iptables 规则备份和恢复
- 保存和备份iptables 的规则
- service iptables save 会把规则保存到 /etc/sysconfig/iptables
- 把iptables规则备份到my.ipt 文件中
- iptables-save > my.ipt
```
[root@aminglinux-001 ~]# iptables-save > /tmp/my.ipt
[root@aminglinux-001 ~]# cat /tmp/my.ipt
# Generated by iptables-save v1.4.21 on Wed Sep 6 22:48:23 2017
*nat
:PREROUTING ACCEPT [9:1447]
:INPUT ACCEPT [9:1447]
:OUTPUT ACCEPT [41:3080]
:POSTROUTING ACCEPT [42:3132]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep 6 22:48:23 2017
# Generated by iptables-save v1.4.21 on Wed Sep 6 22:48:23 2017
*filter
:INPUT ACCEPT [747:66297]
:FORWARD ACCEPT [136:15004]
:OUTPUT ACCEPT [571:71022]
COMMIT
# Completed on Wed Sep 6 22:48:23 2017
```
-目前只有一个nat表规则,,,,默认的filter表里 是没有规则的
```
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 808 packets, 70609 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 136 packets, 15004 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 609 packets, 75302 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-001 ~]#
```
- 恢复刚才的备份规则
- iptables-restore > my.ipt
```
[root@aminglinux-001 ~]# iptables-restore < /tmp/my.ipt
[root@aminglinux-001 ~]# iptables-save > /tmp/my.ipt
[root@aminglinux-001 ~]#
```
- 保存之后先给它清空掉,没有规则了
```
[root@aminglinux-001 ~]# iptables -t nat -F
[root@aminglinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-001 ~]#
```
- 现在把它恢复回来
```
[root@aminglinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.202.130 tcp dpt:1122 to:192.168.100.100:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.202.130
[root@aminglinux-001 ~]#
```
-可以cat 看下
```
[root@aminglinux-001 ~]# cat /tmp/my.ipt
# Generated by iptables-save v1.4.21 on Wed Sep 6 22:52:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep 6 22:52:31 2017
# Generated by iptables-save v1.4.21 on Wed Sep 6 22:52:31 2017
*filter
:INPUT ACCEPT [79:5812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5024]
COMMIT
# Completed on Wed Sep 6 22:52:31 2017
[root@aminglinux-001 ~]#
```
# 10.20 firewalld的9个zone
- [x] - Linux 防火墙-firewalld
- 之前把firewalld禁地了,打开了iptables ,现在反着操作,把iptables禁掉,把firewalld 打开
- 打开firewalld
- systemctl disable iptables
- systemctl stop iptables
- systemctl enable firewalld
- systmctl start firewalld
```
[root@aminglinux-001 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@aminglinux-001 ~]# systemctl stop iptables
[root@aminglinux-001 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@aminglinux-001 ~]# systemctl start firewalld
[root@aminglinux-001 ~]#
```
- 现在打开默认规则,看看是否发生了改变,竟然出现了这么多,
- 这个是firewalld自带的规则,不仅仅是filter,nat 表也同样有些规则,链 也比较多
```
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19 1472 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1364 bytes)
pkts bytes target prot opt in out source destination
15 1364 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
1 92 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
1 92 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
1 92 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
[root@aminglinux-001 ~]#
```
-这个怎么用?
-firewalld 默认有9个zone,zone是firewalld 一个单位,默认是puliczone 每个zone 是好比是一个规则集,它这个zone里面自带一些规则,比如说 放行了 某某端口,关闭了某某端口,这就是一个规则集
-默认zone为public
-firewalld-cmd --get-zones 查看所有的zone,一共有9个zone
```
[root@aminglinux-001 ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@aminglinux-001 ~]#
```
-firewalld-cmd --get-default-zone 查看默认zone
```
[root@aminglinux-001 ~]# firewall-cmd --get-default-zone
public
[root@aminglinux-001 ~]#
```
- [x] 来看下这9个zone 有什么区别
- drop (丢弃)任何接收的网络数据包都被丢弃,没有任何回复。仅能有发送出去的网络连接
- block (限制)任何接收的网络连接都被 IPv4 的 icmp-host-prohibited 信息和IPv6 的 icmp6-adm-prohibited 信息所拒绝。
- public (公共)在公共区域内使用,不能相信网络内的其他计算机不会对你的计算机造成危害,只能接收经过选取的连接
- external (外部)特别是为路由器启用了伪装功能的外部网。你不能信任来自网络的其他计算机,不能相信它们不会对你的计算机造成危害,只能接收经过选择的连接
- dmz (非军事区)用于你的非军事区内的电脑,此区域内可公开访问,可以有限的进入你的内部网络,仅仅接收经过选择的连接
