【2018.05.08学习笔记】【linux基础知识10.11-10.14】

最新推荐文章于 2024-05-07 21:43:01 发布
最新推荐文章于 2024-05-07 21:43:01 发布
阅读量170 收藏
点赞数
文章标签: 操作系统 网络 开发工具
原文链接:https://my.oschina.net/u/3804114/blog/1809755
版权

2019独角兽企业重金招聘Python工程师标准>>> hot3.png

10.11 Linux网络相关

ifconfig命令:查看网卡信息(安装net-tools包),ip addr命令也能查看网卡信息(显示没那么规整)

[root@lgs-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.87.130  netmask 255.255.255.0  broadcast 192.168.87.255
        inet6 fe80::f74d:28a0:35b4:f7a3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d0:e2:b8  txqueuelen 1000  (Ethernet)
        RX packets 109  bytes 11724 (11.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 11619 (11.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5712 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5712 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@lgs-01 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:d0:e2:b8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.87.130/24 brd 192.168.87.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::f74d:28a0:35b4:f7a3/64 scope link 
       valid_lft forever preferred_lft forever

-a选项:显示所有网络接口的信息,无论是否激活(如禁用网卡 ifconfig ens33 down之后)

ifconfig ens33 down:禁用网卡; ifconfig ens33 up:启用网卡。

不加-a选项,看不到禁用的网卡。 输入图片说明

ifdown ens33:把网卡断开连接 输入图片说明

ifup ens33:把网卡连接上 输入图片说明

ifup、ifdown只是脚本,不是命令。

ifdown要与ifup 一起连着用,防止远程登录失效,导致外地的服务器连接不上。

[root@lgs-01 ~]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/7)

设定一个虚拟网卡:拷贝网卡配置文件,修改ip信息即可。虚拟网卡一般在lvs、keepalived中使用

修改完配置文件,重连网卡

[root@lgs-01 ~]# cd /etc/sysconfig/network-scripts/
[root@lgs-01 network-scripts]# ls
ifcfg-ens33  ifdown-eth   ifdown-post    ifdown-Team      ifup-aliases  ifup-ipv6   ifup-post    ifup-Team      init.ipv6-global
ifcfg-lo     ifdown-ippp  ifdown-ppp     ifdown-TeamPort  ifup-bnep     ifup-isdn   ifup-ppp     ifup-TeamPort  network-functions
ifdown       ifdown-ipv6  ifdown-routes  ifdown-tunnel    ifup-eth      ifup-plip   ifup-routes  ifup-tunnel    network-functions-ipv6
ifdown-bnep  ifdown-isdn  ifdown-sit     ifup             ifup-ippp     ifup-plusb  ifup-sit     ifup-wireless
[root@lgs-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@lgs-01 network-scripts]# ls
ifcfg-ens33    ifdown-bnep  ifdown-isdn    ifdown-sit       ifup          ifup-ippp  ifup-plusb   ifup-sit       ifup-wireless
ifcfg-ens33:0  ifdown-eth   ifdown-post    ifdown-Team      ifup-aliases  ifup-ipv6  ifup-post    ifup-Team      init.ipv6-global
ifcfg-lo       ifdown-ippp  ifdown-ppp     ifdown-TeamPort  ifup-bnep     ifup-isdn  ifup-ppp     ifup-TeamPort  network-functions
ifdown         ifdown-ipv6  ifdown-routes  ifdown-tunnel    ifup-eth      ifup-plip  ifup-routes  ifup-tunnel    network-functions-ipv6
[root@lgs-01 network-scripts]# vim ifcfg-ens33:0
[root@lgs-01 network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/9)
[root@lgs-01 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.87.130  netmask 255.255.255.0  broadcast 192.168.87.255
        inet6 fe80::f74d:28a0:35b4:f7a3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d0:e2:b8  txqueuelen 1000  (Ethernet)
        RX packets 2197  bytes 186162 (181.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1125  bytes 172779 (168.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.87.138  netmask 255.255.255.0  broadcast 192.168.87.255
        ether 00:0c:29:d0:e2:b8  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5712 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5712 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

