目录
1 linux网络相关
- ifconfig查看网卡ip(需先安装net-tools: yum install net-tools)
[root@worker1 ~]# yum install -y net-tools
- ip addr查看网卡ip
[root@worker1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:e5:56:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.139.100/24 brd 192.168.139.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fee5:56b1/64 scope link
valid_lft forever preferred_lft forever
- ifconfig -a 查看没启动的网卡
[root@worker1 network-scripts]# ifconfig -a
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.139.100 netmask 255.255.255.0 broadcast 192.168.139.255
inet6 fe80::20c:29ff:fee5:56b1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e5:56:b1 txqueuelen 1000 (Ethernet)
RX packets 520582 bytes 713621719 (680.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 144471 bytes 15896861 (15.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- 启动/关闭网卡: ifup eno16777736:0 / ifdown eno16777736:0
- 一般使用方式: ifdown eno16777736:0 && ifup eno16777736:0
[root@worker1 network-scripts]# ifup eno16777736:0
[root@worker1 network-scripts]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.139.100 netmask 255.255.255.0 broadcast 192.168.139.255
inet6 fe80::20c:29ff:fee5:56b1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e5:56:b1 txqueuelen 1000 (Ethernet)
RX packets 520629 bytes 713625509 (680.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 144499 bytes 15900837 (15.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.139.99 netmask 255.255.255.0 broadcast 192.168.139.255
ether 00:0c:29:e5:56:b1 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@worker1 network-scripts]# ifdown eno16777736:0
[root@worker1 network-scripts]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.139.100 netmask 255.255.255.0 broadcast 192.168.139.255
inet6 fe80::20c:29ff:fee5:56b1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e5:56:b1 txqueuelen 1000 (Ethernet)
RX packets 520673 bytes 713629679 (680.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 144530 bytes 15905615 (15.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- 设定虚拟网卡eno16777736:0,在命令行输入时冒号需要转义,写成eno16777736\:0
- 拷贝eno16777736网卡的配置文件改名为eno16777736:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736:0
UUID=32447f57-e011-4b11-97ea-a7fe8a52099a
DEVICE=eno16777736:0
ONBOOT=yes
IPADDR=192.168.139.99
NETMASK=255.255.255.0
- mii-tool eno16777736 查看网卡是否连接
[root@worker1 ~]# mii-tool eno16777736
eno16777736: negotiated 1000baseT-FD flow-control, link ok
[root@worker1 ~]# mii-tool eno16777736\:0
eno16777736:0: negotiated 1000baseT-FD flow-control, link ok
- ethtool eno16777736 也可以查看网卡是否连接
[root@worker1 ~]# ethtool eno16777736:0
Settings for eno16777736:0:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
[root@worker1 ~]# ethtool eno16777736
Settings for eno16777736:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
- 更改主机名 hostnamectl set-hostname worker01
[root@worker1 ~]# hostnamectl set-hostname worker01
[root@worker1 ~]# hostname
worker01
- 相关的配置文件/etc/hostname
[root@worker1 ~]# vim /etc/hostname
worker01
退出重新登陆或者进入子shell都可以生效
- DNS配置文件/etc/resolv.conf //此文件由NetworkManager生成,直接修改只是临时生效,永久更改应写在网卡的配置文件里
[root@worker1 ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 119.29.29.29
- /etc/hosts文件:本地自定义域名解析,可临时解析某个域名
[root@worker1 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.139.100 worker01
[root@worker1 ~]# ping -c 3 worker01
PING worker01 (192.168.139.100) 56(84) bytes of data.
