10.19 Backing up and restoring iptables rules
[root@hyc-01-01 ~]# service iptables save    (save the current iptables rules)
This command writes the rules to /etc/sysconfig/iptables.
Back up the iptables rules to a file of your choice:
[root@hyc-01-01 ~]# iptables-save>/tmp/ipt.txt
This dumps the iptables rules into the file ipt.txt.
Restore the iptables rules from that backup file:
[root@hyc-01-01 ~]# iptables-restore</tmp/ipt.txt
Rules written to /etc/sysconfig/iptables are loaded automatically at boot; rules kept in any other backup file have to be loaded by hand with iptables-restore.
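Because a dump in /tmp is not loaded at boot, a practitioner will want to confirm after a reboot that the live rule set still matches the backup. The Python below is an added example, not code from the original notes: it parses the iptables-save format shown above (ignoring the timestamp comments and the [pkts:bytes] counters) and reports per-table drift between two dumps; BACKUP and LIVE are constructed samples.

```python
# Added example (not from the original notes): compare two iptables-save
# dumps so that a backup in /tmp can be checked against the live rule set.
import re

COUNTER = re.compile(r"\s*\[\d+:\d+\]$")  # "[pkts:bytes]" on chain policy lines

def parse_dump(text):
    """Map table name -> set of rule/policy lines, ignoring comments, COMMIT
    and packet counters so dumps taken at different times compare equal."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):           # "*filter", "*nat", ...
            current = line[1:]
            tables.setdefault(current, set())
            continue
        tables.setdefault(current, set()).add(COUNTER.sub("", line))
    return tables

def diff_dumps(backup, live):
    """Per table: rules in backup but not live ('missing'), and the reverse ('extra')."""
    b, l = parse_dump(backup), parse_dump(live)
    result = {}
    for table in sorted(set(b) | set(l)):
        missing = sorted(b.get(table, set()) - l.get(table, set()))
        extra = sorted(l.get(table, set()) - b.get(table, set()))
        if missing or extra:
            result[table] = {"missing": missing, "extra": extra}
    return result

# Constructed sample dumps: the backup allows 22/tcp, the live set 8080/tcp.
BACKUP = """# Generated by iptables-save v1.4.21 on Mon Jul  2 10:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:960]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
LIVE = BACKUP.replace("[12:960]", "[99:8000]").replace("--dport 22", "--dport 8080")

if __name__ == "__main__":
    print(diff_dumps(BACKUP, LIVE))
```

On a real host, feed it the backup file and the output of a fresh iptables-save instead of the constructed strings.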
10.20 The 9 zones of firewalld
[root@hyc-01-01 ~]# systemctl disable iptables    (disable the iptables service so it no longer starts at boot)
[root@hyc-01-01 ~]# systemctl stop iptables       (stop the iptables service)
[root@hyc-01-01 ~]# systemctl enable firewalld    (enable firewalld at boot)
[root@hyc-01-01 ~]# systemctl start firewalld     (start firewalld)
firewalld ships with 9 zones; the default zone is public.
Each zone is a rule set made up of multiple rules.
List all zones:
[root@hyc-01-01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Show the default zone:
[root@hyc-01-01 ~]# firewall-cmd --get-default-zone
public
Differences between the zones:
drop: every incoming packet is dropped without any reply; only outgoing connections are possible
(packets cannot come in but can go out; the most restrictive zone)
block: every incoming connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6
(the rejection is signalled with ICMP messages)
public: for use in public areas; you do not trust the other computers on the network not to harm your machine, and only selected incoming connections are accepted
(some packets are let through, others are restricted)
external: for use on external networks with masquerading enabled on the router; you do not trust the other computers on the network, and only selected incoming connections are accepted
dmz (demilitarized zone): for computers in a DMZ that are publicly accessible with limited access to the internal network; only selected incoming connections are accepted
work: for use in work areas; you mostly trust the other computers on the network not to harm your machine, and selected incoming connections are accepted
(typically a company intranet)
home: similar to work
internal: for use on internal networks; you mostly trust the other computers on the network not to harm your machine, and selected incoming connections are accepted
(typically not connected to the outside)
trusted: all network connections are accepted
(no restrictions at all)
10.21 Zone operations in firewalld
Set the default zone:
[root@hyc-01-01 ~]# firewall-cmd --set-default-zone=work
Error: COMMAND_FAILED
[root@hyc-01-01 ~]# firewall-cmd --set-default-zone=work
Warning: ZONE_ALREADY_SET: work
success
[root@hyc-01-01 ~]# firewall-cmd --get-default-zone
work
Zones can be managed per network interface.
Show the zone an interface belongs to:
[root@hyc-01-01 ~]# firewall-cmd --get-zone-of-interface=ens33
public
[root@hyc-01-01 ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
[root@hyc-01-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
The ens37 interface, which was added later, shows "no zone":
1 Copy the ens33 config to ens37, edit the new config file, and restart the network service
[root@hyc-01-01 ~]# cd /etc/sysconfig/network-scripts
[root@hyc-01-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@hyc-01-01 network-scripts]# vim ifcfg-ens37
[root@hyc-01-01 network-scripts]# systemctl restart network.service
2 Restart the firewalld service
[root@hyc-01-01 network-scripts]# systemctl restart firewalld
ens37 now uses the work zone:
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
work
This is how an interface without a zone gets one (it ends up in the default zone, here work).
Change an interface's zone:
[root@hyc-01-01 network-scripts]# firewall-cmd --zone=dmz --add-interface=ens37
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
The zone of ens37 is now dmz.
[root@hyc-01-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
The lo interface, which had no zone, is now in the public zone.
Change an interface's zone with --change-interface:
[root@hyc-01-01 network-scripts]# firewall-cmd --zone=block --change-interface=lo
success
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
block
Remove an interface from its zone:
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
block
[root@hyc-01-01 network-scripts]# firewall-cmd --zone=block --remove-interface=lo
success
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
The lo interface has been removed from its zone and is back to "no zone".
[root@hyc-01-01 network-scripts]# firewall-cmd --zone=dmz --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@hyc-01-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
work
[root@hyc-01-01 network-scripts]# firewall-cmd --get-default-zone
work
ens37 has been removed from its zone and falls back to the default zone.
Show the zones of all interfaces on the system:
[root@hyc-01-01 network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: ens33 ens37
block
  interfaces: lo
10.22 Service operations in firewalld
A service is a sub-unit under a zone; think of it as a named port (http uses port 80, https 8080, ssh 22, ...).
List all services known to the system:
[root@hyc-01-01 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp open*** ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
Show the services in the current default zone:
[root@hyc-01-01 ~]# firewall-cmd --list-services
ssh dhcpv6-client
[root@hyc-01-01 ~]# firewall-cmd --get-default-zone
work
Show the services in a given zone:
[root@hyc-01-01 ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client
Add a service to a zone (runtime only, not written to the configuration file):
[root@hyc-01-01 ~]# firewall-cmd --zone=public --add-service=http
success
[root@hyc-01-01 ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http
Write the added service into the zone's configuration file (--permanent):
[root@hyc-01-01 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@hyc-01-01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
Every time public.xml is modified, the previous version is backed up as public.xml.old.
Zones and services each have their own templates:
[root@hyc-01-01 ~]# ls /usr/lib/firewalld/zones
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[root@hyc-01-01 ~]# ls /usr/lib/firewalld/services
…
Requirement: change the ftp service port to 1121 and allow ftp in the work zone.
1 Copy the ftp service template to /etc/firewalld/services/
[root@hyc-01-01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
2 Change port 21 to 1121 in the copied service file
[root@hyc-01-01 ~]# vim /etc/firewalld/services/ftp.xml
3 Copy the template work.xml to /etc/firewalld/zones
[root@hyc-01-01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones
4 Add a line for the ftp service to /etc/firewalld/zones/work.xml
[root@hyc-01-01 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
5 Reload firewalld so the new files take effect
[root@hyc-01-01 ~]# firewall-cmd --reload
success
6 Check
[root@hyc-01-01 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
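The two manual vim edits above (step 2 and step 4) are easy to get wrong by hand, so here is an added example, not code from the original notes, that performs them on the firewalld XML in memory with Python's xml.etree and then reads back the zone's service whitelist. FTP_TEMPLATE and WORK_TEMPLATE are constructed approximations of the template files, not verbatim copies.

```python
# Added example (not from the original notes): do steps 2 and 4 of the ftp
# procedure on firewalld XML in memory, then check the zone's service list.
import xml.etree.ElementTree as ET

DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

def set_service_port(service_xml, old_port, new_port, protocol="tcp"):
    """Rewrite <port protocol=... port=old_port/> in a service definition."""
    root = ET.fromstring(service_xml.encode())
    hits = [p for p in root.iter("port")
            if p.get("protocol") == protocol and p.get("port") == old_port]
    if not hits:
        raise ValueError(f"no {protocol} port {old_port} in service definition")
    for p in hits:
        p.set("port", new_port)
    return DECL + ET.tostring(root, encoding="unicode")

def zone_services(zone_xml):
    """Names of the services a zone definition lets through (its whitelist)."""
    return [s.get("name") for s in ET.fromstring(zone_xml.encode()).iter("service")]

def add_service_to_zone(zone_xml, name):
    """Append <service name=.../> to a zone definition unless already present."""
    root = ET.fromstring(zone_xml.encode())
    if name not in [s.get("name") for s in root.iter("service")]:
        ET.SubElement(root, "service", name=name).tail = "\n"
    return DECL + ET.tostring(root, encoding="unicode")

# Constructed templates modelled on the files shown above, not verbatim copies.
FTP_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
"""
WORK_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

if __name__ == "__main__":
    # On a real host: write these to /etc/firewalld/services/ftp.xml and
    # /etc/firewalld/zones/work.xml, then run firewall-cmd --reload.
    print(set_service_port(FTP_TEMPLATE, "21", "1121"))
    print(add_service_to_zone(WORK_TEMPLATE, "ftp"))
```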
A zone is a collection of firewall rules; each zone translates into multiple iptables rules.
Each zone has services, and those services act as the whitelist of traffic the zone lets through.
Reposted from: https://blog.51cto.com/12216458/2145078