Linux study lesson 35

Contents

1 Backing up and restoring iptables rules

2 The 9 zones of firewalld

3 firewalld zone operations

4 firewalld service operations


1 Backing up and restoring iptables rules

Saving and backing up iptables rules

  • service iptables save //saves the current rules to /etc/sysconfig/iptables
[root@worker1 ~]# iptables -A INPUT -s 1.1.1.1 -j DROP
[root@worker1 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@worker1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@worker1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Oct 22 17:17:46 2018
*filter
:INPUT ACCEPT [11:764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1284]
-A INPUT -s 1.1.1.1/32 -j DROP
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
COMMIT
# Completed on Mon Oct 22 17:17:46 2018
  • Back up the iptables rules to the file my.ipt: iptables-save > my.ipt
[root@worker1 ~]# iptables-save > my.ipt
[root@worker1 ~]# ls
anaconda-ks.cfg  dir1  dir6  dir8  dir9  my.ipt  shell
  • Restore the rules just backed up: iptables-restore < my.ipt
[root@worker1 ~]# iptables -F
[root@worker1 ~]# iptables -Z
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target     prot opt in     out     source               destination  
[root@worker1 ~]# iptables-restore < my.ipt
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 958 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       1.1.1.1              0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 696 bytes)
pkts bytes target     prot opt in     out     source               destination
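As an added example (not part of the original lesson), the POSIX shell functions below treat an iptables-save dump as plain text: they check that a backup such as my.ipt is a complete dump before it is handed to iptables-restore, compare two dumps while ignoring packet counters and timestamps, and list the DROP/REJECT rules for review. SAMPLE_DUMP is a constructed copy of the /etc/sysconfig/iptables content shown above; the function names and restore_checked are my own and not part of iptables.

```shell
#!/bin/sh
# Added example: treat iptables-save dumps as text so a backup can be
# checked and compared without touching the live ruleset.
# SAMPLE_DUMP is constructed to mirror the /etc/sysconfig/iptables shown above.

SAMPLE_DUMP='# Generated by iptables-save v1.4.21 on Mon Oct 22 17:17:46 2018
*filter
:INPUT ACCEPT [11:764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1284]
-A INPUT -s 1.1.1.1/32 -j DROP
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
COMMIT
# Completed on Mon Oct 22 17:17:46 2018'

# normalize_dump DUMP: drop the timestamp comments and the [pkts:bytes]
# counters after each chain policy, leaving only what defines the rules.
normalize_dump() {
    printf '%s\n' "$1" | sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# count_rules DUMP: number of appended (-A) rules in the dump.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# dump_is_complete DUMP: every table header (*filter, *nat, ...) must be
# closed by a COMMIT line. iptables-restore rejects a truncated file and
# keeps the old rules, so a backup should be checked before relying on it.
dump_is_complete() {
    tables=$(printf '%s\n' "$1" | grep -c '^\*' || true)
    commits=$(printf '%s\n' "$1" | grep -c '^COMMIT$' || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# rules_match DUMP_A DUMP_B: succeed when both dumps define the same chains,
# policies and rules, ignoring counters and timestamps. Comparing the live
# ruleset with the last backup this way shows whether rules have drifted.
rules_match() {
    a=$(normalize_dump "$1" | sort)
    b=$(normalize_dump "$2" | sort)
    [ "$a" = "$b" ]
}

# drop_rules DUMP: list only the DROP and REJECT rules, the lines worth
# reviewing before a backup is restored.
drop_rules() {
    printf '%s\n' "$1" | grep -E -- '-j (DROP|REJECT)' || true
}

# restore_checked FILE: refuse to restore a file that is not a complete dump.
# Needs root and iptables; the embedded sample never calls it.
restore_checked() {
    dump=$(cat "$1") || return 1
    dump_is_complete "$dump" || { echo "$1: incomplete dump, not restoring" >&2; return 1; }
    iptables-restore < "$1"
}

# Stand-alone run: report on the constructed sample.
echo "rules in sample: $(count_rules "$SAMPLE_DUMP")"
dump_is_complete "$SAMPLE_DUMP" && echo "sample dump is complete"
```

On a real host, `rules_match "$(iptables-save)" "$(cat my.ipt)"` tells you whether the live rules still match the last backup, and `restore_checked my.ipt` restores only a dump that parsed as complete.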

2 The 9 zones of firewalld

firewalld has two basic concepts, zone and service. Each zone contains its own set of iptables rules; there are 9 zones by default, and the default zone on CentOS 7 is public.

  • Switch to firewalld: first stop iptables from starting at boot
[root@worker1 ~]# systemctl disable iptables
  • Stop the iptables service
[root@worker1 ~]# systemctl stop iptables
  • Enable firewalld at boot
[root@worker1 ~]# systemctl enable firewalld
  • Start the firewalld service
[root@worker1 ~]# systemctl start firewalld

firewalld has 9 zones by default; the default zone is public.

  • firewall-cmd --get-zones //list all zones
[root@worker1 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
  • firewall-cmd --get-default-zone //show the default zone
[root@worker1 ~]# firewall-cmd --get-default-zone
public

drop (discard): any incoming network packet is dropped without any reply. Only outgoing network connections are possible.

block (restrict): any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.

public (public): for use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external (external): for external networks, in particular with masquerading enabled on a router. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone): for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.

work (work): for use in work areas. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home (home): for use in home networks. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

internal (internal): for use in internal networks. You can mostly trust the other computers on the network not to threaten your computer; only selected incoming connections are accepted.

trusted (trusted): all network connections are accepted.

3 firewalld zone operations

[root@worker1 network-scripts]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.139.100  netmask 255.255.255.0  broadcast 192.168.139.255
        inet6 fe80::20c:29ff:fee5:56b1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:e5:56:b1  txqueuelen 1000  (Ethernet)
        RX packets 737525  bytes 891189534 (849.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 237747  bytes 14741386 (14.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.139.150  netmask 255.255.255.0  broadcast 192.168.139.255
        ether 00:0c:29:e5:56:b1  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • firewall-cmd --set-default-zone=work //set the default zone
[root@worker1 network-scripts]# firewall-cmd --set-default-zone=work
success
  • firewall-cmd --get-zone-of-interface=ens33 //show which zone a given interface is in
[root@worker1 network-scripts]# firewall-cmd --get-zone-of-interface=eno16777736
work
  • firewall-cmd --zone=public --add-interface=lo //assign a given interface to a zone
[root@worker1 network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[root@worker1 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
  • firewall-cmd --zone=dmz --change-interface=lo //change the zone of an interface
[root@worker1 network-scripts]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@worker1 network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
  • firewall-cmd --zone=dmz --remove-interface=lo //remove an interface from a zone
[root@worker1 network-scripts]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@worker1 network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
  • firewall-cmd --get-active-zones //show which zone each interface on the system is in
[root@worker1 network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: eno16777736 eno16777736:0

4 firewalld service operations

  • firewall-cmd --get-services //list all predefined services
[root@worker1 network-scripts]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
  • firewall-cmd --list-services //list the services allowed in the current zone
[root@worker1 network-scripts]# firewall-cmd --list-services
dhcpv6-client ipp-client ssh
  • firewall-cmd --zone=public --list-services //list the services allowed in the public zone
[root@worker1 network-scripts]# firewall-cmd --zone=public--list-services
success
  • firewall-cmd --zone=public --add-service=http //add http to the public zone
[root@worker1 network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@worker1 network-scripts]# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
  • firewall-cmd --zone=public --remove-service=http //remove http from the public zone
[root@worker1 network-scripts]# firewall-cmd --zone=public --remove-service=http
success
[root@worker1 network-scripts]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
  • ls /usr/lib/firewalld/zones/ //zone configuration file templates
[root@worker1 network-scripts]# ls /usr/lib/firewalld/zones/
block.xml     drop.xml      home.xml      public.xml    work.xml      
dmz.xml       external.xml  internal.xml  trusted.xml
  • firewall-cmd --zone=public --add-service=http --permanent //changes the saved configuration; afterwards a config file is generated under /etc/firewalld/zones
[root@worker1 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@worker1 network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>

Requirement: the ftp service runs on custom port 1121, and ftp must be allowed through in the work zone.

  • cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services //copy the service template; files in /etc/firewalld/services override the packaged ones in /usr/lib/firewalld/services
[root@worker1 network-scripts]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
  • vi /etc/firewalld/services/ftp.xml //change 21 to 1121 (the file must stay valid XML: use <!-- --> for comments, never #)
[root@worker1 network-scripts]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <!-- original line: <port protocol="tcp" port="21"/> -->
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
  • cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/ //copy the zone template so the packaged file stays untouched
[root@worker1 network-scripts]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
  • vi /etc/firewalld/zones/work.xml //add the line <service name="ftp"/>
[root@worker1 network-scripts]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="ipp-client"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/> <!-- added line -->
</zone>
  • firewall-cmd --reload //reload the configuration so the change takes effect
[root@worker1 network-scripts]# firewall-cmd --reload
success
  • firewall-cmd --zone=work --list-services //confirm ftp is now allowed in the work zone
[root@worker1 network-scripts]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh
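The custom-port procedure above, as an added shell example (not the original post's code and not firewalld's own tooling): the directory variables default to the paths used on the page, FTP_TEMPLATE and WORK_TEMPLATE are constructed copies of the two XML files shown, and demo_custom_ftp runs the steps in a scratch directory so they can be tried without root. The checks it adds (the port must be a number in range, the service must be defined before a zone references it, the <service> line is added only once, and the packaged files are never edited in place) guard against a reload that fails on a malformed or inconsistent file.

```shell
#!/bin/sh
# Added example: the custom-port ftp procedure as file edits that can be
# checked before `firewall-cmd --reload` makes them live. Directory
# variables default to the firewalld paths used above; FTP_TEMPLATE and
# WORK_TEMPLATE are constructed copies of the two XML files shown.

SERVICES_TEMPLATE_DIR=${SERVICES_TEMPLATE_DIR:-/usr/lib/firewalld/services}
SERVICES_DIR=${SERVICES_DIR:-/etc/firewalld/services}
ZONES_TEMPLATE_DIR=${ZONES_TEMPLATE_DIR:-/usr/lib/firewalld/zones}
ZONES_DIR=${ZONES_DIR:-/etc/firewalld/zones}

FTP_TEMPLATE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>'

WORK_TEMPLATE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas.</description>
  <service name="ssh"/>
  <service name="ipp-client"/>
  <service name="dhcpv6-client"/>
</zone>'

# service_ports FILE: print protocol/port for each <port> entry in a service file.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\1\/\2/p' "$1"
}

# zone_services FILE: print the service names a zone file enables.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# make_custom_service NAME OLD_PORT NEW_PORT: copy the packaged definition
# into SERVICES_DIR (which overrides SERVICES_TEMPLATE_DIR) with the port
# changed. Rejects non-numeric or out-of-range ports, never clobbers an
# existing custom file, and verifies the new port is really in the result.
make_custom_service() {
    name=$1; old=$2; new=$3
    src="$SERVICES_TEMPLATE_DIR/$name.xml"
    dst="$SERVICES_DIR/$name.xml"
    case $new in
        ''|*[!0-9]*) echo "port must be numeric: '$new'" >&2; return 1 ;;
    esac
    [ "$new" -ge 1 ] && [ "$new" -le 65535 ] || { echo "port out of range: $new" >&2; return 1; }
    [ -f "$src" ] || { echo "no packaged service at $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists, edit it instead" >&2; return 1; }
    sed "s/port=\"$old\"/port=\"$new\"/" "$src" > "$dst" || return 1
    service_ports "$dst" | grep -q "/$new"'$' \
        || { rm -f "$dst"; echo "port $old not found in $src, nothing changed" >&2; return 1; }
}

# enable_service_in_zone ZONE SERVICE: create the ZONES_DIR override from the
# packaged zone if none exists and add <service name="..."/> exactly once.
# A zone that names an undefined service cannot load, so that is checked first.
enable_service_in_zone() {
    zone=$1; svc=$2
    zfile="$ZONES_DIR/$zone.xml"
    [ -f "$SERVICES_DIR/$svc.xml" ] || [ -f "$SERVICES_TEMPLATE_DIR/$svc.xml" ] \
        || { echo "service $svc is not defined" >&2; return 1; }
    [ -f "$zfile" ] || cp "$ZONES_TEMPLATE_DIR/$zone.xml" "$zfile" || return 1
    zone_services "$zfile" | grep -qx "$svc" && return 0   # already enabled, nothing to do
    tmp=$(mktemp) || return 1
    awk -v svc="$svc" '/^<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
        "$zfile" > "$tmp" && mv "$tmp" "$zfile"
}

# demo_custom_ftp: run the whole procedure on a scratch copy of the constructed
# templates (left in place for inspection) and print the ftp port followed by
# the work zone's services. With the real paths, follow it with firewall-cmd --reload.
demo_custom_ftp() {
    scratch=$(mktemp -d) || return 1
    SERVICES_TEMPLATE_DIR=$scratch/lib/services; SERVICES_DIR=$scratch/etc/services
    ZONES_TEMPLATE_DIR=$scratch/lib/zones;       ZONES_DIR=$scratch/etc/zones
    mkdir -p "$SERVICES_TEMPLATE_DIR" "$SERVICES_DIR" "$ZONES_TEMPLATE_DIR" "$ZONES_DIR" || return 1
    printf '%s\n' "$FTP_TEMPLATE" > "$SERVICES_TEMPLATE_DIR/ftp.xml"
    printf '%s\n' "$WORK_TEMPLATE" > "$ZONES_TEMPLATE_DIR/work.xml"
    make_custom_service ftp 21 1121 || return 1
    enable_service_in_zone work ftp || return 1
    enable_service_in_zone work ftp || return 1   # repeat must not add a duplicate line
    service_ports "$SERVICES_DIR/ftp.xml"
    set -- $(zone_services "$ZONES_DIR/work.xml" | sort)   # word-split on purpose
    echo "$*"
}

# Stand-alone run: exercise the procedure in a scratch directory.
demo_custom_ftp
```

Run as-is, the script prints `tcp/1121` and `dhcpv6-client ftp ipp-client ssh`, the same service list the lesson gets from `firewall-cmd --zone=work --list-services`. To apply the change on a CentOS 7 host, leave the directory variables at their defaults, call `make_custom_service ftp 21 1121` and `enable_service_in_zone work ftp` as root, then run `firewall-cmd --reload`.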