1. Backing up and restoring iptables: iptables-save (backup) and iptables-restore (restore)
When you run service iptables save, it reports that the firewall rules are being saved to /etc/sysconfig/iptables; that file is the iptables configuration file:
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
1: Method 1: since the rules live in /etc/sysconfig/iptables, we can simply copy that file to back up the iptables rules, like this:
[root@localhost sysconfig]# cp iptables iptables.backup          # copy the saved rules
[root@localhost sysconfig]# diff iptables iptables.backup        # compare the two files for differences
[root@localhost sysconfig]# comm -123 iptables iptables.backup   # compare the two files for differences
Note: diff and comm are both used to check whether the contents of two files are identical; the commands above show their basic usage.
2: Method 2: use the commands that ship with the system, iptables-save (backup) and iptables-restore (restore)
[root@localhost sysconfig]# iptables-save > /tmp/ipt.txt   # back up the rules into the text file /tmp/ipt.txt
[root@localhost sysconfig]# cat !$                          # show the file; !$ expands to the last argument of the previous command
cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Fri Aug 10 10:32:15 2018
-A INPUT -s 192.168.149.0/24 -p tcp -m tcp --dport 56888 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[root@localhost sysconfig]# iptables -F                     # flush the rules
[root@localhost sysconfig]# iptables -nvL
Chain INPUT (policy ACCEPT 25 packets, 2104 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1852 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost sysconfig]# iptables-restore < /tmp/ipt.txt  # restore the rules
[root@localhost sysconfig]# iptables -nvL                    # look at the rules again
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1664 ACCEPT     tcp  --  *      *       192.168.149.0/24     0.0.0.0/0            tcp dpt:56888
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
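Comparing two rule dumps with diff or comm, as in method 1, has a catch: iptables-save stamps every dump with "# Generated by ... on <date>" and "# Completed on <date>" comment lines and writes packet/byte counters in square brackets, so two dumps of an identical rule set still show up as different. The following shell script is an added example (not part of the original post): it normalizes two dumps and compares only the rules. The sample dumps are constructed inline with made-up timestamps and counters, and the function names are the example's own, so it runs without iptables or root.

```shell
# Added example (not from the original post): compare two iptables-save dumps
# while ignoring the parts that legitimately differ between two runs.
# iptables-save writes "# Generated by ... on <date>" / "# Completed on <date>"
# comment lines and "[pkts:bytes]" counters (on policy lines, and on every
# rule when saved with -c), so diff/comm report differences even when the
# rule set is the same.

normalize_ipt_dump() {
    # $1: path to an iptables-save dump. Prints the dump with comment lines
    # removed, counters stripped and trailing whitespace dropped.
    grep -v '^#' "$1" \
        | sed -e 's/^\[[0-9]*:[0-9]*\] //' \
              -e 's/ \[[0-9]*:[0-9]*\]$//' \
              -e 's/[[:space:]]*$//'
}

ipt_dumps_equal() {
    # $1, $2: paths to two dumps. Exit status 0 if they define the same rules.
    n1=$(mktemp); n2=$(mktemp)
    normalize_ipt_dump "$1" > "$n1"
    normalize_ipt_dump "$2" > "$n2"
    cmp -s "$n1" "$n2"
    rc=$?
    rm -f "$n1" "$n2"
    return $rc
}

ipt_rule_count() {
    # $1: path to a dump. Prints the number of -A rule lines it contains.
    normalize_ipt_dump "$1" | grep -c '^-A'
}

# Constructed sample dumps: the rules follow the post, the timestamps and
# counters are invented. A and B are the same rule set saved at different
# times (B saved with -c, so every rule carries counters); C lacks the icmp rule.
IPT_DUMP_A=$(mktemp); IPT_DUMP_B=$(mktemp); IPT_DUMP_C=$(mktemp)
cat > "$IPT_DUMP_A" <<'EOF'
# Generated by iptables-save v1.4.21 on Fri Aug 10 10:32:15 2018
*filter
:INPUT ACCEPT [25:2104]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:1852]
-A INPUT -s 192.168.149.0/24 -p tcp -m tcp --dport 56888 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri Aug 10 10:32:15 2018
EOF
cat > "$IPT_DUMP_B" <<'EOF'
# Generated by iptables-save v1.4.21 on Sat Aug 11 09:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:240]
[18:1664] -A INPUT -s 192.168.149.0/24 -p tcp -m tcp --dport 56888 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Aug 11 09:00:00 2018
EOF
grep -v 'icmp' "$IPT_DUMP_A" > "$IPT_DUMP_C"

if ipt_dumps_equal "$IPT_DUMP_A" "$IPT_DUMP_B"; then echo "A and B: same rules"; fi
if ! ipt_dumps_equal "$IPT_DUMP_A" "$IPT_DUMP_C"; then echo "A and C: rules differ"; fi
```

The same normalization is useful when a backup taken before a change is compared against a fresh iptables-save after it: the only remaining differences are then real rule changes, which is what a change review or a post-incident check wants to see.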
2. firewalld is another front end for the netfilter firewall. CentOS 7 already uses firewalld, and iptables is still supported for compatibility. Details below:
Preparation: first stop iptables and enable firewalld:
[root@localhost sysconfig]# systemctl disable iptables   # disable iptables at boot
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost sysconfig]# systemctl stop iptables      # stop the iptables service
[root@localhost sysconfig]# systemctl enable firewalld   # enable firewalld at boot
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost sysconfig]# systemctl start firewalld    # start the firewalld service
1: Run iptables -nvL to look at the rules firewalld installs; you will find that quite a few rules are present:
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source               destination
   44  6501 ACCEPT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT             all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 INPUT_direct       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 INPUT_ZONES_SOURCE all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    60 INPUT_ZONES        all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP               all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT             all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Two concepts need to be introduced here: zone and service.
zone: the system has 9 zones by default. Each zone is a rule set that groups services. The system's default zone is public.
service: a service, that is, a port, such as 22 (ssh), ftp (21), http (80), dns (53) and so on.
2: Show the current default zone:
[root@localhost ~]# firewall-cmd --get-default-zone
public
3: List all zones on the system:
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
As shown above, the system has nine zones by default. Each zone in detail:
block (restricted): any incoming network connection is rejected, with an icmp-host-prohibited message for IPv4 and an icmp-host-prohibited message for IPv6.
dmz (demilitarized zone): for computers in your DMZ, which is publicly accessible and has limited access to your internal network; only selected incoming packets are accepted.
drop: any incoming network packet is dropped without any reply; only outgoing network connections are possible.
external: for external networks with masquerading enabled on the router; you cannot trust the other computers on the network, and only selected incoming connections are accepted.
home: for home networks; you can mostly trust the other computers on the network not to harm your computer, and only selected incoming connections are accepted.
internal: for internal networks; you can mostly trust the other computers on the network not to harm your computer, and only selected incoming connections are accepted.
public: for use in public areas; you do not trust the other computers, and only selected incoming connections are accepted.
trusted: all network connections are accepted.
work: for work areas; you can mostly trust the other computers not to harm your computer, and only selected incoming connections are accepted.
Note: the six zones dmz, external, home, internal, public and work all reject by default; you must explicitly allow what you want to let through.
Some common zone commands: setting is done with firewall-cmd --set-..., querying with firewall-cmd --get-...
1. Set the default zone:
[root@localhost ~]# firewall-cmd --set-default-zone=work   # set the default zone to work
success
[root@localhost ~]# firewall-cmd --get-default-zone        # check the default zone
work
2. Show the zones of all interfaces, or the zone of one interface:
[root@localhost ~]# firewall-cmd --get-active-zone            # show the active zones and the interfaces in them
work
  interfaces: eth0
[root@localhost ~]# firewall-cmd --get-zone-of-interface lo   # show the zone of lo
no zone
3. Assign a zone to an interface, change it, and remove it:
[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo      # assign lo to the public zone
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface lo            # check lo's zone
public
[root@localhost ~]# firewall-cmd --zone=public --change-interface=eth0 # change eth0's zone to public
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface eth0          # check eth0's zone
public
[root@localhost ~]# firewall-cmd --zone=public --remove-interface=lo   # remove lo from the zone
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface lo            # check lo's zone
no zone
Zone configuration file directory: /etc/firewalld/zones/
Service configuration file directory: /etc/firewalld/services/
[root@localhost ~]# ls /etc/firewalld/zones/
public.xml  public.xml.old
[root@localhost ~]# ls /etc/firewalld/services/
ssh.xml
2. Some operations on services. Querying services: --get-services, --list-service; per zone: --zone=<zone> together with --list-.../--add-...
1: List all services:
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
2: Show the services in the current default zone, or in a specific zone:
[root@localhost ~]# firewall-cmd --list-service              # services in the current default zone
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --zone=dmz --list-service   # services in the dmz zone
ssh
3: Add a service to a zone and remove it again:
[root@localhost ~]# firewall-cmd --zone=public --add-service=http      # add http to public
success
[root@localhost ~]# firewall-cmd --zone=public --list-service          # check public
ssh dhcpv6-client http
[root@localhost ~]# firewall-cmd --zone=public --remove-service=http   # remove http from public
success
[root@localhost ~]# firewall-cmd --zone=public --list-service          # check public
ssh dhcpv6-client
4: Adding a service with --permanent updates the configuration file automatically; the files are in /etc/firewalld/zones/. Note that --permanent only writes the saved configuration: the running rule set does not change until the next --reload, which is why --list-service below still does not show http.
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent   # updates the configuration file automatically
success
[root@localhost ~]# firewall-cmd --zone=public --list-service                   # check public
ssh dhcpv6-client
[root@localhost ~]# ls /etc/firewalld/zones/   # configuration directory (the previous file is backed up automatically with a .old suffix)
public.xml  public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml   # configuration file contents
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
[root@localhost ~]# ls /etc/firewalld/services/   # service configuration files
ssh.xml
5: Configuration file directories: /etc/firewalld/zones/ and /etc/firewalld/services/
Zone configuration directory and file contents:
[root@localhost ~]# ls /etc/firewalld/zones/   # the previous version of the file is backed up automatically with a .old suffix
public.xml  public.xml.old
[root@localhost ~]# cat /etc/firewalld/zones/public.xml   # file contents
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
Note: to allow more services, just append more <service name="..."/> lines.
Service configuration file contents and directory:
[root@localhost ~]# cat /etc/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="56888"/>
</service>
Note: the port number is changed in this configuration file.
6: Template directories: /usr/lib/firewalld/zones and /usr/lib/firewalld/services
Zone template directory:
[root@localhost ~]# ls /usr/lib/firewalld/zones/   # zone template files
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
Note: when you need one, copy the template file from here into the corresponding directory under /etc/firewalld.
Service template directory:
[root@localhost ~]# ls /usr/lib/firewalld/services/   # service template files
amanda-client.xml     freeipa-replication.xml  libvirt-tls.xml  postgresql.xml  spideroak-lansync.xml
amanda-k5-client.xml  freeipa-trust.xml        libvirt.xml      privoxy.xml     squid.xml
bacula-client.xml     ftp.xml                  managesieve.xml  proxy-dhcp.xml  ssh.xml
bacula.xml            ganglia-client.xml       mdns.xml         ptp.xml         synergy.xml
bitcoin-rpc.xml       ganglia-master.xml       mosh.xml         pulseaudio.xml  syslog-tls.xml
[root@localhost ~]# cat /usr/lib/firewalld/services/ftp.xml   # contents of the ftp service template
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
7. Reload firewalld's zones: --reload
[root@localhost ~]# firewall-cmd --reload
success
8. Worked example: give ftp a custom port, 1121, and allow it in public:
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/   # copy the service template
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml                                # edit the ftp service file:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>      # change the port here to 1121
  <module name="nf_conntrack_ftp"/>
</service>
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/   # copy the zone template
[root@localhost ~]# vim /etc/firewalld/zones/work.xml                            # add the ftp service to the zone:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>                   # add this line
</zone>
[root@localhost ~]# firewall-cmd --reload                   # reload firewalld
success
[root@localhost ~]# firewall-cmd --zone=work --list-service # list the services in work
ssh dhcpv6-client ftp
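The worked example above (copy the template, change the port, add the service to the zone, reload) can be scripted, and the script can check its own result before firewalld is asked to load it. The following shell script is an added example, not from the original post, and it generalizes the case to any service name, port and zone. FW_ETC and FW_LIB are assumed stand-ins for /etc/firewalld and /usr/lib/firewalld (they default to temporary directories, and the template files are constructed inline as shortened versions of the ones shown above, so the script runs without root or firewalld); the function names are the example's own.

```shell
# Added example (not from the original post): script the "custom ftp port in a
# zone" case and check the result before firewall-cmd --reload.
# FW_ETC and FW_LIB stand in for /etc/firewalld and /usr/lib/firewalld; they
# default to temporary directories so the script runs without root or firewalld.
FW_ETC="${FW_ETC:-$(mktemp -d)}"
FW_LIB="${FW_LIB:-$(mktemp -d)}"
mkdir -p "$FW_ETC/services" "$FW_ETC/zones" "$FW_LIB/services" "$FW_LIB/zones"

# Constructed stand-ins for the shipped templates (shortened from the post).
cat > "$FW_LIB/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF
cat > "$FW_LIB/services/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
EOF
cat > "$FW_LIB/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
</zone>
EOF

effective_file() {
    # $1 kind (services|zones), $2 name: a copy under /etc overrides the template
    if [ -f "$FW_ETC/$1/$2.xml" ]; then echo "$FW_ETC/$1/$2.xml"; else echo "$FW_LIB/$1/$2.xml"; fi
}

customize_service_port() {
    # $1 service name, $2 new tcp port: copy the template into /etc (the copy
    # under /usr/lib is left alone, a package update would overwrite it) and
    # rewrite the tcp port in the copy
    cp "$FW_LIB/services/$1.xml" "$FW_ETC/services/$1.xml"
    tmp=$(mktemp)
    sed "s#<port protocol=\"tcp\" port=\"[0-9]*\"/>#<port protocol=\"tcp\" port=\"$2\"/>#" \
        "$FW_ETC/services/$1.xml" > "$tmp" && mv "$tmp" "$FW_ETC/services/$1.xml"
}

service_port() {
    # $1 service name: prints the tcp port of the effective definition
    sed -n 's/.*<port protocol="tcp" port="\([0-9]*\)".*/\1/p' "$(effective_file services "$1")"
}

zone_services() {
    # $1 zone name: prints the services the effective zone file lists, one per line
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$(effective_file zones "$1")"
}

zone_add_service() {
    # $1 zone name, $2 service name: copy the template into /etc if needed, then
    # insert <service name="..."/> before </zone> unless it is already listed
    zone_file="$FW_ETC/zones/$1.xml"
    [ -f "$zone_file" ] || cp "$FW_LIB/zones/$1.xml" "$zone_file"
    if ! grep -q "<service name=\"$2\"/>" "$zone_file"; then
        tmp=$(mktemp)
        awk -v svc="$2" '/<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
            "$zone_file" > "$tmp" && mv "$tmp" "$zone_file"
    fi
}

zone_check() {
    # $1 zone name: exit status 0 if every service the zone references has a
    # definition under /etc or /usr/lib. A zone naming an undefined service is
    # the kind of mistake that only surfaces when firewalld loads the file,
    # so it is worth checking before --reload.
    rc=0
    for s in $(zone_services "$1"); do
        if [ ! -f "$FW_ETC/services/$s.xml" ] && [ ! -f "$FW_LIB/services/$s.xml" ]; then
            echo "zone $1 references undefined service: $s" >&2
            rc=1
        fi
    done
    return $rc
}

customize_service_port ftp 1121
zone_add_service work ftp
zone_check work && echo "work zone: $(echo $(zone_services work)); ftp on tcp/$(service_port ftp)"
```

On a real host you would run it with FW_ETC=/etc/firewalld and FW_LIB=/usr/lib/firewalld as root and follow it with firewall-cmd --reload, exactly as in the session above; the zone_check step then catches a typo in a service name before the reload does.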