七週三次課
七週三次課html
10.11 Linux網絡相關linux
10.12 firewalld和netfiltervim
10.13 netfilter5表5鏈介紹windows
10.14 iptables語法centos
10.11 Linux網絡相關安全
ifconfig命令bash
查看網卡IP服務器
若是系統沒有該命令可使用yum安裝:網絡
[root@tianqi-01 ~]# yum install -y net-toolsless
查看網卡IP還可使用命令:ip add,這個顯示有點亂!
ifconfig -a
顯示全部網卡信息(包括down掉的或者沒有IP地址的網卡)
啓動/關閉網卡
ifup/ifdown [網卡名]
應用環境:更改單個指定網卡配置後須要重啓才能生效,爲了不關閉或重啓全部網卡,能夠對單個網卡執行該命令。
注: 若是網卡正在使用中,不要單獨使用ifdown命令!!!解決辦法: 「# ifdown ens33 && ifup ens33」,使兩個命令一塊兒執行!
爲虛擬機添加網卡
在linux系統中,網卡是能夠設定多重IP的。
如今想增長一個IP,就須要增長一個虛擬網卡。
[root@tianqi-01 ~]# cd /etc/sysconfig/network-scripts
[root@tianqi-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@tianqi-01 network-scripts]# ls
ifcfg-ens33 ifdown-bnep ifdown-isdn ifdown-sit ifup ifup-ippp ifup-plusb ifup-sit ifup-wireless
ifcfg-ens33:0 ifdown-eth ifdown-post ifdown-Team ifup-aliases ifup-ipv6 ifup-post ifup-Team init.ipv6-global
ifcfg-lo ifdown-ippp ifdown-ppp ifdown-TeamPort ifup-bnep ifup-isdn ifup-ppp ifup-TeamPort network-functions
ifdown ifdown-ipv6 ifdown-routes ifdown-tunnel ifup-eth ifup-plip ifup-routes ifup-tunnel network-functions-ipv6
#之因此加\,是爲了脫義:,否則在linux命令行下面沒法識別。而後編輯ifcfg-ens33\:0,必定要把DEVICE改爲ens33\:0.
[root@tianqi-01 network-scripts]# vim ifcfg-ens33:0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
UUID=bd1e1864-e75b-4f5f-bc63-9b1b0d64feff
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.11.139
NETMASK=255.255.255.0
GATEWAY=192.168.11.2
[root@tianqi-01 network-scripts]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@tianqi-01 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.136 netmask 255.255.255.0 broadcast 192.168.11.255
inet6 fe80::1eb9:8f9e:264a:7159 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:08:64:43 txqueuelen 1000 (Ethernet)
RX packets 1503 bytes 133236 (130.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1210 bytes 115291 (112.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.139 netmask 255.255.255.0 broadcast 192.168.11.255
ether 00:0c:29:08:64:43 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
上面就多了一個網卡,看看windows能不能ping通192.168.11.139,發現是能夠ping通的,這就證實沒問題。
• mii-tool ens33 查看網卡是否鏈接
查看服務器是否連着網線,在機房的話,能夠看網卡的燈是否是亮着,在系統裏面的話,使用上面的命令。
[root@tianqi-01 network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
這裏顯示link ok,說明網卡爲鏈接狀態。若是顯示no link,就說明網卡壞了或者沒有鏈接網線。若是顯示not support,可使用下面一個命令。
• ethtool ens33 也能夠查看網卡是否鏈接
[root@tianqi-01 network-scripts]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
若是網卡沒有鏈接,最下面一行Link detected顯示爲no。
• 更改主機名 hostnamectl set-hostname aminglinux
[root@tianqi-01 network-scripts]# hostname
tianqi-01
[root@tianqi-01 network-scripts]# hostnamectl set-hostname tianqi
[root@tianqi-01 network-scripts]# bash
#這裏root@tianqi-01沒有發生變化,能夠退出從新登錄或者bash命令進入子目錄。
[root@tianqi network-scripts]# cat /etc/hostname
tianqi
• DNS配置文件/etc/resolv.conf
DNS是用來解析域名的,平時咱們訪問網站都是直接輸入一個網址,而DNS把這個網址解析到一個IP。
在linux下設置DNS很是簡單,只要把DNS地址寫到配置文件/etc/resolv.conf中便可。
[root@tianqi-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
