2019独角兽企业重金招聘Python工程师标准>>>
10.19 iptables规则备份和恢复
service iptables save //保存规则
保存路径 /etc/sysconfig/iptables/
备份规则
i[root@aminglinux-02 ~]# iptables-save > /tmp/ipt.txt
[root@aminglinux-02 ~]# cat !$
cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Mon Aug 14 00:29:03 2017
*filter //表的名字
:INPUT ACCEPT [1022:93300]
:FORWARD ACCEPT [162:21653]
:OUTPUT ACCEPT [483:49451]
COMMIT
# Completed on Mon Aug 14 00:29:03 2017
# Generated by iptables-save v1.4.21 on Mon Aug 14 00:29:03 2017
*nat //表的名字
:PREROUTING ACCEPT [57:10688]
:INPUT ACCEPT [40:8784]
:OUTPUT ACCEPT [140:10652]
:POSTROUTING ACCEPT [142:10756]
-A PREROUTING -d 192.168.133.131/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.133.131
COMMIT
# Completed on Mon Aug 14 00:29:03 2017
恢复规则
为了方便对比,先清除所有规则
[root@aminglinux-02 ~]# iptables -t nat -F
[root@aminglinux-02 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
恢复规则
[root@aminglinux-02 ~]# iptables-restore < /tmp/ipt.txt
[root@aminglinux-02 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.133.131 tcp dpt:1122 to:192.168.100.100:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.133.131
==备份的规则,仅用于恢复备份,如果想重启或者开机直接生效,还是 service iptables save 比较好==
10.20 firewalld的9个zone
因为之前学习netfilter 的机制,所以关掉了firewalld开启了netfilter ,现在需要重新开启
systemctl disable iptables //关闭 iptables
systemctl stop iptables //停止开机启动 iptables
systemctl enable firewalld //开启 firewalld 服务
systemctl start firewalld // 启动 firewalld 服务
[root@aminglinux-02 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@aminglinux-02 ~]# systemctl stop iptables
[root@aminglinux-02 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@aminglinux-02 ~]# systemctl start firewalld
查看 firewalld 机制下 iptables 表
[root@aminglinux-02 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
36 2704 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 27 packets, 2360 bytes)
pkts bytes target prot opt in out source destination
27 2360 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens34 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- ens32 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens34 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * ens32 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (3 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_public all -- ens34 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- ens32 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (3 references)
pkts bytes target prot opt in out source destination
0 0 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
firewalld 默认有9个zone ,zone 是firewalld的一个单位(区) 默认zone为public;每个zone就等同于一个规则集,规则集里会自带一些规则 查看所有zone
[root@aminglinux-02 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
可以查看到9个zone:work、drop、internal、external、trusted、home、dmz、public、block
- drop (丢弃):任何流入网络的包都被丢弃,不作出任何响应。只允许流出的网络连接。 //最安全的,只允许出去不允许进来
- block (限制):任何进入的网络连接都被拒绝,并返回 IPv4 的 icmp-host-prohibited 报文或者 IPv6 的 icmp6-adm-prohibited 报文。只允许由该系统初始化的网络连接。 //比drop略微宽松
- public (公开):用以可以公开的部分。你认为网络中其他的计算机不可信并且可能伤害你的计算机。只允许选中的连接接入。 //在public里,我们只会有一些数据包是放行的,一些数据包是被禁掉的
- external (外部):用在路由器等启用伪装的外部网络。你认为网络中其他的计算机不可信并且可能伤害你的计算机。只允许选中的连接接入。 //适用于路由器
- dmz (隔离区):用以允许隔离区(dmz)中的电脑有限地被外界网络访问。只接受被选中的连接。
- work (工作):用在工作网络。你信任网络中的大多数计算机不会影响你的计算机。只接受被选中的连接。
- home (家庭):用在家庭网络。你信任网络中的大多数计算机不会影响你的计算机。只接受被选中的连接。
- internal (内部):用在内部网络。你信任网络中的大多数计算机不会影响你的计算机。只接受被选中的连接。
- trusted (受信任的):允许所有网络连接。
查看默认zone
[root@aminglinux-02 ~]# firewall-cmd --get-default-zone
public
10.21 firewalld关于zone的操作
设定默认zone
[root@aminglinux-02 ~]# firewall-cmd --set-default-zone=work
success
查看当前的默认zone
[root@aminglinux-02 ~]# firewall-cmd --get-default-zone
work
查指定网卡的默认zone
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=ens32
work
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=ens34
work
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
如果新增的网卡没有zone,只需要为对应的网卡,新增一个对应的网卡配置,且重启网络服务,重新加载一下firewalld服务,即可;如果还是没有就对网卡增加指定的zone
给指定网卡设置zone
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@aminglinux-02 ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
public
针对网卡更改zone
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
