10.11 Linux网络相关
ifconfig查看网卡ip(yum install net-tools)
ifup ens33(开启网卡)/ifdown ens33 (关闭网卡)
设定虚拟网卡ens33:1
mii-tool ens33 查看网卡是否连接
ethtool ens33 也可以查看网卡是否连接
更改主机名 hostnamectl set-hostname aminglinux (
hostnamectl set-hostname 和 hostname 区别 用hostname重启以后你就会发现区别,它只在当前生效,你如果想要一直生效就要改/etc/hostname的文件了 )
DNS配置文件/etc/resolv.conf
/etc/hosts文件(
hosts解析是先解析的优先级高
以先出现的记录为主。 这个文件也是从上到下依次执行的,一旦匹配到一个域名就直接解析了,即使后面再出现这域名也不生效了。)
查看网卡IP
yum install -y net-tools
[root
@test ~]# ifconfig
显示所有的网卡包括挡掉或者没插网线的IP
[root
@test ~]# ifconfig -a
单独针对一个网卡更改时重启网卡命令
ifup ens33(开启网卡)/ifdown ens33 (关闭网卡)
合理的命令
[root
@test ~]# ifdown ens32 && ifup ens32
成功断开设备 'ens32'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/5)
设定虚拟网卡,增加IP
[root
@test network-scripts]# cp ifcfg-ens32 ifcfg-ens32\:1
修改NAME DEVICE IP删除网关和DNS
重启网卡[root
@test network-scripts]# ifdown ens32:1 && ifup ens32:1
查看网卡是否连接网线
[root@test ~]# mii-tool ens32
ens32: negotiated 1000baseT-FD flow-control,
link ok
[root@test ~]# ethtool ens32
Settings for ens32:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Supported FEC modes: Not reported
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Advertised FEC modes: Not reported
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
更改主机名:[root@test ~]# hostnamectl set-hostname 主机名
主机名主机名配置文件
[root@test ~]# cat /etc/hostname
test
DNS配置文件路径(网卡配置文件定义)
[root@test ~]# cat /etc/resolv.conf (此配置文件只能临时更改但是重启后会被网卡配置文件覆盖)
# Generated by NetworkManager
nameserver
nameserver
自定义域名配置文件(
hosts解析是先解析的优先级高 以先出现的记录为主。 这个文件也是从上到下依次执行的,一旦匹配到一个域名就直接解析了,即使后面再出现这域名也不生效了。)
[root@test ~]# cat /etc/hosts (域名只在本机生效,支持一个IP多个域名)
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.12 firewalld和netfilter
selinux临时关闭 setenforce 0
selinux永久关闭 vi /etc/selinux/config
centos7之前使用netfilter防火墙
centos7开始使用firewalld防火墙
关闭firewalld开启netfilter方法
systemctl stop firewalld
systemctl disable firewalled
yum install -y iptables-services
systemctl enable iptables
enable就是让它开机启动。
systemctl start iptables
start就是开启服务。
-
netfilter才是防火墙;
-
firewalld和iptables是两种不同的防火墙管理工具,其底层都是iptables命令。
centos6和centos7都有iptables,这里的iptables是一个工具(或者叫命令)
在centos6上的防火墙叫做netfilter,centos7上防火墙叫做firewalld。
而它们底层都是基于iptables的
selinux(很多服务受限于selinux,一般情况下关闭)
临时关闭
[root@test ~]# setenforce 0
永久关闭
[root@test ~]# vi /etc/selinux/config
查看selinux状态
[root@test ~]# getenforce
Disabled
注:permissive遇到需要阻断时不会真的阻断只会提示
centos7之前使用netfilter防火墙机制,centos7开始使用firewalld防火墙 (但是 centos7也可以使用netfilter防火墙机制)但是底层都是iptables
想要开启
netfilter防火墙机制(centos7)
关闭firewalld步骤
[root@test ~]# systemctl disable firewalld (开机不启动)
[root@test ~]# systemctl stop firewalld(关闭firewalld防火墙)
开启netfilter步骤
安装包[root@test ~]# yum install -y iptables-services
产生iptables服务
[root@test ~]# systemctl enable iptables (开机启动)
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@test ~]# systemctl start iptables (开启netfilter防火墙)
查看默认规则
[root@test ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
30 2032 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
23 1718 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 20 packets, 1752 bytes)
pkts bytes target prot opt in out source destination
10.13 netfilter5表5链介绍
主机A到主机B,数据是由A开始进行数据封装,由网络设备将封装后的数据传送给主机B。主机B开始解封装,得到数据。
由主机B到主机A,依旧是数据封装和解封装的过程。
数据是一个A-B,B-A是以一应一答的过程进行传输的。A与B之间的通信路径是通过路由表及网络设备上的规则制定的。
其包含OSI七层协议模型、tcp/ip协议及网络设备访问控制列表等相关要点。
netfilter的5个表
filter表用于过滤包,最常用的表,有INPUT、FORWARD、OUTPUT三个链
nat表用于网络地址转换,有PREROUTING、OUTPUT、POSTROUTING三个链
managle表用于给数据包做标记,几乎用不到
raw表可以实现不追踪某些数据包,阿铭从来不用
security表在centos6中并没有,用于强制访问控制(MAC)的网络规则,阿铭没用过
数据包流向与netfilter的5个链
PREROUTING:数据包进入路由表之前
INPUT:通过路由表后目的地为本机
FORWARD:通过路由表后,目的地不为本机
OUTPUT:由本机产生,向外发出
POSTROUTING:发送到网卡接口之前
