七周五次课(1月26日) 10.19 iptables规则备份和恢复 10.20 firewalld的9个zone 10.21 firewalld关于zone的操作 10.22 firewalld关于service的操作
七周五次课(1月26日)
10.19 iptables规则备份和恢复
10.20 firewalld的9个zone
10.21 firewalld关于zone的操作
10.22 firewalld关于service的操作
===========================================================================================================================================================================================================================
[root@localhost ~]# ls
1.txt 234 aa.txt anaconda-ks.cfg.1 awk grep sed 新建文本文档_(2).txt
[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables-t nat -nvL
-bash: iptables-t: 未找到命令
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# systemctl disable iptables
[root@localhost ~]# systemctl stop iptables
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# system
systemctl systemd-detect-virt systemd-nspawn
systemd-analyze systemd-escape systemd-path
systemd-ask-password systemd-firstboot systemd-run
systemd-cat systemd-hwdb systemd-stdio-bridge
systemd-cgls systemd-inhibit systemd-sysv-convert
systemd-cgtop systemd-loginctl systemd-tmpfiles
systemd-coredumpctl systemd-machine-id-setup systemd-tty-ask-password-agent
systemd-delta systemd-notify
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15 1128 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 1104 bytes)
pkts bytes target prot opt in out source destination
8 1104 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
0 0 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 365 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 365 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
5 365 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 365 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 POST_public all -- * ens37 0.0.0.0/0 0.0.0.0/0 [goto]
5 365 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (3 references)
pkts bytes target prot opt in out source destination
5 365 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
5 365 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
5 365 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 PRE_public all -- ens37 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (3 references)
pkts bytes target prot opt in out source destination
0 0 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-default-zone
public
[root@localhost ~]# firewall-cmd --set-default-zone=work
success
[root@localhost ~]# firewall-cmd --get-default-zone
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@localhost ~]# firewall-cmd --get-active-zones
work
interfaces: ens33
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# ls /etc/firewalld/zones/public.xml
/etc/firewalld/zones/public.xml
[root@localhost ~]# cat !$
cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml
[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
================================================================================================================================================================================================================
Linux防火墙-firewalled
打开firewalld
。
systemctl disable iptables。
systemctl stop iptables。
systemctl enable firewalld
。
systemctl start firewalld
。
firewalld默认有9个zone。
默认zone为public
。
firewall-cmd --get-zones //查看所有zone。
firewall-cmd --get-default-zone//查看默认zone。
firewall-cmd --set-default-zone=work //设定默认zone
。
firewall-cmd --get-zone-of-interface=ens33 //查指定网卡
。
firewall-cmd --zone=public--add-interface=lo//给指定网卡设置zone 。
firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone
。
firewall-cmd --zone=dmz --remove-interface=lo //针对网卡删除zone 。
firewall-cmd --get-active-zones //查看系统所有网卡所在的zone
firewall-cmd --get-services 查看所有的servies
。
firewall-cmd --list-services //查看当前zone下有哪些service
。
firewall-cmd --zone=public --add-service=http //把http增加到public zone下面
。
firewall-cmd --zone=public --remove-service=http
ls /usr/lib/firewalld/zones/ //zone的配置文件模板
f
irewall-cmd --zone=public --add-service=http --permanent //更改配置文件,
之后会在/etc/firewalld/zones目录下面生成配置文件
需求:ftp服务自定义端口1121,需要在work zone下面放行ftp
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
vi /etc/firewalld/services/ftp.xml //把21改为1121
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
vi /etc/firewalld/zones/work.xml //增加一行
<service name="ftp"/>
firewall-cmd --reload //重新加载。