64 bytes from worker01 (192.168.139.100): icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from worker01 (192.168.139.100): icmp_seq=2 ttl=64 time=0.056 ms
64 bytes from worker01 (192.168.139.100): icmp_seq=3 ttl=64 time=0.056 ms
--- worker01 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.056/0.074/0.110/0.025 ms
2 firewalld和netfilter
之前的CentOS版本(比如5和6)的防火墙为netfilter
CentOS7的防火墙为firewalld
- selinux临时关闭 setenforce 0
[root@worker1 ~]# setenforce 0
- selinux永久关闭 vi /etc/selinux/config
[root@worker1 ~]# vim /etc/selinux/config
修改为:SELINUX=disabled
centos7之前使用netfilter防火墙;centos7开始使用firewalld防火墙;两者都支持iptables规则
先以netfilter防火墙为例,关闭firewalld防火墙
- 停止firewalld服务
[root@worker1 ~]# systemctl stop firewalld.service
- 查看firewalld服务状态
[root@worker1 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sun 2018-10-21 22:31:45 CST; 6s ago
Process: 654 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 654 (code=exited, status=0/SUCCESS)
Oct 21 21:05:14 worker1 systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 21 21:05:20 worker1 systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 21 22:31:44 worker01 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Oct 21 22:31:45 worker01 systemd[1]: Stopped firewalld - dynamic firewall daemon.
- 关闭firewalld开机启动
[root@worker1 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
- 接着安装iptables包
[root@worker1 ~]# yum install -y iptables-services
- 设置iptables服务开机自启(systemctl enable)
[root@worker1 ~]# systemctl enable iptables
- 查看iptables服务状态
[root@worker1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2018-10-21 22:34:05 CST; 12s ago
Process: 7466 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 7466 (code=exited, status=0/SUCCESS)
Oct 21 22:34:05 worker01 systemd[1]: Starting IPv4 firewall with iptables...
Oct 21 22:34:05 worker01 iptables.init[7466]: iptables: Applying firewall rules: [ ... ]
Oct 21 22:34:05 worker01 systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
3 netfilter5表5链介绍
netfilter的5个表
filter表主要用于过滤包,是系统预设的表,这个表也是用得最多的表。该表内建3个链:INPUT、OUTPUT以及FORWARD。INPUT链作用于进入本机的包,OUTPUT链作用于本机送出的包,FORWARD链作用于那些跟本机无关的包
nat表主要用于网络地址转换,它也有3个链。PREROUTING链的作用是在包刚刚到达防火墙时改变它的目的地址(如果需要的话),OUTPUT链的作用是改变本地产生的包的目的地址,POSTROUTING链的作用是在包即将离开防火墙时改变其源地址
mangle表主要用于给数据包做标记,然后根据标记去操作相应的包。这个表几乎不怎么用,除非你想成为一个高级网络工程师,否则就不需要太关注。
raw表可以实现不追踪某些数据包,默认系统的数据包都会被追踪,但追踪势必消耗一定的资源,所以可以用raw表来指定某些端口的包不被追踪
security表在CentOS 6中是没有的,它用于强制访问控制(MAC)的网络规则
iptables传输数据包的过程
- 1 当一个数据包进入网卡时,它首先进入PREROUTING链,内核根据数据包目的IP判断是否需要转送出去。
- 2 如果数据包就是进入本机的,它就会沿着图向下移动,到达INPUT链。数据包到了INPUT链后,任何进程都会收到它。本机上运行的程序可以发送数据包,这些数据包会经过OUTPUT链,然后到达POSTROUTING链输出。
- 3 如果数据包是要转发出去的,且内核允许转发,数据包就会如图所示向右移动,经过FORWARD链,然后到达POSTROUTING链输出。
netfilter的5个链
5个链分别为PREROUTING、INPUT、FORWARD、OUTPUT、POSTROUTING
- PREROUTING:数据包进入路由表之前
- INPUT:通过路由表后目的地为本机
- FORWARD:通过路由表后,目的地不为本机
- OUTPUT:由本机产生,向外转发
- POSTROUTING:发送到网卡接口之前
iptables的规则表和链:
- 表(tables)提供特定的功能,iptables内置了4个表,即filter表、nat表、mangle表和raw表,分别用于实现包过滤,网络地址转换、包重构(修改)和数据跟踪处理。
- 链(chains)是数据包传播的路径,每一条链其实就是众多规则中的一个检查清单,每一条链中可以有一条或数条规则。当一个数据包到达一个链时,iptables就会从链中第一条规则开始检查,看该数据包是否满足规则所定义的条件。如果满足,系统就会根据该条规则所定义的方法处理该数据包;否则iptables将继续检查下一条规则,如果该数据包不符合链中任一条规则,iptables就会根据该链预先定 义的默认策略来处理数据包。
- iptables采用“表”和“链”的分层结构。在RHEL4中是三张表五个链。到RHEL5变成了四张表五个链,不过多出来的那个表用得也不太多,所以基本还是和以前一样。下面罗列一下这四张表和五个链。注意一定要明白这些表和链的关系及作用。
4 iptables语法
- /etc/sysconfig/iptables 规则保存的文件
