Linux networking: firewalld and netfilter, the 5 tables and 5 chains of netfilter, iptab
Edit the NIC configuration file /etc/sysconfig/network-scripts/ifcfg-xxx (xxx is the interface name).
ifconfig: show the IP addresses of the NICs.
Command that installs ifconfig (it is part of net-tools): yum install net-tools
ifdown ens33 && ifup ens33: restart the NIC (use this combined form when you are connected to the server from a terminal, so the interface comes back up in the same command).
systemctl restart network: restart the network service.
mii-tool ens33: check whether the ens33 NIC has a link; "link ok" means it is connected.
[root@bogon ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
ethtool ens33: this command also shows whether the NIC is connected, in the "Link detected: yes/no" line.
[root@bogon ~]# ethtool ens33
Settings for ens33:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Supported FEC modes: Not reported
	Advertised link modes:  10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Advertised FEC modes: Not reported
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: off (auto)
	Supports Wake-on: d
	Wake-on: d
	Current message level: 0x00000007 (7)
	                       drv probe link
	Link detected: yes
Changing the hostname
hostname: changes the hostname temporarily
hostnamectl set-hostname aminglinux-123: changes the hostname permanently
[root@bogon ~]# hostname
bogon
[root@bogon ~]# hostname Aing
[root@bogon ~]# hostname
Aing
[root@bogon ~]# hostnamectl set-hostname aminglinux-123
[root@bogon ~]# hostname
aminglinux-123
[root@bogon ~]# cat /etc/hostname
aminglinux-123
Setting DNS
Write the DNS server into the configuration file /etc/resolv.conf
[root@bogon ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 202.106.0.20
Editing the /etc/hosts file
[root@bogon network-scripts]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@bogon network-scripts]# vim /etc/hosts
[root@bogon network-scripts]# ping -c 2 www.baidu.com
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.039 ms

--- localhost ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.039/0.071/0.104/0.033 ms
After www.baidu.com was mapped to 127.0.0.1 in /etc/hosts, the ping above resolves the name to localhost instead of asking DNS.
One IP can be followed by several domain names, even dozens or hundreds.
Each line holds only one IP, which means a domain name cannot be mapped to several IPs.
If the same domain name appears on several lines (with different IPs), the first record is the one used for resolution.
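The three /etc/hosts rules above, as an added shell example that is not part of the original notes: a constructed hosts file is embedded in the script, and awk walks it the way the notes describe the resolver doing it, returning the first matching line. The .test names and the 192.0.2.x/203.0.113.x addresses are constructed for the example; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Constructed /etc/hosts content for the example (not the file from the session
# above). It exercises the three rules: several names after one IP, one IP per
# line, and one name (www.example.test) listed twice with different addresses.
HOSTS='127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# an override added by hand, like the www.baidu.com entry in the ping test above
127.0.0.1   www.example.test example.test
192.0.2.10  www.example.test
203.0.113.5 app.example.test db.example.test cache.example.test'

# hosts_lookup NAME: print the address the first matching line gives NAME.
# Comments are stripped, names are compared whole and case-insensitively,
# and any position after the address counts as an alias.
hosts_lookup() {
    printf '%s\n' "$HOSTS" | awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) { print $1; exit } }'
}

# hosts_names ADDR: list every name the file maps to ADDR, one per line.
hosts_names() {
    printf '%s\n' "$HOSTS" | awk -v addr="$1" '
        { sub(/#.*/, "") }
        $1 == addr { for (i = 2; i <= NF; i++) print $i }'
}

# hosts_duplicates: names that appear on more than one IPv4 line. For those
# only the first record is ever used, so the later lines are dead configuration.
hosts_duplicates() {
    printf '%s\n' "$HOSTS" | awk '
        { sub(/#.*/, "") }
        NF >= 2 && $1 ~ /\./ { for (i = 2; i <= NF; i++) seen[tolower($i)]++ }
        END { for (n in seen) if (seen[n] > 1) print n }' | sort
}
```

Running hosts_duplicates against a real /etc/hosts is a quick way to find a stale override that silently shadows a later, correct entry.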
Linux firewall
SELinux is a security mechanism specific to Linux.
Temporarily turning off SELinux:
[root@aminglinux-123 ~]# setenforce 0
setenforce: SELinux is disabled
[root@aminglinux-123 ~]#
(The message shows that SELinux was already disabled on this machine, so there was nothing to switch off.)
Permanently turning it off: in /etc/selinux/config change SELINUX=enforcing to SELINUX=disabled; this takes effect after a reboot.
getenforce: show the current SELinux status
[root@aminglinux-123 ~]# vim /etc/selinux/config
netfilter
Introduction to netfilter's 5 tables and 5 chains
The 5 tables of netfilter:
filter table: used to filter packets; it is the system's default and most commonly used table. It has 3 chains: INPUT, OUTPUT and FORWARD.
INPUT chain: applies to packets entering this host.
OUTPUT chain: applies to packets sent out by this host.
FORWARD chain: applies to packets that are not addressed to this host (packets forwarded through it).
nat table: mainly used for network address translation; it also has 3 chains:
PREROUTING chain: changes the destination address of a packet as soon as it reaches the firewall (use this chain when needed).
OUTPUT chain: changes the destination address of locally generated packets.
POSTROUTING chain: changes the source address of a packet just before it leaves the firewall.
The following 3 tables are almost never used:
mangle table: mainly used to modify packets.
security table: used to implement a mandatory access control security model.
raw table: various other uses.
iptables
iptables is the firewall mechanism specific to Linux. It is very powerful, yet in day-to-day administration Aming only ever uses one or two of its features; that does not mean iptables is unimportant. A network administrator must master iptables thoroughly, and even as system administrators we should know the most basic iptables operations and be able to read its basic rules.
CentOS ships with a default set of iptables rules. Those rules are quite secure, but they are of no use to us, so it is recommended that you clear them first and then save the cleared rule set.
[root@aminglinux-123 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
53713   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   528 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
56824 4641K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56824 4641K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56824 4641K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
56818 4641K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 186 packets, 18143 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
83145   23M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1959  160K IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
   11  2534 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
56824 4641K IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56824 4641K IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56824 4641K IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
-nvL shows the rules. -F clears the current rules, but only temporarily: after a system reboot or a restart of the iptables service the saved rules are loaded again, so you need to run /etc/init.d/iptables save to save the cleared rule set. As the output of that save command also shows, the firewall rules are stored in /etc/sysconfig/iptables; you can have a look at that file.
1) The three tables of iptables
filter: this table is mainly used to filter packets; it is the system default table and the one Aming uses most. It has three built-in chains, INPUT, OUTPUT and FORWARD. INPUT applies to packets entering this host; OUTPUT applies to packets this host sends out; FORWARD applies to packets that are not addressed to this host.
nat: its main use is network address translation, and it also has three chains. The PREROUTING chain changes a packet's destination address, if required, as soon as it reaches the firewall. The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes a packet's source address just before it leaves the firewall. Aming does not use this table much, but it is needed occasionally.
mangle: this table is mainly used to mark packets and then act on packets according to those marks. It is hardly ever used; unless you want to become a senior network engineer there is no need to spend much effort on it.
iptables basic syntax
A. Viewing and clearing rules
[root@aminglinux-123 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1999 packets, 162K bytes)
 pkts bytes target     prot opt in     out     source               destination
56652 4601K PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56652 4601K PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56652 4601K PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 146 packets, 11067 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1642  122K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 146 packets, 11067 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   627 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24     !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24     !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24     !192.168.122.0/24
 1631  121K POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1631  121K POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1631  121K POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  146 11067 POST_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    7   528 POST_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1631  121K POST_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1631  121K POST_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1631  121K POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain POST_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1999  162K PRE_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    8  1664 PRE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PREROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
56652 4601K PRE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56652 4601K PRE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56652 4601K PRE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PRE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination
-t is followed by the table name, and -nvL shows that table's rules: -n means do not reverse-resolve IP addresses to hostnames, -L means list, and -v means show more detailed information (packet and byte counters, input and output interfaces). Without -t, the filter table is printed:
[root@aminglinux-123 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
53742   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   528 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
56909 4648K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56909 4648K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56909 4648K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
56903 4647K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 209 packets, 32823 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
83168   23M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2044  167K IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
   11  2534 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
56909 4648K IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56909 4648K IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
56909 4648K IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
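Before clearing the default rules as the notes suggest, it is worth reading what they actually do. As an added example (not part of the original notes and not an iptables tool), the shell script below audits a filter-table listing of the kind shown above: it parses `iptables -nvL` output (the -n flag keeps the address columns fixed, which is what makes the parsing reliable) and reports, for a built-in chain, the default policy, the destination ports explicitly accepted, and whether traffic matching no rule ends up denied. The listing embedded in it is a constructed excerpt modelled on the page's output; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Constructed excerpt of `iptables -nvL` output, modelled on the filter-table
# listing above; rule order and counters are illustrative, not the page's own.
LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
53713   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   528 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
56818 4641K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 186 packets, 18143 bytes)
 pkts bytes target     prot opt in     out     source               destination
83145   23M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rules CHAIN: print only the rule lines of CHAIN (no chain header, no column header).
rules() {
    printf '%s\n' "$LISTING" | awk -v c="$1" '
        $1 == "Chain" { cur = $2; next }
        $1 == "pkts" || NF == 0 { next }
        cur == c { print }'
}

# chain_policy CHAIN: the default policy applied when no rule in CHAIN matches.
chain_policy() {
    printf '%s\n' "$LISTING" | awk -v c="$1" '$1 == "Chain" && $2 == c { print $4; exit }'
}

# open_ports CHAIN: "proto/port" for each rule in CHAIN that ACCEPTs a destination port.
open_ports() {
    rules "$1" | awk '$3 == "ACCEPT" {
        for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $4 "/" $i } }'
}

# chain_exposure CHAIN: "default-deny" when traffic matched by no earlier rule is
# dropped or rejected, either by the chain policy or by a final catch-all DROP/REJECT
# rule (all protocols, any interface, any address); otherwise "default-accept".
chain_exposure() {
    case "$(chain_policy "$1")" in DROP|REJECT) printf 'default-deny\n'; return ;; esac
    rules "$1" | tail -n 1 | awk '
        ($3 == "DROP" || $3 == "REJECT") && $4 == "all" && $6 == "*" && $7 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { deny = 1 }
        END { print (deny ? "default-deny" : "default-accept") }'
}
```

On the page's own listing the INPUT chain ends in a catch-all REJECT, so it is default-deny despite its ACCEPT policy, while FORWARD and OUTPUT are default-accept; after iptables -F all three fall back to their ACCEPT policies.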