filter:(默认表,包含三个链INPUT数据包进本机经过的链(检查源IP) FORWARD 数据包进机器不会进内核,判断目标地址是否是本机,不是本机经过的链,目标地址更改或者转发 OUTPUT本机产生包出去经过链,包发送 地址,检查是否是禁止的IP地址,是否需要禁止发送)
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets
destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-gen‐
erated packets).
nat:路由器,共享上网、端口映射(三个链PREROUTING更改数据包,包进来时更改, OUTPUT与filter表中的作用一致,POSTROUTING
更改数据包,包出去时更改)
This table is consulted when a packet that creates a new connection is encountered. It consists of three
built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated
packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT sup‐
port is available since kernel 3.7.
端口映射:
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PRE‐
ROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets
before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets
coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING
(for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK
target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or
any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any
network interface) OUTPUT (for packets generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK
and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux.
The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in
the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT
(for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and
FORWARD (for altering packets being routed through the box).
本机的包经过PREROUTING——INPUT——OUTPUT——POSTROUTING
非本机的包经过PREROUTING——FORWARD(转发)——POSTROUTING
表中含链
10.14 iptables语法
源IP与目标IP 进本机的包,通常情况下目标地址就是本机的ip。 如果你这台机器做的角色是一台路由器,那目标地址就是其他机器,跟本机没有关系了。
查看iptables规则:iptables -nvL
iptables -F 清空规则
service iptables save 保存规则
iptables -t nat //-t指定表
iptables -Z 可以把计数器清零
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
iptables -nvL --line-numbers
iptables -D INPUT 1
iptables -P INPUT DROP
保存规则路径
[root@test ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
清空规则
[root@test ~]# iptables -F
保存规则至配置文件
[root@test ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
更改规则默认都是filter
查看指定的表规则
[root@test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 69956 packets, 5045K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 69881 packets, 5039K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4988 packets, 378K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4988 packets, 378K bytes)
pkts bytes target prot opt in out source destination
计数器清零(抓包时一些请求异常,会将某些IP drop掉(拒绝) iptables -nvL时查会显示包量和数据量,脚本中可以设置过了半小时数据包量没有超过一定的量可以去解封掉并且清零重新每隔半小时去执行一次来统计)
pkts多少个包 bytes多少数据量(字节)
[root@test ~]# iptables -Z;iptables -nvL
增加规则
-t指定表,默认不加为filter表
-A增加规则(规则会放在后面)
-s指定来源IP
-p指定协议TCP 、UDP、icmp
--sport来源端口
-d目标IP
--dport目标端口
-j 操作DROP(包直接扔掉)REJECT(包拒绝) 封IP
[root@test ~]# iptables -A INPUT(增加在INPUT链) -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
省略来源IP来源端口目标IP目标端口 封端口 -I插入(规则会插在最前面)
[root@test ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
注:规则顺序,规则前面最先过滤,然后一条条执行,如果数据包已经匹配前面的规则,则后面的规则不会生效
删除规则 iptables -D
[root@test ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
方便的删除规则步骤
1.[root@test ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 26 packets, 1838 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 660 bytes)
num pkts bytes target prot opt in out source destination
2.[root@test ~]# iptables -D INPUT 2
[root@test ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
num pkts bytes target prot opt in out source destination
根据网卡设置规则
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
默认规则 -P
默认策略规定(如无规则) iptables -P INPUT DROP (这个默认规则一般不需要动,因为很多包无法执行,安全性高)
7594
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
