iptables规则备份和恢复、firewalld相关

时间 2019-11-19

标签 iptables 规则备份恢复 firewalld 相关栏目系统网络繁體版

原文原文链接

iptables规则备份和恢复

介绍：以前说道，咱们设定的防火墙规则只保存在内存中，重启失效。那么怎么保存规则呢以下
保存规则命令：
- 这里能看到出现了一个路径，这就是咱们的规则所保存的路径。
- 之后要是遇到须要备份防火墙规则，只要复制这个文件的副本就好了

[root@centos001 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  肯定  ]

保存、恢复规则至指定的地方

[root@centos001 ~]#  iptables-save > /tmp/ipt.txt  //保存
[root@centos001 ~]# iptables-restore < /tmp/ipt.txt //恢复

firewalld的9个zone

准备：
以前咱们关闭了firewalld，如今要开启，因此要把iptables先禁用掉

[root@centos001 ~]# systemctl disable iptables
[root@centos001 ~]# systemctl stop iptables
[root@centos001 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@centos001 ~]# systemctl start firewalld

介绍：
- 咱们能够先查看一下firewalld的规则，用iptables -nvL（注意最后一个L是大写）查看其默认规则
- firewalld的规则有两个基础概念，分别是zone（能够看成是个单位）和service，每一个zone里面有不一样的iptables规则，默认一共9个zone，
  而centos7默认的zone为public
  - 每一个zone都是至关于一个规则集（就是里面有属于它本身的规则）
命令：查看全部zone

[root@centos001 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

命令：查询系统默认的zone

[root@centos001 ~]# firewall-cmd --get-default-zone
public                     //这里能看到默认的zone是public

zone的解释

firewalld关于zone的操做

设定默认的zone是什么

[root@centos001 ~]# firewall-cmd --set-default-zone=work//设定默认zone是，并查看
success
[root@centos001 ~]# firewall-cmd --get-default-zone
work

查看网卡的zone

[root@centos001 ~]# firewall-cmd --get-zone-of-interface=lo
no zone

当zone没有的时候

[root@centos001 ~]# cd /etc/sysconfig/network-scripts/      //1.复制配置文件到网卡
[root@centos001 network-scripts]# ls
ifcfg-e        ifdown-ib      ifdown-Team      ifup-ippp    ifup-sit
ifcfg-ens      ifdown-ippp    ifdown-TeamPort  ifup-ipv6    ifup-Team
ifcfg-ens33    ifdown-ipv6    ifdown-tunnel    ifup-isdn    ifup-TeamPort
ifcfg-ens33:0  ifdown-isdn    ifup             ifup-plip    ifup-tunnel
ifcfg-lo       ifdown-post    ifup-aliases     ifup-plusb   ifup-wireless
ifdown         ifdown-ppp     ifup-bnep        ifup-post    init.ipv6-global
ifdown-bnep    ifdown-routes  ifup-eth         ifup-ppp     network-functions
ifdown-eth     ifdown-sit     ifup-ib          ifup-routes  network-functions-ipv6
[root@centos001 network-scripts]# cp ifcfg-ens33 ifcfg-ens37                 
[root@centos001 network-scripts]# vi /etc/sysconfig/network-scripts/ifcfg-ens37     //2.配置下这个文件
[root@centos001 network-scripts]# uuidgen ens37           //这里是查询uuid 
0868ef08-a957-44d8-9554-c4966a7f0bf5
[root@centos001 network-scripts]# vi /etc/sysconfig/network-scripts/ifcfg-ens37
[root@centos001 network-scripts]# systemctl restart network.service          //3.重启网络服务
Job for network.service failed because the control process exited with error code. See "systemctl status network.service" and "journalctl -xe" for details.
[root@centos001 network-scripts]# systemctl restart firewalld   //4.重启firewalld服务
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=ens37      //5.从新运行查看网卡的zone
no zone              //这里出错了 坑能是咱们网络环境的问题

给指定的网卡设置zone

[root@centos001 network-scripts]# firewall-cmd --zone=public --add-interface=lo //设定并查看
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public

针对指定网卡修改zone

[root@centos001 network-scripts]# firewall-cmd --zone=block --change-interface=lo //修改并查看
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
block

针对指定网卡删除zone
- 这里最后显示no zone的缘由是：没有开启NetworkManager服务

[root@centos001 network-scripts]# firewall-cmd --zone=block  --remove-interface=lo  
success
[root@centos001 network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone

查看系统全部网卡所在的zone

firewall-cmd --get-active-zones  //查看系统全部网卡所在的zone

firewalld关于service的操做

介绍：什么是service 其实之因此有9中zone，其缘由是由于每个zone里面都是用了不一样的service，而service就是针对一个服务（端口）作的iptables规则。

service的用法：

列出当前系统里的全部service

firewall-cmd --get-services  查看全部的servies

-查看当前zone下有哪些servicecentos

[root@centos001 network-scripts]# firewall-cmd --get-default-zone //查看当前的zone是什么
work
[root@centos001 network-scripts]# firewall-cmd --list-services
ssh dhcpv6-client

查看指定zone下的service

[root@centos001 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http

把http增长到public zone下面
- 这里设定的只会保存在内存中，下个命令将介绍什么保存至配置文件

[root@centos001 network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@centos001 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http

将添加的service 保存至配置文件
firewall-cmd --zone=public --add-service=http --permanent
更改配置文件，以后会在/etc/firewalld/zones目录下面生成配置文件

[root@centos001 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent 
success
[root@centos001 network-scripts]# ls /etc/firewalld/zones/public.xml  //保存的路径
/etc/firewalld/zones/public.xml
[root@centos001 network-scripts]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@centos001 network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>      //能看到咱们添加的service
</zone>

zone的配置文件模板

ls /usr/lib/firewalld/zones/

需求：ftp服务自定义端口1121，须要在work zone下面放行ftp

首先要将ftp的服务作一下更改，而后吧ftp添加到work zone
复制模版一

cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services

修改配置文件
vi /etc/firewalld/services/ftp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>         //这里修改成1121
  <module name="nf_conntrack_ftp"/>
</service>

复制模版二

cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

修改配置文件 vi /etc/firewalld/zones/work.xml 增长一行<service name="ftp"/>

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>

从新加载

[root@centos001 ~]# firewall-cmd --reload 
success

查看结果

[root@centos001 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp   //新添加的ftp