- 查看iptables规则:iptables -nvL
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 322 packets, 25655 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 77 packets, 6572 bytes)
pkts bytes target prot opt in out source destination
- iptables -F 清空规则(只清空当前表的规则,默认为filter表)
[root@worker1 ~]# iptables -F
- service iptables save 保存规则到/etc/sysconfig/iptables
[root@worker1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
- iptables -t nat //-t指定表,默认是filter表
[root@worker1 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 8 packets, 955 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 8 packets, 955 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 140 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 140 bytes)
pkts bytes target prot opt in out source destination
- iptables -Z 可以把计数器清零
[root@worker1 ~]# iptables -Z
- 增加一条规则 iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP //使用了--dport,--sport,一定要加上-p否则会报错
[root@worker1 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 2204 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 2056 bytes)
pkts bytes target prot opt in out source destination
- 设置一条规则 (-I 表示插入到链首, -A 表示追加到链尾, -D 表示删除) iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP
[root@worker1 ~]# iptables -I INPUT -s 1.1.1.1 -j DROP
[root@worker1 ~]# iptables -A INPUT -s 1.1.1.1 -j DROP
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 48 packets, 3552 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 1.1.1.1 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
0 0 DROP all -- * * 1.1.1.1 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 29 packets, 3756 bytes)
pkts bytes target prot opt in out source destination
[root@worker1 ~]# iptables -D INPUT -s 1.1.1.1 -j DROP
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
0 0 DROP all -- * * 1.1.1.1 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
pkts bytes target prot opt in out source destination
- 指定网卡插入一条规则 iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
[root@worker1 ~]# iptables -I INPUT -s 192.168.139.0/24 -i eno16777736:0 -j ACCEPT
[root@worker1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 958 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eno16777736:0 * 192.168.139.0/24 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 1128 bytes)
pkts bytes target prot opt in out source destination
- 查看所有设置的规则 iptables -nvL --line-numbers
[root@worker1 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 135 packets, 9884 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eno16777736:0 * 192.168.139.0/24 0.0.0.0/0
2 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 69 packets, 7888 bytes)
num pkts bytes target prot opt in out source destination
- 删除规则iptables -D INPUT 1
[root@worker1 ~]# iptables -D INPUT 1
[root@worker1 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 22 packets, 1510 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1440 bytes)
num pkts bytes target prot opt in out source destination
- 预设策略(默认策略):数据包不匹配链中任何一条规则时采用的处理方式(ACCEPT,DROP,REJECT),设置方式 iptables -P INPUT DROP //不要在远程(如SSH)会话中把INPUT默认策略设为DROP,否则会话会立即断开并且无法重新连接
[root@worker1 ~]# iptables -P INPUT DROP
- 恢复预设策略 iptables -P INPUT ACCEPT
[root@worker1 ~]# iptables -P INPUT ACCEPT
扩展(selinux了解)
1. selinux教程 http://os.51cto.com/art/201209/355490.htm
2.selinux pdf电子书 http://pan.baidu.com/s/1jGGdExK