iptables rule backup
Save the current rules to /etc/sysconfig/iptables:
service iptables save
Back up the iptables rules to the file my.ipt:
iptables-save > my.ipt
Restore the backup just taken:
iptables-restore < my.ipt
Reload the rules stored in /etc/sysconfig/iptables (restart the service):
service iptables restart
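Backing up is only half the job: after iptables-restore you want to know that the live rule set really matches my.ipt. Two dumps of the same rules never compare byte-for-byte, because the "# Generated by" / "# Completed on" timestamp comments and (with iptables-save -c) the [packets:bytes] counters change on every run. The script below is an added example, not part of the original notes: it strips those volatile parts and reports the rules that differ per table. The two dumps embedded in it are constructed samples; on a real host pass the saved file and a fresh dump as the two arguments.

```python
"""Compare a saved iptables-save dump with a fresh one and report rules that
differ, ignoring timestamps and packet/byte counters. Added example (not part
of the original notes); the two dumps below are constructed samples."""
import re
import sys

# Constructed sample: what `iptables-save -c > my.ipt` could have written.
SAVED_DUMP = """\
# Generated by iptables-save v1.4.21 on Mon Jan  1 10:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[120:9600] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[7:420] -A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan  1 10:00:00 2018
"""

# Constructed sample: a dump taken after the restore. Counters and timestamps
# differ (harmless), but the ssh rule is gone and an unexpected rule appeared.
LIVE_DUMP = """\
# Generated by iptables-save v1.4.21 on Mon Jan  1 11:30:00 2018
*filter
:INPUT ACCEPT [55:4400]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2480]
[9:720] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[2:120] -A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan  1 11:30:00 2018
"""

COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*")               # '[pkts:bytes] ' before a rule
POLICY_RE = re.compile(r"^(:\S+\s+\S+)\s+\[\d+:\d+\]$")   # ':CHAIN POLICY [pkts:bytes]'


def normalize(dump):
    """Return {table: [line, ...]} with comments, blank lines and counters
    stripped, so two dumps of the same rule set compare equal."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # '*filter' opens a table block
            current = line[1:]
            tables[current] = []
            continue
        if line == "COMMIT":                # closes the table block
            current = None
            continue
        if current is None:
            raise ValueError("line outside a table block: %r" % line)
        match = POLICY_RE.match(line)
        if match:
            line = match.group(1)           # ':INPUT ACCEPT [55:4400]' -> ':INPUT ACCEPT'
        else:
            line = COUNTER_RE.sub("", line)  # '[3:180] -A INPUT ...' -> '-A INPUT ...'
        tables[current].append(line)
    return tables


def diff_dumps(saved, live):
    """Per table: rules in the saved dump that the live one lacks ('missing')
    and rules the live dump has that the saved one lacks ('extra').
    An empty dict means the two rule sets match."""
    a, b = normalize(saved), normalize(live)
    report = {}
    for table in sorted(set(a) | set(b)):
        missing = [r for r in a.get(table, []) if r not in b.get(table, [])]
        extra = [r for r in b.get(table, []) if r not in a.get(table, [])]
        if missing or extra:
            report[table] = {"missing": missing, "extra": extra}
    return report


def main(argv):
    # Usage: python3 iptdiff.py my.ipt current.ipt   (with current.ipt from `iptables-save -c`)
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fa, open(argv[2], encoding="utf-8") as fb:
            saved, live = fa.read(), fb.read()
    else:
        saved, live = SAVED_DUMP, LIVE_DUMP   # fall back to the constructed samples
    report = diff_dumps(saved, live)
    for table, changes in report.items():
        for rule in changes["missing"]:
            print("-%s %s" % (table, rule))
        for rule in changes["extra"]:
            print("+%s %s" % (table, rule))
    return 1 if report else 0              # non-zero exit when the rule sets differ


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The comparison is per table and ignores rule order; if ordering matters for your policy (it usually does for ACCEPT-before-REJECT chains), compare the normalized lists directly instead of the membership test in diff_dumps.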
The firewalld firewall mechanism
firewalld ships with 9 zones and uses public by default; each zone represents one rule set.
List all zones:
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
Show the default (current) zone:
[root@localhost ~]# firewall-cmd --get-default-zone
public
Zone operations
Set the default zone (to work):
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
Query the zone of a given interface (ens33):
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
Assign a given interface (lo) to a zone (public):
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
Change the zone of a given interface (ens33); the command below moves it to public:
[root@localhost ~]# firewall-cmd --zone=public --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'public'.
success
Remove a given interface (lo) from its zone (public):
[root@localhost ~]# firewall-cmd --zone=public --remove-interface=lo
success
List the zones that have interfaces assigned on this system (the active zones):
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens37 ens33
firewalld service operations
A service is a sub-unit of a zone: a named definition that stands for a specific port.
List all predefined services (the option is documented as --get-services; firewall-cmd accepts the unambiguous abbreviation used here):
[root@localhost ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
List the services allowed in the current zone (documented as --list-services):
[root@localhost ~]# firewall-cmd --list-service
ssh dhcpv6-client
List the services allowed in a given zone (public):
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
Add a service (http) to a given zone (public); without --permanent this changes only the running configuration:
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
Add a service (ftp) to a given zone (public) and save it to the configuration file (--permanent; the saved rule becomes active only after a reload):
[root@localhost ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
The saved configuration lands under /etc/firewalld/zones (the first path below is mistyped and does not exist):
[root@localhost ~]# ls /etc/firewall/zones
ls: 無法通路/etc/firewall/zones: 沒有那個檔案或目錄
[root@localhost ~]# ls /etc/firewalld/zones
public.xml public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
Permanent changes are written as configuration files under /etc/firewalld/zones; a file there takes precedence over the template of the same name.
Zone configuration templates: /usr/lib/firewalld/zones
[root@localhost ~]# ls /usr/lib/firewalld/zones
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
Service configuration templates: /usr/lib/firewalld/services
[root@localhost ~]# ls /usr/lib/firewalld/services
amanda-client.xml kpasswd.xml rpc-bind.xml
amanda-k5-client.xml ldaps.xml rsyncd.xml
bacula-client.xml ldap.xml samba-client.xml
bacula.xml libvirt-tls.xml samba.xml
ceph-mon.xml libvirt.xml sane.xml
ceph.xml mdns.xml smtps.xml
dhcpv6-client.xml mosh.xml smtp.xml
dhcpv6.xml mountd.xml snmptrap.xml
dhcp.xml ms-wbt.xml snmp.xml
dns.xml mysql.xml squid.xml
docker-registry.xml nfs.xml ssh.xml
dropbox-lansync.xml ntp.xml synergy.xml
freeipa-ldaps.xml openvpn.xml syslog-tls.xml
freeipa-ldap.xml pmcd.xml syslog.xml
freeipa-replication.xml pmproxy.xml telnet.xml
ftp.xml pmwebapis.xml tftp-client.xml
high-availability.xml pmwebapi.xml tftp.xml
https.xml pop3s.xml tinc.xml
http.xml pop3.xml tor-socks.xml
imaps.xml postgresql.xml transmission-client.xml
imap.xml privoxy.xml vdsm.xml
ipp-client.xml proxy-dhcp.xml vnc-server.xml
ipp.xml ptp.xml wbem-https.xml
ipsec.xml pulseaudio.xml xmpp-bosh.xml
iscsi-target.xml puppetmaster.xml xmpp-client.xml
kadmin.xml radius.xml xmpp-local.xml
kerberos.xml RH-Satellite-6.xml xmpp-server.xml
1. Example: change the default ftp port to 1121, then allow ftp in the work zone
- Copy the ftp service file into /etc/firewalld/services
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
- Then edit it and change the port to 1121 (a custom port for the service)
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
Note that the module element only loads the FTP connection-tracking helper, which watches port 21 by default; with the control channel moved to 1121 the helper must also be told about that port (the nf_conntrack_ftp ports module parameter), otherwise the data connections are not tracked.
- Copy /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
- Edit /etc/firewalld/zones/work.xml and add the ftp service
[root@localhost ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
- Reload firewalld
[root@localhost ~]# firewall-cmd --reload
success
- Check the services in the work zone
[root@localhost ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
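The statement above that a service is a sub-unit of a zone standing for a port, the template/override layout (/usr/lib/firewalld versus /etc/firewalld), and this ftp case all come down to one resolution: zone file, then the service files it names, each looked up in /etc/firewalld first and /usr/lib/firewalld second. The script below is an added example, not firewalld's own code, that performs that resolution and shows what firewall-cmd --list-service does not: the concrete ports the work zone ends up opening, and that the ftp override really replaces 21/tcp with 1121/tcp. The XML files are constructed samples written into a temporary directory; the function bodies work unchanged with root="/" on a real host.

```python
"""Resolve which ports a firewalld zone opens by reading its zone XML and the
service XML files it references, using firewalld's lookup order: a file in
etc/firewalld/<kind>/ overrides the vendor template in usr/lib/firewalld/<kind>/.
Added example, not firewalld's own code; the files below are constructed
samples written under a temporary directory so the script runs anywhere."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Admin overrides are searched first, vendor templates second (relative to root).
SEARCH_BASES = ("etc/firewalld", "usr/lib/firewalld")

# Constructed samples mirroring the case above: vendor work zone and ftp
# service, plus the admin copies that add ftp to work and move ftp to tcp/1121.
SAMPLE_FILES = {
    "usr/lib/firewalld/zones/work.xml":
        '<?xml version="1.0" encoding="utf-8"?><zone><short>Work</short>'
        '<service name="ssh"/><service name="dhcpv6-client"/></zone>',
    "usr/lib/firewalld/services/ssh.xml":
        '<?xml version="1.0" encoding="utf-8"?><service><short>SSH</short>'
        '<port protocol="tcp" port="22"/></service>',
    "usr/lib/firewalld/services/dhcpv6-client.xml":
        '<?xml version="1.0" encoding="utf-8"?><service><short>DHCPv6 Client</short>'
        '<port protocol="udp" port="546"/></service>',
    "usr/lib/firewalld/services/ftp.xml":
        '<?xml version="1.0" encoding="utf-8"?><service><short>FTP</short>'
        '<port protocol="tcp" port="21"/><module name="nf_conntrack_ftp"/></service>',
    "etc/firewalld/zones/work.xml":
        '<?xml version="1.0" encoding="utf-8"?><zone><short>Work</short>'
        '<service name="ssh"/><service name="dhcpv6-client"/><service name="ftp"/></zone>',
    "etc/firewalld/services/ftp.xml":
        '<?xml version="1.0" encoding="utf-8"?><service><short>FTP</short>'
        '<port protocol="tcp" port="1121"/><module name="nf_conntrack_ftp"/></service>',
}


def find_config(root, kind, name, use_overrides=True):
    """Path of the XML file firewalld would load for <kind>/<name>.xml."""
    bases = SEARCH_BASES if use_overrides else SEARCH_BASES[1:]
    for base in bases:
        path = os.path.join(root, base, kind, name + ".xml")
        if os.path.isfile(path):
            return path
    raise FileNotFoundError("no %s definition named %r" % (kind, name))


def service_ports(root, name, use_overrides=True):
    """[(protocol, port), ...] declared by a service definition."""
    tree = ET.parse(find_config(root, "services", name, use_overrides))
    return [(p.get("protocol"), p.get("port")) for p in tree.getroot().findall("port")]


def zone_open_ports(root, zone):
    """{service_name: [(protocol, port), ...]} for every service the zone
    allows, plus any <port> elements the zone opens directly."""
    node = ET.parse(find_config(root, "zones", zone)).getroot()
    opened = {}
    for svc in node.findall("service"):
        opened[svc.get("name")] = service_ports(root, svc.get("name"))
    direct = [(p.get("protocol"), p.get("port")) for p in node.findall("port")]
    if direct:
        opened["(zone ports)"] = direct
    return opened


def write_samples(root):
    """Materialise the constructed sample tree under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Resolve the work zone, and ftp with and without the admin override."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return {
            "work": zone_open_ports(root, "work"),
            "ftp_vendor": service_ports(root, "ftp", use_overrides=False),
            "ftp_effective": service_ports(root, "ftp"),
        }


if __name__ == "__main__":
    result = demo()
    for name, ports in result["work"].items():
        print("%-14s %s" % (name, ", ".join("%s/%s" % (port, proto) for proto, port in ports)))
    print("ftp vendor default:", result["ftp_vendor"], "effective:", result["ftp_effective"])
```

Running it lists ssh 22/tcp, dhcpv6-client 546/udp and ftp 1121/tcp for the work zone, which is the port view behind the "ssh dhcpv6-client ftp" answer from firewall-cmd. Because the override copy of ftp.xml wins for every zone that names ftp, a custom port changed this way applies system-wide, not only in work.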