10.19-10.22 iptables rule backup and restore; 10.20 firewalld's 9 zones
10.19 iptables rule backup and restore
10.20 firewalld's 9 zones
10.21 firewalld zone operations
10.22 firewalld service operations

# 10.19 iptables rule backup and restore

- Saving and backing up iptables rules:
  - `service iptables save` writes the current rules to /etc/sysconfig/iptables
  - `iptables-save > my.ipt` writes the current rules to the file my.ipt

```
# iptables-save > /tmp/my.ipt
# cat /tmp/my.ipt
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:48:23 2017
*nat
:PREROUTING ACCEPT [9:1447]
:INPUT ACCEPT [9:1447]
:OUTPUT ACCEPT [41:3080]
:POSTROUTING ACCEPT [42:3132]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep  6 22:48:23 2017
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:48:23 2017
*filter
:INPUT ACCEPT [747:66297]
:FORWARD ACCEPT [136:15004]
:OUTPUT ACCEPT [571:71022]
COMMIT
# Completed on Wed Sep  6 22:48:23 2017
```

- At the moment only the nat table has rules (the DNAT/SNAT pair from the previous lesson); the default filter table is empty:

```
# iptables -nvL
Chain INPUT (policy ACCEPT 808 packets, 70609 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 136 packets, 15004 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 609 packets, 75302 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

- Restoring the backup: `iptables-restore < my.ipt`. Note the direction of the redirect: iptables-restore reads the dump from standard input. Writing `iptables-restore > my.ipt` by mistake truncates the backup to an empty file and leaves iptables-restore waiting on the terminal.
- To see the restore work, first flush the nat table so that nothing is left in it:

```
# iptables -t nat -F
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

- Now restore from the file and list again; the DNAT and SNAT rules are back:

```
# iptables-restore < /tmp/my.ipt
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.202.130      tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.202.130
```

- Saving again and looking at the file shows the same rules; only the timestamps and the packet/byte counters in the chain policy lines have changed, because iptables-restore reset them:

```
# iptables-save > /tmp/my.ipt
# cat /tmp/my.ipt
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:52:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep  6 22:52:31 2017
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:52:31 2017
*filter
:INPUT ACCEPT [79:5812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5024]
COMMIT
# Completed on Wed Sep  6 22:52:31 2017
```

# 10.20 firewalld's 9 zones

- The Linux firewall: firewalld
- Earlier we disabled firewalld and enabled the iptables service. Now do the reverse: disable iptables and enable firewalld.
- Enabling firewalld:
  - systemctl disable iptables
  - systemctl stop iptables
  - systemctl enable firewalld
  - systemctl start firewalld

```
# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
# systemctl stop iptables
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
# systemctl start firewalld
```

- Now list the rules again to see what changed. A large number of rules have appeared.
- These are the rules firewalld installs by itself. They are not limited to the filter table, the nat table gets rules as well, and there are many more chains:

```
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1472 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1364 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  1364 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    92 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
```

- So how is this used?
- firewalld ships 9 zones. The zone is firewalld's unit of configuration; each zone is a rule set that comes with some rules of its own, for example "allow this port, close that port". The default zone is public.
- `firewall-cmd --get-zones` lists all zones; there are 9 of them:

```
# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
```

- `firewall-cmd --get-default-zone` shows the default zone:

```
# firewall-cmd --get-default-zone
public
```

- What the 9 zones differ in:
  - drop: any incoming packet is dropped with no reply; only outgoing connections are possible
  - block: any incoming connection is rejected with icmp-host-prohibited for IPv4 and icmp6-adm-prohibited for IPv6
  - public: for use in public areas; you do not trust the other computers on the network not to harm yours; only selected incoming connections are accepted
  - external: for external networks with masquerading enabled, especially on routers; you do not trust the other computers on the network not to harm yours; only selected incoming connections are accepted
  - dmz: for computers in your demilitarized zone that are publicly accessible with limited access to your internal network; only selected incoming connections are accepted
  - work: for work areas; you mostly trust the other computers on the network not to harm yours; only selected incoming connections are accepted
  - home: for home networks; you mostly trust the other computers on the network not to harm yours; only selected incoming connections are accepted
  - internal: for internal networks; you mostly trust the other computers on the network not to harm yours; only selected incoming connections are accepted
  - trusted: all network connections are accepted

# 10.21 firewalld zone operations

- `firewall-cmd --get-default-zone` shows the default zone
- `firewall-cmd --set-default-zone=work` sets the default zone to work

```
# firewall-cmd --get-default-zone
public
# firewall-cmd --set-default-zone=work
success
# firewall-cmd --get-default-zone
work
```

- To see which zone a given NIC is in, use `firewall-cmd --get-zone-of-interface=ens33` with the interface name:

```
# firewall-cmd --get-zone-of-interface=ens33
work
# firewall-cmd --get-zone-of-interface=ens37
no zone
# firewall-cmd --get-zone-of-interface=lo
no zone
```

- If the answer is "no zone", the interface needs a network configuration file: copy the ens33 file, rename the copy for ens37, and restart the network service. (The listing below was taken before that copy; there is no ifcfg-ens37 in it yet.)
- After restarting the network service, restart firewalld as well: `systemctl restart firewalld`

```
# cd /etc/sysconfig/network-scripts/
# ls
ifcfg-ens33    ifdown-ipv6      ifdown-tunnel  ifup-isdn   ifup-TeamPort
ifcfg-ens33:0  ifdown-isdn      ifup           ifup-plip   ifup-tunnel
ifcfg-lo       ifdown-post      ifup-aliases   ifup-plusb  ifup-wireless
ifdown         ifdown-ppp       ifup-bnep      ifup-post   init.ipv6-global
ifdown-bnep    ifdown-routes    ifup-eth       ifup-ppp    network-functions
ifdown-eth     ifdown-sit       ifup-ib        ifup-routes network-functions-ipv6
ifdown-ib      ifdown-Team      ifup-ippp      ifup-sit
ifdown-ippp    ifdown-TeamPort  ifup-ipv6      ifup-Team
```

- Setting the zone of a NIC:
- Put ens37 in the dmz zone: `firewall-cmd --zone=dmz --add-interface=ens37`

```
# firewall-cmd --zone=dmz --add-interface=ens37
success
# firewall-cmd --get-zone-of-interface=ens37
dmz
```

- Put lo in the public zone:

```
# firewall-cmd --zone=public --add-interface=lo
success
# firewall-cmd --get-zone-of-interface=lo
public
```

- Changing the zone of a NIC: move ens37 to block with `firewall-cmd --zone=block --change-interface=ens37`

```
# firewall-cmd --zone=block --change-interface=ens37
success
```

- Removing a NIC from a zone: `firewall-cmd --zone=block --remove-interface=ens37`. After removal the interface falls back to the default zone; since ens37 reported "no zone" before, it reports "no zone" again:

```
# firewall-cmd --zone=block --remove-interface=ens37
success
# firewall-cmd --get-zone-of-interface=ens37
no zone
```

- Listing the zones of all NICs on the system:

```
# firewall-cmd --get-active-zones
work
  interfaces: ens33 ens37
public
  interfaces: lo
```

# 10.22 firewalld service operations

- Listing all services known to the system:
- `firewall-cmd --get-services`. The spelling without the trailing s also works, because firewall-cmd accepts any unambiguous prefix of an option name; the documented option is `--get-services`, and the two commands print identical output:

```
# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
```

- Checking the current (default) zone:

```
# firewall-cmd --get-default-zone
work
```

- Listing the services of the current zone:
- `firewall-cmd --list-services` (again, `--list-service` is accepted as an abbreviation):

```
# firewall-cmd --list-services
ssh dhcpv6-client
```

- Naming the zone explicitly, to see which services public has:

```
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
```

- The block zone has no services at all, and neither does trusted (block rejects everything and trusted accepts everything, so neither needs a whitelist):

```
# firewall-cmd --zone=block --list-services
# firewall-cmd --zone=trusted --list-services
```

- Requirement: add http to the public zone.
- Command: `firewall-cmd --zone=public --add-service=http`

```
# firewall-cmd --zone=public --add-service=http
success
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
```

- Add ftp to the public zone as well:

```
# firewall-cmd --zone=public --add-service=ftp
success
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http ftp
```

- Next, get this configuration written to the configuration file so that it survives a reload or reboot. That is what `--permanent` does:

```
# firewall-cmd --zone=public --add-service=ftp --permanent
success
# ls /etc/firewalld/zones/
public.xml  public.xml.old
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
```

- Add http to the configuration file in the same way:

```
# firewall-cmd --zone=public --add-service=http --permanent
success
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh http ftp
```

- Caveat: `--permanent` only edits the file. It does not touch the running rule set until `firewall-cmd --reload`, and a reload in turn discards everything that was added without `--permanent`. In the transcript above, ftp and http still appear in `--list-services` only because they were added at runtime a moment earlier. To make a change both live and persistent, run the command twice (with and without `--permanent`) or make the runtime change and then run `firewall-cmd --runtime-to-permanent`.
- `ls /usr/lib/firewalld/zones/` holds the zone configuration templates.
- /etc/firewalld/ holds the configuration files the firewalld service actually uses. Every time a change is saved permanently, the previous file is kept as a backup with the suffix .old:

```
# ls /etc/firewalld/zones/
public.xml  public.xml.old
```

- Besides zones there are services. No service configuration has been changed yet, so the directory is still empty:

```
# ls /etc/firewalld/services/
```

- Zones and services both start from a template, and both are XML files:
  - ls /usr/lib/firewalld/zones
  - ls /usr/lib/firewalld/services

```
# ls /usr/lib/firewalld/zones/
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml
# ls /usr/lib/firewalld/services
amanda-client.xml     freeipa-ldaps.xml        iscsi-target.xml  mysql.xml       proxy-dhcp.xml      smtp.xml         tor-socks.xml
amanda-k5-client.xml  freeipa-ldap.xml         kadmin.xml        nfs.xml         ptp.xml             snmptrap.xml     transmission-client.xml
bacula-client.xml     freeipa-replication.xml  kerberos.xml      ntp.xml         pulseaudio.xml      snmp.xml         vdsm.xml
bacula.xml            ftp.xml                  kpasswd.xml       openvpn.xml     puppetmaster.xml    squid.xml        vnc-server.xml
ceph-mon.xml          high-availability.xml    ldaps.xml         pmcd.xml        radius.xml          ssh.xml          wbem-https.xml
ceph.xml              https.xml                ldap.xml          pmproxy.xml     RH-Satellite-6.xml  synergy.xml      xmpp-bosh.xml
dhcpv6-client.xml     http.xml                 libvirt-tls.xml   pmwebapis.xml   rpc-bind.xml        syslog-tls.xml   xmpp-client.xml
dhcpv6.xml            imaps.xml                libvirt.xml       pmwebapi.xml    rsyncd.xml          syslog.xml       xmpp-local.xml
dhcp.xml              imap.xml                 mdns.xml          pop3s.xml       samba-client.xml    telnet.xml       xmpp-server.xml
dns.xml               ipp-client.xml           mosh.xml          pop3.xml        samba.xml           tftp-client.xml
docker-registry.xml   ipp.xml                  mountd.xml        postgresql.xml  sane.xml            tftp.xml
dropbox-lansync.xml   ipsec.xml                ms-wbt.xml        privoxy.xml     smtps.xml           tinc.xml
```

- Next requirement: the ftp service runs on a custom port, 1121, and ftp must be allowed in the work zone.
- Change ftp's default port to 1121 and allow ftp in the work zone.
- Copy the ftp template to /etc/firewalld/services/ and edit the copy (leave the templates under /usr/lib alone, a package update overwrites them), changing `<port protocol="tcp" port="21"/>` to `<port protocol="tcp" port="1121"/>`:

```
# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
# vi /etc/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>
```

- Note the `<module name="nf_conntrack_ftp"/>` line: it loads the FTP connection-tracking helper, which by default only inspects port 21. With the control channel moved to 1121 the helper has to be told about that port too (its `ports=` module parameter, set through /etc/modprobe.d), otherwise the data connections will not be tracked as RELATED.
- Then copy /usr/lib/firewalld/zones/work.xml to /etc/firewalld/zones/ and add the line `<service name="ftp"/>` to /etc/firewalld/zones/work.xml:

```
# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
# vim /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
```

- Finally reload: `firewall-cmd --reload`
- Checking the work zone again, ftp is now in its service list:

```
# firewall-cmd --reload
success
# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp
```

- Summary: firewalld works with two kinds of objects, zones and services. A zone is a rule set, and each zone corresponds to a group of iptables rules. A zone in turn lists services; a service listed in a zone is whitelisted, that is, allowed in. So when the requirement is "allow service X", add X to the zone's configuration file and reload (or restart) the service.
- Services themselves can be customized, as with ftp above: the part that matters is the `<port protocol="tcp" port="21"/>` line, which is where the port is changed.
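Section 10.19 above restores a backup and then eyeballs `iptables -nvL` to confirm it came back. The script below, an added example that is not part of the original course notes, turns that into a check that can run unattended: it rejects a dump that is empty (the `iptables-restore > my.ipt` typo) or cut off before a `COMMIT`, and it compares two dumps after stripping the timestamps and `[pkts:bytes]` counters that differ between every `iptables-save` run. The dumps it works on are constructed inline from the rules shown on this page, so it runs offline and without root; on a live host the second file would simply be fresh `iptables-save` output.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: sanity-check and compare
# iptables-save dumps. Input files are constructed below from the page's
# own rules; no iptables binary is needed to run this.

# Normalise a dump: drop timestamp comments and the counters on chain
# policy lines. Rule lines are kept in order, because order is the policy.
ipt_normalize() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/' "$1"
}

# Refuse a dump that is empty (what "iptables-restore > my.ipt" leaves
# behind: the redirect truncates the backup instead of reading it) or that
# has a *table header without a matching COMMIT (cut off mid-write).
ipt_sanity() {
    [ -s "$1" ] || { echo "$1: empty dump" >&2; return 1; }
    awk '
        /^\*/      { if (open != "") bad = 1; open = $0; tables++ }
        /^COMMIT$/ { if (open == "") bad = 1; open = "" }
        END        { if (bad || open != "" || tables == 0) exit 1 }
    ' "$1" || { echo "$1: malformed dump (table without COMMIT?)" >&2; return 1; }
}

# Diff two dumps after normalisation. Exit status 0 means the same rules.
ipt_diff() {
    na=$(mktemp); nb=$(mktemp)
    ipt_normalize "$1" >"$na"
    ipt_normalize "$2" >"$nb"
    if diff "$na" "$nb"; then rc=0; else rc=1; fi
    rm -f "$na" "$nb"
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the backup from the page, taken before the flush.
cat >"$WORK/backup.ipt" <<'EOF'
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:48:23 2017
*nat
:PREROUTING ACCEPT [9:1447]
:INPUT ACCEPT [9:1447]
:OUTPUT ACCEPT [41:3080]
:POSTROUTING ACCEPT [42:3132]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep  6 22:48:23 2017
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:48:23 2017
*filter
:INPUT ACCEPT [747:66297]
:FORWARD ACCEPT [136:15004]
:OUTPUT ACCEPT [571:71022]
COMMIT
# Completed on Wed Sep  6 22:48:23 2017
EOF

# Constructed sample: a dump taken after the restore. Counters and
# timestamps differ, the rules do not.
cat >"$WORK/restored.ipt" <<'EOF'
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:52:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.202.130/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22
-A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.202.130
COMMIT
# Completed on Wed Sep  6 22:52:31 2017
# Generated by iptables-save v1.4.21 on Wed Sep  6 22:52:31 2017
*filter
:INPUT ACCEPT [79:5812]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5024]
COMMIT
# Completed on Wed Sep  6 22:52:31 2017
EOF

# Constructed sample: the nat table was flushed and nothing restored the
# rules (same dump with every -A line missing).
grep -v '^-A' "$WORK/backup.ipt" >"$WORK/flushed.ipt"
: >"$WORK/empty.ipt"                                        # the "> my.ipt" typo
printf '*nat\n:PREROUTING ACCEPT [0:0]\n' >"$WORK/cut.ipt"  # cut off before COMMIT

for f in backup restored flushed empty cut; do
    if ipt_sanity "$WORK/$f.ipt"; then echo "$f.ipt: well-formed"; fi
done
if ipt_diff "$WORK/backup.ipt" "$WORK/restored.ipt" >/dev/null; then
    echo "restored.ipt: same rules as backup"
fi
if ! ipt_diff "$WORK/backup.ipt" "$WORK/flushed.ipt"; then
    echo "flushed.ipt: rules differ from backup"
fi
```

Run it as is to see the three verdicts; to use it for real, replace the second file in `ipt_diff` with `iptables-save` output captured after a restore or a reboot, and call `ipt_sanity` on a backup before handing it to `iptables-restore`.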
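Sections 10.21 and 10.22 above explain that firewalld reads zone and service definitions from /etc/firewalld first and falls back to the templates in /usr/lib/firewalld, and that a zone's services are what it actually opens. The script below, an added example that is not part of the original course notes, follows that lookup by hand: for a zone it picks the file firewalld would load, lists its services, resolves each service to its ports the same way, and prints what the zone really exposes, so the custom ftp on 1121 in the work zone shows up as `ftp tcp/1121`. It builds a constructed copy of the two directory trees in a temporary directory (trimmed to the elements it reads, and assuming the `<port protocol="..." port="..."/>` attribute order shown on this page); pointing `LIB` and `ETC` at the real directories audits a live host read-only.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: resolve a firewalld zone to
# the ports it opens, honouring /etc/firewalld over /usr/lib/firewalld.
# The directory trees below are constructed samples.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
LIB="$ROOT/usr/lib/firewalld"   # package templates
ETC="$ROOT/etc/firewalld"       # admin copies, written by --permanent
mkdir -p "$LIB/zones" "$LIB/services" "$ETC/zones" "$ETC/services"

# Templates (trimmed to the elements this check reads).
cat >"$LIB/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
cat >"$LIB/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
printf '<service>\n  <short>SSH</short>\n  <port protocol="tcp" port="22"/>\n</service>\n' >"$LIB/services/ssh.xml"
printf '<service>\n  <short>DHCPv6 Client</short>\n  <port protocol="udp" port="546"/>\n</service>\n' >"$LIB/services/dhcpv6-client.xml"
printf '<service>\n  <short>FTP</short>\n  <port protocol="tcp" port="21"/>\n  <module name="nf_conntrack_ftp"/>\n</service>\n' >"$LIB/services/ftp.xml"

# Admin copies as edited on the page: ftp moved to 1121, ftp added to work.
printf '<service>\n  <short>FTP</short>\n  <port protocol="tcp" port="1121"/>\n  <module name="nf_conntrack_ftp"/>\n</service>\n' >"$ETC/services/ftp.xml"
cat >"$ETC/zones/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
</zone>
EOF

# Path of the file firewalld loads for KIND (zones|services) NAME: the
# /etc copy wins if present, otherwise the /usr/lib template.
fwd_file() {
    if [ -f "$ETC/$1/$2.xml" ]; then echo "$ETC/$1/$2.xml"
    elif [ -f "$LIB/$1/$2.xml" ]; then echo "$LIB/$1/$2.xml"
    else return 1; fi
}

# Services listed in the effective definition of a zone, one per line.
# The sed patterns assume one element per line, as firewalld writes them.
fwd_zone_services() {
    f=$(fwd_file zones "$1") || { echo "zone $1: no definition" >&2; return 1; }
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f"
}

# Ports opened by the effective definition of a service, as proto/port.
fwd_service_ports() {
    f=$(fwd_file services "$1") || { echo "service $1: no definition" >&2; return 1; }
    sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\1\/\2/p' "$f"
}

# What a zone really exposes: one "service proto/port" line per port.
fwd_zone_ports() {
    fwd_zone_services "$1" | while read -r svc; do
        fwd_service_ports "$svc" | sed "s/^/$svc /"
    done
}

for z in public work; do
    echo "zone $z -> $(fwd_file zones "$z")"
    fwd_zone_ports "$z" | sed 's/^/  /'
done
```

The output for work names the /etc copy of work.xml and ends with `ftp tcp/1121`, while public resolves to the template and shows only ssh and dhcpv6-client. The same lookup order is why the page copies templates into /etc before editing them: a file under /etc/firewalld shadows the template of the same name, and a package update never touches it.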