查看网卡是否接线:link ok即可;用ethtool也可以:Link detected: yes

[root@lgs-01 network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@lgs-01 network-scripts]# ethtool ens33
Settings for ens33:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: off (auto)
	Supports Wake-on: d
	Wake-on: d
	Current message level: 0x00000007 (7)
			       drv probe link
	Link detected: yes

更改主机名:hostnamectl set-hostname lgs-xp

进入子bash生效,或者重连shell就生效。

[root@lgs-01 ~]# hostnamectl set-hostname lgs
[root@lgs-01 ~]# hostname
lgs
[root@lgs-01 ~]# cat /etc/hostname 
lgs
[root@lgs-01 ~]# bash
[root@lgs ~]#

修改DNS:在配置文件 /etc/resolv/conf 修改,临时生效。网卡重启时,会被网卡的配置文件的DNS覆盖。

[root@lgs ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 119.29.29.29
[root@lgs ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@lgs ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 119.29.29.29
[root@lgs ~]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/10)
[root@lgs ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8

host文件:指定本机域名解析到指定的ip,只在本机生效,绕过DNS服务器。可以多个域名指向一个ip。

[root@lgs ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@lgs ~]# vim /etc/hosts
[root@lgs ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.87.130 www.123.com www.163.com
192.168.87.2 www.qq.com
192.168.87.2 www.abc.com
[root@lgs ~]# ping www.163.com
PING www.123.com (192.168.87.130) 56(84) bytes of data.
64 bytes from www.123.com (192.168.87.130): icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from www.123.com (192.168.87.130): icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from www.123.com (192.168.87.130): icmp_seq=3 ttl=64 time=0.087 ms
^C
--- www.123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.082/0.090/0.102/0.011 ms
[root@lgs ~]# ping www.123.com
PING www.123.com (192.168.87.130) 56(84) bytes of data.
64 bytes from www.123.com (192.168.87.130): icmp_seq=1 ttl=64 time=0.060 ms
64 bytes from www.123.com (192.168.87.130): icmp_seq=2 ttl=64 time=0.070 ms
^C
--- www.123.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.060/0.065/0.070/0.005 ms

如果有同样重复的域名的,只有最后一行生效。

[root@lgs ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.87.130 www.123.com www.163.com
192.168.87.2 www.qq.com
127.0.0.1  www.123.com
[root@lgs ~]# ping www.123.com
PING www.123.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.079 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.079 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.067 ms
^C
--- www.123.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.042/0.066/0.079/0.018 ms

10.12 firewalld和netfilter

setenforce 0:临时关闭selinux

[root@lgs ~]# getenforce
Enforcing
[root@lgs ~]# setenforce 0
[root@lgs ~]# getenforce
Permissive

要永久关闭selinux:修改配置文件SELINUX=disabled,重启系统生效

[root@lgs ~]# vim /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

防火墙firewalld:centos 7版本的防火墙

防火墙netfilter:centos 5、6版本的防火墙

在centos7上也可以开启netfilter防火墙:

1、不开机启动firewalld,关闭firewalld

[root@lgs ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@lgs ~]# systemctl stop firewalld

2、安装iptables-services包

[root@lgs ~]# yum install -y iptables-services
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirror01.idc.hinet.net
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-18.3.el7_4 将被 安装
--> 正在处理依赖关系 iptables = 1.4.21-18.3.el7_4,它被软件包 iptables-services-1.4.21-18.3.el7_4.x86_64 需要
--> 正在检查事务
---> 软件包 iptables.x86_64.0.1.4.21-18.0.1.el7.centos 将被 升级
---> 软件包 iptables.x86_64.0.1.4.21-18.3.el7_4 将被 更新
--> 解决依赖关系完成

