10.19 iptables规则备份和恢复 10.20 firewalld的9个zone 10.21 firewalld关于zone的操作 10.22 firewalld关于service的操作
[root@lizhipenglinux01 ~]# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Fri Jan 26 05:40:28 2018
*nat
:PREROUTING ACCEPT [3:984]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jan 26 05:40:28 2018
# Generated by iptables-save v1.4.21 on Fri Jan 26 05:40:28 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [161:19201]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 26 05:40:28 2018
[root@lizhipenglinux01 ~]# iptables < /tmp/ipt.txt
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@lizhipenglinux01 ~]# iptables-restore < /tmp/ipt.txt
[root@lizhipenglinux01 ~]# iptables-save > /tmp/ipt.txt
[root@lizhipenglinux01 ~]# iptables -t nat -F
[root@lizhipenglinux01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@lizhipenglinux01 ~]# iptables-restore < /tmp/ipt.txt
[root@lizhipenglinux01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@lizhipenglinux01 ~]# systemctl disable iptables
[root@lizhipenglinux01 ~]# systemctl stop iptables
[root@lizhipenglinux01 ~]# systemctl enable firewalld
[root@lizhipenglinux01 ~]# systemctl start firewalld
[root@lizhipenglinux01 ~]# iptables -nvL
drop(丢弃):任何接收的网络数据包都被丢弃,没有任何回复。仅能有发送出去的网络连接。
block(限制):任何接收的网络连接都被IPv4的icmp-host-prohibited信息和IPv6的icmp-adm-prohibited信息所拒绝。
public (公共):在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选取的连接。
external(外部):特别是为路由器启用了伪装功能的外部网。你不能信任来自网络的其他计算机,不能相信它们不会对你的计算机造成危害,只能接收经过选择的连接。
dmz(非军事区):用于你的非军事区内的计算机,此区域内可公开访问,可以有限的进入你的内部网络,仅仅接收经过选择的连接。
work(工作):用于工作网络。你可以基本相信网络内的其他计算机不会危害你的计算机。仅仅接收经过选择的连接。
home(家庭):用于家庭网络。你可以基本信任网络内的其他计算机不会危害你的计算机。仅仅接收经过选择的连接。
internal(内部):用于内部网络。你可以基本上信任网络内的其他计算机不会威胁你的计算机。仅仅接受经过选择的连接。
trusted(信任):可接受所有的网络连接。
[root@lizhipenglinux01 ~]# firewall-cmd --get-zones 9个zone
block dmz drop external home internal public trusted work
[root@lizhipenglinux01 ~]# firewall-cmd --get-default-zones
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --get-default-zones 查看系统默认的zone
[root@lizhipenglinux01 ~]# firewall-cmd --get-default-zone
public
[root@lizhipenglinux01 ~]# firewall-cmd --set-default-zone=work
success
[root@lizhipenglinux01 ~]# firewall-cmd --get-default-zone
work
[root@lizhipenglinux01 ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
[root@lizhipenglinux01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@lizhipenglinux01 ~]# firewall-cmd --get-zone-of-interface=eno33554984
no zone
[root@lizhipenglinux01 ~]# cd /etc/sysconfig/network-scripts/
[root@lizhipenglinux01 network-scripts]# ls
ifcfg-eno16777736 ifdown-bnep ifdown-ipv6 ifdown-routes ifdown-tunnel ifup-eth ifup-isdn ifup-ppp ifup-TeamPort network-functions
ifcfg-eno16777736:0 ifdown-eth ifdown-isdn ifdown-sit ifup ifup-ib ifup-plip ifup-routes ifup-tunnel network-functions-ipv6
ifcfg-lo ifdown-ib ifdown-post ifdown-Team ifup-aliases ifup-ippp ifup-plusb ifup-sit ifup-wireless
ifdown ifdown-ippp ifdown-ppp ifdown-TeamPort ifup-bnep ifup-ipv6 ifup-post ifup-Team init.ipv6-global
[root@lizhipenglinux01 network-scripts]# cp ifcfg-eno16777736 ifcfg-eno33554984 拷贝配置
[root@lizhipenglinux01 network-scripts]# ls
ifcfg-eno16777736 ifdown ifdown-ippp ifdown-ppp ifdown-TeamPort ifup-bnep ifup-ipv6 ifup-post ifup-Team init.ipv6-global
ifcfg-eno16777736:0 ifdown-bnep ifdown-ipv6 ifdown-routes ifdown-tunnel ifup-eth ifup-isdn ifup-ppp ifup-TeamPort network-functions
ifcfg-eno33554984 ifdown-eth ifdown-isdn ifdown-sit ifup ifup-ib ifup-plip ifup-routes ifup-tunnel network-functions-ipv6
ifcfg-lo ifdown-ib ifdown-post ifdown-Team ifup-aliases ifup-ippp ifup-plusb ifup-sit ifup-wireless
[root@lizhipenglinux01 network-scripts]# vi ifcfg-eno33554984 编辑配置文件
[root@lizhipenglinux01 network-scripts]# systemctl restart firewalld 重启服务
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-zone-of-interface=eno33554984
no zone
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=dmz --add-interface=eno33554984 将网卡加入zone
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-zone-of-interface=eno33554984
dmz
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --add-interface=lo 将网卡加入zone
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=block --change-interface=eno33554984
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-zone-of-interface=eno33554984
block
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=block --remove-interface=eno33554984
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-zone-of-interface=eno33554984
no zone
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-active-zones
work
interfaces: eno16777736 eno33554984
public
interfaces: lo
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-service
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@lizhipenglinux01 network-scripts]# firewall-cmd --get-default-zone
work
[root@lizhipenglinux01 network-scripts]# firewall-cmd --list-service
dhcpv6-client ipp-client ssh
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=block --list-service
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=trusted --list-service
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --add-service=http 增加http
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client http ssh
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --add-service=ftp
success
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --list-service
dhcpv6-client ftp http ssh
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --add-service=ftp --permanent 写进了配置文件
success
[root@lizhipenglinux01 network-scripts]# ls /etc/firewalld/zones/ 配置文件在的地方
public.xml public.xml.old
[root@lizhipenglinux01 network-scripts]# cat /etc/firewalld/zones/public.xml 没有http,因为http没有permanent
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
[root@lizhipenglinux01 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent 增加http
success
[root@lizhipenglinux01 network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
[root@lizhipenglinux01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@lizhipenglinux01 ~]# vi /etc/firewalld/services/ftp.xml 21端口改成1121端口
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
[root@lizhipenglinux01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@lizhipenglinux01 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="ipp-client"/>
<service name="ftp"/>
</zone>
[root@lizhipenglinux01 ~]# firewall-cmd --reload 重新加载(从配置文件重新读取规则,未加 --permanent 的运行时规则会被清除)
success
[root@lizhipenglinux01 ~]# firewall-cmd --zone=work --list-service
ftp ipp-client ssh