firewalld operations

iptables rule backup and restore:

The iptables-save command exports the Linux firewall rules in bulk.

The nine firewalld zones:

Enable firewalld:

systemctl disable iptables

systemctl stop iptables

systemctl enable firewalld

systemctl start firewalld

firewalld has nine zones by default.

The default zone is public.

firewall-cmd --get-zones //list all zones

[root@gavin-123 ~]# firewall-cmd --get-zones

block dmz drop external home internal public trusted work

firewall-cmd --get-default-zone //show the default zone

[root@learnlinux ~]# firewall-cmd --get-default-zone

public

firewalld zone operations:

firewall-cmd --set-default-zone=work //set the default zone

[root@learnlinux ~]# firewall-cmd --set-default-zone=work

success

firewall-cmd --get-zone-of-interface=ens33 //show the zone of a given interface

[root@learnlinux ~]# firewall-cmd --get-zone-of-interface=eth0

no zone

firewall-cmd --zone=public --add-interface=lo //assign an interface to a zone

[root@gavin-123 ~]# firewall-cmd --zone=public --add-interface=lo

success

firewall-cmd --zone=dmz --change-interface=lo //change the zone of an interface

[root@gavin-123 ~]# firewall-cmd --zone=work --change-interface=enp0s3

success

firewall-cmd --zone=dmz --remove-interface=lo //remove an interface from a zone

[root@gavin-123 ~]# firewall-cmd --zone=public --remove-interface=lo

success

[root@gavin-123 ~]# firewall-cmd --get-zone-of-interface=lo

no zone

firewall-cmd --get-active-zones //show the zones that have interfaces assigned

[root@gavin-123 ~]# firewall-cmd --get-active-zones

work
  interfaces: enp0s3
public
  interfaces: lo

firewalld service operations:

firewall-cmd --get-services //list all services

[root@gavin-123 ~]# firewall-cmd --get-services

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

firewall-cmd --list-services //list the services in the current zone

[root@gavin-123 ~]# firewall-cmd --list-services

dhcpv6-client http ssh

firewall-cmd --zone=work --list-services //list the services in a given zone

[root@gavin-123 ~]# firewall-cmd --zone=work --list-services

dhcpv6-client ftp ipp-client ssh

firewall-cmd --zone=public --add-service=http //add http to the public zone

[root@gavin-123 ~]# firewall-cmd --zone=public --add-service=ftp

success

firewall-cmd --zone=public --remove-service=http

[root@gavin-123 ~]# firewall-cmd --zone=public --remove-service=http

success

ls /usr/lib/firewalld/zones/ //zone configuration file templates

[root@gavin-123 ~]# ls /usr/lib/firewalld/zones/

block.xml drop.xml home.xml public.xml work.xml

dmz.xml external.xml internal.xml trusted.xml

firewall-cmd --zone=public --add-service=http --permanent //write the change to the configuration; a zone file is then generated under /etc/firewalld/zones

[root@gavin-123 ~]# firewall-cmd --zone=public --add-service=ftp --permanent

success

[root@gavin-123 ~]# cat /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>

Requirement: the ftp service runs on a custom port, 1121, and ftp must be allowed in the work zone

cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services

vi /etc/firewalld/services/ftp.xml //change 21 to 1121

cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

vi /etc/firewalld/zones/work.xml //add the line below

<service name="ftp"/>

firewall-cmd --reload //reload the configuration

firewall-cmd --zone=work --list-services
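Added example (not from the original post): a Python script that reproduces the ftp override above against constructed copies of the firewalld XML files in a temporary directory, resolving a zone's open ports the way firewalld does (the /etc/firewalld copy takes precedence over the /usr/lib/firewalld template). It shows a caveat the steps above do not: overriding ftp.xml changes the ftp port for every zone that lists ftp, so public stops opening port 21 as well. File contents and paths are constructed assumptions, trimmed to the elements the resolver reads.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-ins for the stock files under /usr/lib/firewalld (trimmed).
TEMPLATES = {
    "services/ftp.xml": '<service><short>FTP</short><port protocol="tcp" port="21"/></service>',
    "services/ssh.xml": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "zones/work.xml": '<zone><short>Work</short><service name="ssh"/></zone>',
    "zones/public.xml": '<zone><short>Public</short><service name="ssh"/><service name="ftp"/></zone>',
}

def lookup(root, kind, name):
    """firewalld prefers /etc/firewalld/<kind>/<name>.xml over the /usr/lib copy."""
    for base in ("etc/firewalld", "usr/lib/firewalld"):
        path = root / base / kind / f"{name}.xml"
        if path.exists():
            return ET.parse(str(path)).getroot()
    raise FileNotFoundError(f"{kind}/{name}.xml")

def zone_ports(root, zone):
    """(protocol, port) pairs a zone opens through the services it lists."""
    ports = set()
    for svc in lookup(root, "zones", zone).iter("service"):
        for p in lookup(root, "services", svc.get("name")).iter("port"):
            ports.add((p.get("protocol"), int(p.get("port"))))
    return sorted(ports)

def customize_ftp(root, port=1121):
    """The post's steps: override ftp.xml with the custom port, add ftp to work."""
    etc = root / "etc/firewalld"
    for sub in ("services", "zones"):
        (etc / sub).mkdir(parents=True, exist_ok=True)
    ftp = ET.parse(str(root / "usr/lib/firewalld/services/ftp.xml"))
    ftp.getroot().find("port").set("port", str(port))    # vi: change 21 to 1121
    ftp.write(str(etc / "services/ftp.xml"), encoding="utf-8", xml_declaration=True)
    work = ET.parse(str(root / "usr/lib/firewalld/zones/work.xml"))
    ET.SubElement(work.getroot(), "service", name="ftp")  # vi: add <service name="ftp"/>
    work.write(str(etc / "zones/work.xml"), encoding="utf-8", xml_declaration=True)

def demo():
    """Ports per zone before and after the override (what --reload would pick up)."""
    root = Path(tempfile.mkdtemp())
    for rel, text in TEMPLATES.items():
        path = root / "usr/lib/firewalld" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    before = {z: zone_ports(root, z) for z in ("work", "public")}
    customize_ftp(root)
    after = {z: zone_ports(root, z) for z in ("work", "public")}
    return before, after
```

Calling demo() returns the per-zone port lists before and after the override; note that public now opens 1121 instead of 21 even though only work was meant to change.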


Reposted from my.oschina.net/u/3803404/blog/1810580