依赖关系解决

==============================================================================================================================================================
 Package                                    架构                            版本                                       源                                大小
==============================================================================================================================================================
正在安装:
 iptables-services                          x86_64                          1.4.21-18.3.el7_4                          updates                           51 k
为依赖而更新:
 iptables                                   x86_64                          1.4.21-18.3.el7_4                          updates                          428 k

事务概要
==============================================================================================================================================================
安装  1 软件包
升级           ( 1 依赖软件包)

总下载量:479 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): iptables-services-1.4.21-18.3.el7_4.x86_64.rpm                                                                                  |  51 kB  00:00:00     
(2/2): iptables-1.4.21-18.3.el7_4.x86_64.rpm                                                                                           | 428 kB  00:00:00     
--------------------------------------------------------------------------------------------------------------------------------------------------------------
总计                                                                                                                          691 kB/s | 479 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在更新    : iptables-1.4.21-18.3.el7_4.x86_64                                                                                                         1/3 
  正在安装    : iptables-services-1.4.21-18.3.el7_4.x86_64                                                                                                2/3 
  清理        : iptables-1.4.21-18.0.1.el7.centos.x86_64                                                                                                  3/3 
  验证中      : iptables-1.4.21-18.3.el7_4.x86_64                                                                                                         1/3 
  验证中      : iptables-services-1.4.21-18.3.el7_4.x86_64                                                                                                2/3 
  验证中      : iptables-1.4.21-18.0.1.el7.centos.x86_64                                                                                                  3/3 

已安装:
  iptables-services.x86_64 0:1.4.21-18.3.el7_4                                                                                                                

作为依赖被升级:
  iptables.x86_64 0:1.4.21-18.3.el7_4                                                                                                                         

完毕!

3、开机启动iptables,开启iptables服务

[root@lgs ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@lgs ~]# systemctl start iptables

4、开启netfilter防火墙成功,查看iptables默认规则。netfilter才是防火墙的名字,iptables只是他的一个工具。

[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  1728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1412 bytes)
 pkts bytes target     prot opt in     out     source               destination

10.13 netfilter5表5链介绍

netfilter的5个表:filter、nat、mangle、raw、security,一般操作filter和nat即可。 CentOS 5、6没有 security表。

[root@lgs ~]# man iptables




IPTABLES(8)                                                           iptables 1.4.21                                                          IPTABLES(8)

NAME
       iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT

SYNOPSIS
       iptables [-t table] {-A|-C|-D} chain rule-specification

       ip6tables [-t table] {-A|-C|-D} chain rule-specification

       iptables [-t table] -I chain [rulenum] rule-specification

       iptables [-t table] -R chain rulenum rule-specification

       iptables [-t table] -D chain rulenum

       iptables [-t table] -S [chain [rulenum]]

       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

       iptables [-t table] -N chain

       iptables [-t table] -X [chain]

       iptables [-t table] -P chain target

       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification = [matches...] [target]

       match = -m matchname [per-match-options]

       target = -j targetname [per-target-options]

DESCRIPTION
       Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel.  Several dif‐
       ferent tables may be defined.  Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each rule specifies what to do with a packet that matches.  This is called a `tar‐
       get', which may be a jump to a user-defined chain in the same table.

TARGETS
       A  firewall  rule  specifies  criteria for a packet and a target.  If the packet does not match, the next rule in the chain is examined; if it does
       match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets  described  in
       iptables-extensions(8), or one of the special values ACCEPT, DROP or RETURN.

       ACCEPT  means  to  let  the packet through.  DROP means to drop the packet on the floor.  RETURN means stop traversing this chain and resume at the
       next rule in the previous (calling) chain.  If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is  matched,
       the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are
       present).

       -t, --table table
              This option specifies the packet matching table which the command should operate on.  If the kernel  is  configured  with  automatic  module
              loading, an attempt will be made to load the appropriate module for that table if it is not already there.

