2019独角兽企业重金招聘Python工程师标准>>>

iptables规则备份和恢复

• iptables 备份

[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  确定  ][root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 44 packets, 3152 bytes)pkts bytes target     prot opt in     out     source               destination         Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 26 packets, 2584 bytes)pkts bytes target     prot opt in     out     source               destination

• iptables 恢复

[root@localhost ~]# iptables-restore /etc/sysconfig/iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         10   692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:220     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT 6 packets, 744 bytes)pkts bytes target     prot opt in     out     source               destination

• 将规则保存到指定文件

[root@localhost ~]# iptables-save > /tmp/iptables.txt
[root@localhost ~]# cat /tmp/iptables.txt
# Generated by iptables-save v1.4.21 on Fri ... 19:54:19 ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [249:23866]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri ... 19:54:19 ...
[root@localhost ~]#
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1900 bytes)pkts bytes target     prot opt in     out     source               destination         Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes)pkts bytes target     prot opt in     out     source               destination

• 从指定文件加载iptables规则

[root@localhost ~]# iptables-restore < /tmp/iptables.txt
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:220     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)pkts bytes target     prot opt in     out     source               destination

如果想开机加载iptables规则表，最好将规则保存在默认的文件即/etc/sysconfig/iptables，使用service iptables save即可

firewalld服务

默认centos7启动的是firewalld，如果你没修改过，直接使用就可以了；

如果你将firewalld关闭了，开启了iptables，那么需要执行下面的命令来修改：

# 先关闭iptables
[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables# 启动firewalld（同时设置开机启动）
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld

firewalld的9个zone

zone是firewalld的一个单位，是一个规则集，其自带某些规则。

firewalld下有9个zone，如下所示：

• 查看系统所有的zone

[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

• 查看系统的默认zone

[root@localhost ~]# firewall-cmd --get-default-zone
public

使用firewall-cmd命令查看配置firewalld服务(注意不是firewalld-cmd)

zone的简单介绍

对于这9个zone，主要了解即可，并不是都会用的上；上述的zone安全性依次递增

firewalld关于zone的操作

• 设置默认的zone

[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work

针对指定网卡的zone设置

• 查看指定网卡的zone

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work

• 添加指定网卡至某个zone内

# 将网卡lo添加到zone public中
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success# 查看网卡所属的zone用以验证
[root@localhost ~]# firewall-cmd --get-active-zones
workinterfaces: ens33
publicinterfaces: lo

• 修改网络的所属zone

[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
dmzinterfaces: lo
workinterfaces: ens33

• 移除zone内的网卡

[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@localhost ~]# firewall-cmd --get-active-zones
workinterfaces: ens33

firewalld关于service的操作

基本使用

列出当前系统内所有的service

[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication
ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd
pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy
syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server[root@localhost ~]# firewall-cmd --get-services | sed -r 's/ /\n/g' | wc -l
81
统计后当前系统共81个服务

• 列出指定zone内的所有服务

[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

• 给指定的zone添加新服务

[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http# 在末尾添加--permanent参数可以将修改写入系统，而不是暂存在内存中
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success# /etc/firewalld/zones/目录下存放了zone的配置文件
# 执行了--add-services参数命令后会将原配置文件备份为.old文件
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml.old
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="ssh"/>
</zone>
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="dhcpv6-client"/><service name="http"/><service name="ssh"/>
</zone>

• 删除指定的zone内的范围（必须存在）

[root@localhost ~]# firewall-cmd --zone=public --remove-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

firwalld的zone和services的模板配置文件

# zone的模板配置文件目录/usr/lib/firewalld/zones/
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml# services的模板配置文件目录/usr/lib/firewalld/services/
[root@localhost ~]# ls /usr/lib/firewalld/services/
amanda-client.xml        kpasswd.xml         rpc-bind.xml
amanda-k5-client.xml     ldaps.xml           rsyncd.xml
bacula-client.xml        ldap.xml            samba-client.xml
bacula.xml               libvirt-tls.xml     samba.xml
ceph-mon.xml             libvirt.xml         sane.xml
ceph.xml                 mdns.xml            smtps.xml
dhcpv6-client.xml        mosh.xml            smtp.xml
dhcpv6.xml               mountd.xml          snmptrap.xml
dhcp.xml                 ms-wbt.xml          snmp.xml
dns.xml                  mysql.xml           squid.xml
docker-registry.xml      nfs.xml             ssh.xml
dropbox-lansync.xml      ntp.xml             synergy.xml
freeipa-ldaps.xml        openvpn.xml         syslog-tls.xml
freeipa-ldap.xml         pmcd.xml            syslog.xml
freeipa-replication.xml  pmproxy.xml         telnet.xml
ftp.xml                  pmwebapis.xml       tftp-client.xml
high-availability.xml    pmwebapi.xml        tftp.xml
https.xml                pop3s.xml           tinc.xml
http.xml                 pop3.xml            tor-socks.xml
imaps.xml                postgresql.xml      transmission-client.xml
imap.xml                 privoxy.xml         vdsm.xml
ipp-client.xml           proxy-dhcp.xml      vnc-server.xml
ipp.xml                  ptp.xml             wbem-https.xml
ipsec.xml                pulseaudio.xml      xmpp-bosh.xml
iscsi-target.xml         puppetmaster.xml    xmpp-client.xml
kadmin.xml               radius.xml          xmpp-local.xml
kerberos.xml             RH-Satellite-6.xml  xmpp-server.xml

配置实例

将ftp服务添加至work zone，修改ftp默认端口为1121

• 拷贝ftp服务的模板配置文件

[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

• 修改默认端口

[root@localhost ~]# vi /etc/firewalld/services/ftp.xml <?xml version="1.0" encoding="utf-8"?>
<service><short>FTP</short><description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description><port protocol="tcp" port="1121"/>  # 修改port为1121<module name="nf_conntrack_ftp"/>
</service>

• 拷贝work zone的模板文件

[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vi /etc/firewalld/zones/work.xml<?xml version="1.0" encoding="utf-8"?>
<zone><short>Work</short><description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description><service name="ssh"/><service name="dhcpv6-client"/># 新增下面的service行<service name="ftp"/>
</zone>

• 重新加载firewalld服务

[root@localhost ~]# firewall-cmd --reload
success

• 验证是否正确添加

[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp