安装:yum install -y net-tools
·查看网卡ip:ifconfig
[root@localhost ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.65.128 netmask 255.255.255.0 broadcast 192.168.65.255 inet6 fe80::7cd2:a780:c114:4d06 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:7e:8b:1b txqueuelen 1000 (Ethernet) RX packets 38578 bytes 19915225 (18.9 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 88936 bytes 20130502 (19.1 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 68 bytes 5916 (5.7 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 68 bytes 5916 (5.7 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
·查看所有网卡(包括没有启动的网卡):ifconfig -a
·启动网卡:ifup 网卡名
·关闭网卡:ifdown 网卡名
[root@localhost ~]# ifdown ens33 && ifup ens33 成功断开设备 'ens33'。 连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/2)
·设定虚拟网卡:
[root@localhost network-scripts]# cd /etc/sysconfig/network-scripts/ [root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0 [root@localhost network-scripts]# vim ifcfg-ens33\:0
保存退出
[root@localhost network-scripts]# ifdown ens33 && ifup ens33 成功断开设备 'ens33'。 连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/3) [root@localhost network-scripts]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.65.128 netmask 255.255.255.0 broadcast 192.168.65.255 inet6 fe80::7cd2:a780:c114:4d06 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:7e:8b:1b txqueuelen 1000 (Ethernet) RX packets 39173 bytes 19967129 (19.0 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 89362 bytes 20190444 (19.2 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.65.150 netmask 255.255.255.0 broadcast 192.168.65.255 ether 00:0c:29:7e:8b:1b txqueuelen 1000 (Ethernet) lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 68 bytes 5916 (5.7 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 68 bytes 5916 (5.7 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(可以看出,已经多了一个虚拟网卡ens33:0)
·查看网卡是否连接:
mii-tool 网卡名
ethtool 网卡名
[root@localhost ~]# mii-tool ens33 ens33: negotiated 1000baseT-FD flow-control, link ok ##连接正常 [root@localhost ~]# ethtool ens33 Settings for ens33: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supported pause frame use: No Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Speed: 1000Mb/s Duplex: Full Port: Twisted Pair PHYAD: 0 Transceiver: internal Auto-negotiation: on MDI-X: off (auto) Supports Wake-on: d Wake-on: d Current message level: 0x00000007 (7) drv probe link Link detected: yes ##连接正常
·更改主机名:hostnamectl
[root@localhost ~]# hostnamectl set-hostname alexis hostname配置文件:/etc/hostname
·DNS配置文件:/etc/resolv.conf
[root@localhost ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 119.29.29.29
(这里的参数由网卡配置文件所定义;即使手动修改了此文件,重启网卡后依然会被恢复为网卡配置文件中的参数)
/etc/hosts文件
[root@localhost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
前面为IP,后面为域名
一行可以有多个域名
多个相同的域名不同的IP,默认使用最后一个IP
10.12 firewalld和netfilter
·临时关闭selinux:setenforce 0
[root@localhost ~]# getenforce Permissive
·永久关闭selinux:编辑/etc/selinux/config
[root@localhost ~]# vim /etc/selinux/config
·CentOS7之前使用netfilter防火墙,CentOS7开始使用firewalld防火墙
·关闭firewalld,开启netfilter
[root@localhost ~]# systemctl disable firewalld ##禁用firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@localhost ~]# systemctl stop firewalld##停止firewalld [root@localhost ~]# yum install -y iptables-services (过程省略) [root@localhost ~]# systemctl enable iptables ##允许iptables Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@localhost ~]# systemctl start iptables ##开启iptables [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 26 1716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes) pkts bytes target prot opt in out source destination
(netfilter是防火墙的名字,而iptables是管理它的工具)
10.13 netfilter5表5链介绍
netfilter的5个表:(1)filter (2)nat (3)mangle (4)raw (5)security
netfilter的5个链:(1)INPUT(2)OUTPUT(3)FORWARD(4)PREROUTING(5)POSTROUTING
mangle,raw,security表基本用不到,因此不用关注,只需要关注filter和nat即可
·iptables传输数据包的过程:
数据包进入本机:PREROUTING—>INPUT—>OUTPUT—>POSTROUTING
数据包不经过本机,而是转发出去:PREROUTING—>FORWARD—>POSTROUTING
参考:http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables语法
·查看iptables规则:iptables -nvL
[root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 26 1716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes) pkts bytes target prot opt in out source destination
·iptables规则保存在 /etc/sysconfig/iptables 中
[root@localhost ~]# cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
·清空iptables规则:iptables -F
[root@localhost ~]# iptables -F [root@localhost ~]# iptables -nvL ##清空规则后,实际配置文件并没有变化 Chain INPUT (policy ACCEPT 12 packets, 792 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 7 packets, 900 bytes) pkts bytes target prot opt in out source destination
·保存iptables规则:service iptables save
[root@localhost ~]# service iptables save
·加载iptables规则:重启服务器,或者重新启动服务:service iptables restart
[root@localhost ~]# service iptables restart Redirecting to /bin/systemctl restart iptables.service [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 12 792 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 7 packets, 884 bytes) pkts bytes target prot opt in out source destination
(重启服务器或者重启iptables规则,都会去加载配置文件 /etc/sysconfig/iptables 中的规则)
·默认iptables查看的是filter表的规则:iptables -t filter -nvL(不加 -t 就是filter表)
·查看nat表的规则:iptables -t nat -nvL
[root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
·计数器清零:iptables -Z
[root@localhost ~]# iptables -Z;iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
·iptables:
-A 增加一条规则(其后的 INPUT 为规则所针对的链)
-s 指定来源ip
-p 指定协议(tcp、udp、icmp)
--sport 来源端口
-d 目标ip
--dport 目标端口
-j 操作 (DROP扔掉 / REJECT 拒绝)
-I 插入
-i 指定网卡
·增加规则:iptables -A
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
·插入规则:iptables -I
iptables -I INPUT -p tcp --dport 80 -j DROP## -I 直接插队到最前面,-A只是添加 [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 128 10156 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 2 470 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 5 packets, 636 bytes) pkts bytes target prot opt in out source destination
·删除规则:iptables -D
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP [root@localhost ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 201 15908 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 3 705 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes) pkts bytes target prot opt in out source destination
·删除规则(简便方法):
1,先查看规则对应的序号;2,再按序号删除对应的规则
[root@localhost ~]# iptables -nvL --line-number ##指定规则号 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 2 337 25080 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 6 3 705 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 67 packets, 6092 bytes) num pkts bytes target prot opt in out source destination [root@localhost ~]# iptables -D INPUT 1 ##删除第一个规则 [root@localhost ~]# iptables -nvL ##之前的第一条规则已经被删除 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 477 34948 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 4 940 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 55 packets, 6900 bytes) pkts bytes target prot opt in out source destination
·指定网卡:iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
·默认规则:(数据包如果没有具体规则来匹配,那么就走默认的策略 policy)
更改默认策略:iptables -P OUTPUT DROP(执行后所有出站数据包都会被丢弃,远程连接会随之中断,只能到主机本地去修改规则)
改回策略:iptables -P OUTPUT ACCEPT(放行)
DROP / REJECT / ACCEPT
2018-1-24 7周3次课 网络、firewalld、netfilter、iptables语法
原文:http://blog.51cto.com/11530642/2064806