@[TOC](第二十九章 Linux防火墙 模块 小节2)
限制端口
CentOS7
#安装服务
[root@centos7 ~]# yum install -y mariadb-server httpd
#启动服务
[root@centos7 ~]# systemctl start mariadb httpd
#编辑网页
[root@centos7 ~]# echo badu.com > /var/www/html/index.html
#查看网页信息
[root@centos7 ~]# cat /var/www/html/index.html
badu.com
#添加mysql用户。注意:示例用的是弱密码,并授予了 *.* 的全部权限;生产环境应使用强密码并按库/表最小化授权。密码直接写在命令行会留在 shell 历史里,建议交互式输入
[root@centos7 ~]# mysql -e "grant all on *.* to test@'192.168.37.%' identified by 'centos'"
#清空策略。注意:-F 只删除规则、不改变链的默认策略;若 INPUT 默认策略是 DROP,在远程会话里执行 -F 会立刻断开连接,执行前先确认策略为 ACCEPT(本例为 ACCEPT)
[root@centos7 ~]# iptables -F
#添加策略、允许windows宿主机(192.168.37.1)和本机回环地址访问。-s 中用逗号写多个地址会被拆成多条规则(见下方输出);37.1 这条的计数器一直在增长,推测当前 ssh 会话就来自它,所以它必须排在后面的拒绝规则之前,否则会把自己锁在外面。127.0.0.1 只会出现在 lo 接口上,通常写成 -i lo -j ACCEPT 更准确
[root@centos7 ~]# iptables -A INPUT -s 192.168.37.1,127.0.0.1 -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17 1180 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 10 packets, 1096 bytes)
pkts bytes target prot opt in out source destination
#其他的都拒绝。注意规则按顺序匹配、命中即止:这条 REJECT 之后再用 -A 追加的放行规则永远不会被检查到,所以后文都用 -I INPUT N 插到它前面。REJECT 默认用 icmp-port-unreachable 回应(见下方输出),对 TCP 服务可用 --reject-with tcp-reset 更贴近"端口未监听"的表现
[root@centos7 ~]# iptables -A INPUT -j REJECT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
102 7504 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target prot opt in out source destination
CentOS6 测试是否被拒绝
#被拒绝
[root@centos6 ~]$ curl 192.168.37.7
curl: (7) couldn't connect to host
CentOS7 允许37.6访问的httpd访问
# -I INPUT 3:插入到 INPUT 链第 3 条位置; -s 源地址 -p 协议 --dport 目标端口 -j ACCEPT。必须插在 REJECT 之前(当前第 3 条),否则不会生效
[root@centos7 ~]# iptables -I INPUT 3 -s 192.168.37.6 -p tcp --dport 80 -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
449 31101 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
6 485 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:80 <--
1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19 packets, 2998 bytes)
pkts bytes target prot opt in out source destination
CentOS6 可以访问37.7的httpd服务
[root@centos6 ~]$ curl 192.168.37.7
badu.com
CentOS7
#插入到INPUT中第3条、37.6主机可以访问本机tcp协议3306端口
[root@centos7 ~]# iptables -I INPUT 3 -s 192.168.37.6 -p tcp --dport 3306 -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
998 71520 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:3306 <--
6 485 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:80
3 180 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1816 bytes)
pkts bytes target prot opt in out source destination
CentOS6 可以访问37.7的mysql服务(注意:-p 后紧跟密码会暴露在命令历史和 ps 输出中,建议只写 -p 交互式输入)
[root@centos6 ~]$ mysql -h 192.168.37.7 -utest -pcentos
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
判断是不是第一次握手(--syn 只匹配 SYN 置位而 ACK、RST、FIN 都未置位的报文,即 TCP 三次握手的第一个包,等价于 --tcp-flags SYN,RST,ACK,FIN SYN)
CentOS7
[root@centos7 ~]# iptables -I INPUT 5 -s 192.168.37.18 -j ACCEPT
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1281 91234 ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 6 419 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:3306
4 6 485 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:80
5 0 0 ACCEPT all -- * * 192.168.37.18 0.0.0.0/0 <--
