Week 7, Session 5 (January 26)
10.19 Backing up and restoring iptables rules
10.20 The 9 firewalld zones
10.21 firewalld zone operations
10.22 firewalld service operations
10.19 Backing up and restoring iptables rules
- Saving and backing up iptables rules
- service iptables save //saves the current rules to /etc/sysconfig/iptables (needs the iptables-services package; this is the file the iptables service loads at boot)
- Back up the iptables rules to the file my.ipt
- iptables-save > my.ipt
- Restore the rules that were just backed up
- iptables-restore < my.ipt
Saving iptables rules to a different file
- service iptables save writes the rules to the config file /etc/sysconfig/iptables
- Requirement:
- If you do not want to save to that config file, save the rules to another file instead
- Redirect the output of iptables-save to /tmp/ipt.txt; the file name is arbitrary
[root@tianqi-01 ~]# iptables-save > /tmp/ipt.txt
[root@tianqi-01 ~]# cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Fri Jan 26 22:43:05 2018
*filter
:INPUT ACCEPT [322:26883]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [267:28796]
COMMIT
# Completed on Fri Jan 26 22:43:05 2018
# Generated by iptables-save v1.4.21 on Fri Jan 26 22:43:05 2018
*nat
:PREROUTING ACCEPT [2:458]
:INPUT ACCEPT [2:458]
:OUTPUT ACCEPT [2:656]
:POSTROUTING ACCEPT [2:656]
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
COMMIT
# Completed on Fri Jan 26 22:43:05 2018
Only the nat table has rules. The filter table is empty and all three of its chain policies are ACCEPT, so at this point the host is not filtering any traffic at all
[root@tianqi-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 379 packets, 30811 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 302 packets, 32472 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 ~]#
Restoring the rules just backed up
- First flush the nat table: iptables -t nat -F
- iptables -t nat -nvL then shows that the rules are gone
- Now restore the backup: iptables-restore < /tmp/ipt.txt
- Running iptables -t nat -nvL again shows that the flushed rule is back
- A backup file is only used when restoring. If rules should be loaded automatically after a reboot, put them in /etc/sysconfig/iptables, which is what service iptables save writes and what the iptables service reads at boot
- Note that iptables-restore flushes every table listed in the file before loading it, so a restore replaces the current rules in those tables rather than appending to them; use iptables-restore -n (--noflush) if you only want to add rules
[root@tianqi-01 ~]# iptables -t nat -F
[root@tianqi-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 ~]# iptables-restore < /tmp/ipt.txt
[root@tianqi-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
[root@tianqi-01 ~]#
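The backup and restore commands above are the building blocks; what a practitioner wants on a remote host is a script that backs up the whole ruleset before a change, refuses to load a malformed dump, and rolls back automatically if the new rules cut off the SSH session. The following is an added example written for this page (not code from the course or from the iptables project). It assumes iptables-save and iptables-restore are on PATH and that it runs as root; the IPT_SAVE, IPT_RESTORE and BACKUP_DIR variables and the confirm-file convention are this script's own, chosen so the commands can be stubbed out for offline testing.

```shell
#!/bin/sh
# Added example: backup, validate and apply an iptables ruleset with automatic rollback.
# IPT_SAVE / IPT_RESTORE default to the real tools; override them with stubs for testing.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/iptables}"   # assumed location, not from the page

# ipt_backup: dump every table, with packet/byte counters (-c), to a timestamped file
# and print that file name.
ipt_backup() {
    mkdir -p "$BACKUP_DIR" || return 1
    bk_file="$BACKUP_DIR/rules.$(date +%Y%m%d-%H%M%S).ipt"
    $IPT_SAVE -c > "$bk_file" || return 1
    printf '%s\n' "$bk_file"
}

# ipt_check FILE: sanity-check a dump before loading it. Every "*table" block must end in
# COMMIT (iptables-save's own format, see the dump above), and iptables-restore --test
# must be able to parse it without committing anything.
ipt_check() {
    ck_file="$1"
    [ -r "$ck_file" ] || return 1
    ck_tables=$(grep -c '^\*' "$ck_file" || true)
    ck_commits=$(grep -c '^COMMIT' "$ck_file" || true)
    [ "$ck_tables" -gt 0 ] && [ "$ck_tables" -eq "$ck_commits" ] || return 1
    $IPT_RESTORE --test < "$ck_file"
}

# ipt_apply_with_rollback NEWFILE [SECONDS] [CONFIRM_FILE]:
# back up the current rules, load NEWFILE, then wait SECONDS for the operator to create
# CONFIRM_FILE (e.g. "touch /run/ipt-confirm" from a fresh SSH login). If it never appears,
# the new rules are assumed to have locked us out and the backup is restored.
ipt_apply_with_rollback() {
    new_file="$1"; wait_s="${2:-60}"; confirm="${3:-/run/ipt-confirm}"
    backup=$(ipt_backup) || return 1
    ipt_check "$new_file" || { echo "refusing to load $new_file: malformed" >&2; return 1; }
    rm -f "$confirm"
    $IPT_RESTORE < "$new_file" || return 1
    i=0
    while [ "$i" -lt "$wait_s" ]; do
        [ -e "$confirm" ] && { echo "change confirmed, keeping $new_file"; return 0; }
        sleep 1; i=$((i + 1))
    done
    echo "no confirmation within ${wait_s}s, rolling back to $backup" >&2
    $IPT_RESTORE -c < "$backup"   # -c restores the counters saved by ipt_backup
    return 2
}
```

Typical use is `ipt_apply_with_rollback /root/new-rules.ipt 90 /run/ipt-confirm` from one terminal, then `touch /run/ipt-confirm` from a second SSH session opened after the rules were loaded; if that second login fails, the timer restores the previous rules. The backup made by ipt_backup is the same format as /tmp/ipt.txt above and can be copied into /etc/sysconfig/iptables to make it the boot-time ruleset.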
10.20 The 9 firewalld zones
- Enable firewalld
- systemctl disable iptables
- systemctl stop iptables
- systemctl enable firewalld
- systemctl start firewalld
- firewalld has 9 zones by default
- The default zone is public
- firewall-cmd --get-zones //list all zones
- firewall-cmd --get-default-zone //show the default zone
How firewalld works
- Earlier we disabled firewalld and enabled iptables, so now we need to enable firewalld and disable iptables. Both services manage the same kernel netfilter rules and must not run at the same time
Enabling firewalld
[root@tianqi-01 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@tianqi-01 ~]# systemctl stop iptables
[root@tianqi-01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@tianqi-01 ~]# systemctl start firewalld
Now iptables -nvL and iptables -t nat -nvL show many extra chains: on CentOS 7 firewalld uses iptables as its backend and creates its own per-zone chains
- firewalld has 9 zones by default. A zone is firewalld's unit of configuration, and the public zone is used by default. Each zone is essentially a rule set
- A rule set is the set of rules that come with a zone, for example: this zone allows port 80, allows port 22 and blocks some other port
Listing all zones in firewalld
- firewall-cmd --get-zones //list all zones
[root@tianqi-01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Querying the default zone in firewalld
- firewall-cmd --get-default-zone //show the default zone
[root@tianqi-01 ~]# firewall-cmd --get-default-zone
public
10.21 firewalld zone operations
- firewall-cmd --set-default-zone=work //set the default zone
- firewall-cmd --get-zone-of-interface=ens33 //query the zone of a given interface
- firewall-cmd --zone=public --add-interface=lo //bind an interface to a zone
- firewall-cmd --zone=dmz --change-interface=lo //move an interface to a different zone
- firewall-cmd --zone=dmz --remove-interface=lo //unbind an interface from a zone
- firewall-cmd --get-active-zones //show which zone every interface belongs to
firewall-cmd: set the default zone
- firewall-cmd --set-default-zone=work //set the default zone
[root@tianqi-01 ~]# firewall-cmd --set-default-zone=work
success
[root@tianqi-01 ~]# firewall-cmd --get-default-zone
work
firewall-cmd: query the zone of an interface
- firewall-cmd --get-zone-of-interface=ens33 //query the zone of a given interface
[root@tianqi-01 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@tianqi-01 ~]# firewall-cmd --get-zone-of-interface=ens37
work
[root@tianqi-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
If a NIC added later, such as ens37, shows no zone, copy the ens33 interface config to a file named for ens37, edit it, restart the network service, then restart firewalld (systemctl restart firewalld) and query the zone of ens37 again
- If it still has no zone, assign ens37 a zone explicitly
- firewall-cmd --zone=public --add-interface=ens37 //bind the interface to a zone
[root@tianqi-01 ~]# firewall-cmd --get-zone-of-interface=ens33:0
no zone
[root@tianqi-01 ~]# cd /etc/sysconfig/network-scripts/
[root@tianqi-01 network-scripts]# ls
ifcfg-ens33 ifdown ifdown-isdn ifdown-Team ifup-bnep ifup-plip ifup-sit init.ipv6-global
ifcfg-ens33:0 ifdown-bnep ifdown-post ifdown-TeamPort ifup-eth ifup-plusb ifup-Team network-functions
ifcfg-ens37 ifdown-eth ifdown-ppp ifdown-tunnel ifup-ippp ifup-post ifup-TeamPort network-functions-ipv6
ifcfg-lo ifdown-ippp ifdown-routes ifup ifup-ipv6 ifup-ppp ifup-tunnel
ifcfg-Wired_connection_1 ifdown-ipv6 ifdown-sit ifup-aliases ifup-isdn ifup-routes ifup-wireless
[root@tianqi-01 network-scripts]# vim ifcfg-ens33:0
[root@tianqi-01 network-scripts]# systemctl restart network.service #restart the network service
[root@tianqi-01 network-scripts]# systemctl restart firewalld #restart firewalld
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens33:0
no zone # query the zone of ens33:0
[root@tianqi-01 network-scripts]# firewall-cmd --zone=work --add-interface=ens33:0
success #bind ens33:0 to the work zone
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens33:0
work # query the zone of ens33:0 again
firewall-cmd: bind an interface to a zone
- firewall-cmd --zone=public --add-interface=lo //bind an interface to a zone
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
firewall-cmd: move an interface to a different zone
- firewall-cmd --zone=dmz --change-interface=lo //move an interface to a different zone (use --change-interface when the interface is already bound somewhere; --add-interface against an interface that is already in another zone is rejected as a zone conflict)
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@tianqi-01 network-scripts]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
firewall-cmd: unbind an interface from a zone
- firewall-cmd --zone=block --remove-interface=ens33 //unbind the interface from the block zone
First bind ens33 to the block zone
[root@tianqi-01 network-scripts]# firewall-cmd --zone=block --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'block'.
success
Unbind ens33 from the block zone
[root@tianqi-01 network-scripts]# firewall-cmd --zone=block --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
success
[root@tianqi-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens33
work
- After remove, the interface falls back to the default zone. When I tried this myself, after removing it showed no zone, not the default zone!!!
- Both outcomes mean the same thing for traffic: for an interface managed by NetworkManager, firewalld writes the default zone into the connection profile (hence "setting zone to default" and work above); for an interface firewalld has no binding for, it reports no zone, and packets on an unbound interface are handled by the default zone anyway
firewall-cmd: show which zone every interface belongs to
- firewall-cmd --get-active-zones //show which zone every interface belongs to
[root@tianqi-01 network-scripts]# firewall-cmd --get-active-zones
dmz
interfaces: lo
work
interfaces: ens37 ens33:0 ens33
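The commands in this section answer one question at a time. When reviewing a host, the question is usually "which zone handles each interface, and is that zone safe?", which means resolving "no zone" to the default zone and reading the zone's allowed services. The script below is an added example for this page (not from the course or from the firewalld project); it assumes firewall-cmd is on PATH and that --get-active-zones prints the format shown above (an unindented zone name followed by an indented "interfaces:" line). The FWCMD variable and the WARN labels are this script's own conventions.

```shell
#!/bin/sh
# Added example: map every interface to the zone that handles its traffic and flag
# risky bindings. FWCMD can be pointed at a stub function for offline testing.
FWCMD="${FWCMD:-firewall-cmd}"

# fw_zone_of IFACE: the zone whose rules apply to IFACE. firewall-cmd prints "no zone"
# for an interface without an explicit binding; such traffic goes to the default zone.
fw_zone_of() {
    z=$($FWCMD --get-zone-of-interface="$1" 2>/dev/null)
    case "$z" in
        ""|"no zone") $FWCMD --get-default-zone ;;
        *) printf '%s\n' "$z" ;;
    esac
}

# fw_active_map: turn `firewall-cmd --get-active-zones` into "IFACE ZONE" lines.
# Zone names start at column 1; "interfaces:" lines are indented ("sources:" lines,
# which list addresses rather than interfaces, are ignored).
fw_active_map() {
    $FWCMD --get-active-zones 2>/dev/null | awk '
        /^[a-zA-Z]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }'
}

# fw_audit: one line per bound interface with its zone, allowed services and ports.
# WARN when the zone is "trusted" (accepts everything) or allows neither the ssh
# service nor 22/tcp (a remote admin can lock themselves out of that interface).
fw_audit() {
    fw_active_map | while read -r iface zone; do
        svcs=$($FWCMD --zone="$zone" --list-services 2>/dev/null)
        ports=$($FWCMD --zone="$zone" --list-ports 2>/dev/null)
        warn=""
        [ "$zone" = trusted ] && warn=" WARN:trusted-zone-accepts-all"
        case " $svcs " in
            *" ssh "*) ;;
            *) case " $ports " in
                   *" 22/tcp "*) ;;
                   *) warn="$warn WARN:no-ssh-allowed" ;;
               esac ;;
        esac
        printf '%s zone=%s services=[%s] ports=[%s]%s\n' "$iface" "$zone" "$svcs" "$ports" "$warn"
    done
}
```

Run `fw_audit` as root after binding or moving interfaces; a line such as `ens33 zone=block services=[] ports=[] WARN:no-ssh-allowed` is exactly the state produced by the --change-interface=ens33 step above, and is what you want to see before, not after, closing the console session.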
10.22 firewalld service operations
- firewall-cmd --get-services //list all known services
- firewall-cmd --list-services //list the services allowed in the current (default) zone
- firewall-cmd --zone=public --add-service=http //allow http in the public zone
- firewall-cmd --zone=public --remove-service=http //remove http from the public zone
- ls /usr/lib/firewalld/zones/ //zone config templates
- firewall-cmd --zone=public --add-service=http --permanent //changes the saved config; a config file is then generated under /etc/firewalld/zones
- Requirement: the ftp service uses the custom port 1121 and must be allowed in the work zone
- cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
- vi /etc/firewalld/services/ftp.xml //change 21 to 1121
- cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
- vi /etc/firewalld/zones/work.xml //add one line:
- <service name="ftp"/>
- firewall-cmd --reload //reload the config
- firewall-cmd --zone=work --list-services
firewall-cmd: list all services
- firewall-cmd --get-services //list all services (the trailing s can be omitted)
- A service is a sub-unit of a zone; think of it as a named port, or set of ports
- A firewall restricts access to ports. For example http uses port 80, https uses port 443 and ssh uses port 22
List all services known to the system
[root@tianqi-01 network-scripts]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@tianqi-01 network-scripts]# firewall-cmd --get-services
(identical output to --get-service above; the trailing s is optional)
firewall-cmd: list the services in the current zone (service with or without the trailing s)
- firewall-cmd --list-services //list the services allowed in the current zone
Check the current default zone
[root@tianqi-01 network-scripts]# firewall-cmd --get-default-zone
work
List the services in the current zone
[root@tianqi-01 network-scripts]# firewall-cmd --list-service
ssh dhcpv6-client
[root@tianqi-01 network-scripts]# firewall-cmd --list-services #(with or without the trailing s)
ssh dhcpv6-client
- List the services of a specific zone
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
firewall-cmd: allow the http service in the public zone
- firewall-cmd --zone=public --add-service=http #allow http in the public zone
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-service=http
success
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-service=ftp
success
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http ftp
So far the services have only been added to the zone in memory, the runtime configuration. To save them to the config file as well, append --permanent to the same command
- firewall-cmd --zone=public --add-service=http --permanent //changes the saved config; a config file is then generated under /etc/firewalld/zones
- Note that --permanent by itself changes only the file: the running firewall is unchanged until firewall-cmd --reload, and a reload also discards any runtime-only change that was never made permanent. For a change that should take effect now and survive reboots, run the command once without and once with --permanent (or, after testing runtime changes, firewall-cmd --runtime-to-permanent)
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@tianqi-01 network-scripts]# ls /etc/firewalld/zones/
public.xml public.xml.old #every time the config file is changed, the previous version is kept as a backup with the .old suffix
[root@tianqi-01 network-scripts]# cat /etc/firewalld/zones/public.xml #view the modified config file
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-service=http
Warning: ALREADY_ENABLED: 'http' already in 'public' #already present in the runtime config, but not yet made permanent
success
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@tianqi-01 network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
<service name="http"/>
</zone>
[root@tianqi-01 network-scripts]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http ftp
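The sequence above shows the trap: http was active in the public zone before it was made permanent, so a reload or reboot at that moment would have silently dropped it, while a service added only with --permanent is in the file but not yet enforced. The script below is an added example for this page (not from the course or from the firewalld project) that lists such differences for a zone; it assumes firewall-cmd is on PATH and uses a FWCMD variable of its own so the command can be stubbed for offline testing.

```shell
#!/bin/sh
# Added example: compare a zone's runtime and permanent configuration and make any
# service or port that exists in only one of them visible.
FWCMD="${FWCMD:-firewall-cmd}"

# fw_list ZONE WHAT [--permanent]: the words of `firewall-cmd [--permanent] --zone=ZONE
# --list-WHAT`, one per line and sorted so the two scopes can be compared.
fw_list() {
    zone=$1; what=$2; scope=$3
    $FWCMD $scope --zone="$zone" --list-"$what" 2>/dev/null | tr ' ' '\n' | sed '/^$/d' | sort
}

# fw_drift ZONE: print "runtime-only ..." for items that vanish on --reload or reboot and
# "permanent-only ..." for items in the file that are not enforced until --reload.
# Returns 1 when any drift was found, so it can gate a deployment step.
fw_drift() {
    zone=$1; rc=0
    for what in services ports; do
        run=$(fw_list "$zone" "$what")
        perm=$(fw_list "$zone" "$what" --permanent)
        for item in $run; do
            printf '%s\n' "$perm" | grep -qx "$item" || { echo "runtime-only $what $item"; rc=1; }
        done
        for item in $perm; do
            printf '%s\n' "$run" | grep -qx "$item" || { echo "permanent-only $what $item"; rc=1; }
        done
    done
    return $rc
}

# fw_allow ZONE SERVICE: the two-step idiom that avoids both kinds of drift, active now and
# persistent across reload/reboot.
fw_allow() {
    $FWCMD --zone="$1" --add-service="$2" >/dev/null &&
    $FWCMD --permanent --zone="$1" --add-service="$2" >/dev/null
}
```

Running `fw_drift public` at the point in the transcript just after `--add-service=ftp --permanent` would print `runtime-only services http`; after the later `--add-service=http --permanent` it prints nothing and exits 0.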
Zone config templates
- ls /usr/lib/firewalld/zones/ //zone config templates
- There are 9 templates, one per zone. A file of the same name under /etc/firewalld/zones overrides the template, which is why firewall-cmd --permanent writes there and never touches /usr/lib
[root@tianqi-01 network-scripts]# ls /usr/lib/firewalld/zones
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[root@tianqi-01 network-scripts]# ls /usr/lib/firewalld/services
amanda-client.xml dropbox-lansync.xml kadmin.xml nrpe.xml quassel.xml ssh.xml
amanda-k5-client.xml elasticsearch.xml kerberos.xml ntp.xml radius.xml synergy.xml
bacula-client.xml freeipa-ldaps.xml kibana.xml openvpn.xml RH-Satellite-6.xml syslog-tls.xml
bacula.xml freeipa-ldap.xml klogin.xml ovirt-imageio.xml rpc-bind.xml syslog.xml
bitcoin-rpc.xml freeipa-replication.xml kpasswd.xml ovirt-storageconsole.xml rsh.xml telnet.xml
bitcoin-testnet-rpc.xml freeipa-trust.xml kshell.xml ovirt-vmconsole.xml rsyncd.xml tftp-client.xml
bitcoin-testnet.xml ftp.xml ldaps.xml pmcd.xml samba-client.xml tftp.xml
bitcoin.xml ganglia-client.xml ldap.xml pmproxy.xml samba.xml tinc.xml
ceph-mon.xml ganglia-master.xml libvirt-tls.xml pmwebapis.xml sane.xml tor-socks.xml
ceph.xml high-availability.xml libvirt.xml pmwebapi.xml sips.xml transmission-client.xml
cfengine.xml https.xml managesieve.xml pop3s.xml sip.xml vdsm.xml
condor-collector.xml http.xml mdns.xml pop3.xml smtp-submission.xml vnc-server.xml
ctdb.xml imaps.xml mosh.xml postgresql.xml smtps.xml wbem-https.xml
dhcpv6-client.xml imap.xml mountd.xml privoxy.xml smtp.xml xmpp-bosh.xml
dhcpv6.xml ipp-client.xml mssql.xml proxy-dhcp.xml snmptrap.xml xmpp-client.xml
dhcp.xml ipp.xml ms-wbt.xml ptp.xml snmp.xml xmpp-local.xml
dns.xml ipsec.xml mysql.xml pulseaudio.xml spideroak-lansync.xml xmpp-server.xml
docker-registry.xml iscsi-target.xml nfs.xml puppetmaster.xml squid.xml
[root@tianqi-01 network-scripts]#
firewall-cmd: remove the http service from the public zone
- firewall-cmd --zone=public --remove-service=http
firewalld example
Requirement
- The ftp service uses the custom port 1121 and must be allowed in the work zone
Implementation
[root@tianqi-01 network-scripts]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@tianqi-01 network-scripts]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/> #change port 21 from the template to 1121
<module name="nf_conntrack_ftp"/>
</service>
Two caveats about this copy: because it keeps the name ftp.xml, it shadows the built-in ftp definition for every zone on the host, not only work, so any zone that later allows "ftp" opens 1121 instead of 21; give the copy a different name if the standard definition should stay available. And the nf_conntrack_ftp helper it loads only inspects port 21 unless the module is loaded with its ports= parameter set to 1121, so passive-mode data connections will not be tracked automatically on the custom port.
[root@tianqi-01 network-scripts]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones
[root@tianqi-01 network-scripts]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/> #add this line
</zone>
[root@tianqi-01 ~]# firewall-cmd --reload
success
[root@tianqi-01 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
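The example above edits a copied XML file by hand. As an added example for this page (not from the course or from the firewalld project), the script below does the same job under a new service name, so the built-in ftp definition is left intact, and includes a resolver that shows which file a service name actually maps to and which ports it opens, following the /etc-over-/usr/lib precedence that the copy relies on. It assumes the service file layout shown on this page (`<port protocol="..." port="..."/>` elements); the FW_ETC and FW_LIB variables are this script's own so the directories can be redirected for testing.

```shell
#!/bin/sh
# Added example: define a custom firewalld service under a new name and resolve
# service names to the effective file and port list.
FW_ETC="${FW_ETC:-/etc/firewalld/services}"
FW_LIB="${FW_LIB:-/usr/lib/firewalld/services}"

# fw_service_file NAME: the file firewalld will use. A file in /etc/firewalld/services
# shadows the template of the same name in /usr/lib/firewalld/services.
fw_service_file() {
    for d in "$FW_ETC" "$FW_LIB"; do
        [ -r "$d/$1.xml" ] && { printf '%s\n' "$d/$1.xml"; return 0; }
    done
    return 1
}

# fw_service_ports NAME: print PORT/PROTO for every <port .../> element of the effective file.
fw_service_ports() {
    f=$(fw_service_file "$1") || return 1
    grep '<port ' "$f" | while IFS= read -r line; do
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# xml_escape TEXT: escape the characters that would otherwise break the document.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# fw_write_service NAME SHORT DESCRIPTION PORT/PROTO...: write FW_ETC/NAME.xml in the
# same shape as the ftp.xml template above and print its path. No <module> line is
# emitted: a conntrack helper only makes sense when it knows about the custom port.
fw_write_service() {
    name=$1; short=$2; desc=$3; shift 3
    out="$FW_ETC/$name.xml"
    mkdir -p "$FW_ETC" || return 1
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for pp in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${pp#*/}" "${pp%/*}"
        done
        printf '</service>\n'
    } > "$out" || return 1
    printf '%s\n' "$out"
}
```

After `fw_write_service ftp-custom "FTP (custom port)" "FTP listening on 1121" 1121/tcp` as root, the remaining steps are `firewall-cmd --reload` (so firewalld reads the new file), `firewall-cmd --zone=work --add-service=ftp-custom --permanent` and a second --reload; `fw_service_ports ftp-custom` prints `1121/tcp`, while `fw_service_ports ftp` still prints `21/tcp` because the built-in template was not shadowed. The same result can be had without writing XML by hand via `firewall-cmd --permanent --new-service=ftp-custom` followed by `firewall-cmd --permanent --service=ftp-custom --add-port=1121/tcp`.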
Related link: 阿铭Linux