[root@hanfeng ~]# iptables-save > /tmp/ipt.txt
[root@hanfeng ~]# cat /tmp/ipt.txt //会看到保存的规则——>这里的和视频的不同,感觉nat表应用哪里挂掉了
# Generated by iptables-save v1.4.21 on Fri Dec 1 23:01:03 2017
*nat
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
COMMIT
# Completed on Fri Dec 1 23:01:03 2017
打开firewalld
[root@hf-01 ~]# systemctl disable iptables
[root@hf-01 ~]# systemctl stop iptables
[root@hf-01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@hf-01 ~]# systemctl start firewalld
[root@hf-01 ~]#
这时用iptables -nvL和iptables -t nat -nvL查看规则,会看到增加了很多的链
[root@hf-01 ~]# firewall-cmd --get-zones //查看所有zone
block dmz drop external home internal public trusted work
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --get-default-zone //查看默认zone
public
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --set-default-zone=work
success
[root@hf-01 ~]# firewall-cmd --get-default-zone
work
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 ~]# cd /etc/sysconfig/network-scripts/
[root@hf-01 network-scripts]# ls
ifcfg-eno16777736 ifdown-post ifup-bnep ifup-routes
ifcfg-eno16777736:0 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
[root@hf-01 network-scripts]# cp /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# vi !$ //编辑配置文件
vi /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# systemctl restart network.service //重启网络服务
[root@hf-01 network-scripts]# systemctl restart firewalld //重新加载firewalld服务
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36 //查看ens36网卡的zone
no zone
[root@hf-01 network-scripts]# firewall-cmd --zone=work --add-interface=ens36 //给ens36网卡设置zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36 //查看ens36网卡的zone
work
[root@hf-01 network-scripts]#
[root@hf-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo 给lo网卡设置zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]#
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]# firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@hf-01 network-scripts]#
[root@hf-01 network-scripts]# firewall-cmd --zone=block --change-interface=ens36 给ens36网卡设置zone
success
[root@hf-01 network-scripts]# firewall-cmd --zone=block --remove-interface=ens36 //针对ens36网卡删除zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 network-scripts]#
[root@hf-01 network-scripts]# firewall-cmd --get-active-zones //查看系统所有网卡所在的zone
dmz
interfaces: lo
work
interfaces: eno16777736
[root@hf-01 network-scripts]#
[root@hf-01 ~]# firewall-cmd --get-services //列出系统中所有的services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openV** pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --get-default-zone //查看当前的zone
work
[root@hf-01 ~]# firewall-cmd --list-services //查看当前zone下有哪些service
dhcpv6-client ipp-client ssh
[root@hf-01 ~]#
[root@hf-01 ~]# firewall-cmd --zone=public --list-services
dhcpv6-client ssh
[root@hf-01 ~]#
[root@hanfeng ~]# firewall-cmd --zone=public --add-service=http
success
[root@hanfeng ~]# firewall-cmd --zone=public --list-service
dhcpv6-client http ssh
[root@hanfeng ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@hanfeng ~]# firewall-cmd --zone=public --list-service
dhcpv6-client ftp http ssh
[root@hanfeng ~]#
[root@hanfeng ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@hanfeng ~]# ls /etc/firewalld/zones/ //每次改完配置文件,就会生成一个旧的作为备份,后缀名为.old
public.xml public.xml.old
[root@hanfeng ~]# cat /etc/firewalld/zones/public.xml //查看更改后的配置文件
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ssh"/>
</zone>
[root@hanfeng ~]#
[root@hanfeng ~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
[root@hanfeng ~]# ls /usr/lib/firewalld/services/
amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml
bacula-client.xml ipp.xml nfs.xml samba-client.xml
bacula.xml ipsec.xml ntp.xml samba.xml
dhcpv6-client.xml kerberos.xml openV**.xml smtp.xml
dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml
dhcp.xml ldaps.xml pmproxy.xml telnet.xml
dns.xml ldap.xml pmwebapis.xml tftp-client.xml
ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml
high-availability.xml libvirt.xml pop3s.xml transmission-client.xml
https.xml mdns.xml postgresql.xml vnc-server.xml
http.xml mountd.xml proxy-dhcp.xml wbem-https.xml
imaps.xml ms-wbt.xml radius.xml
[root@hanfeng ~]#
[root@hanfeng ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services
[root@hanfeng ~]# vi /etc/firewalld/services/ftp.xml
将内容中的21端口改为1121端口
[root@hanfeng ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@hanfeng ~]# vi /etc/firewalld/zones/work.xml
增加一行,内容为 <service name="ftp"/>
[root@hanfeng ~]# firewall-cmd --reload //重新加载
success
[root@hanfeng ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh
[root@hanfeng ~]#