6 5 378 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
num pkts bytes target prot opt in out source destination
CentOS7(ip:18)
[root@18 ~]# curl 192.168.37.7
badu.com
[root@18 ~]# ping 192.168.37.7 -c 2
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
64 bytes from 192.168.37.7: icmp_seq=1 ttl=64 time=0.982 ms
64 bytes from 192.168.37.7: icmp_seq=2 ttl=64 time=0.467 ms
--- 192.168.37.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.467/0.724/0.982/0.258 ms
CentOS7 只要是新的 TCP 握手就丢弃(插到第 5 条,上面放行 37.18 的规则顺延为第 6 条;只拦 SYN,已建立的连接和 ICMP 不受影响)
[root@centos7 ~]# iptables -I INPUT 5 -s 192.168.37.18 -p tcp --syn -j DROP
CentOS7(ip:18)
#ping不走tcp协议、走icmp协议所以能ping通
[root@18 ~]# ping 192.168.37.7 -c 2
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
64 bytes from 192.168.37.7: icmp_seq=1 ttl=64 time=1.15 ms
64 bytes from 192.168.37.7: icmp_seq=2 ttl=64 time=0.419 ms
--- 192.168.37.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.419/0.786/1.154/0.368 ms
#被拒绝。注意:-j DROP 是静默丢弃、客户端一般要等到超时才报错;这里的 "Connection refused" 更像 REJECT(tcp-reset 或 icmp-port-unreachable)的表现,实际测试时以自己看到的结果为准
[root@18 ~]# curl 192.168.37.7
curl: (7) Failed connect to 192.168.37.7:80; Connection refused
我能ping你、你不能ping我:只放行入站的 ICMP echo-reply(type 0),入站的 echo-request(type 8)落到最后一条 REJECT;出站不受限(OUTPUT 策略 ACCEPT),所以本机 ping 别人正常。注意下面的列表里已经没有上一步针对 37.18 的两条规则,推测在此之前已被删除(如 iptables -D INPUT 5),否则 37.18 的请求会先被那条放行规则接受。另外生产环境不建议把其它 ICMP 类型一律拒绝(例如 type 3 destination-unreachable 参与 PMTUD),应按类型放行
CentOS7
[root@centos7 ~]# iptables -I INPUT 5 -p icmp --icmp-type 0 -j ACCEPT
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2338 171K ACCEPT all -- * * 192.168.37.1 0.0.0.0/0
2 0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
3 6 419 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:3306
4 6 485 ACCEPT tcp -- * * 192.168.37.6 0.0.0.0/0 tcp dpt:80
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
6 5 378 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 748 bytes)
num pkts bytes target prot opt in out source destination
[root@centos7 ~]# ping 192.168.37.18 -c 2
PING 192.168.37.18 (192.168.37.18) 56(84) bytes of data.
64 bytes from 192.168.37.18: icmp_seq=1 ttl=64 time=0.655 ms
64 bytes from 192.168.37.18: icmp_seq=2 ttl=64 time=0.471 ms
--- 192.168.37.18 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.471/0.563/0.655/0.092 ms
CentOS7(ip:18) 不通
[root@18 ~]# ping 192.168.37.7 -c 2
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
From 192.168.37.7 icmp_seq=1 Destination Port Unreachable
From 192.168.37.7 icmp_seq=2 Destination Port Unreachable
--- 192.168.37.7 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
multiport
以离散方式定义多端口匹配,最多指定15个端口(一个 port:port 范围按两个端口计算)
- [!] --source-ports,--sports port[,port|,port:port]...
指定多个源端口
- [!] --destination-ports,--dports port[,port|,port:port]...
指定多个目标端口
- [!] --ports port[,port|,port:port]...多个源或目标端口
一次加多个端口(不连续的端口)
[root@centos7 ~]# iptables -A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
#而且两条合成一条
[root@centos7 ~]# iptables -vnL
...
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 139,445
#连续的端口范围直接写 起始:结束 即可、不需要 multiport 模块
[root@centos7 ~]# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
...