              The tables are as follows:

              filter:
                  This  is  the  default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets),
                  FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

              nat:
                  This table is consulted when a packet that creates a new connection is encountered.  It consists of  three  built-ins:  PREROUTING  (for
                  altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering
                  packets as they are about to go out).  IPv6 NAT support is available since kernel 3.7.

              mangle:
                  This table is used for specialized packet alteration.  Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming
                  packets  before  routing) and OUTPUT (for altering locally-generated packets before routing).  Since kernel 2.4.18, three other built-in
                  chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the  box),
                  and POSTROUTING (for altering packets as they are about to go out).

              raw:
                  This  table  is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.  It registers at
                  the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP  tables.   It  provides  the  following
                  built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

              security:
                  This  table  is  used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets.
                  Mandatory Access Control is implemented by Linux Security Modules such as SELinux.  The security table is called after the filter table,
                  allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules.  This table provides the fol‐
                  lowing built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before  routing),
                  and FORWARD (for altering packets being routed through the box).

filter表:有 INPUT、FORWARD、OUTPUT三个链(chain)

INPUT:数据包进入本机时进行操作的规则

FORWARD:目标地址不是本机的数据包,经过本机转发,没有进入系统内核。转发处理时的规则。

OUTPUT:本机产生的数据包,出去前进行操作的规则。

-t选项:指定表
[root@lgs ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  171 13076 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   473 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 133 packets, 20408 bytes)
 pkts bytes target     prot opt in     out     source               destination

nat表:路由器的实现就是用nat原理,还可以进行端口映射。nat有 PREROUTING、OUTPUT、POSTROUTING三个链(chain)

PREROUTING:数据包进来本机时,进行修改的规则

OUTPUT:本机产生的数据包,出去前进行操作的规则。

POSTROUTING:数据包出去本机时,进行修改的规则

默认nat三个链的规则都为空

[root@lgs ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

netfilter的5表5链 参考学习文章:iptables详解 www.cnblogs.com/metoy/p/4320813.html

10.14 iptables语法

iptables -nvL 默认规则:即filter表的默认规则。在配置文件/etc/sysconfig/iptables 里定义。

[root@lgs ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  279 21744 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   58  5158 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 221 packets, 30752 bytes)
 pkts bytes target     prot opt in     out     source               destination

-F选项:清空后规则,临时生效。重启iptables服务后还是会加载默认规则。

[root@lgs ~]# iptables -F
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@lgs ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   388 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
 pkts bytes target     prot opt in     out     source               destination

要永久生效,修改规则后要保存一下:

service iptables save

-Z选项:计数器清零包数据的统计

[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   55  4084 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 45 packets, 7720 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@lgs ~]# iptables -Z && iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

-A选项:增加规则,在现有规则最后增加。后面指定链,-s指定源ip,-p指定协议,--sport端口,-d目标ip,-dport目标端口 -j操作 DROP 丢弃。另外有 ACCEPT 、REJECT等。

[root@lgs ~]# iptables -A INPUT -s 192.168.87.150 -p tcp --sport 1234 -d 192.168.87.130 --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  194 13960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.87.150       192.168.87.130       tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 6 packets, 744 bytes)
 pkts bytes target     prot opt in     out     source               destination

-I选项:插入规则,在现有规则前面插入变成第一条规则。优先过滤执行,如果有匹配的立马执行,后面有相同匹配的就不执行了。

[root@lgs ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  306 22376 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   473 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.87.150       192.168.87.130       tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

-D选项:删除规则。

[root@lgs ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  360 27348 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   473 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.87.150       192.168.87.130       tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination

如果想删除很久之前添加的规则,但是有不记得具体的参数命令了。可以用规则编号

[root@lgs ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      407 30984 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   473 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.87.150       192.168.87.130       tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 38 packets, 4860 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@lgs ~]# iptables -D INPUT 6
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  483 36808 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   473 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 20 packets, 2108 bytes)
 pkts bytes target     prot opt in     out     source               destination