public
[root@aminglinux-02 ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
dmz
针对网卡删除zone
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@aminglinux-02 ~]# firewall-cmd --zone=dmz --remove-interface=lo
success
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
查看系统所有网卡所在的zone
[root@aminglinux-02 ~]# firewall-cmd --get-active-zones
work
interfaces: ens32 ens34
[root@aminglinux-02 ~]# firewall-cmd --zone=dmz --change-interface=lo
success
[root@aminglinux-02 ~]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@aminglinux-02 ~]# firewall-cmd --get-active-zones
dmz
interfaces: lo
work
interfaces: ens32 ens34
10.22 firewalld关于service的操作
service 就是zone 下面的一个子单元,可以理解为一个指定的端口,因为防火墙,无外乎就是针对一个端口进行操作
firewall-cmd --get-services 查看所有的servies
[root@aminglinux-02 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
查看当前默认的zone
[root@aminglinux-02 ~]# firewall-cmd --get-default-zone
public
查看当前zone下有哪些service
[root@aminglinux-02 ~]# firewall-cmd --list-service
dhcpv6-client ssh
查看指定的zone的service
[root@aminglinux-02 ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client
把http增加到public zone下面
[root@aminglinux-02 ~]# firewall-cmd --zone=public --add-service=http
success
[root@aminglinux-02 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
==以上的操作,仅仅保存在内存里面而已,重启之后将不会生效==
需要加多一段 “--permanent ”,才会对当前这条配置进行保存
[root@aminglinux-02 ~]# firewall-cmd --zone=public --add-service=https --permanent
success
配置保存路径
/etc/firewalld/zones/
[root@aminglinux-02 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="https"/>
</zone>
/etc/firewalld/zones/ 这个路径下,是服务用到的配置文件,每当做了一个保存之后,都会在路径下生成一oldjiewei后缀结尾的文件,这个文件的用途就是对旧的配置进行一个备份
[root@aminglinux-02 ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
firewalld的service,zone都会有相关的配置模板,配置模板存放/usr/lib/firewalld/这个路径下,对应的目录内,是service还是zone又或者其他的
[root@aminglinux-02 ~]# ls /usr/lib/firewalld/
icmptypes ipsets services xmlschema zones
zone的模板
[root@aminglinux-02 ~]# ls /usr/lib/firewalld/zones
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
service的模板
[root@aminglinux-02 ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldaps.xml iscsi-target.xml mysql.xml proxy-dhcp.xml smtp.xml tor-socks.xml
amanda-k5-client.xml freeipa-ldap.xml kadmin.xml nfs.xml ptp.xml snmptrap.xml transmission-client.xml
bacula-client.xml freeipa-replication.xml kerberos.xml ntp.xml pulseaudio.xml snmp.xml vdsm.xml
bacula.xml ftp.xml kpasswd.xml openvpn.xml puppetmaster.xml squid.xml vnc-server.xml
ceph-mon.xml high-availability.xml ldaps.xml pmcd.xml radius.xml ssh.xml wbem-https.xml
ceph.xml https.xml ldap.xml pmproxy.xml RH-Satellite-6.xml synergy.xml xmpp-bosh.xml
dhcpv6-client.xml http.xml libvirt-tls.xml pmwebapis.xml rpc-bind.xml syslog-tls.xml xmpp-client.xml
dhcpv6.xml imaps.xml libvirt.xml pmwebapi.xml rsyncd.xml syslog.xml xmpp-local.xml
dhcp.xml imap.xml mdns.xml pop3s.xml samba-client.xml telnet.xml xmpp-server.xml
dns.xml ipp-client.xml mosh.xml pop3.xml samba.xml tftp-client.xml
docker-registry.xml ipp.xml mountd.xml postgresql.xml sane.xml tftp.xml
dropbox-lansync.xml ipsec.xml ms-wbt.xml privoxy.xml smtps.xml tinc.xml
需求:
将ftp的端口自定义为1121,在work 区下放行ftp的数据包
解决办法:
拷贝ftp配置文件模板
[root@aminglinux-02 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
编辑配置文件内容
[root@aminglinux-02 ~]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need thevsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/> //port=21更改为port=1121
<module name="nf_conntrack_ftp"/>
</service>
拷贝work区的模板
[root@aminglinux-02 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones
编辑配置文件内容
[root@aminglinux-02 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections areaccepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/> //新增一行
</zone>
重新加载服务
[root@aminglinux-02 ~]# firewall-cmd --reload
success
查看work区的服务,是否有新增
[root@aminglinux-02 ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
总结:
- firewalld服务,有两个角色,zone(区),service( 服务)
- zone,是一个规则集合,每个zone下面都会有一些对应的iptables规则,每个zone下面又有一些service;
- 如果有这个service,就是把这个service作为他的白名单,放行这个service
- 如果有新的需求,需要放行某个服务,我们就可以直接把这个服务增加到他的配置文件里面在重新加载即可
- service 也是可以自定义的,自定端口号