
Linux study: lesson 35

程序员文章站 2022-05-31 16:22:26

Contents

1 Backing up and restoring iptables rules

2 The 9 firewalld zones

3 firewalld zone operations

4 firewalld service operations


1 Backing up and restoring iptables rules

Saving and backing up iptables rules

  • service iptables save //saves the current rules to /etc/sysconfig/iptables
[[email protected] ~]# iptables -A INPUT -s 1.1.1.1 -j DROP
[[email protected] ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[[email protected] ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Oct 22 17:17:46 2018
*filter
:INPUT ACCEPT [11:764]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:1284]
-A INPUT -s 1.1.1.1/32 -j DROP
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
COMMIT
# Completed on Mon Oct 22 17:17:46 2018
  • Back up the iptables rules to the file my.ipt: iptables-save > my.ipt
[[email protected] ~]# iptables-save > my.ipt
[[email protected] ~]# ls
anaconda-ks.cfg  dir1  dir6  dir8  dir9  my.ipt  shell
  • Restore the rules that were just backed up: iptables-restore < my.ipt
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -Z
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
pkts bytes target     prot opt in     out     source               destination  
[[email protected] ~]# iptables-restore < my.ipt
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 958 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       1.1.1.1              0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6 packets, 696 bytes)
pkts bytes target     prot opt in     out     source               destination


2 The 9 firewalld zones

firewalld has two basic concepts, zone and service. Each zone contains a different set of iptables rules; there are 9 zones by default, and the default zone on CentOS 7 is public.

  • Switch to firewalld: first stop iptables from starting at boot
[[email protected] ~]# systemctl disable iptables
  • Stop the iptables service
[[email protected] ~]# systemctl stop iptables
  • Enable firewalld at boot
[[email protected] ~]# systemctl enable firewalld
  • Start the firewalld service
[[email protected] ~]# systemctl start firewalld

firewalld has 9 zones by default; the default zone is public

  • firewall-cmd --get-zones //list all zones
[[email protected] ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
  • firewall-cmd --get-default-zone //show the default zone
[[email protected] ~]# firewall-cmd --get-default-zone
public

drop (discard): Any incoming network packet is dropped without any reply. Only outgoing network connections are possible.

block (restrict): Any incoming network connection is rejected with an IPv4 icmp-host-prohibited message or an IPv6 icmp6-adm-prohibited message.

public (public): For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external (external): For use on external networks, especially where masquerading is enabled on a router. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone): For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.

work (work): For use in work areas. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home (home): For use in home networks. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

internal (internal): For use on internal networks. You can mostly trust the other computers on the network not to threaten your computer; only selected incoming connections are accepted.

trusted (trusted): All network connections are accepted.


3 firewalld zone operations

[[email protected] network-scripts]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.139.100  netmask 255.255.255.0  broadcast 192.168.139.255
        inet6 fe80::20c:29ff:fee5:56b1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:e5:56:b1  txqueuelen 1000  (Ethernet)
        RX packets 737525  bytes 891189534 (849.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 237747  bytes 14741386 (14.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.139.150  netmask 255.255.255.0  broadcast 192.168.139.255
        ether 00:0c:29:e5:56:b1  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • firewall-cmd --set-default-zone=work //set the default zone
[[email protected] network-scripts]# firewall-cmd --set-default-zone=work
success
  • firewall-cmd --get-zone-of-interface=ens33 //query the zone of a given interface
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=eno16777736
work
  • firewall-cmd --zone=public --add-interface=lo //assign a zone to the given interface
[[email protected] network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
  • firewall-cmd --zone=dmz --change-interface=lo //change the zone of an interface
[[email protected] network-scripts]# firewall-cmd --zone=dmz --change-interface=lo
success
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
  • firewall-cmd --zone=dmz --remove-interface=lo //remove the interface from its zone
[[email protected] network-scripts]# firewall-cmd --zone=dmz --remove-interface=lo
success
[[email protected] network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
  • firewall-cmd --get-active-zones //show which zones the system's interfaces belong to
[[email protected] network-scripts]# firewall-cmd --get-active-zones
work
  interfaces: eno16777736 eno16777736:0


4 firewalld service operations

  • firewall-cmd --get-services //list all services
[[email protected] network-scripts]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
  • firewall-cmd --list-services //list the services in the current zone
[[email protected] network-scripts]# firewall-cmd --list-services
dhcpv6-client ipp-client ssh
  • firewall-cmd --zone=public --list-services //list the services in the public zone
[[email protected] network-scripts]# firewall-cmd --zone=public--list-services
success
  • firewall-cmd --zone=public --add-service=http //add http to the public zone
[[email protected] network-scripts]# firewall-cmd --zone=public --add-service=http
success
[[email protected] network-scripts]# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
  • firewall-cmd --zone=public --remove-service=http //remove http from the public zone
[[email protected] network-scripts]# firewall-cmd --zone=public --remove-service=http
success
[[email protected] network-scripts]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
  • ls /usr/lib/firewalld/zones/ //zone configuration file templates
[[email protected] network-scripts]# ls /usr/lib/firewalld/zones/
block.xml     drop.xml      home.xml      public.xml    work.xml      
dmz.xml       external.xml  internal.xml  trusted.xml
  • firewall-cmd --zone=public --add-service=http --permanent //changes the configuration file; afterwards a configuration file is generated under /etc/firewalld/zones
[[email protected] network-scripts]# firewall-cmd --zone=public --add-service=http --permanent
success

[[email protected] network-scripts]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>

Requirement: the ftp service uses a custom port, 1121, and ftp must be allowed in the work zone

  • cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services //copy the service template so the edit survives package updates
[[email protected] network-scripts]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
  • vi /etc/firewalld/services/ftp.xml //change 21 to 1121
[[email protected] network-scripts]# vim /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <!-- original line: <port protocol="tcp" port="21"/> -->
  <port protocol="tcp" port="1121"/> <!-- changed -->
  <module name="nf_conntrack_ftp"/>
</service>
  • cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/ //copy the zone template
[[email protected] network-scripts]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
  • vi /etc/firewalld/zones/work.xml //add the line <service name="ftp"/>
[[email protected] network-scripts]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="ipp-client"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/> <!-- added line -->
</zone>
  • firewall-cmd --reload //reload the configuration
[[email protected] network-scripts]# firewall-cmd --reload
success
  • firewall-cmd --zone=work --list-services
[[email protected] network-scripts]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh
