Category: LINUX
2011-10-08 17:08:56
1. Saving iptables rules on RedHat/CentOS and loading them automatically at boot:
How to save the iptables firewall rules:
Rules created with the iptables command are held only in memory. If the system reboots before they have been saved permanently, every rule you set is lost. For the rules to be in effect again after the next reboot they must be saved permanently; as root, run:
/sbin/service iptables save
This invokes the iptables init script, which runs /sbin/iptables-save and updates the current iptables configuration file, /etc/sysconfig/iptables.
The previous configuration file is kept alongside it as iptables.save.
At the next system boot the iptables init script uses /sbin/iptables-restore to read the contents of /etc/sysconfig/iptables back in.
It is therefore good practice to check a new iptables rule before committing it to /etc/sysconfig/iptables. An iptables configuration file taken from another system can also be applied here, which makes it easy to distribute one configuration file to many Linux hosts.
Note: after /etc/sysconfig/iptables has been distributed, every system must run /sbin/service iptables restart for the rules to take effect.
2. Saving iptables rules on Ubuntu and loading them automatically at boot:
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type the rules in again each time you reboot, you can save the configuration and have it loaded automatically at startup. To save and restore the configuration, use iptables-save and iptables-restore.
Configuration on startup
Save your firewall rules to a file, here /etc/iptables.up.rules:
# iptables-save > /etc/iptables.up.rules
Run this from a root shell (for example after sudo su -); prefixing the command with sudo does not work, because the redirection into /etc/iptables.up.rules is performed by your own unprivileged shell, not by the iptables-save that sudo runs.
Then modify the /etc/network/interfaces script so the rules are applied automatically when the interface comes up (the last line is the one added):
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.up.rules
You can also prepare a separate set of rules to be applied when the interface goes down, and have it loaded automatically:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-restore < /etc/iptables.down.rules
Tips
If you manually edit iptables on a regular basis
The steps above cover how to set up your firewall rules and assume they will be relatively static (and for most people they should be). But if you do a lot of development work and change the rules often, you may want your iptables rules saved every time you reboot. For that you can add a line like this to /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules
The line "post-down iptables-save > /etc/iptables.up.rules" saves the current rules so they are used on the next boot. Be aware that it also persists any temporary or mistaken rule that happens to be loaded when the interface goes down, so the saved file still deserves a review.
Using iptables-save/restore to test rules
If you edit your iptables rules beyond this tutorial, you may want to use iptables-save and iptables-restore to edit and test your rules. To do this, first dump the current rules to a file with iptables-save, then open that file in your favorite text editor (gedit in this example):
# iptables-save > /etc/iptables.test.rules
# gedit /etc/iptables.test.rules
You will have a file that looks similar to the following (continuing the example above):
# Generated by iptables-save v1.3.1 on Sun Apr 23 06:19:53 2006
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
# Completed on Sun Apr 23 06:19:53 2006
Notice that these are ordinary iptables commands with the leading "iptables" omitted. Edit the file as needed and save it when complete. Then to test the edited rules, load them with the command below. By default iptables-restore flushes the current ruleset and replaces it with the file's contents (the -n/--noflush option appends instead), so a mistake in the file, such as losing the rule that accepts port 22, takes effect immediately; when working over SSH, keep a second session open or arrange a fallback restore of the known-good rules first.
# iptables-restore < /etc/iptables.test.rules
After testing, if you have not added the iptables-save line above to /etc/network/interfaces, remember to save your changes so they are not lost at the next reboot:
# iptables-save > /etc/iptables.up.rules
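Both the RedHat section above (check a rule before committing it to /etc/sysconfig/iptables) and the edit-and-test workflow in this section assume you review the saved file before loading it, and iptables-restore itself only reports a terse parse error when the file is malformed. The following added example, which is not part of the original page or of the iptables project, is a small POSIX shell and awk linter for an iptables-save dump: it checks that every *table block ends with COMMIT, that every -A/-I rule adds to a chain declared in that table, and that every -j/-g target is either a builtin target or a declared chain. It needs no root and never touches the live firewall. The list of builtin targets and the two embedded rulesets (one a trimmed copy of the LOGNDROP ruleset shown in the logging section below, one constructed with typical hand-editing mistakes) are the example's own assumptions.

```shell
#!/bin/sh
# Lint an iptables-save dump before committing it to /etc/sysconfig/iptables
# or /etc/iptables.up.rules.  Added example: pure sh + awk, no root required,
# the running firewall is never touched.
# Usage: sh check_ruleset.sh /etc/iptables.test.rules

# Print one "ERROR: ..." line per problem in the dump FILE ($1).
# Exit status: 0 if the dump is clean, 1 if any error was found.
check_ruleset() {
    awk '
    function err(msg) { print "ERROR: " msg; errors++ }
    BEGIN {
        # Targets that are valid without a ":NAME" declaration in the file
        # (assumed list; extend it if you use other extension targets).
        split("ACCEPT DROP REJECT RETURN LOG ULOG NFLOG QUEUE MASQUERADE SNAT DNAT REDIRECT MARK CONNMARK TCPMSS", t, " ")
        for (k in t) builtin[t[k]] = 1
        errors = 0
    }
    /^#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
    /^\*/ {                                      # "*filter", "*nat", ... starts a table
        if (table != "" && !committed) err("table " table " has no COMMIT")
        table = substr($0, 2); committed = 0; split("", chains)
        next
    }
    /^:/ {                                       # ":INPUT ACCEPT [0:0]" declares a chain
        chains[substr($1, 2)] = 1
        next
    }
    /^COMMIT$/ {
        if (table == "") err("line " NR ": COMMIT outside of a table block")
        committed = 1
        next
    }
    /^-/ {                                       # a rule, e.g. "-A INPUT -i lo -j ACCEPT"
        if (table == "") err("line " NR ": rule outside of a table block")
        if (committed)   err("line " NR ": rule after COMMIT in table " table)
        for (i = 1; i < NF; i++) {
            if (($i == "-A" || $i == "-I") && !($(i+1) in chains))
                err("line " NR ": rule added to undeclared chain " $(i+1))
            if (($i == "-j" || $i == "-g") && !($(i+1) in chains) && !($(i+1) in builtin))
                err("line " NR ": jump to unknown target " $(i+1))
        }
        next
    }
    { err("line " NR ": unrecognized line: " $0) }
    END {
        if (table == "") err("no *table block found")
        else if (!committed) err("table " table " has no COMMIT")
        exit errors ? 1 : 0
    }' "$1"
}

# Number of errors in FILE, for use in scripts that gate distribution of a ruleset.
ruleset_error_count() {
    check_ruleset "$1" | grep -c '^ERROR: ' || true   # grep -c exits 1 on a count of 0
}

# Constructed sample: a trimmed copy of this page's LOGNDROP ruleset; should pass.
sample_good_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
EOF
}

# Constructed sample with typical hand-editing mistakes: the LOGNDROP chain is
# never declared (one jump to it, one rule added to it) and COMMIT was lost.
sample_bad_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -j DROP
EOF
}

# Lint the file given on the command line, if any.
if [ $# -ge 1 ]; then
    check_ruleset "$1"
fi
```

Run it on the file you are about to load, for example sh check_ruleset.sh /etc/iptables.test.rules; a clean exit status makes it usable as a gate in a script that pushes one ruleset to many hosts. It is a syntax and reference check only: whether a given match or target is actually available on the kernel is still decided by iptables-restore (or iptables-restore --test, which parses and builds the ruleset without committing it).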
More detailed logging
For further detail in your syslog you may want to create an additional chain. This is a brief example of my /etc/iptables.up.rules showing how I set up iptables to log to syslog:
# Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Apr 23 05:32:09 2006
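The protocol-specific prefixes in the ruleset above exist so the entries can be found and counted in the kernel log (/var/log/syslog or /var/log/kern.log on Ubuntu). As an added example, not taken from the original page, here is a shell and awk summariser that reads such a log file, selects only the entries carrying a "Denied TCP/UDP/ICMP:" prefix and ignores other kernel messages, and tallies them by prefix, by source address and by protocol and destination port. The lines in sample_denied_log are constructed for the example, using the key=value fields the LOG target writes (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) but shortened; the host name, addresses and times are invented.

```shell
#!/bin/sh
# Summarise LOGNDROP entries from a syslog/kern.log file.  Added example:
# pure sh + awk, no root required.  Usage: sh denied_summary.sh /var/log/kern.log

# Constructed sample log (not real traffic): six "Denied ...:" entries written
# by the LOG rules of the LOGNDROP chain, plus one unrelated kernel message.
sample_denied_log() {
    cat <<'EOF'
Apr 23 06:20:01 myhost kernel: [  842.100000] Denied TCP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=51234 DPT=23 SYN
Apr 23 06:20:02 myhost kernel: [  843.400000] Denied TCP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=51235 DPT=3389 SYN
Apr 23 06:20:03 myhost kernel: [  844.000000] Denied UDP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=48 PROTO=UDP SPT=40021 DPT=161 LEN=58
Apr 23 06:20:04 myhost kernel: [  845.200000] Denied TCP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=51236 DPT=445 SYN
Apr 23 06:20:05 myhost kernel: [  846.300000] eth0: link up, 1000Mbps, full-duplex
Apr 23 06:20:06 myhost kernel: [  847.700000] Denied ICMP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=48 PROTO=ICMP TYPE=8 CODE=0 ID=9001 SEQ=1
Apr 23 06:20:07 myhost kernel: [  848.900000] Denied UDP: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=78 TTL=63 PROTO=UDP SPT=5353 DPT=161 LEN=58
EOF
}

# Number of denied packets logged under one prefix, e.g. "Denied TCP:".
count_denied() {                      # count_denied LOGFILE "Denied TCP:"
    grep -c "kernel: .*$2" "$1" || true   # grep -c exits 1 when the count is 0
}

# All denied packets tallied by source address, busiest source first.
top_sources() {                       # top_sources LOGFILE  ->  "SRC count" per line
    awk '/kernel: .*Denied (TCP|UDP|ICMP): / {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr -k1,1
}

# Denied TCP/UDP tallied by protocol and destination port: "PROTO/DPT count".
top_ports() {                         # top_ports LOGFILE
    awk '/kernel: .*Denied (TCP|UDP): / {
             proto = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^PROTO=/) proto = substr($i, 7)
                 if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
             }
             if (dpt != "") n[proto "/" dpt]++
         }
         END { for (p in n) print p, n[p] }' "$1" | sort -k2,2nr -k1,1
}

# Human-readable report over one log file.
denied_report() {
    for p in "Denied TCP:" "Denied UDP:" "Denied ICMP:"; do
        printf '%-13s %s\n' "$p" "$(count_denied "$1" "$p")"
    done
    echo "--- sources ---"; top_sources "$1"
    echo "--- ports ---";   top_ports "$1"
}

# Report on the log file given on the command line, if any.
if [ $# -ge 1 ]; then
    denied_report "$1"
fi
```

Because of the --limit match in the LOG rules, these counts are a sample of the denied traffic rather than a full count; a source that shows up repeatedly across minutes is still a reliable signal of scanning. The same prefix-based selection works for the single "iptables denied: " LOG rule of the earlier ruleset, only the per-protocol breakdown needs the LOGNDROP prefixes.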
Note the new chain called LOGNDROP declared near the top of the file. Also, the plain DROP at the bottom of the INPUT chain is replaced with a jump to LOGNDROP, and the LOG rules add a protocol description to the prefix so the entries make sense when reading the log. Lastly, the traffic is dropped at the end of the LOGNDROP chain. The LOG options used:
--limit 5/min rate-limits how often each LOG rule fires (at most five entries per minute once the initial burst of five is used up), so a flood of denied packets cannot fill syslog; packets above the limit are still dropped by the final rule, just not logged.
--log-prefix "Denied..." adds a prefix that makes the entries easy to find in syslog.
--log-level 7 sets the syslog priority of the entries; 7 is debug (informational is 6, see man syslog), and you can usually leave this as is.
Disabling the firewall
If you need to disable the firewall temporarily, you can flush all the rules with:
# sudo iptables -F
Warning: this is only safe where the default chain policies are ACCEPT, as in the examples above. -F deletes the rules but leaves the policies alone, so on a system whose INPUT policy has been set to DROP, flushing leaves nothing but that DROP policy and cuts off all network access to the machine; there you must also reset the policies to ACCEPT (iptables -P INPUT ACCEPT, and likewise for FORWARD and OUTPUT).