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138
iprange扩展
- 指明连续的(但一般不是整个网络)ip地址范围
- [!] --src-range from[-to] 源IP地址范围
- [!] --dst-range from[-to] 目标IP地址范围
mac扩展
指明源MAC地址
适用于:PREROUTING, FORWARD,INPUT chains
[!] --mac-source XX:XX:XX:XX:XX:XX
#按源 MAC 地址放行。注意:MAC 地址只在同一二层网段内有意义(经过路由转发后看到的是网关的 MAC),而且可以随意伪造,不能当作身份认证手段,只能作为辅助匹配条件与 IP 等规则一起使用
[root@centos7 ~]# iptables -A INPUT -m mac --mac-source 00:0c:29:27:de:e1 -j ACCEPT
string扩展
对报文中的应用层数据做字符串模式匹配检测
--algo {bm|kmp} 字符串匹配检测算法
bm:Boyer-Moore kmp:Knuth-Morris-Pratt
--from offset 开始偏移
--to offset 结束偏移
[!] --string pattern 要检测的字符串模式
[!] --hex-string pattern 要检测字符串模式,16进制格式
拒绝本机 80 端口发出的、载荷中含有 "google" 的响应报文(注意:下面的规则匹配 OUTPUT 链且 --sport 80,拦的是本机 web 服务返回的内容,并不是阻止本机去访问 google 网站;要限制本机访问外部站点应匹配 OUTPUT 的 --dport 80)
# string 匹配按单个报文进行,字符串跨报文时匹配不到;对 HTTPS 等加密流量完全无效;默认区分大小写,很容易被绕过,只适合做粗粒度过滤
[root@centos7 ~]# iptables -A OUTPUT -p tcp --sport 80 -m string --algo bm --string "google" -j REJECT
协议 调用string模块 要检测的字符串
time扩展
根据将报文到达的时间与指定的时间范围进行匹配
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 开始日期;年-月-日-时-分-秒
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] 结束日期;年-月-日-时-分-秒
--timestart hh:mm[:ss] 每天开始时间
--timestop hh:mm[:ss] 每天结束时间
[!] --monthdays day[,day...] 每个月的几号
[!] --weekdays day[,day...] 星期几,1 – 7 分别表示星期一到星期日
--kerneltz:内核时区,不建议使用,CentOS7系统默认为UTC(需要-8小时)
注意: centos6 不支持kerneltz ,--localtz指定本地时区(默认)
#早9晚6允许访问(time 模块默认按 UTC 解释时间,即上文说的"需要-8小时":东八区 09:00-18:00 对应 UTC 01:00-10:00;若加 --kerneltz 按内核时区判断,则直接写 9:00-18:00)
[root@centos7 ~]# iptables -A INPUT -m time --timestart 1:00 --timestop 10:00 -j ACCEPT
connlimit扩展
根据每客户端IP做并发连接数匹配(默认按 /32 即单个 IP 统计,可用 --connlimit-mask 按网段统计)
可在一定程度上缓解 DoS(Denial of Service,拒绝服务)攻击;注意经 NAT 出来的多个客户端共用一个源 IP,阈值太低会误伤正常用户
--connlimit-upto #:连接的数量小于等于#时匹配
--connlimit-above #:连接的数量大于#时匹配
通常分别与默认的拒绝或允许策略配合使用
#连接数超过100次、就拒绝访问 tcp协议 80端口
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 -j REJECT
limit扩展
基于收发报文的速率做匹配
令牌桶过滤器
--limit #[/second|/minute|/hour|/day]
--limit-burst number
#限速[此处两条命令都需要、才能限速]:令牌桶初始 10 个令牌(--limit-burst 10),之后按每分钟 20 个补充;超出速率的 echo-request 落到下一条 REJECT。注意这条规则没有 -s,限制的是所有来源的总速率而不是每个 IP,按源 IP 限速要用 hashlimit 模块
[root@centos7 ~]# iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
#剩下的都拒绝
[root@centos7 ~]# iptables -A INPUT -j REJECT
state扩展
根据“连接追踪机制”(conntrack)去检查连接的状态,较耗资源
conntrack机制:追踪本机上的请求和响应之间的关系
状态有如下几种
- NEW:新发出请求;连接追踪信息库中不存在此连接的相关信息条目,因此,将其识别为第一次发出的请求
- ESTABLISHED:NEW状态之后,连接追踪信息库中为其建立的条目失效之前期间内所进行的通信状态