- work (工作)用于工作区,你可以基本相信网络内的其他电脑不会危害你的电脑。仅仅接收经过选择的连接
- home (家庭)用于家庭网络,你可以基本信任网络内的其他计算机不会危害你的计算机,仅仅接收经过选择的连接
- internal (内部)用于内部网络 你可以基本信任网络内的其他计算机不会危害你的计算机,仅仅接收经过选择的连接
- trusted (信任)可以接收所有的网络连接
# 10.21 firewalld关于zone的操作
- firewall-cmd --get-default-zone 查看默认的zone
- firewall-cmd --set-default-zone=work 设定默认的zone为work
```
[root@aminglinux-001 ~]# firewall-cmd --get-default-zone
public
[root@aminglinux-001 ~]# firewall-cmd --set-default-zone=work
success
[root@aminglinux-001 ~]# firewall-cmd --get-default-zone
work
[root@aminglinux-001 ~]#
```
- 查看指定网卡的zone ,firewall-cmd --get-zone-of-interface=ens33 后面跟网卡名称
```
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@aminglinux-001 ~]#
```
- 如果后面显示是no zone 那就需要重新配置网络配置文件,把ens33的配置文件 复制一份并且改名为ens37,最后重启下网络服务,
- 重启网络服务之后,再重新加载下firewalld 服务 systemctl restart firewalld
```
[root@aminglinux-001 ~]# cd /etc/sysconfig/network-scripts/
[root@aminglinux-001 network-scripts]# ls
ifcfg-ens33 ifdown-ipv6 ifdown-tunnel ifup-isdn ifup-TeamPort
ifcfg-ens33:0 ifdown-isdn ifup ifup-plip ifup-tunnel
ifcfg-lo ifdown-post ifup-aliases ifup-plusb ifup-wireless
ifdown ifdown-ppp ifup-bnep ifup-post init.ipv6-global
ifdown-bnep ifdown-routes ifup-eth ifup-ppp network-functions
ifdown-eth ifdown-sit ifup-ib ifup-routes network-functions-ipv6
ifdown-ib ifdown-Team ifup-ippp ifup-sit
ifdown-ippp ifdown-TeamPort ifup-ipv6 ifup-Team
[root@aminglinux-001 network-scripts]#
```
-给指定的网卡设置zone,
-给网卡ens37 设置zone为dmz ,命令firewall-cmd --zone=dmz --add-interface=ens37
```
[root@aminglinux-001 ~]# firewall-cmd --zone=dmz --add-interface=ens37
success
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=ens37
dmz
```
-给网卡lo 设置zone为publlic
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=lo
public
```
-针对网卡更改zone,把ens37的zone 改为block ,firewall-cmd --zone=block --change-interface=ens37
```
[root@aminglinux-001 ~]# firewall-cmd --zone=block --change-interface=ens37
success
```
-针对网卡删除zone , firewall-cmd --zone=block --remove-interface=ens37 删除了 就变成了默认的zone,之前因为ens37 是no zone ,现在也恢复默认 no zone了
```
[root@aminglinux-001 ~]# firewall-cmd --zone=block --remove-interface=ens37
success
[root@aminglinux-001 ~]# firewall-cmd --get-zone-of-interface=ens37
no zone
```
-查看系统所有网卡所在的zone
```
[root@aminglinux-001 ~]# firewall-cmd --get-active-zones
work
interfaces: ens33 ens37
public
interfaces: lo
[root@aminglinux-001 ~]#
```
# 10.22 firewalld 关于service的操作
-查看所有的service,把系统里的所有service 全部列出来
-firewall-cmd --get-service 可加s 可不加s
```
[root@aminglinux-001 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@aminglinux-001 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
```
-想查看当前的zone
```
[root@aminglinux-001 ~]# firewall-cmd --get-default-zone
work
[root@aminglinux-001 ~]#
```
-查看当前zone下的service
-firewall-cmd --list-service 可以加s 可以不加 和上面一样
```
[root@aminglinux-001 ~]# firewall-cmd --list-service
ssh dhcpv6-client
[root@aminglinux-001 ~]# firewall-cmd --list-services
ssh dhcpv6-client
[root@aminglinux-001 ~]#
```
-指定对应的zone ,想要查看public 都有哪些service
-查看public 下的service
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh
[root@aminglinux-001 ~]#
```
- 想看下block里面的service ,public里面没有任何的service
- trusted 里面也是没有任何的service
```
[root@aminglinux-001 ~]# firewall-cmd --zone=block --list-service
[root@aminglinux-001 ~]#
[root@aminglinux-001 ~]# firewall-cmd --zone=trusted --list-service
[root@aminglinux-001 ~]#
```
-下面有这样的需求,需要把http加到public zone 下面
-命令 firewall-cmd --zone=public --add-service=http
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --add-service=http
success
[root@aminglinux-001 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http
[root@aminglinux-001 ~]#
```
-把ftp也加到public zone 下面
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@aminglinux-001 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http ftp
