網絡相關,netfilter,iptables
阿新 • • 發佈:2018-01-25
mirror log asi tro ble scripts minimum level seq 網絡相關
1.查看網卡信息:
[root@weix01 ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.188.130 netmask 255.255.255.0 broadcast 192.168.188.255 inet6 fe80::9835:40a7:677a:8a07 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ed:fb:e6 txqueuelen 1000 (Ethernet) RX packets 67 bytes 7721 (7.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 108 bytes 12009 (11.7 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 72 bytes 5712 (5.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 72 bytes 5712 (5.5 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@weix01 ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:ed:fb:e6 brd ff:ff:ff:ff:ff:ff inet 192.168.188.130/24 brd 192.168.188.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::9835:40a7:677a:8a07/64 scope link valid_lft forever preferred_lft forever
2.斷開,連接網卡:ifdown,ifup
[root@weix01 ~]# ifdown ens33
成功斷開設備 ‘ens33‘。
3.為了避免遠程斷開,可以兩個命令一起執行:
[root@weix01 ~]# ifdown ens33 && ifup ens33
成功斷開設備 ‘ens33‘。
連接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/3)
4.增加虛擬網卡:
(1)復制配置文件 [root@weix01 ~]# cd /etc/sysconfig/network-scripts/ [root@weix01 network-scripts]# ls ifcfg-ens33 ifdown-ipv6 ifdown-Team ifup-eth ifup-post ifup-tunnel ifcfg-lo ifdown-isdn ifdown-TeamPort ifup-ippp ifup-ppp ifup-wireless ifdown ifdown-post ifdown-tunnel ifup-ipv6 ifup-routes init.ipv6-global ifdown-bnep ifdown-ppp ifup ifup-isdn ifup-sit network-functions ifdown-eth ifdown-routes ifup-aliases ifup-plip ifup-Team network-functions-ipv6 ifdown-ippp ifdown-sit ifup-bnep ifup-plusb ifup-TeamPort [root@weix01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0 (2)修改配置文件 TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens33:0 UUID=05229985-42cc-4e39-a815-d7a5365ff276 DEVICE=ens33:0 ONBOOT=yes IPADDR=192.168.188.150 NETMASK=255.255.255.0 (3)重啟服務 [root@weix01 network-scripts]# ifdown ens33 && ifup ens33 成功斷開設備 ‘ens33‘。 連接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/4) [root@weix01 network-scripts]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.188.130 netmask 255.255.255.0 broadcast 192.168.188.255 inet6 fe80::9835:40a7:677a:8a07 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:ed:fb:e6 txqueuelen 1000 (Ethernet) RX packets 744 bytes 67249 (65.6 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 568 bytes 70477 (68.8 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.188.150 netmask 255.255.255.0 broadcast 192.168.188.255 ether 00:0c:29:ed:fb:e6 txqueuelen 1000 (Ethernet) lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 72 bytes 5712 (5.5 KiB) RX errors 0 dropped 0 overruns 0 frame 0
5.查看網卡是否連接:
[root@weix01 network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
也可以使用
[root@weix01 network-scripts]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
6.更改主機名:
[root@weix01 network-scripts]# hostnamectl set-hostname weixing01
[root@weix01 network-scripts]# cd
[root@weix01 ~]# hostname
weixing01
[root@weix01 ~]# bash #進入bash顯示已經更改
[root@weixing01 ~]#
[root@weixing01 ~]# exit
exit
[root@weix01 ~]# cat /etc/hostname #配置文件地址
weixing01
7.DNS配置文件:
[root@weix01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 199.29.29.29
8.更改解析地址:
[root@weix01 ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=26.3 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=28.1 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=25.3 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=4 ttl=128 time=23.2 ms
^C
--- www.qq123.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 23.246/25.771/28.145/1.768 ms
[root@weix01 ~]# vim /etc/hosts #更改該文件後生效
[root@weix01 ~]# ping www.qq123.com
PING www.qq123.com (192.168.188.150) 56(84) bytes of data.
64 bytes from www.qq123.com (192.168.188.150): icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from www.qq123.com (192.168.188.150): icmp_seq=2 ttl=64 time=0.131 ms
^C
--- www.qq123.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.039/0.085/0.131/0.046 ms
hosts文件更改,一個ip可以對應多個域名,一個域名對應多個ip時,以先出現的為主
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.188.150 www.qq123.com
防火墻
1.永久關閉,更改配置文件:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled #此行改為disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@weix01 ~]# vi /etc/selinux/config
[root@weix01 ~]# getenforce
Enforcing
[root@weix01 ~]# setenforce 0
[root@weix01 ~]# getenforce
Permissive
重啟後生效
2.啟用netfilter服務:
(1)首先關閉 firewalled
[root@weix01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@weix01 ~]# systemctl stop firewalld
[root@weix01 ~]# yum install -y iptables-services #安裝iptables包
已加載插件:fastestmirror
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 6.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/3): epel/x86_64/group_gz | 266 kB 00:00:00
(2/3): epel/x86_64/primary_db | 6.2 MB 00:00:08
epel/x86_64/updateinfo FAILED MB 24:02:49 ETA
http://repo.fedoralinux.ir/pub/epel/7/x86_64/repodata/8c5ceb073924e98c6b29b5c344e9ff6443bbe44ef82bec9360fd313b8d210c53-updateinfo.xml.bz2: [Errno 12] Timeout on http://repo.fedoralinu
(2)啟動iptables服務
[root@weix01 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@weix01 ~]# systemctl start iptables
(3)查看iptables規則
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
30 2340 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 16 packets, 1712 bytes)
pkts bytes target prot opt in out source destination
netfilter介紹
1.一共5個表,5個鏈:
2.5個表和5個鏈之間關系:
http://www.cnblogs.com/metoy/p/4320813.html
iptables語法
1.默認規則存放位置:
[root@weix01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
2.清空規則:-F
[root@weix01 ~]# iptables -F
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 672 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 712 bytes)
pkts bytes target prot opt in out source destination
3.重啟後加載默認規則:默認是filter表
[root@weix01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 500 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 576 bytes)
pkts bytes target prot opt in out source destination
4.保存規則:
service iptables save
5.指定nat表:-t
[root@weix01 ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6.使用Z選項清空計數:
[root@weix01 ~]# iptables -Z ;iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7.常用用法:增加一條規則,在最後面,將來源過濾掉:
[root@weix01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
214 16748 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 328 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 14 packets, 1996 bytes)
pkts bytes target prot opt in out source destination
8.插入一條規則:在最前面
[root@weix01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
368 29272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 328 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes)
pkts bytes target prot opt in out source destination
9.刪除規則:-D
[root@weix01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@weix01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
427 35264 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 656 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes)
pkts bytes target prot opt in out source destination
10.另外一種方法刪除規則:
(1)打印規則編號
[root@weix01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 644 55892 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 2 656 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 25 packets, 4504 bytes)
num pkts bytes target prot opt in out source destination (2)刪除對應編號
[root@weix01 ~]# iptables -D INPUT 7
[root@weix01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 701 60544 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 2 656 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 2448 bytes)
num pkts bytes target prot opt in out source destination
11.修改默認規則:
iptables -P OUTPUT DROP/ACCEPT
網絡相關,netfilter,iptables