- RELATED:新发起的但与已有连接相关联的连接,如:ftp协议中的数据连接与命令连接之间的关系
- INVALID:无效的连接,如flag标记不正确
- UNTRACKED:未进行追踪的连接,如raw表中关闭追踪
#只放行 22 端口上已建立(ESTABLISHED)及相关(RELATED)连接的报文,即已有会话的后续报文;新建连接(NEW)不在此规则内,需要另行放行
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
[!] --state state 示例:
- iptables -A INPUT -d 172.16.1.10 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
- iptables -A OUTPUT -s 172.16.1.10 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
已经追踪到的并记录下来的连接信息库
- /proc/net/nf_conntrack
调整连接追踪功能所能够容纳的最大连接数量
- /proc/sys/net/nf_conntrack_max
不同的协议的连接追踪时长
- /proc/sys/net/netfilter/
注意:CentOS7 需要加载模块:modprobe nf_conntrack_ipv4
iptables的连接跟踪表最大容量为/proc/sys/net/nf_conntrack_max,各种状态的超时连接会从表中删除;当表满载时,新连接的报文会被直接丢弃(内核日志中通常可见 nf_conntrack: table full, dropping packet),表现为连接超时
解决方法两个:
- (1) 加大nf_conntrack_max 值
vi /etc/sysctl.conf
net.nf_conntrack_max = 393216
net.netfilter.nf_conntrack_max = 393216
- (2) 降低 nf_conntrack timeout时间
vi /etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
iptables -t nat -L -n
#临时调整数值、连接追踪功能所能够容纳的最大连接数量(写 /proc 立即生效、重启后失效。每条跟踪记录约占几百字节内存,调大前要评估内存;同时考虑调大哈希桶数 nf_conntrack_buckets,否则表大了以后查找效率下降)
[root@centos7 ~]# cat /proc/sys/net/nf_conntrack_max
65536
#调整数值
[root@centos7 ~]# echo 111111 > /proc/sys/net/nf_conntrack_max
#发现数量已经改变
[root@centos7 ~]# cat /proc/sys/net/nf_conntrack_max
111111
#永久调整数值
[root@centos7 ~]# vim /etc/sysctl.conf
net.nf_conntrack_max=88888 <--添加此行
#生效
[root@centos7 ~]# sysctl -p
net.nf_conntrack_max = 88888
[root@centos7 ~]# cat /proc/sys/net/nf_conntrack_max
88888
开放被动模式的ftp服务
(1) 装载ftp连接追踪的专用模块:
- 跟踪模块路径:/lib/modules/kernelversion/kernel/net/netfilter
- vim /etc/sysconfig/iptables-config 配置文件
- IPTABLES_MODULES="nf_conntrack_ftp"
- modprobe nf_conntrack_ftp
(2) 放行请求报文:
- 命令连接:NEW, ESTABLISHED
- 数据连接:RELATED, ESTABLISHED
- iptables -I INPUT -d LocalIP -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -d LocalIP -p tcp --dport 21 -m state --state NEW -j ACCEPT
(3) 放行响应报文:
- iptables -I OUTPUT -s LocalIP -p tcp -m state --state ESTABLISHED -j ACCEPT
开放被动模式的ftp服务示例
CentOS7
[root@centos7 ~]# yum install -y vsftpd
[root@centos7 ~]# systemctl start vsftpd
#加载连接跟踪FTP模块(helper 会解析控制连接中的 PORT/PASV 报文,把随后的数据连接标记为 RELATED,所以下面不必放行 PASV 的随机端口。注意:4.7 以后的内核默认关闭 helper 自动绑定(nf_conntrack_helper=0),需在 raw 表用 -j CT --helper ftp 显式绑定;CentOS7 的 3.10 内核仍为自动绑定)
[root@centos7 ~]# modprobe nf_conntrack_ftp
[root@centos7 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
CentOS6
[root@centos6 ~]$ ftp 192.168.37.7
Connected to 192.168.37.7 (192.168.37.7).
