Backing up and restoring iptables rules; firewalld's nine zones and service operations
Published: 2019-06-18

Saving and backing up iptables rules

  • For the rules to be applied when netfilter is started at boot, they have to be saved to the configuration file /etc/sysconfig/iptables; the command is service iptables save (provided by the iptables-services package on CentOS 7).
  • To save the rules to a file of your choice (a backup): iptables-save > /tmp/1.txt
  • To restore the backed-up rules: iptables-restore < /tmp/1.txt (note the hyphen: the tool is iptables-restore). It flushes and replaces every table present in the file, so only restore a dump you trust. Packet counters are saved and restored only when -c is given to both commands.
[root@localhost ~]# iptables-save >/tmp/1.txt
[root@localhost ~]# cat /tmp/1.txt
# Generated by iptables-save v1.4.21 on Thu Jul 19 23:07:28 2018
*nat
:PREROUTING ACCEPT [47:11121]
:INPUT ACCEPT [46:11049]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:52]
-A PREROUTING -d 192.168.254.100/32 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.254.100
COMMIT
# Completed on Thu Jul 19 23:07:28 2018
# Generated by iptables-save v1.4.21 on Thu Jul 19 23:07:28 2018
*filter
:INPUT ACCEPT [1760:157742]
:FORWARD ACCEPT [329:29526]
:OUTPUT ACCEPT [1218:129196]
COMMIT
# Completed on Thu Jul 19 23:07:28 2018

To test the backup, flush the nat table (simulating a loss of the rules), confirm that its chains are empty, then restore from the file:

[root@localhost ~]# iptables -t nat -F
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables-restore
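Before restoring a dump it pays to verify that the file is structurally complete: a zero-byte backup or one that lost its trailing COMMIT lines (a full disk, an interrupted copy, a careless edit) is exactly what gets discovered during an outage. The script below is an added example, not part of the original post: it checks an iptables-save dump with plain awk (every *table block closed by COMMIT, rules only inside a table, at least one table), counts the rules per table, and wraps the restore so that iptables-restore --test parses the file before anything is committed. SAMPLE_DUMP is constructed after the output above (addresses, ports and the interface name are illustrative) and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check an iptables-save
# dump before handing it to iptables-restore. The checks are plain awk over the
# dump format shown above, so they run without root or iptables installed.
# SAMPLE_DUMP is constructed after the post's output (addresses, ports and the
# interface name are illustrative); the function names are this example's own.

SAMPLE_DUMP='# Generated by iptables-save v1.4.21 on Thu Jul 19 23:07:28 2018
*nat
:PREROUTING ACCEPT [47:11121]
:INPUT ACCEPT [46:11049]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:52]
-A PREROUTING -d 192.168.254.100/32 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.254.100
COMMIT
# Completed on Thu Jul 19 23:07:28 2018
*filter
:INPUT ACCEPT [1760:157742]
:FORWARD ACCEPT [329:29526]
:OUTPUT ACCEPT [1218:129196]
COMMIT
# Completed on Thu Jul 19 23:07:28 2018'

# check_dump FILE
# Every "*table" block must be closed by COMMIT, chain policies (":") and
# rules ("-A") may only appear inside a table, and there must be at least one
# table. Prints "table=<name> rules=<n>" per table; returns 0 if sound, 1 if not.
check_dump() {
    awk '
        BEGIN { bad = 0; open = ""; tables = 0 }
        /^#/ || /^$/ { next }
        /^\*/ {
            if (open != "") { print "ERROR: table " open " not closed by COMMIT"; bad = 1 }
            open = substr($0, 2); n = 0; tables++
            next
        }
        /^COMMIT$/ {
            if (open == "") { print "ERROR: COMMIT outside a table"; bad = 1 }
            else { print "table=" open " rules=" n; open = "" }
            next
        }
        /^:/ {
            if (open == "") { print "ERROR: chain policy outside a table"; bad = 1 }
            next
        }
        /^-A / {
            if (open == "") { print "ERROR: rule outside a table"; bad = 1 } else n++
            next
        }
        { print "ERROR: unrecognised line: " $0; bad = 1 }
        END {
            if (open != "") { print "ERROR: table " open " not closed by COMMIT"; bad = 1 }
            if (tables == 0) { print "ERROR: no table in dump"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# rule_count FILE TABLE -> number of -A rules in TABLE (0 if the table is absent)
rule_count() {
    check_dump "$1" | awk -v want="table=$2" '
        $1 == want { sub(/^rules=/, "", $2); print $2; found = 1 }
        END { if (!found) print 0 }'
}

# safe_restore FILE
# Refuses a malformed dump, then has iptables-restore parse it without
# committing (--test) before the real restore, which replaces every table
# present in the file. Needs root and iptables; the demo below never calls it.
safe_restore() {
    check_dump "$1" >/dev/null || { echo "refusing to restore: $1 is malformed" >&2; return 1; }
    iptables-restore --test < "$1" || { echo "iptables-restore rejected $1" >&2; return 1; }
    iptables-restore < "$1"
}

# Demo: the constructed dump passes; the same dump with its COMMIT lines
# removed (what a truncated or hand-edited backup can look like) is rejected.
DEMO=$(mktemp -d)
printf '%s\n' "$SAMPLE_DUMP" > "$DEMO/good.txt"
grep -v '^COMMIT$' "$DEMO/good.txt" > "$DEMO/bad.txt"
check_dump "$DEMO/good.txt"                               # table=nat rules=3, table=filter rules=0
check_dump "$DEMO/bad.txt" || echo "bad.txt rejected (exit status $?)"
rm -rf "$DEMO"
```

The structural check catches the backup that iptables-restore would otherwise reject half-way through, and iptables-restore --test catches the rest (an unknown match or target module on the restoring host) while the old rules are still in place. Neither step replaces keeping the dump under version control or at least keeping a dated copy per change.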

firewalld is the default firewall on CentOS 7 and later

Earlier we shut firewalld down in order to run the netfilter experiments; now it has to be brought back. firewalld and the iptables service both program netfilter, so only one of them should be enabled at a time: disable and stop the iptables service first, then enable and start firewalld.

  1. Disable the iptables service so it no longer loads rules at boot: systemctl disable iptables
  2. Stop the iptables service: systemctl stop iptables
  3. Enable firewalld: systemctl enable firewalld
  4. Start firewalld: systemctl start firewalld
[root@localhost ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
[root@localhost ~]# systemctl start firewalld

If the iptables-services package stays installed, systemctl mask iptables keeps the unit from being started by accident alongside firewalld.

firewalld zones

  • List firewalld's zones: firewall-cmd --get-zones
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
  • firewalld ships nine zones; the default zone is public. Show the default zone with firewall-cmd --get-default-zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
  • Set the default zone, i.e. switch the default to another zone: firewall-cmd --set-default-zone=work
[root@localhost ~]# firewall-cmd --get-default-zone
public
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
  • Show which zone a given interface belongs to: firewall-cmd --get-zone-of-interface=eno16777736
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
  • Assign an interface to a zone: firewall-cmd --zone=public --add-interface=lo
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
public
  • Move an interface to a different zone: firewall-cmd --zone=dmz --change-interface=lo
[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
dmz
  • Remove an interface from a zone: firewall-cmd --zone=dmz --remove-interface=lo. An interface that is bound to no zone is handled by the default zone.
[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
no zone
  • Show the zone of every interface on the system (only zones with an interface or source bound to them are listed): firewall-cmd --get-active-zones
[root@localhost ~]# firewall-cmd --get-active-zones
dmz
  interfaces: lo
work
  interfaces: eno16777736

firewalld services

  • List all predefined services: firewall-cmd --get-services
[root@localhost ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
  • List the services allowed in the current (default) zone: firewall-cmd --list-services
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ipp-client ssh
  • Add a service (http) to the public zone: firewall-cmd --zone=public --add-service=http. To list the services of a specific zone, use firewall-cmd --list-services --zone=public
[root@localhost ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http ssh
  • Remove a service from a zone: firewall-cmd --zone=public --remove-service=http
[root@localhost ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http ssh
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
[root@localhost ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh
  • The zone templates live in /usr/lib/firewalld/zones. The add and remove operations above change only the running configuration and are not written to any file, so they are lost on firewall-cmd --reload or a restart. To persist a change, append --permanent to the command; firewalld then writes an override file into /etc/firewalld/zones, which takes precedence over the template of the same name. The reverse caveat also holds: a --permanent change does not touch the running rules until firewall-cmd --reload (or until the same command is repeated without --permanent).

Case study: FTP on the custom port 1122, to be allowed in the work zone

  1. Copy ftp.xml from the template directory /usr/lib/firewalld/services to /etc/firewalld/services
  2. Edit /etc/firewalld/services/ftp.xml and change the port to 1122
  3. Copy the work zone template /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones
  4. Edit /etc/firewalld/zones/work.xml and add the line <service name="ftp"/>
  5. Reload: firewall-cmd --reload
  6. List the services of the work zone to verify the addition: firewall-cmd --zone=work --list-services
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml
  • Edit the copied file and change the port from the template's 21 to 1122, so that it reads:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1122"/>
  <module name="nf_conntrack_ftp"/>
</service>
  • Copy the work zone template /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones, then edit /etc/firewalld/zones/work.xml and add the line <service name="ftp"/>
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml
  • Reload: firewall-cmd --reload
[root@localhost ~]# firewall-cmd --reload
success
  • List the services of the work zone to verify that ftp was added: firewall-cmd --zone=work --list-services
[root@localhost ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh

Experiment successful.
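The same procedure, scripted, as an added example that is not part of the original post: it generalises the case above to any service name, port and protocol, refuses a port or protocol that firewalld would reject at reload time, creates the zone override from the template only when none exists yet, and inserts the <service> line idempotently so that re-running it does not duplicate the entry. The directories are parameters so the script can be dry-run in a scratch directory without root; on a real host it is run with FIREWALLD_ETC=/etc/firewalld and FIREWALLD_LIB=/usr/lib/firewalld followed by firewall-cmd --reload. The work.xml it seeds for the dry run is a constructed stand-in for the stock template, and write_service, enable_service_in_zone and zone_services are this example's own names.

```sh
#!/bin/sh
# Added example (not part of the original post): scripts the custom-port
# procedure above (copy the service template, change the port, enable the
# service in a zone) against configurable directories, so it can be dry-run
# without root. On a real host run it with FIREWALLD_ETC=/etc/firewalld and
# FIREWALLD_LIB=/usr/lib/firewalld, then firewall-cmd --reload. The work.xml
# seeded below is a constructed stand-in for the stock template, and the
# function names are this example's own.

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
FIREWALLD_ETC=${FIREWALLD_ETC:-$SCRATCH/etc/firewalld}      # override files (assumption: scratch dir)
FIREWALLD_LIB=${FIREWALLD_LIB:-$SCRATCH/usr/lib/firewalld}  # shipped templates (assumption: scratch dir)

# Dry-run only: stand-in for /usr/lib/firewalld/zones/work.xml (constructed,
# mirrors the stock template's services dhcpv6-client, ipp-client, ssh).
if [ "$FIREWALLD_LIB" = "$SCRATCH/usr/lib/firewalld" ]; then
    mkdir -p "$FIREWALLD_LIB/zones"
    cat > "$FIREWALLD_LIB/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ipp-client"/>
  <service name="ssh"/>
</zone>
EOF
fi

# write_service NAME PORT PROTO [MODULE]
# Writes $FIREWALLD_ETC/services/NAME.xml, which shadows the template of the
# same name. Refuses bad ports/protocols rather than write a file firewalld
# would reject at reload time.
write_service() {
    name=$1; port=$2; proto=$3; module=$4
    case $port in
        ''|*[!0-9]*) echo "write_service: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "write_service: port out of range: $port" >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "write_service: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    mkdir -p "$FIREWALLD_ETC/services"
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo "  <short>$name</short>"
        echo "  <description>$name on $proto/$port (custom port, generated).</description>"
        echo "  <port protocol=\"$proto\" port=\"$port\"/>"
        if [ -n "$module" ]; then echo "  <module name=\"$module\"/>"; fi
        echo '</service>'
    } > "$FIREWALLD_ETC/services/$name.xml"
}

# enable_service_in_zone ZONE SERVICE
# Creates the zone override from the template if it does not exist yet (from
# then on firewalld reads the override, not the template), then inserts
# <service name="SERVICE"/> before </zone>. Idempotent.
enable_service_in_zone() {
    zone=$1; svc=$2
    zone_file=$FIREWALLD_ETC/zones/$zone.xml
    if [ ! -f "$zone_file" ]; then
        if [ ! -f "$FIREWALLD_LIB/zones/$zone.xml" ]; then
            echo "enable_service_in_zone: no such zone '$zone'" >&2; return 1
        fi
        mkdir -p "$FIREWALLD_ETC/zones"
        cp "$FIREWALLD_LIB/zones/$zone.xml" "$zone_file"
    fi
    grep -q "<service name=\"$svc\"/>" "$zone_file" && return 0
    awk -v svc="$svc" '/<\/zone>/ { printf "  <service name=\"%s\"/>\n", svc } { print }' \
        "$zone_file" > "$zone_file.tmp" && mv "$zone_file.tmp" "$zone_file"
}

# zone_services ZONE -> service names enabled in the zone override, one per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)"\/>.*/\1/p' "$FIREWALLD_ETC/zones/$1.xml"
}

# Demo: the post's case, ftp on tcp/1122 in the work zone. The repeated call
# shows that re-running does not duplicate the <service> line.
write_service ftp 1122 tcp nf_conntrack_ftp
enable_service_in_zone work ftp
enable_service_in_zone work ftp
zone_services work        # dhcpv6-client ipp-client ssh ftp
```

Two caveats for the real host. Files under /etc/firewalld are only read at firewall-cmd --reload, so the script changes nothing until that is run. And moving FTP to 1122 only changes the port firewalld opens: the nf_conntrack_ftp helper that the <module> line loads inspects the control channel on port 21 unless told otherwise (its ports module parameter), so passive-mode data connections to the relocated server may still be dropped until the helper is configured for the new port.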

Reposted from: https://my.oschina.net/u/3731306/blog/1859536
