connections initiated from this host are possible.

public: for public areas, where other hosts on the network are not trusted; only selected incoming connections are accepted (ssh and dhcpv6-client by default).

external: for external networks, typically the outside interface of a router, with masquerading enabled; only selected incoming connections are accepted.

dmz: for publicly reachable hosts in a demilitarized zone with limited access to the internal network; only selected incoming connections are accepted.

work: for work areas, where other hosts are mostly trusted; only selected incoming connections are accepted (ssh, dhcpv6-client and ipp-client by default, as the --list-services output below shows).

home: for home areas, where other hosts are mostly trusted; only selected incoming connections are accepted.

internal: for internal networks, where other hosts are mostly trusted; only selected incoming connections are accepted.

trusted: all network connections are accepted.

Zone operations

Set the default zone (applies to any interface that is not explicitly bound to a zone)

[root@am-01:~#] firewall-cmd --set-default-zone=work

success

[root@am-01:~#] firewall-cmd --get-default-zone

work

Query which zone a given interface belongs to

[root@am-01:~#] firewall-cmd --get-zone-of-interface=eno16777736

work

[root@am-01:~#] firewall-cmd --get-zone-of-interface=lo

no zone

Bind a given interface to a zone

[root@am-01:~#] firewall-cmd --zone=dmz --add-interface=lo

success

[root@am-01:~#] firewall-cmd --get-zone-of-interface=lo

dmz

Move a given interface to a different zone

[root@am-01:~#] firewall-cmd --zone=public --change-interface=eno16777736

success

[root@am-01:~#] firewall-cmd --get-zone-of-interface=eno16777736

public

Remove an interface from a zone

[root@am-01:~#] firewall-cmd --zone=dmz --remove-interface=lo

success

[root@am-01:~#] firewall-cmd --get-zone-of-interface=lo

no zone

View the active zones, i.e. every zone that currently has an interface (or source) bound to it

[root@am-01:~#] firewall-cmd --get-active-zones

public

  interfaces: eno16777736

Service operations

List all predefined services

[root@am-01:~#] firewall-cmd --get-services

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

View the services of the current default zone (--list-services without --zone refers to the default zone, which was set to work above, hence ipp-client appears)

[root@am-01:~#] firewall-cmd --list-services

dhcpv6-client ipp-client ssh

View the services of a given zone

[root@am-01:~#] firewall-cmd --zone=public --list-services

dhcpv6-client ssh

Add a service to a given zone (takes effect immediately, runtime configuration only)

[root@am-01:~#] firewall-cmd --zone=public --add-service=http

success

[root@am-01:~#] firewall-cmd --zone=public --add-service=ftp

success

[root@am-01:~#] firewall-cmd --zone=public --list-services

dhcpv6-client ftp http ssh

Add a service to a given zone and write it to the configuration file; the configuration files live under /etc/firewalld/zones/. --permanent only writes the zone file and does not change the running rules: run firewall-cmd --reload (or repeat the command without --permanent) for it to take effect. The converse also holds: a service added without --permanent, like ftp above, disappears at the next reload or restart.

The templates for these files are the shipped defaults in /usr/lib/firewalld/zones/; a file with the same name under /etc/firewalld/zones/ takes precedence over the shipped one.

[root@am-01:~#] firewall-cmd --zone=public --add-service=http --permanent

success

[root@am-01:~#] cat /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>

<zone>

  <short>Public</short>

  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

  <service name="dhcpv6-client"/>

  <service name="http"/>

  <service name="ssh"/>

</zone>

[root@am-01:~#] ls /usr/lib/firewalld/zones/

block.xml  drop.xml      home.xml      public.xml   work.xml

dmz.xml    external.xml  internal.xml  trusted.xml

Practice

The FTP service listens on a custom port, 1121, and has to be allowed in the work zone (done here by editing the configuration files). Two caveats: the copy of ftp.xml placed under /etc/firewalld/services/ overrides the ftp service definition for every zone, not only work, and the shipped ftp.xml also loads the nf_conntrack_ftp helper, which only tracks port 21 unless it is configured for the custom port. Also, the rule only affects traffic on an interface that is bound to work, whereas eno16777736 was moved to public above (see --get-active-zones).

[root@am-01:~#] cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

[root@am-01:~#] vim /etc/firewalld/services/ftp.xml

Change the <port> element in the copied file to:

  <port protocol="tcp" port="1121"/>

[root@am-01:~#] cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

[root@am-01:~#] vim /etc/firewalld/zones/work.xml

Add the ftp service to the zone, next to the existing <service> elements:

  <service name="ftp"/>

[root@am-01:~#] firewall-cmd --reload

success

[root@am-01:~#] firewall-cmd --list-services    (default zone, i.e. work)

dhcpv6-client ftp ipp-client ssh
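The same result as the practice above, done with a dedicated service and firewall-cmd instead of overriding the stock ftp definition, plus two offline helpers for reading the zone and service XML files described in the section on configuration files. This is an added example by the editor, not code from the notes; the service name ftp-1121 and the file paths are assumptions, and the constructed zone file is a copy of the public.xml shown earlier. The generated service definition deliberately has no <module> line, because the nf_conntrack_ftp helper that the shipped ftp.xml loads only watches port 21 unless configured otherwise. The apply function needs root and a running firewalld and is not run offline.

```shell
#!/bin/sh
# Allow FTP on port 1121 in the work zone via a dedicated firewalld service.
# Editor's example, not from the notes; name ftp-1121 and paths are assumptions.

# Emit a service definition in the shape of the files under
# /usr/lib/firewalld/services/: $1 = name, $2 = port, $3 = protocol (tcp).
service_xml() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <description>FTP control channel on port $2.</description>
  <port protocol="${3:-tcp}" port="$2"/>
</service>
EOF
}

# Services allowed by a zone XML file, one name per line.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Ports opened by a service XML file, as port/protocol, one per line.
service_ports() {
    sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\2\/\1/p' "$1"
}

# Constructed sample: the public.xml shown in the notes after
# --add-service=http --permanent (description shortened).
sample_zone() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>
EOF
}

# Live procedure (root, firewalld running). The --permanent steps are
# inactive until --reload, and the reload discards anything that was added
# without --permanent. The interface must be bound to work for the rule to
# apply; in the notes eno16777736 had been moved to public.
apply_custom_ftp() {
    firewall-cmd --permanent --new-service=ftp-1121 &&
    firewall-cmd --permanent --service=ftp-1121 --add-port=1121/tcp &&
    firewall-cmd --permanent --zone=work --add-service=ftp-1121 &&
    firewall-cmd --reload &&
    firewall-cmd --zone=work --list-services
}
```

After `apply_custom_ftp`, `service_ports /etc/firewalld/services/ftp-1121.xml` should print `1121/tcp` and `zone_services /etc/firewalld/zones/work.xml` should include `ftp-1121`; the stock ftp service and its conntrack helper are left untouched for the other zones.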