10.19 Backing up and restoring iptables rules, firewalld's 9 zones, and service operations
Views: 6298
Published: 2019-06-22



Saving and backing up iptables rules

  • Summary:
    Save the iptables rules:
    service iptables save
    Back up the iptables rules to the file my.ipt:
    iptables-save > my.ipt
    Restore the rules just backed up:
    iptables-restore < my.ipt

1. Save the rules

[root@linux-128 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ]

The rules are written to the configuration file /etc/sysconfig/iptables.

Check the saved rules:

[root@linux-128 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Dec  4 02:46:23 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [162:11232]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec  4 02:46:23 2017

2. Back up the rules

[root@linux-128 ~]# iptables-save >/tmp/myiptables.rule

3. View the backed-up rules

[root@linux-128 ~]# cat /tmp/myiptables.rule
# Generated by iptables-save v1.4.21 on Mon Dec  4 02:49:42 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [261:20920]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec  4 02:49:42 2017

4. Restore the rules

[root@linux-128 ~]# iptables-restore < /tmp/myiptables.rule

Restoring normally means loading rules from such a backup file. Note: when the server reboots or the iptables service is restarted, it automatically loads the rules from the configuration file /etc/sysconfig/iptables.
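As an added example (not from the original post), a small POSIX shell check to run on a backup file before passing it to iptables-restore: it confirms the dump is complete and that the rule accepting new TCP connections to port 22 is still present, since a restore that drops that rule cuts off the SSH session doing the restoring. The sample dump is this post's ruleset re-typed as constructed test input, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an iptables-save
# dump before handing it to iptables-restore, so a truncated or edited backup
# cannot lock the administrator out of SSH when it is loaded.

# write_sample_dump FILE: writes a constructed copy of this post's ruleset
# (the /tmp/myiptables.rule contents) to FILE, used here as test input.
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Dec  4 02:49:42 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [261:20920]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Dec  4 02:49:42 2017
EOF
}

# check_ipt_backup FILE [PORT]: prints "ok" when FILE is a complete dump whose
# filter table still accepts new TCP connections to PORT (default 22, the
# management port); otherwise prints the first problem found and returns 1.
check_ipt_backup() {
    file=$1; port=${2:-22}
    [ -s "$file" ] || { echo "empty or missing: $file"; return 1; }
    grep -q '^\*filter$' "$file" || { echo "no *filter table"; return 1; }
    # every *table header needs its COMMIT, or iptables-restore aborts midway
    tables=$(grep -c '^\*' "$file" || :)
    commits=$(grep -c '^COMMIT$' "$file" || :)
    [ "$tables" -eq "$commits" ] || { echo "table/COMMIT mismatch"; return 1; }
    # the rule that keeps the restoring session alive must survive in the dump
    grep -Eq "^-A INPUT .*-p tcp .*--dport ${port}( |$).*-j ACCEPT" "$file" \
        || { echo "no ACCEPT for tcp/$port in INPUT"; return 1; }
    echo ok
}

# Typical use on the server from this post:
#   check_ipt_backup /tmp/myiptables.rule && iptables-restore < /tmp/myiptables.rule
```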


firewalld's 9 zones

• Enabling firewalld

• systemctl disable iptables
• systemctl stop iptables
• systemctl enable firewalld
• systemctl start firewalld
• firewalld has 9 zones by default
• The default zone is public
• firewall-cmd --get-zones // list all zones
• firewall-cmd --get-default-zone // show the default zone


  1. Stop netfilter (the iptables service) from starting at boot
[root@linux-128 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
  2. Stop netfilter (the iptables service)
[root@linux-128 ~]# systemctl stop iptables
  3. Enable firewalld at boot
[root@linux-128 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
  4. Start firewalld
[root@linux-128 ~]# systemctl start firewalld
  5. View the default rules firewalld installs (nat table)
[root@linux-128 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 POST_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POST_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PRE_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 PRE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 PRE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PRE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 PRE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination
  6. firewalld has 9 zones. A zone is firewalld's unit of configuration; on CentOS 7 the default is public.

  7. List all zones

[root@linux-128 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block  // exactly 9 zones
  8. Show the system default zone
[root@linux-128 ~]# firewall-cmd --get-default-zone
public
  9. Introduction to the 9 zones [image not preserved]

firewalld zone operations

• firewall-cmd --set-default-zone=work // set the default zone

• firewall-cmd --get-zone-of-interface=ens33 // show the zone of a given interface
• firewall-cmd --zone=public --add-interface=lo // assign a zone to an interface
• firewall-cmd --zone=dmz --change-interface=lo // change an interface's zone
• firewall-cmd --zone=dmz --remove-interface=lo // remove an interface from a zone
• firewall-cmd --get-active-zones // show the zones of all interfaces on the system


  1. Change the default zone
[root@linux-128 ~]# firewall-cmd --get-default-zone   // show the current default zone
public
[root@linux-128 ~]# firewall-cmd --set-default-zone=work // change the default zone
success
[root@linux-128 ~]# firewall-cmd --get-default-zone  // show the default zone again
work
  2. Show the zone of a given interface
[root@linux-128 ~]# firewall-cmd --get-zone-of-interface=ens33
work
  3. Assign a zone to an interface
[root@linux-128 ~]# firewall-cmd --zone=home --add-interface=lo     // put interface lo in the home zone
success
[root@linux-128 ~]# firewall-cmd --get-zone-of-interface=lo   // show the zone of lo
home
  4. Change an interface's zone
[root@linux-128 ~]# firewall-cmd --zone=dmz --change-interface=lo  // move lo to the dmz zone
success
[root@linux-128 ~]# firewall-cmd --get-zone-of-interface=lo  // show the zone of lo
dmz
  5. Remove an interface from a zone
[root@linux-128 ~]# firewall-cmd --zone=dmz  --remove-interface=lo
success
[root@linux-128 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
  6. Show the zones of all interfaces on the system
[root@linux-128 ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33

firewalld service operations

• firewall-cmd --get-services // list all services

• firewall-cmd --list-services // list the services in the current zone
• firewall-cmd --zone=public --add-service=http // add http to the public zone
• firewall-cmd --zone=public --remove-service=http
• ls /usr/lib/firewalld/zones/ // zone configuration templates
• firewall-cmd --zone=public --add-service=http --permanent // change the configuration file; afterwards a configuration file is generated under /etc/firewalld/zones
• Requirement: the ftp service uses the custom port 1121 and must be allowed in the work zone
• cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
• vi /etc/firewalld/services/ftp.xml // change 21 to 1121
• cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
• vi /etc/firewalld/zones/work.xml // add one line:
• <service name="ftp"/>
• firewall-cmd --reload // reload
• firewall-cmd --zone=work --list-services


  1. List all services
[root@linux-128 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
  2. List the services in the current zone
[root@linux-128 ~]# firewall-cmd --get-default-zone   // show the current default zone
work
[root@linux-128 ~]# firewall-cmd --list-services   // list the services in the current default zone
ssh dhcpv6-client
  3. List the services in a given zone
[root@linux-128 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
  4. Add a service to a given zone
[root@linux-128 ~]# firewall-cmd --zone=public --add-service=ftp // add the ftp service to public
success
[root@linux-128 ~]# firewall-cmd --zone=public --list-services // list the services in public
dhcpv6-client ssh http ftp

  5. Remove a service from a given zone

[root@linux-128 ~]# firewall-cmd --zone=public --remove-service=http // remove the http service from public
success
[root@linux-128 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh ftp
  6. Zone configuration templates
[root@linux-128 ~]# ls /usr/lib/firewalld/zones
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml

  7. Change a zone's configuration file

[root@linux-128 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@linux-128 ~]# cat /etc/firewalld/zones/public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
// http has already been added

Add another service, ftp:

[root@linux-128 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@linux-128 ~]# cat /etc/firewalld/zones/public.xml
Public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
// ftp has already been added

Case: the ftp service uses the custom port 1121 and must be allowed in the work zone

Copy the service configuration file ftp.xml:

[root@linux-128 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@linux-128 ~]# vi /etc/firewalld/services/ftp.xml

The configuration file reads as follows:

FTP
FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.

Copy the zone configuration file work.xml:

[root@linux-128 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@linux-128 ~]# vi /etc/firewalld/zones/work.xml

The configuration file reads as follows:

Work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Reload: firewall-cmd --reload

[root@linux-128 ~]# firewall-cmd --reload
success

List the services in the work zone:

[root@linux-128 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
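The custom-port ftp procedure (the bullet list in the service-operations summary and the walkthrough just shown), as an added example that is not from the original post: idempotent POSIX shell functions that copy and edit the service and zone files the way the vi steps do, so a second run does not duplicate the service line. The ftp.xml and work.xml stand-ins are constructed minimal files, and FW_LIB/FW_ETC and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the "ftp on port 1121 in the work
# zone" procedure as idempotent shell functions. FW_LIB and FW_ETC default to
# the real firewalld paths and can be pointed at scratch directories to dry-run.
FW_LIB=${FW_LIB:-/usr/lib/firewalld}
FW_ETC=${FW_ETC:-/etc/firewalld}

# write_sample_templates DIR: constructed, minimal stand-ins for the stock
# ftp.xml and work.xml (offline testing only; real templates live in FW_LIB).
write_sample_templates() {
    mkdir -p "$1/services" "$1/zones"
    cat > "$1/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
</service>
EOF
    cat > "$1/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
}

# customize_service NAME OLDPORT NEWPORT: copy the stock service definition
# into FW_ETC (which takes precedence over FW_LIB) with the port rewritten.
customize_service() {
    mkdir -p "$FW_ETC/services"
    sed "s/port=\"$2\"/port=\"$3\"/" "$FW_LIB/services/$1.xml" > "$FW_ETC/services/$1.xml"
}

# zone_has_service ZONE NAME: succeeds when the persistent zone file lists NAME.
zone_has_service() { grep -q "<service name=\"$2\"/>" "$FW_ETC/zones/$1.xml"; }

# add_service_to_zone ZONE NAME: copy the zone template if not yet customized,
# then insert <service name="NAME"/> before </zone> unless it is already there.
add_service_to_zone() {
    zf=$FW_ETC/zones/$1.xml
    mkdir -p "$FW_ETC/zones"
    [ -f "$zf" ] || cp "$FW_LIB/zones/$1.xml" "$zf"
    if zone_has_service "$1" "$2"; then return 0; fi
    awk -v line="  <service name=\"$2\"/>" '/<\/zone>/ { print line } { print }' \
        "$zf" > "$zf.tmp" && mv "$zf.tmp" "$zf"
}

# Real host: customize_service ftp 21 1121; add_service_to_zone work ftp; firewall-cmd --reload
```

After the reload, firewall-cmd --zone=work --list-services should show ftp as in the walkthrough above.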

Reposted from: https://my.oschina.net/u/3866516/blog/1857737