第一行是個註釋,說明這個配置文件中的DNS IP地址是由NetworkManager服務生成的。NetworkManager是一個集成的linux網絡管理器,不經常使用。resolv.conf有它固定的格式,必定要寫成
nameserver IP的格式。能夠多寫幾個nameserver,系統默認會用第一個nameserver去解析域名,當第一個解析不成功時會使用第二個。
若是隻是臨時修改DNS IP地址,就直接修改/etc/resolv.conf;若是是永久生效的話,仍是要修改網卡的配置文件。
[root@tianqi-01 network-scripts]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=bd1e1864-e75b-4f5f-bc63-9b1b0d64feff
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.11.136
NETMASK=255.255.255.0
GATEWAY=192.168.11.2
DNS1=119.29.29.29
DNS2=8.8.8.8 #這個是谷歌DNS
[root@tianqi-01 network-scripts]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@tianqi-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8
/etc/hosts文件是Linux、Windows都有的,用於指定域名訪問的IP地址:
在linux下還有一個特殊文件也能解析域名,不過須要咱們在裏面手動添加IP地址和域名。它的做用是臨時解析某個域名,很是有用。
[root@tianqi-01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
如今ping一下qq,如今發現是公網IP。
[root@tianqi-01 network-scripts]# ping www.qq123.com
PING www.qq123.com (211.155.235.108) 56(84) bytes of data.
64 bytes from 211.155.235.108 (211.155.235.108): icmp_seq=1 ttl=128 time=33.8 ms
64 bytes from 211.155.235.108 (211.155.235.108): icmp_seq=2 ttl=128 time=30.0 ms
64 bytes from 211.155.235.108 (211.155.235.108): icmp_seq=3 ttl=128 time=30.1 ms
64 bytes from 211.155.235.108 (211.155.235.108): icmp_seq=4 ttl=128 time=29.9 ms
64 bytes from 211.155.235.108 (211.155.235.108): icmp_seq=5 ttl=128 time=38.9 ms
^C
--- www.qq123.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4030ms
rtt min/avg/max/mdev = 29.984/32.593/38.929/3.493 ms
例如我修改hosts文件指定一個域名的ip:
[root@tianqi-01 network-scripts]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 www.test.com
[root@tianqi-01 network-scripts]# ping www.test.com
PING www.test.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.085 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.130 ms
^C
--- www.test.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2020ms
rtt min/avg/max/mdev = 0.070/0.095/0.130/0.025 ms
ping這個域名時就會訪問127.0.0.1 IP地址
一個IP能夠指定多個域名:
[root@tianqi-01 network-scripts]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 www.test.com www.123.com www.0000000.com www.8888.com
[root@tianqi-01 network-scripts]# ping www.8888.com
PING www.test.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.057 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.058 ms
^C
--- www.test.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3018ms
rtt min/avg/max/mdev = 0.057/0.057/0.058/0.007 ms
若是有兩個一樣的域名指定了不一樣的IP,以第一個的那個IP爲準:
[root@tianqi-01 network-scripts]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 www.test.com www.123.com www.0000000.com www.8888.com
192.168.11.136 www.123.com
[root@tianqi-01 network-scripts]# ping www.123.com
PING www.123.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.186 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.057 ms
^C
--- www.123.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.057/0.091/0.186/0.055 ms
[root@tianqi-01 network-scripts]#
10.12 firewalld和netfilter
selinux是linux系統特有的安全機制,安裝完系統後,通常要把selinux關閉,以避免引發沒必要要的麻煩。
•selinux臨時關閉 setenforce 0
