October 29 tasks: 10.19 Backing up and restoring iptables rules; 10.20 firewalld's nine zones; 10.21 firewalld zone operations; 10.22 firewalld service operations
Backing up and restoring iptables rules

[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 44 packets, 3152 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 26 packets, 2584 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables-restore /etc/sysconfig/iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 6 packets, 744 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables-save > /tmp/iptables.txt
[root@localhost ~]# cat /tmp/iptables.txt
# Generated by iptables-save v1.4.21 on Fri ... 19:54:19 ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:23866]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri ... 19:54:19 ...
[root@localhost ~]#
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1900 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables-restore < /tmp/iptables.txt
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination
To have the rules loaded at boot, save them to the default file /etc/sysconfig/iptables with `service iptables save`: that is the file iptables.service (from the iptables-services package) reads when it starts, so the service must also be enabled. Note what the outputs above show about `iptables -F`: it only flushes the rules, the chain policies stay ACCEPT, so between the flush and the restore the host accepts every incoming packet. Keep the backup file readable by root only; it describes exactly what the host lets in.
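As an added example (not part of the original post), the following Python script parses the text format that iptables-save writes and iptables-restore reads, as shown above, and audits the filter table before a restore is attempted. SAMPLE_DUMP is a constructed copy of the page's /tmp/iptables.txt with the elided timestamp left out, and the three checks (a final catch-all REJECT/DROP, loopback accepted, no rules left unreachable after a catch-all) are this example's own choices, not anything iptables itself performs.

```python
"""Parse an iptables-save dump and audit the filter table before restoring it.

Added example, not from the original post: it reads the iptables-save
format without needing iptables installed, so a backup can be checked
before `iptables-restore < file` replaces the live ruleset.
"""
import shlex

# Constructed sample: the page's /tmp/iptables.txt, timestamp omitted.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:23866]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, argv)]}}.

    '*name' opens a table, ':CHAIN POLICY [pkts:bytes]' declares a chain,
    '-A CHAIN ...' appends a rule and COMMIT closes the table.
    """
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif current is None:
            raise ValueError(f"line outside a table: {line!r}")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):
            argv = shlex.split(line)  # shlex keeps quoted --comment text intact
            tables[current]["rules"].append((argv[1], argv[2:]))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return tables


def _opt(argv, *names):
    """Value following the first of *names in argv, or None if absent."""
    for i in range(len(argv) - 1):
        if argv[i] in names:
            return argv[i + 1]
    return None


def is_catch_all(argv):
    """True when a rule has no match at all, i.e. it applies to every packet."""
    return {tok for tok in argv if tok.startswith("-")} <= {"-j", "--reject-with"}


def chain_rules(table, chain):
    return [argv for c, argv in table["rules"] if c == chain]


def open_ports(table):
    """(proto, port) pairs INPUT accepts, in rule order, up to the first
    catch-all REJECT/DROP: rules after that one can never match."""
    ports = []
    for argv in chain_rules(table, "INPUT"):
        target, proto = _opt(argv, "-j"), _opt(argv, "-p")
        dport = _opt(argv, "--dport", "--dports")
        if target == "ACCEPT" and proto in ("tcp", "udp") and dport:
            ports.append((proto, dport))
        if is_catch_all(argv) and target in ("REJECT", "DROP"):
            break
    return ports


def audit_filter(tables):
    """Findings worth reading before running iptables-restore on the dump."""
    flt = tables.get("filter")
    if flt is None:
        return ["no *filter table: restoring this dump leaves filtering untouched"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        rules = chain_rules(flt, chain)
        closed = any(is_catch_all(a) and _opt(a, "-j") in ("REJECT", "DROP") for a in rules)
        if flt["policies"].get(chain) == "ACCEPT" and not closed:
            findings.append(f"{chain}: policy ACCEPT and no final REJECT/DROP rule, "
                            "unmatched traffic is let through (the state after iptables -F)")
    if not any(_opt(a, "-i") == "lo" and _opt(a, "-j") == "ACCEPT"
               for a in chain_rules(flt, "INPUT")):
        findings.append("INPUT: no rule accepting loopback (-i lo) traffic")
    for chain in sorted({c for c, _ in flt["rules"]}):
        rules = chain_rules(flt, chain)
        for idx, argv in enumerate(rules):
            if is_catch_all(argv) and _opt(argv, "-j") in ("ACCEPT", "REJECT", "DROP"):
                if len(rules) - idx - 1:
                    findings.append(f"{chain}: {len(rules) - idx - 1} rule(s) after the "
                                    f"catch-all at position {idx + 1} can never match")
                break
    return findings


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE_DUMP)
    print("open ports:", open_ports(tables["filter"]))
    print("findings:", audit_filter(tables) or "none")
```

To check a real backup, pass `open("/tmp/iptables.txt").read()` to parse_iptables_save in place of SAMPLE_DUMP. For the page's ruleset the audit is clean and reports 22/tcp as the only port opened for new connections; run it on a table that was just flushed and it reports both INPUT and FORWARD as open by default.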
The firewalld service

CentOS 7 starts firewalld by default; if you have not changed that, you can use it directly.
If you disabled firewalld and enabled iptables instead, switch back with the commands below. Run only one of the two: on CentOS 7 firewalld drives iptables underneath, and with both services enabled whichever starts last overwrites the other's rules.
# first disable iptables
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables
# start firewalld (and enable it at boot)
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld
firewalld's nine zones

A zone is firewalld's unit of configuration: a named rule set that comes with certain preset rules.
firewalld ships nine zones:
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-default-zone
public
Use the firewall-cmd command to view and configure the firewalld service (note: firewall-cmd, not firewalld-cmd).

Zone overview

zone       description
drop       Every incoming packet is dropped without a reply; outgoing connections are still allowed (the most restrictive).
block      Every incoming packet is rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message.
public     For use in public areas, where you do not trust the other computers on the network. Only selected incoming connections are accepted.
external   For external networks with masquerading enabled (typically routers); you do not trust the other computers on the network. Only selected incoming connections are accepted.
dmz        For computers in your demilitarized zone: publicly accessible, with limited access to your internal network. Only selected incoming connections are accepted.
work       Work area; you mostly trust the other computers on the network not to harm you. Only selected incoming connections are accepted.
home       Home network; you mostly trust the other computers on the network not to harm you. Only selected incoming connections are accepted.
internal   Internal network; you mostly trust the other computers on the network not to harm you. Only selected incoming connections are accepted.
trusted    All incoming connections are accepted.

It is enough to know these nine zones exist; not all of them get used. The table lists them roughly from most restrictive (drop) to most permissive (trusted). Whatever zone an interface ends up in, check its service list before trusting it.
firewalld zone operations

[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work

Zone settings for a specific interface

Interfaces that are not bound to a zone of their own are handled by the default zone, so ens33 now reports work:
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
# bind the interface lo to the public zone
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
# list the zones that have interfaces bound to them, to verify
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: lo
# --change-interface moves an interface that is already bound to another zone;
# --add-interface is for an interface not yet in any zone
[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
dmz
  interfaces: lo
work
  interfaces: ens33
[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
The interface bindings above were made without --permanent, so they live only in the running configuration and are gone after firewall-cmd --reload or a restart of firewalld; --set-default-zone, by contrast, is written to /etc/firewalld/firewalld.conf straight away.
firewalld service operations

Basic usage

List all services defined on the system:
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication
ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd
pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy
syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-services | sed -r 's/ /\n/g' | wc -l
81
So the system currently defines 81 services.
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
# Adding --permanent writes the change to the on-disk configuration instead of the running (in-memory) one.
# --permanent on its own does not touch the running rules: either run the command both ways, as here, or follow it with firewall-cmd --reload.
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
# The zone configuration files live under /etc/firewalld/zones/.
# After a permanent --add-service the previous version of the file is kept as a .old backup.
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml.old
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="ssh"/>
</zone>
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="http"/><service name="ssh"/>
</zone>
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
This removal was made without --permanent, so it only affects the running configuration: public.xml still lists http, and the next firewall-cmd --reload or restart of firewalld will open http again. To close it for good, repeat the remove with --permanent as well.
Template configuration files for firewalld zones and services

The templates under /usr/lib/firewalld/ belong to the package and are replaced on upgrade; to customise one, copy it to the matching directory under /etc/firewalld/, where a file of the same name takes precedence.
# zone templates live in /usr/lib/firewalld/zones/
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
# service templates live in /usr/lib/firewalld/services/
[root@localhost ~]# ls /usr/lib/firewalld/services/
amanda-client.xml kpasswd.xml rpc-bind.xml
amanda-k5-client.xml ldaps.xml rsyncd.xml
bacula-client.xml ldap.xml samba-client.xml
bacula.xml libvirt-tls.xml samba.xml
ceph-mon.xml libvirt.xml sane.xml
ceph.xml mdns.xml smtps.xml
dhcpv6-client.xml mosh.xml smtp.xml
dhcpv6.xml mountd.xml snmptrap.xml
dhcp.xml ms-wbt.xml snmp.xml
dns.xml mysql.xml squid.xml
docker-registry.xml nfs.xml ssh.xml
dropbox-lansync.xml ntp.xml synergy.xml
freeipa-ldaps.xml openvpn.xml syslog-tls.xml
freeipa-ldap.xml pmcd.xml syslog.xml
freeipa-replication.xml pmproxy.xml telnet.xml
ftp.xml pmwebapis.xml tftp-client.xml
high-availability.xml pmwebapi.xml tftp.xml
https.xml pop3s.xml tinc.xml
http.xml pop3.xml tor-socks.xml
imaps.xml postgresql.xml transmission-client.xml
imap.xml privoxy.xml vdsm.xml
ipp-client.xml proxy-dhcp.xml vnc-server.xml
ipp.xml ptp.xml wbem-https.xml
ipsec.xml pulseaudio.xml xmpp-bosh.xml
iscsi-target.xml puppetmaster.xml xmpp-client.xml
kadmin.xml radius.xml xmpp-local.xml
kerberos.xml RH-Satellite-6.xml xmpp-server.xml
Configuration example

Add the ftp service to the work zone, with the FTP port changed to 1121:
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@localhost ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>   <!-- port changed to 1121 -->
  <module name="nf_conntrack_ftp"/>
</service>
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>   <!-- newly added line -->
</zone>
One thing the firewall change alone does not cover: the nf_conntrack_ftp helper that this service loads watches the FTP control channel on port 21 by default, so with the daemon on 1121 the helper must be told about the new port (its ports= module parameter), otherwise the data connections are not tracked as RELATED.
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
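The example above edits two XML files and relies on firewalld preferring /etc/firewalld/services/ftp.xml over the template in /usr/lib/firewalld/services/. The following Python script, an added example that is neither part of the original post nor firewalld's own code, reads zone and service definitions in that XML format and applies the same lookup order, so you can see which ports a zone will actually open, and catch an undefined service name, before running firewall-cmd --reload. The XML strings are constructed sample data copied or trimmed from the listings on this page; the stock ssh, dhcpv6-client and ftp templates are abbreviated to their port entries.

```python
"""Resolve the ports a firewalld zone actually opens from its XML files.

Added example, not part of the original post and not firewalld's own
code. It reads zone and service definitions in the XML format shown
above and applies firewalld's lookup order: a file in
/etc/firewalld/services/ overrides the template of the same name in
/usr/lib/firewalld/services/. The XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed: the page's edited /etc/firewalld/zones/work.xml (description trimmed).
WORK_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
"""

# Constructed: stock templates as found under /usr/lib/firewalld/services/ (trimmed).
LIB_SERVICES = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "dhcpv6-client": '<service><short>DHCPv6 Client</short>'
                     '<port protocol="udp" port="546"/></service>',
    "ftp": '<service><short>FTP</short><port protocol="tcp" port="21"/>'
           '<module name="nf_conntrack_ftp"/></service>',
}

# Constructed: the page's /etc/firewalld/services/ftp.xml with the port moved to 1121.
ETC_SERVICES = {
    "ftp": '<service><short>FTP</short><port protocol="tcp" port="1121"/>'
           '<module name="nf_conntrack_ftp"/></service>',
}

# Lookup order firewalld uses: the admin's /etc copy wins over the package template.
DEFAULT_LAYERS = (ETC_SERVICES, LIB_SERVICES)


def parse_service(xml_text):
    """Return ([(protocol, port)], [helper modules]) from a service definition."""
    root = ET.fromstring(xml_text)
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    modules = [m.get("name") for m in root.findall("module")]
    return ports, modules


def lookup_service(name, layers=DEFAULT_LAYERS):
    """XML of the first definition of `name`, most specific directory first."""
    for layer in layers:
        if name in layer:
            return layer[name]
    raise KeyError(f"service '{name}' is not defined in any service directory")


def missing_services(zone_xml, layers=DEFAULT_LAYERS):
    """Service names the zone references that no directory defines; a typo
    here is the usual reason a hand-edited zone file does not load."""
    root = ET.fromstring(zone_xml)
    return [s.get("name") for s in root.findall("service")
            if not any(s.get("name") in layer for layer in layers)]


def resolve_zone(zone_xml, layers=DEFAULT_LAYERS):
    """Map each (protocol, port) the zone opens to the service that opens it.

    A zone may also list <port> entries directly; those are reported under
    the pseudo-service name '<port>'.
    """
    root = ET.fromstring(zone_xml)
    opened = {}
    for svc in root.findall("service"):
        ports, _modules = parse_service(lookup_service(svc.get("name"), layers))
        for proto, port in ports:
            opened.setdefault((proto, port), svc.get("name"))
    for p in root.findall("port"):
        opened.setdefault((p.get("protocol"), p.get("port")), "<port>")
    return opened


if __name__ == "__main__":
    for (proto, port), svc in sorted(resolve_zone(WORK_ZONE).items()):
        print(f"{proto}/{port:<5} opened by {svc}")
    # Without the /etc override the same zone would open 21/tcp, not 1121/tcp.
    print("template only:", sorted(resolve_zone(WORK_ZONE, layers=(LIB_SERVICES,))))
```

The script only predicts what the zone will open once loaded; after editing the files under /etc/firewalld/ you still run firewall-cmd --reload as on the page, and `firewall-cmd --zone=work --list-all` on the host is the final word.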
Reposted from: https://my.oschina.net/u/3964535/blog/2253621