[root@aminglinux-001 ~]#
```
-下面想办法把这个配置保存到配置文件里面去 ,写入配置文件
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@aminglinux-001 ~]#
[root@aminglinux-001 ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@aminglinux-001 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
</zone>
[root@aminglinux-001 ~]#
```
-再增加一个http,保存到配置文件中
```
[root@aminglinux-001 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@aminglinux-001 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ftp"/>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
[root@aminglinux-001 ~]#
[root@aminglinux-001 ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http ftp
[root@aminglinux-001 ~]#
```
-ls /usr/lib/firewalld/zones/ zone配置文件的模板
-/etc/目录下面系统firewalld服务所用的配置文件,每当改完之后 把它永久保存之后,它都会把旧的作为一个备份,文件名后面加上后缀名.old
```
[root@aminglinux-001 ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@aminglinux-001 ~]#
```
-同样除了zone 之外还有service,只是目前services 没有更改过配置文件,所以默认文件是空的
```
[root@aminglinux-001 ~]# ls /etc/firewalld/services/
```
-zone也好,servicde也好其实都是有一个模板的 ,都是xml文件
-ls /usr/lib/firewalld/zones
-ls /usr/lib/firewalld/services
```
[root@aminglinux-001 ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[root@aminglinux-001 ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldaps.xml iscsi-target.xml mysql.xml proxy-dhcp.xml smtp.xml tor-socks.xml
amanda-k5-client.xml freeipa-ldap.xml kadmin.xml nfs.xml ptp.xml snmptrap.xml transmission-client.xml
bacula-client.xml freeipa-replication.xml kerberos.xml ntp.xml pulseaudio.xml snmp.xml vdsm.xml
bacula.xml ftp.xml kpasswd.xml openvpn.xml puppetmaster.xml squid.xml vnc-server.xml
ceph-mon.xml high-availability.xml ldaps.xml pmcd.xml radius.xml ssh.xml wbem-https.xml
ceph.xml https.xml ldap.xml pmproxy.xml RH-Satellite-6.xml synergy.xml xmpp-bosh.xml
dhcpv6-client.xml http.xml libvirt-tls.xml pmwebapis.xml rpc-bind.xml syslog-tls.xml xmpp-client.xml
dhcpv6.xml imaps.xml libvirt.xml pmwebapi.xml rsyncd.xml syslog.xml xmpp-local.xml
dhcp.xml imap.xml mdns.xml pop3s.xml samba-client.xml telnet.xml xmpp-server.xml
dns.xml ipp-client.xml mosh.xml pop3.xml samba.xml tftp-client.xml
docker-registry.xml ipp.xml mountd.xml postgresql.xml sane.xml tftp.xml
dropbox-lansync.xml ipsec.xml ms-wbt.xml privoxy.xml smtps.xml tinc.xml
[root@aminglinux-001 ~]#
```
-下面一个需求:ftp服务自定义端口1121,需要在work zone 下面放行 ftp
-把ftp默认的端口改下,改成1121,并且在work zone 下面 放行ftp
-把<port protocol="tcp" port="21"/> 改成 <port protocol="tcp" port="1121"/>
```
[root@aminglinux-001 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@aminglinux-001 ~]# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/>
<module name="nf_conntrack_ftp"/>
</service>
~
~
"/etc/firewalld/services/ftp.xml" 7L, 374C
[root@aminglinux-001 ~]# vi /etc/firewalld/services/ftp.xml
```
-再把/usr/lib/firewalld/zones/work.xml 复制到 /etc/firewalld/zones/ ,然后修改配置文件/etc/firewalld/zones/work.xml,增加一行 <service name="ftp"/>
```
[root@aminglinux-001 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@aminglinux-001 ~]# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/>
</zone>
~
~
~
~
"/etc/firewalld/zones/work.xml" 8L, 335C
```
-下面还需要重新加载一下 firewalld-cmd --reload
-再来检查下work 下面的service 就有了
```
[root@aminglinux-001 ~]# firewall-cmd --reload
success
[root@aminglinux-001 ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
[root@aminglinux-001 ~]#
```
- [ ] 总结:firewalld 服务下面有来个角色 ,一个zone 一个services,zone是它的一个规则集合,每个zone下面有一个对应的iptables 规则,而每个zone下面又有一些service,如果有service ,把这个service作为一个白名单,放行这个service,如果遇到需求,想着,放行某个服务,就可以把这个服务增加到它的配置文件里去 reload ,重启下服务,
- 至于service 也是可以自定义的,像ftp,也就是<port protocol="tcp" port="21"/> 主要还是更改这个端口10.19 iptables规则备份和恢复 10.20 firewalld的9个zone 10.21 firewalld关于zone的操作 10.22 firewalld关于service的操作
猜你喜欢
转载自www.cnblogs.com/pta188/p/9019637.html
今日推荐
周排行