這僅僅是臨時的,要想永久關閉須要更改配置文件,須要把SELINUX=enforcing改爲
SELINUX=disabled。
更改完配置文件之後,重啓系統方可生效。可使用getenforce命令得到當前selinux的狀態。
[root@tianqi-01 network-scripts]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@tianqi-01 network-scripts]# getenforce
Enforcing
[root@tianqi-01 network-scripts]# setenforce 0
[root@tianqi-01 network-scripts]# getenforce
Permissive
• centos7以前使用netfilter防火牆,centos7的防火牆是firewalld,iptables是其中的工具。工具用法是同樣的,用這個工具能夠添加一些規則,好比關閉和開啓一些端口。
在centos7上使用centos6的防火牆機制也是沒有問題的。
一、關閉firewalld服務
[root@tianqi-01 network-scripts]# systemctl disable firewalld //停掉firewalld,就是限制開機啓動
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@tianqi-02 ~]# systemctl stop firewalld //關閉firewalld服務
2.安裝iptables-services包:
開啓netfilter
在開啓以前,須要先安裝一個iptables-services包
[root@tianqi-01 network-scripts]# yum install -y iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
這樣就可使用以前的iptables了
安裝完以後就會有一個iptables服務:
[root@tianqi-01 network-scripts]# systemctl enable iptables //設置開機啓動
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
3.開啓iptables服務:
[root@tianqi-01 ~]# systemctl start iptables
4.使用iptables -nvL命令查看iptables服務自帶的一些規則:
[root@tianqi-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 1808 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1460 bytes)
pkts bytes target prot opt in out source destination
10.13 netfilter5表5鏈介紹
• netfilter的5個表
• filter表用於過濾包,最經常使用的表,有INPUT、FORWARD、OUTPUT三個鏈
• nat表用於網絡地址轉換,有PREROUTING、OUTPUT、POSTROUTING三個鏈
• managle表用於給數據包作標記,幾乎用不到
• raw表能夠實現不追蹤某些數據包,阿銘歷來不用
• security表在centos6中並無,用於強制訪問控制(MAC)的網絡規則,阿銘沒用過
• 參考文章 http://www.cnblogs.com/metoy/p/4320813.html
netfilter的五個表
- filter表,就是默認的一個表,包含了三個內置的鏈:INPUT、FORWARD、OUTPUT
- INPUT鏈,表示數據進來的包進來要通過的一個鏈,進入到本機
- 好比,進入到本機後,將80端口進來的數據包,訪問80端口的數據包檢查下它的原IP是什麼,發現可疑的IP須要禁掉
- FORWARD鏈,這個數據包到了機器,並不會進入內核裏,由於這個數據包不是給你處理的,而是給另一臺機器處理的,因此這時候須要判斷下你的目標地址是否爲本機,若是不是本機,則須要通過FORWARD這個鏈
- 在通過 FORWARD鏈的時候,也會作一些操做,把目標地址作一些更改,或者作一個轉發
- OUTPUT鏈,是在本機產生的一些包,在出去以前作的一些操做
- 好比,這個包是發給某一個IP的,這個IP我要禁掉,不讓這個包過去(已加入到黑名單),只要是到那個IP的,都給禁掉。
- INPUT鏈,表示數據進來的包進來要通過的一個鏈,進入到本機
- nat表,也有三個鏈PREROUTING 、OUTPUT、POSTROUTING
- PREROUTING鏈,這個鏈用來更改這個數據包——>在進來的那一刻就去更改
- OUTPUT鏈,它和上面filter表中的OUTPUT鏈是同樣的
- POSTROUTING鏈,這個鏈也是更改數據包——>在出去的那一刻更改
- nat表,使用案列
- 路由器的實現的共享上網就是nat實現的
- 端口映射
- mangle表和raw表和security表幾乎用不到
netfilter的五個鏈
PREROUTING:數據包進入路由表以前
INPUT:經過路由表後目的地爲本機
FORWARDING:經過路由表後,目的地不爲本機
OUTPUT:由本機產生,向外轉發
POSTROUTING:發送到網卡接口以前
iptables傳輸數據包的過程
① 當一個數據包進入網卡時,它首先進入PREROUTING鏈,內核根據數據包目的IP判斷是否須要轉送出去。
② 若是數據包就是進入本機的,它就會沿着圖向下移動,到達INPUT鏈。數據包到了INPUT鏈後,任何進程都會收到它。本機上運行的程序能夠發送數據包,這些數據包會通過OUTPUT鏈,而後到達POSTROUTING鏈輸出。
③ 若是數據包是要轉發出去的,且內核容許轉發,數據包就會如圖所示向右移動,通過FORWARD鏈,而後到達POSTROUTING鏈輸出。
- 總結:
- 若是是本機的,則會通過PREROUTING鏈--->INPUT鏈--->OUTPUT鏈--->POSTROUTING鏈
- 若是不是本機的,則會通過PREROUTING鏈--->FORWARD鏈--->POSTROUTING鏈
學習擴展連接文章,能夠幫助咱們更好的學習iptables的表和鏈。
10.14 iptables語法
•數據包流向與netfilter的5個鏈
• PREROUTING:數據包進入路由表以前
• INPUT:經過路由表後目的地爲本機
• FORWARD:經過路由表後,目的地不爲本機
• OUTPUT:由本機產生,向外發出
• POSTROUTING:發送到網卡接口以前
iptables的默認規則在/etc/sysconfig/iptables文件裏保存着:
[root@tianqi-01 network-scripts]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