-i选项:指定网卡 -i eth0

-P选项:修改默认规则的动作策略,默认是policy ACCEPT,谨慎修改,会导致网络无法访问。

[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  490 37296 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    3   702 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 28 packets, 3860 bytes)
 pkts bytes target     prot opt in     out     source               destination

转载于:https://my.oschina.net/u/3804114/blog/1809755

weixin_33895695
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
解读iaas-pre-host.脚本(国基北盛)
weixin_46396917的博客
12-04 965
国基北盛脚本搭建iaas-pre-host.sh解读
postgresql-10.11-1-windows-x64.zip
04-01
"inputFields": { "label": { "fieldClass": "java.lang.String", "fieldName": "label", "fieldValue": "消费城市", "multiple": false }, "type": { "fieldClass": "java.lang.String", ... },
Error downloading packages: iptables-1.4.21-35.el7.x86_64: [Errno 256] No more mirrors to try.
u014771464的博客
06-13 2111
Error downloading packages: iptables-1.4.21-35.el7.x86_64: [Errno 256] No more mirrors to try.
坚持#第262天~DNS域名系统2(DNS转发、DNS主从、DNS子域)
libanxian9527的博客
01-05 1550
转发DNS服务器: 场合: 比如说你不能直接访问外网的dns服务器,但是公司里有一个人他可以访问外网的dns,那么你只能通过他转发请求。 实验环境:两台dns服务器和一个客户端 1)192.168.10.10 真正的dns服务器,拥有全部的解析以baidu.com正向解析为例 2)192.168.10.14 转发dns服务器,没有主机的解析信息 192.168.30.14可以通的网段
192.168.10.0/24
weixin_33924220的博客
01-14 1469
实际IP地址是32位的2进制数,也就是********.********.********.********。192.168.10.0/24代表前24位代表网络位,后8位为子网位。 转载于:https://www.cnblogs.com/simpman/archive/2013/01/14/2859215.html...
python大数据分析代码案例
weixin_33681778的博客
02-07 715
#查询用户余额代码案例import sysimport MySQLdbimport pandas as pdoptmap = { 'dbuser' : 'aduser', 'dbpass' : '123654', 'dbhost' : '192.168.10.14', ...
PostgreSQL10.11-1 + postgis 3.0.0-2 window_x64.zip
01-11
PostgreSQL10.11-1 + postgis 3.0.0-2 window_x64.zip
VM创建客户端MacOS版本号10.8-10.14.zip
05-16
使用VM虚拟机创建操作系统,没有Apple Mac OS 版本号,提供MACOS版本
phpMyAdmin-4.0.10.11-all-languages.zip
10-25
MySQL管理工具phpMyAdmin 4.0.10.11,兼容PHP 5.2 和 MySQL 5。 从官网下载,MD5:(934aea4e16597a2a15ac51eb34e244a3) phpMyAdmin更新的版本已经不再兼容PHP 5.2,如果小盆友的服务器还在运行5.3以下版本的PHP,...
postgresql-10.11-3-windows.exe
12-25
psotgresql安装包,PostgreSQL是一种特性非常齐全的自由软件的对象-关系型数据库管理系统(ORDBMS),是以加州大学计算机系开发的POSTGRES,4.2版本为基础的对象关系型数据库管理系统。
Linux服务器跨三网的网卡配置方法(4网卡3网段)
