Tasks for October 25
10.11 Linux networking
10.12 firewalld and netfilter
10.13 The 5 tables and 5 chains of netfilter
10.14 iptables syntax
10.11 Linux networking
- ifconfig shows the NIC's IP address (yum install -y net-tools)
- ifup eth0 / ifdown eth0
- Configure a virtual NIC eth0:1
- mii-tool eth0 checks whether the NIC has a link
- ethtool ens33 can also check whether the NIC has a link
- Change the hostname: hostnamectl set-hostname aminglinux
- DNS configuration file: /etc/resolv.conf
- The /etc/hosts file
# Because this is a remote session, ifdown and ifup can only be demonstrated together in one command. (After editing a NIC's config file, run this command to restart the NIC.)
[root@centos6 ~]# ifdown eth0 && ifup eth0
Determining if ip address 172.16.5.235 is already in use for device eth0...
# Configure a virtual NIC
[root@centos6 ~]# cd /etc/sysconfig/network-scripts/
[root@centos6 network-scripts]# ls
ifcfg-eth0    ifdown-isdn    ifup-eth     ifup-routes
ifcfg-eth0:1  ifdown-post    ifup-ib      ifup-sit
ifcfg-lo      ifdown-ppp     ifup-ippp    ifup-tunnel
ifdown        ifdown-routes  ifup-ipv6    ifup-wireless
ifdown-bnep   ifdown-sit     ifup-isdn    init.ipv6-global
ifdown-eth    ifdown-tunnel  ifup-plip    net.hotplug
ifdown-ib     ifup           ifup-plusb   network-functions
ifdown-ippp   ifup-aliases   ifup-post    network-functions-ipv6
ifdown-ipv6   ifup-bnep      ifup-ppp
[root@centos6 network-scripts]# cp ifcfg-eth0 ifcfg-eth0\:1
[root@centos6 network-scripts]# vim !$
vim ifcfg-eth0\:1
[root@centos6 network-scripts]# ifdown eth0 && ifup eth0
Determining if ip address 172.16.5.235 is already in use for device eth0...
Determining if ip address 172.16.5.236 is already in use for device eth0...
[root@centos6 network-scripts]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:A4:3D:92
          inet addr:172.16.5.235  Bcast:172.16.5.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea4:3d92/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41370766 (39.4 MiB)  TX bytes:29602942 (28.2 MiB)

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:A4:3D:92
          inet addr:172.16.5.236  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
# Check remotely whether the NIC is cabled: "link ok" means a cable is connected, "no link" means it is not.
[root@centos6 network-scripts]# mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok
# Change the hostname
[root@zgxlinux-01 ~]# hostnamectl set-hostname zgxlinux-001
[root@zgxlinux-01 ~]# bash
[root@zgxlinux-001 ~]# exit
exit
# DNS configuration file. Edits to this file only take effect temporarily; after a reboot it is regenerated from the DNS settings in the eth0 config file.
[root@zgxlinux-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
10.12 firewalld and netfilter
Linux firewall: netfilter
- Temporarily disable SELinux: setenforce 0
- Permanently disable SELinux: vi /etc/selinux/config
- Before CentOS 7 the firewall was netfilter
- From CentOS 7 on the firewall is firewalld
- How to turn off firewalld and enable netfilter:
- systemctl stop firewalld
- systemctl disable firewalld
- yum install -y iptables-services
- systemctl enable iptables
- systemctl start iptables
# Temporarily and permanently disabling SELinux. To disable it permanently, change SELINUX=enforcing to SELINUX=disabled and reboot. getenforce prints Permissive when it is temporarily disabled and Enforcing when it is on.
[root@zgxlinux-01 ~]# setenforce 0
[root@zgxlinux-01 ~]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@zgxlinux-01 ~]# getenforce
Permissive
# From CentOS 7 on the firewall is firewalld; before CentOS 7 it was netfilter. Many companies still run CentOS 6 or even older releases, so we cannot afford not to know it. How do we switch the CentOS 7 firewall to the netfilter used on CentOS 6? Let's work through it below.
[root@zgxlinux-01 ~]# systemctl disable firewalld        # first stop firewalld from starting at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@zgxlinux-01 ~]# systemctl stop firewalld           # then stop the firewalld service
[root@zgxlinux-01 ~]# yum install -y iptables-services   # this package must be installed before netfilter can be enabled
[root@zgxlinux-01 ~]# systemctl enable iptables          # installing it provides an iptables service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@zgxlinux-01 ~]# systemctl start iptables           # start the iptables service
[root@zgxlinux-01 ~]# iptables -nvL                      # iptables -nvL shows the default iptables rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2012 bytes)
 pkts bytes target     prot opt in     out     source               destination
10.13 The 5 tables and 5 chains of netfilter
- The 5 tables of netfilter
- filter: filters packets; the most commonly used table, with the INPUT, FORWARD and OUTPUT chains
- nat: network address translation, with the PREROUTING, OUTPUT and POSTROUTING chains
- mangle: used to mark packets; almost never used
- raw: lets certain packets bypass connection tracking; Aming never uses it
- security: not present in CentOS 6; holds network rules for mandatory access control (MAC); Aming has not used it
- Reference article: http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables syntax
- Packet flow and the 5 chains of netfilter
- PREROUTING: before the packet enters the routing table
- INPUT: after routing, destined for this host
- FORWARD: after routing, not destined for this host
- OUTPUT: generated by this host and sent out
- POSTROUTING: before the packet is handed to the network interface
Related commands and usage
- View the iptables rules: iptables -nvL
- iptables -F clears the rules
- service iptables save saves the rules
- iptables -t nat    # -t selects the table
- iptables -Z zeroes the counters
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP    # -A appends, -I inserts, -D deletes
- iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
- iptables -nvL --line-numbers
- iptables -D INPUT 1
- iptables -P INPUT DROP    # -P sets the default policy; do not run this one lightly.
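The warning about -P INPUT DROP is really about ordering: the policy applies at once to every packet no rule accepts, so the accept rules for established connections, loopback and the management SSH session have to exist before it is set. This added shell example (not from the original notes) wraps that order in one function; the management network 192.168.1.0/24, the SSH port and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply a default-DROP INPUT
# policy without cutting off the SSH session you are working from.
# The ACCEPT rules must exist BEFORE `iptables -P INPUT DROP` runs, because
# the policy takes effect immediately for every packet no rule accepts.
# IPT defaults to the real binary; set IPT="echo iptables" for a dry run.
IPT="${IPT:-iptables}"

# Assumed management network and SSH port; adjust to your environment.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

safe_default_drop() {
    # 1. Keep replies for connections already in the state table flowing
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. Loopback traffic is needed by many local services
    $IPT -A INPUT -i lo -j ACCEPT
    # 3. Allow new SSH sessions only from the management network
    $IPT -A INPUT -s "$MGMT_NET" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # 4. Only now flip the default policy; everything unmatched is dropped
    $IPT -P INPUT DROP
}

# sh this.sh --dry-run prints the commands; sh this.sh --apply executes them.
case "${1:-}" in
    --dry-run) IPT="echo iptables"; safe_default_drop ;;
    --apply)   safe_default_drop ;;
esac
```

Remember that rules added this way live only in the kernel until `service iptables save` writes them to /etc/sysconfig/iptables.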
# The default rules are saved in /etc/sysconfig/iptables
[root@zgxlinux-01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# iptables -F clears the rules, but they are still stored in the config file. Run service iptables save to save the rules; after changing rules, restart the service.
[root@zgxlinux-01 ~]# iptables -F
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 1940 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@zgxlinux-01 ~]# service iptables save
[root@zgxlinux-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
# -A appends a rule, -I inserts one.
[root@zgxlinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   67  4740 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Deleting rules.
[root@zgxlinux-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  309 24924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination
# To delete a rule you must write it out exactly as it was added. But after a while we no longer remember the exact rule, so how do we delete it? In that case we can number the rules.
[root@zgxlinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      604 48564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 61 packets, 10052 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@zgxlinux-01 ~]# iptables -D INPUT 7
[root@zgxlinux-01 ~]# iptables -D INPUT 1
[root@zgxlinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      677 53536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 6 packets, 696 bytes)
num   pkts bytes target     prot opt in     out     source               destination
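Deleting by number has its own trap: once rule 1 is gone, the old rule 7 becomes rule 6, which is why the session above deletes 7 before 1. This added example (not from the original notes) pulls the matching rule numbers of a chain out of `iptables -nvL --line-numbers` output and deletes them highest number first so earlier deletions never renumber the rules still to go. The sample listing is constructed from the output shown above; the IPT dry-run variable is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: find the numbered rules in a
# chain that match a pattern and delete them highest-first, so that deleting
# one does not shift the numbers of the rules still to be deleted.
# Sample listing constructed to mirror the `iptables -nvL --line-numbers` output above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      604 48564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# rule_numbers CHAIN PATTERN: read a listing on stdin and print the numbers of
# the rules in CHAIN whose line matches the awk regex PATTERN, highest first.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { in_chain = ($2 == chain); next }       # track which chain we are in
        in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 } # skip the "num ..." header
    ' | sort -rn
}

# delete_matching CHAIN PATTERN: run `iptables -D CHAIN N` for each match,
# descending. IPT defaults to the real binary; IPT="echo iptables" dry-runs.
IPT="${IPT:-iptables}"
delete_matching() {
    for n in $(rule_numbers "$1" "$2"); do
        $IPT -D "$1" "$n"
    done
}

# Usage: iptables -nvL --line-numbers | sh this.sh INPUT 'dpt:80$'
if [ $# -eq 2 ]; then
    delete_matching "$1" "$2"
fi
```

Anchor the pattern (here `dpt:80$`) so that it does not also catch `dpt:8080`, and check the dry run before letting IPT point at the real binary.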
Source: oschina
Link: https://my.oschina.net/u/3959708/blog/2252716