iptables规则备份恢复，firewalld的9个zone

10月29日任务

10.19 iptables规则备份和恢复

10.20 firewalld的9个zone

10.21 firewalld关于zone的操作

10.22 firewalld关于service的操作

linux防火墙-netfilter

保存和备份iptables规则
service iptables save //会把规则保存到/etc/sysconfig/iptables
把iptables规则备份到my.ipt文件中
iptables-save > my.ipt
恢复刚才备份的规则
iptables-restore < my.ipt

linux防火墙-firewalled

打开firewalld
systemctl disable iptables
systemctl stop iptables
systemctl enable firewalld
systemctl start firewalld
firewalld默认有9个zone
默认zone为public
firewall-cmd --get-zones //查看所有zone
firewall-cmd --get-default-zone //查看默认zone

#关闭netfilter防火墙，开启firewalld防火墙。

[root@zgxlinux-01 ~]# systemctl disable iptables
[root@zgxlinux-01 ~]# systemctl stop iptables
[root@zgxlinux-01 ~]# system enable fierwalld
-bash: system: 未找到命令
[root@zgxlinux-01 ~]# systemctl enable fierwalld
Failed to execute operation: No such file or directory
[root@zgxlinux-01 ~]# systemctl enable firewalld
[root@zgxlinux-01 ~]# systemctl start firewalld
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1041 77178 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   83  7467 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   83  7467 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   83  7467 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   81  7323 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 4482  376K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4482  376K FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4482  376K FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   81  5892 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   81  5892 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   81  5892 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 321 packets, 37610 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  766 81456 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto] 
 4482  376K FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 4482  376K FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4482  376K FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4482  376K FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4401  370K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   81  5892 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   81  5892 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   81  5892 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   76  6001 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   83  7467 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   83  7467 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   83  7467 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

#查看firewalld的全部zone ,和查看默认的zone。

[root@zgxlinux-01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@zgxlinux-01 ~]# firewall-cmd --get-default-zone
public

10.21 firewalld关于zone的操作

firewall-cmd --set-default-zone=work //设定默认zone
firewall-cmd --get-zone-of-interface=ens33 //查指定网卡
firewall-cmd --zone=public --add-interface=lo //给指定网卡设置zone
firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone
firewall-cmd --zone=dmz --remove-interface=lo //针对网卡删除zone
firewall-cmd --get-active-zones //查看系统所有网卡所在的zone

10.22 firewalld关于service的操作

firewall-cmd --get-services 查看所有的services
firewall-cmd --list-services //查看当前zone有哪些service
firewall-cmd --zone=public --add-service=http //把http增加到public zone下面
firewall-cmd --zone=public --remove-service=http
ls /usr/lib/firewall/zones/ //zone的配置文件模板
firewall-cmd --zone=public --add-service=http --permanent //更改配置文件，之后会在/etc/firewalld/zones目录下面生成配置文件
需求：ftp服务自定义端口1121 ，需要在work zone下面放行ftp
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services

vi /etc/firewalld/services/ftp.xml //把21改为1121
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
vi /etc/firewalld/zones/work.xml //增加一行
<service name="ftp"/>
firewall-cmd --reload //重新加载
firewall-cmd --zone=work --list-services

来源：oschina

链接：https://my.oschina.net/u/3959708/blog/2253925

标签

FirewallD

iptables