220 (vsFTPd 3.0.2)
Name (192.168.37.7:root): ftp
331 Please specify the password.
Password: <--回车(能空密码登录说明 vsftpd 开着匿名访问 anonymous_enable=YES;这里只是为了验证防火墙规则,生产环境应关闭匿名登录,且 FTP 明文传输凭据,应优先考虑 SFTP/FTPS)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,37,7,73,197).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Oct 30 2018 pub
226 Directory send OK.
Target:
ACCEPT,DROP,REJECT,RETURN
LOG,SNAT,DNAT,REDIRECT,MASQUERADE,...
LOG:非中断target,本身不拒绝和允许,放在拒绝和允许规则前
- 并将日志记录在/var/log/messages系统日志中
- --log-level level 级别:debug,info,notice, warning, error, crit,alert,emerg
- --log-prefix prefix 日志前缀,用于区别不同的日志,最多29个字符
示例:
- iptables -I INPUT -s 10.0.1.0/24 -p tcp -m multiport --dports 80,21,22,23 -m state --state NEW -j LOG --log-prefix "new connections: "
CentOS7
#只要37.6访问我、就记录日志。--log-prefix 末尾建议留一个空格或冒号,否则前缀会和 IN= 连在一起(见下方 "from 37.6 accessIN=eth0")。LOG 不终结匹配,记完日志继续走后面的规则。注意:不限速地记录某主机的全部流量,对方发包就能把 /var/log/messages 刷满,建议配合 -m limit 使用
[root@centos7 ~]# iptables -A INPUT -s 192.168.37.6 -j LOG --log-prefix "from 37.6 access"
CentOS6
[root@centos6 ~]$ ping 192.168.37.7
PING 192.168.37.7 (192.168.37.7) 56(84) bytes of data.
64 bytes from 192.168.37.7: icmp_seq=1 ttl=64 time=0.456 ms
64 bytes from 192.168.37.7: icmp_seq=2 ttl=64 time=0.462 ms
64 bytes from 192.168.37.7: icmp_seq=3 ttl=64 time=1.13 ms
CentOS7
#监控日志
[root@centos7 ~]# tail -f /var/log/messages
...
Jul 25 01:46:01 centos7 kernel: from 37.6 accessIN=eth0 OUT= MAC=00:0c:29:07:f7:8f:00:0c:29:92:97:b4:08:00 SRC=192.168.37.6 DST=192.168.37.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9738 SEQ=1
Jul 25 01:46:02 centos7 kernel: from 37.6 accessIN=eth0 OUT= MAC=00:0c:29:07:f7:8f:00:0c:29:92:97:b4:08:00 SRC=192.168.37.6 DST=192.168.37.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9738 SEQ=2
Jul 25 01:46:03 centos7 kernel: from 37.6 accessIN=eth0 OUT= MAC=00:0c:29:07:f7:8f:00:0c:29:92:97:b4:08:00 SRC=192.168.37.6 DST=192.168.37.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9738 SEQ=3
...
