Backing up and restoring iptables firewall rules
2010-07-10 13:05
When maintaining a server, the rules configured with the iptables command live only in kernel memory; they are lost when the server reboots. How do we make sure the rules configured earlier take effect again automatically after a reboot?
Method 1:
Before rebooting, back up the current iptables rules, then import them into iptables again when the server starts.
Related commands:
Back up the rules, saving the rule file in the current user's home directory:
iptables-save > ~/iptables.bak
Restore the rules:
iptables-restore < ~/iptables.bak
Put the restore command in the startup script /etc/rc.local.
Two caveats: iptables-restore flushes the existing tables before loading the file (use -n/--noflush if you want to append instead), and rc.local runs at the very end of boot, after network services are already listening, so there is a short window with no firewall at all. Also keep the backup file readable only by root: it lists exactly which source addresses are trusted to reach SSH, FTP and SNMP.
Method 2:
Save the rules directly to the iptables configuration file /etc/sysconfig/iptables. On Red Hat/CentOS this is what `service iptables save` does, and the iptables init script loads that file early in boot, before rc.local, which closes the window mentioned above.
The backup file produced by iptables-save looks like this (the dump from the author's server):
[zhangzq@realweb netcert]$ cat iptables.bak
# Generated by iptables-save v1.2.11 on Tue Dec 14 13:49:16 2010
*nat
:PREROUTING ACCEPT [1513:84880]
:POSTROUTING ACCEPT [2181:130860]
:OUTPUT ACCEPT [2181:130860]
COMMIT
# Completed on Tue Dec 14 13:49:16 2010
# Generated by iptables-save v1.2.11 on Tue Dec 14 13:49:16 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3517770272:2320868460003]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.201 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.80.195 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.250 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.85.185 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 221.223.80.128 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 122.70.220.136 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.115.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 123.117.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.198 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.199 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p udp -m state --state NEW -m udp --dport 873 -j ACCEPT
-A RH-Firewall-1-INPUT -s 219.232.42.228 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.242 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -s 111.193.206.253 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.209 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.244 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.17.106 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 59.151.24.206 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Dec 14 13:49:16 2010
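As an added example, not part of the original post, the script below wraps the two commands above into something you can call from /etc/rc.local: it saves the rules with restrictive permissions, checks that a dump is structurally complete (every *table block closed by COMMIT, only chain, rule and COMMIT lines inside) before handing it to iptables-restore, and, run with no arguments, self-tests on a constructed sample dump in the same shape as the author's iptables.bak. The path /etc/iptables.rules, the script's argument names and the sample dump (with the documentation address 192.0.2.10 in place of the real ones) are assumptions; only the backup and restore branches need root.

```shell
#!/bin/sh
# Added example, not from the original post: back up iptables rules, sanity-check
# the dump, and restore it from /etc/rc.local. RULES_FILE and the sample dumps
# below are assumptions/constructed data; the real tools are iptables-save and
# iptables-restore exactly as used in the post.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed path (post uses ~/iptables.bak)

# Save the live ruleset. Needs root. umask 077 makes the file mode 0600,
# since the dump lists the source addresses trusted for SSH/FTP/SNMP.
backup_rules() {
    ( umask 077; iptables-save > "$1" )
}

# Structural check of an iptables-save dump. Every "*table" block must be
# closed by COMMIT, and every non-comment line must be one of: table header,
# chain declaration ":NAME POLICY [pkts:bytes]", rule "-A ...", or COMMIT.
# A file truncated mid-table (full disk, crash during the backup) fails this.
# Returns 0 if well-formed, 1 otherwise.
check_rules_file() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*[a-z]+$/ { if (open) bad++; open = 1; tables++; next }
        /^COMMIT$/   { if (!open) bad++; open = 0; next }
        /^:[^ ]+ [A-Z-]+ \[[0-9]+:[0-9]+\]$/ { if (!open) bad++; next }
        /^-A /       { if (!open) bad++; next }
        { bad++ }
        END { if (open || bad || tables == 0) exit 1; exit 0 }
    ' "$1"
}

# What rc.local should call ("sh /path/to/this.sh restore"): refuse a malformed
# file instead of letting iptables-restore abort half-way through.
restore_rules() {
    if check_rules_file "$1"; then
        iptables-restore < "$1"
    else
        echo "refusing to load malformed rules file: $1" >&2
        return 1
    fi
}

# Constructed sample dump in the same shape as the post's iptables.bak.
write_sample_good() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.10 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
EOF
}

# The same dump cut off before the filter table's COMMIT, as a truncated backup would be.
write_sample_bad() {
    write_sample_good "$1"
    sed '$d' "$1" | sed '$d' > "$1.trunc" && mv "$1.trunc" "$1"
}

case "${1:-}" in
    backup)  backup_rules  "$RULES_FILE" ;;
    restore) restore_rules "$RULES_FILE" ;;
    *)  # no argument: self-test on the constructed samples, no root needed
        tmp=$(mktemp -d)
        write_sample_good "$tmp/good"; write_sample_bad "$tmp/bad"
        check_rules_file "$tmp/good" && echo "complete dump: ok"
        check_rules_file "$tmp/bad"  || echo "truncated dump: rejected"
        rm -rf "$tmp" ;;
esac
```

The check is deliberately only structural: it cannot tell you the rules are the ones you meant, only that the file is a whole iptables-save dump rather than a half-written one, which is the failure that otherwise leaves a rebooted server with no rules or a partial set.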
This article is from the "过客" blog; please keep this source link when reproducing it: http://zhangziqiang.blog.51cto.com/698396/347299