洒满阳光的午后的博客
01-09 1516
服务器有4个网卡,其中1、2号网卡进行绑定,配置10地址;3号网卡配置互联网地址;4号网卡配置192私网地址。IP信息如下 IP 202.*.*.* 10.14.167.229 192.168.188.202 掩码 255.255.255.240 255.255.255.240 255.255.255.192 网关 202.*.*.* 10...
nginx配置
samwalt的博客
10-27 128
http://freeloda.blog.51cto.com/2033581/1288553 1、反向代理 有一个java应用example用tomcat部署,访问url是http://localhost:8080/example, 希望用nginx做反向代理,用url http://localhost就可以访问 [code="java"]location / { proxy...
Keepalived+mysql高可用
一条大河
08-10 603
DB1: 192.168.10.13:3358  DB2: 192.168.10.14:3358 VIP: 192.168.10.100:3358 注意: /etc/my.cnf中,bind_address注销掉,或者改为0.0.0.0 (mysql已安装完毕,并配置了主-主关系) 安装环境: yum install -y keepalived yum install -y ipvs...
2018.1.24 7周3次课
weixin_34233618的博客
01-24 116
七周三次课(1月24日)10.11 Linux网络相关 10.12 firewalld和netfilter 10.13 netfilter5表5链介绍 10.14 iptables语法10.11 Linux网络相关用ifconfig命令查看网卡IP前面曾用过ip addr这个命令来查看系统的IP地址。其实在centos 7之前,我们使用最多的命令是ifconfig,它类似于W...
坚持#第259天~数据库只读模式,amoeba8066端口负载均衡
libanxian9527的博客
01-02 397
多台服务器有多个ip导致使用使用数据库的时候不方便 所以出现了调度器:读写分离 之前分离实验只读没有效果?把服务器作为只读 启动数据库服务 进入数据库 show variables like ‘%read%’;可以看到有一条是read_only   flush tables with read lock;锁定所有,只能读,不能写 解锁的话就是unlocktables;锁定之后主机改
后端必备 Nginx 配置
IT哈哈的博客
09-16 307
防盗链 location~*\.(gif|jpg|png)${ #只允许192.168.0.1请求资源 valid_referersnoneblocked192.168.0.1; if($invalid_referer){ rewrite^/http://$host/logo.png; } } 根据文件类型设置过...
【鸿蒙开发】第二十二章 Media Library媒体文件管理服务
Yvan
04-30 771
提供了,包括照片和视频,帮助你的应用快速构建图片视频展示和播放能力。通过Media Library Kit, 开发者可以管理相册和媒体文件,包括创建相册以及访问、修改相册中的媒体信息等,其中对三方应用开放的能力有:媒体资源(图片、视频)相关获取指定媒体资源获取图片和视频缩略图创建媒体资源(安全控件)重命名媒体资源用户相册相关获取用户相册重命名用户相册添加图片和视频到用户相册中获取用户相册中的图片和视频从用户相册中移除图片和视频系统相册相关视频相册。
Linux】文件内容相关的命令,补充:管道符
最新发布
yannan20190313的博客
05-07 686
Linux】文件内容相关的命令,补充:管道符
【12575嵌入式系统】嵌入式系统考前复习题终结版期末复习自考复习
嵌入式行业打工人,不定期更新博客。
05-05 529
答:1)小端存储器组织是较高的有效字节存放在较高的存储器地址,较低的有效。嵌入式系统是以应用为中心,以计算机技术为基础,软件硬件可裁剪,适应应用系。答:寻址方式是根据指令中给出的地址码字段来实现寻找真实操作数地址的方式。器产生一个具有一定时间宽度的复位信号,迫使系统复位,恢复系统正常运行。答:通用操作系统是一种通用的操作系统,可运行在不同的。答:当系统程序出现功能错乱,引起系统程序死循环时,能。存放在较低的存储器地址,较低的有效字节存放在较高的。正常运行,恢复系统程序的正常运行。
10.11.33.75
04-20
10.11.33.75是一个IP地址,它是一个用于在计算机网络中标识设备的唯一地址。IP地址分为IPv4和IPv6两种类型,10.11.33.75是IPv4地址的一种。IPv4地址由四个由点分隔的十进制数表示,每个数的取值范围是0到255。 关于...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值