规则次序
任何不允许的访问,应该在请求到达时给予拒绝
规则在链接上的次序即为其检查时的生效次序
基于上述,规则优化
- 安全放行所有入站和出站的状态为ESTABLISHED状态连接
- 谨慎放行入站的新请求
- 有特殊目的限制的访问,要在放行规则之前加以拒绝
- 同类规则(访问同一应用),匹配范围小的放在前面,用于特殊处理
- 不同类的规则(访问不同应用),匹配范围大的放在前面
- 应该将那些可由一条规则能够描述的多个规则合并为一条
- 设置默认策略,建议白名单(只放行特定连接)
1 iptables -P DROP 设为默认策略,不建议:默认策略不会被 -F 清掉,一旦清空规则,远程会话立刻断开,把自己锁在外面
2 建议在规则的最后定义规则做为默认策略(如 iptables -A INPUT -j REJECT),这样 -F 之后链回到放行状态,仍可重新配置
iptables-save(保存规则)
规则有效期限:
- 使用iptables命令定义的规则,手动删除之前,其生效期限为kernel存活期限
保存规则:
- 保存规则至指定的文件
CentOS 7
iptables-save > /PATH/TO/SOME_RULES_FILE
CentOS 6
service iptables save
将规则覆盖保存至/etc/sysconfig/iptables文件中
[root@centos7 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Mon Jul 25 13:46:50 2022
*filter
:INPUT ACCEPT [25:1608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:2600]
-A INPUT -s 192.168.37.6/32 -j LOG --log-prefix "from 37.6 access"
COMMIT
# Completed on Mon Jul 25 13:46:50 2022
#保存规则到指定文件(规则文件会暴露放行的管理地址、内网结构等信息,建议只对 root 可读,如 chmod 600)
[root@centos7 ~]# iptables-save > /data/iptables.rules
#查看文件信息中是否定义了iptables规则
[root@centos7 ~]# cat /data/iptables.rules
# Generated by iptables-save v1.4.21 on Mon Jul 25 13:47:55 2022
*filter
:INPUT ACCEPT [109:7136]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61:6972]
-A INPUT -s 192.168.37.6/32 -j LOG --log-prefix "from 37.6 access" <--
COMMIT
# Completed on Mon Jul 25 13:47:55 2022
iptables-restore(加载规则)
CentOS 7 重新载入预存规则文件中规则:
- iptables-restore < /PATH/FROM/SOME_RULES_FILE
- -n, --noflush:不清除原有规则
- -t, --test:仅分析生成规则集,但不提交
CentOS 6:
- service iptables restart
- 会自动从/etc/sysconfig/iptables 重新载入规则
#载入规则
[root@centos7 ~]# iptables-restore < /data/iptables.rules
开机自动重载规则
开机自动重载规则文件中的规则:
- 用脚本保存各iptables命令;让此脚本开机后自动运行
/etc/rc.d/rc.local文件中添加脚本路径(需要+x权限)
/PATH/TO/SOME_SCRIPT_FILE
- 用规则文件保存各规则,开机时自动载入此规则文件中的规则
/etc/rc.d/rc.local文件添加
iptables-restore < /PATH/FROM/IPTABLES_RULES_FILE
- 自定义Unit File,进行iptables-restore
方法1
#写到配置文件中(注意:rc.local 在网络起来之后才执行,从网络可用到规则加载之间有一小段没有防火墙规则的窗口;方法2 的 iptables.service 会在更早的阶段加载规则)
[root@centos7 ~]# vim /etc/rc.d/rc.local
iptables-restore < /data/iptables.rules <--
#添加执行权限、即可.重启后会自动加载
[root@centos7 ~]# chmod +x /etc/rc.d/rc.local
方法2
[root@centos7 ~]# yum install -y iptables-services
#需要停止 firewalld(它和 iptables.service 都在管理同一套 netfilter 规则,不能同时启用);还要 systemctl disable firewalld(或 mask),否则重启后 firewalld 会再次启动并覆盖这里的规则
[root@centos7 ~]# systemctl stop firewalld
#启动iptables后、会加载 /etc/sysconfig/iptables 里系统自带的规则(通常是放行 lo、ICMP、已建立连接和 22 端口,其余拒绝)、不是我们写的规则
[root@centos7 ~]# systemctl start iptables
#自带的规则路径
[root@centos7 ~]# cat /etc/sysconfig/iptables
#加载我们自己的规则
[root@centos7 ~]# iptables-restore < /data/iptables.rules
#保存规则
[root@centos7 ~]# iptables-save > /etc/sysconfig/iptables
#重启iptables
[root@centos7 ~]# systemctl restart iptables
#设置开机启动、自动加载设置好的规则
[root@centos7 ~]# systemctl enable iptables