
Basic usage and understanding of firewalld


Backing up iptables rules: saving the rule set to a file protects against losing it.
First, view the current rules:

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination         
  138 16695 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0           
    1 80 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0           
    1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
  304 22837 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination         
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 177 packets, 15647 bytes)
 pkts bytes target prot opt in out source destination  

Use iptables-save to dump the iptables rules, redirecting the output into a file, then view the rules saved in that file:

[root@localhost ~]# iptables-save > /usr/local/src/tmp/siyan.ipt
[root@localhost ~]# cat !$
cat /usr/local/src/tmp/siyan.ipt
# Generated by iptables-save v1.4.21 on Mon Jul 16 14:09:02 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [275:24999]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 16 14:09:02 2018

Flush all current iptables rules and check whether any rules remain:

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 27 packets, 1860 bytes)
 pkts bytes target prot opt in out source destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination         

Chain OUTPUT (policy ACCEPT 16 packets, 1568 bytes)
 pkts bytes target prot opt in out source destination 

Use iptables-restore with input redirection to write the rules from the saved file back into iptables:

[root@localhost ~]# iptables-restore < /usr/local/src/tmp/siyan.ipt 
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  1728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   107 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination

To have these rules loaded at boot, write them into /etc/sysconfig/iptables; the iptables service loads that file at startup. Paste the rules from the backup file into the iptables configuration file in the same format:

[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
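As an added example (not from the original post), the shell script below audits a saved iptables-save dump before it is restored: it lists the TCP ports the INPUT chain accepts for NEW connections, reads the chain policy, and checks that the chain still ends in an unconditional REJECT or DROP. The check matters because, as the listing after iptables -F shows, the chain policy here is ACCEPT, so the host is only closed while that final REJECT rule is present. The dump path is a placeholder and the file contents are constructed to match the session above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved iptables rule file
# before restoring it. It reports which TCP ports the INPUT chain accepts for
# NEW connections, the chain's policy, and whether the chain ends in a
# REJECT/DROP catch-all. The dump below is constructed to match the one above.

RULES_FILE="${TMPDIR:-/tmp}/siyan.ipt"   # placeholder path for the sample dump
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [275:24999]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# TCP destination ports that INPUT accepts, one per line.
input_open_tcp_ports() {  # rules-file
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ -j ACCEPT' "$1" |
        sed -E 's/.*--dport ([0-9]+).*/\1/'
}

# "yes" if the last INPUT rule is an unconditional REJECT or DROP, else "no".
input_has_catchall() {  # rules-file
    last=$(grep '^-A INPUT ' "$1" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) echo yes ;;
        *) echo no ;;
    esac
}

# Policy of a chain, read from its ":CHAIN POLICY [pkts:bytes]" header line.
chain_policy() {  # rules-file chain
    awk -v c=":$2" '$1 == c { print $2 }' "$1"
}

echo "INPUT accepts NEW TCP to ports: $(input_open_tcp_ports "$RULES_FILE" | tr '\n' ' ')"
echo "INPUT policy: $(chain_policy "$RULES_FILE" INPUT)"
echo "INPUT ends in catch-all: $(input_has_catchall "$RULES_FILE")"
```

A dump whose INPUT chain has policy ACCEPT and no catch-all is exactly the state the host is in after iptables -F, so a "no" here is worth treating as a finding before restoring.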

Understanding firewalld zones

firewalld has nine zones; a zone is a rule set that groups rules together.
Stop and disable the iptables service, then enable and start firewalld:

[root@localhost ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@localhost ~]# systemctl stop iptables 
[root@localhost ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld

List the names of firewalld's nine zones, and view the default zone (firewalld has a default zone much as iptables has a default table, filter):

[root@localhost ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block            the nine zones
[root@localhost ~]# firewall-cmd --get-default-zone
public                                                               the default zone

drop: any incoming packet is dropped without any reply; only outgoing connections are possible.
block: any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public: for use in public areas; you do not trust the other computers on the network not to harm your computer, so only selected incoming connections are accepted.
external: for use on external networks, in particular on a router with masquerading enabled; you do not trust the other computers on the network not to harm your computer, so only selected incoming connections are accepted.
dmz: for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.
work: for use in work areas; you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
home: for use in home networks; you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
internal: for use in internal networks; you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
trusted: all network connections are accepted.

Changing zone settings with firewall-cmd

firewall-cmd --set-default-zone=work //set the default zone

[root@localhost ~]# firewall-cmd --set-default-zone=work
success

firewall-cmd --get-default-zone //view the default zone

[root@localhost ~]# firewall-cmd --get-default-zone
work

firewall-cmd --get-zone-of-interface=ens33 //query the zone of a given interface

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
work

If the queried interface has no zone, assign one:
firewall-cmd --zone=public --add-interface=lo //assign a zone to a given interface

[root@localhost ~]# firewall-cmd --zone=public --add-interface=lo
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=lo
public

firewall-cmd --zone=dmz --change-interface=ens33 //change the zone of an interface

[root@localhost ~]# firewall-cmd --zone=dmz --change-interface=ens33
The interface is under control of NetworkManager, setting zone to ‘dmz‘.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
dmz

firewall-cmd --zone=dmz --remove-interface=ens33 //remove an interface from a zone; afterwards the interface falls back to the default zone. Use firewall-cmd --get-active-zones to see which zone each interface is in.

[root@localhost ~]# firewall-cmd --zone=dmz --remove-interface=ens33
The interface is under control of NetworkManager, setting zone to default.
success

firewall-cmd --get-active-zones //show the zone of every interface on the system

[root@localhost ~]# firewall-cmd --get-active-zones
work
  interfaces: ens33
public
  interfaces: lo

firewalld service operations

A service is a predefined rule that opens what a particular service needs: services permit the ports of a given service, and are referred to by service name.
firewall-cmd --get-services //list all services currently known to the system

[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Add a service to a zone; this is equivalent to adding a rule in iptables that permits a port:

[root@localhost ~]# firewall-cmd --zone=public --add-service=http
success

View the zone's services, including the one just added:

[root@localhost ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ssh http

Add a service permanently: --permanent saves the setting to the zone's configuration file. A service added without it (http above) is runtime only and is not written to that file:

[root@localhost ~]# firewall-cmd --zone=public --add-service=ftp --permanent
success
[root@localhost ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

Every firewalld zone has a template; firewalld creates the zones from these templates, which live under /usr/lib/firewalld/zones. The zone storage locations are:

[root@localhost ~]# ls /etc/firewalld/zones/
public.xml public.xml.old
[root@localhost ~]# ls /usr/lib/firewalld/zones/
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml

Requirement: in the work zone, permit a custom ftp port, 1121. Copy the ftp template to /etc/firewalld/services/ and change it to port="1121":

[root@localhost ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@localhost ~]# vim /etc/firewalld/services/ftp.xml 

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="1121"/>
  <module name="nf_conntrack_ftp"/>
</service>

Add the ftp service to the work zone: copy the work zone template to /etc/firewalld/zones/ and add a line for ftp:

[root@localhost ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@localhost ~]# vim /etc/firewalld/zones/work.xml 

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
</zone>

Reload the zone configuration and verify that the ftp service is now permitted in the work zone:

[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=work --list-services
ssh ftp dhcpv6-client
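As an added example (not from the original post), the shell script below generates a custom service definition like the ftp.xml edited above and then checks that every service a zone file references has a definition in one of the two services directories, a mismatch that otherwise only surfaces as an error at reload time. The directory tree, the sample zone file and its deliberately misspelled ftp1121 entry are constructed under a temp dir, standing in for /etc/firewalld and /usr/lib/firewalld.

```shell
#!/bin/sh
# Added example, not from the original post: write a custom service file like the
# ftp.xml edited above, then check that every <service name="..."/> a zone file
# references has a definition before firewall-cmd --reload is run. The directory
# tree is a constructed sandbox standing in for /etc/firewalld and /usr/lib/firewalld.
ROOT="${TMPDIR:-/tmp}/firewalld-demo"     # placeholder, not the real firewalld tree
SERVICES_DIR="$ROOT/etc/services"          # stands in for /etc/firewalld/services
SYSTEM_SERVICES_DIR="$ROOT/lib/services"   # stands in for /usr/lib/firewalld/services
ZONES_DIR="$ROOT/etc/zones"                # stands in for /etc/firewalld/zones
mkdir -p "$SERVICES_DIR" "$SYSTEM_SERVICES_DIR" "$ZONES_DIR"
touch "$SYSTEM_SERVICES_DIR/ssh.xml" "$SYSTEM_SERVICES_DIR/dhcpv6-client.xml"

# Write a service definition: name, TCP port, conntrack helper module.
write_service() {  # name port module
    cat > "$SERVICES_DIR/$1.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <description>Custom $1 service on TCP port $2.</description>
  <port protocol="tcp" port="$2"/>
  <module name="$3"/>
</service>
EOF
}
# TCP port declared in a service file under SERVICES_DIR.
service_port() {  # name
    sed -n 's/.*<port protocol="tcp" port="\([0-9]*\)".*/\1/p' "$SERVICES_DIR/$1.xml"
}
# Service names a zone file references, one per line.
zone_services() {  # zone-file
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}
# Referenced services with no definition in either services directory.
missing_services() {  # zone-file
    zone_services "$1" | while read -r svc; do
        [ -f "$SERVICES_DIR/$svc.xml" ] || [ -f "$SYSTEM_SERVICES_DIR/$svc.xml" ] || echo "$svc"
    done
}

write_service ftp 1121 nf_conntrack_ftp
# Zone file with one deliberate typo ("ftp1121") so the check has something to catch.
cat > "$ZONES_DIR/work.xml" <<'EOF'
<zone>
  <service name="ssh"/>
  <service name="ftp"/>
  <service name="dhcpv6-client"/>
  <service name="ftp1121"/>
</zone>
EOF
echo "ftp port: $(service_port ftp); unresolved: $(missing_services "$ZONES_DIR/work.xml" | tr '\n' ' ')"
```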