清除規則使用iptables -F命令:
這樣雖然清空了規則,可是默認規則還會保存在/etc/sysconfig/iptables文件裏。
想要當前的規則保存到/etc/sysconfig/iptables文件裏就要使用service iptables save命令:
若是沒有保存到/etc/sysconfig/iptables文件裏的話,重啓服務後就會從新加載/etc/sysconfig/iptables文件裏的規則:
[root@tianqi-01 network-scripts]# iptables -nvL //查看iptables默認規則
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
107 7496 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 69 packets, 7784 bytes)
pkts bytes target prot opt in out source destination
- service iptables restart 重啓iptables規則
[root@tianqi-02 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@tianqi-02 ~]#
存放默認規則的位置
- /etc/sysconfig/iptables
[root@tianqi-02 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@tianqi-02 ~]#
iptables -F清空規則
- iptables -F清空規則
- 在清空規則後,再去查看,會發現沒有規則了(可是在文件中依舊保存這規則)
[root@tianqi-02 ~]# iptables -F
[root@tianqi-02 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 1848 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1412 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-02 ~]#
-
service iptables save 保存規則
- 如果在清空規則後,去執行service iptables save保存規則,那存放規則的文件也會變成所保存的規則
-
在iptables -F清空規則後,重啓service restart iptables.service(重啓服務器或者iptables規則),都會加載配置文件裏面的規則
- 在重啓規則後,會看到原先被清空的規則從新加載了
[root@tianqi-02 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@tianqi-02 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1412 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-02 ~]#
目前咱們作的這些操做都是針對的filter表,這是默認的表。
查看nat表的規則:
[root@tianqi-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 network-scripts]#
使用iptables -nvL命令顯示的規則裏,能夠看到第一行是有數字的,加上-Z選項能夠將計數器清零:
iptables -Z 把計數器清零
- iptables -Z 把計數器清零
- 在查看filter表的時候,會看到第一列和第二列都是有數據的
- 第一列,是有多少個包
- 第二列,是數據量,數據大小(單位:bytes字節)
- 在查看filter表的時候,會看到第一列和第二列都是有數據的
[root@tianqi-01 network-scripts]# iptables -Z;iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 network-scripts]#
- 這裏會看到數字都清零了,但過一會再來查看,會看到數字又出現了(由於在每時每刻都在通訊)
[root@tianqi-02 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
49 3244 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 27 packets, 3484 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-02 ~]#
清零是爲了在某些需求下,能夠計算某個時間段某個ip傳送過來的數據包數量。
iptables新增規則 -A
- 在iptables命令中,沒有-t 指定表的時候,默認就是filter表
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- -A,就是增長一條規則(這裏針對的是INPUT鏈)
- 新增的規則會在規則的最後面
- -s ,指定來源IP
- -p,指定它的協議,是TCP,仍是UDP,或者是ICMP協議
- -sport,來源的端口
- -d,指目標的IP
- -dport,指目標的端口
- -j,操做
- DROP,扔掉
- REJECT,拒絕
- -A,就是增長一條規則(這裏針對的是INPUT鏈)
- DROP扔掉和REJECT拒絕,最終實現的效果是同樣的,都是爲了讓數據包過不來,至關於把IP給封掉
- DROP和REJECT區別:
- DROP,在這個數據包來了以後,看都不看直接扔掉
- REJECT,在這個數據包來了以後,先看一看,看完以後,在拒絕
添加規則示例:
[root@tianqi-01 network-scripts]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@tianqi-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10 760 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3 packets, 356 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 network-scripts]#
iptables命令 參數 -I
- iptables -I INPUT -p tcp --dport 80 -j DROP
- 這裏是簡寫,不指定來源IP,和目標IP,只寫目標的端口——>但必定要指定tcp/ip
- 如果使用了 dport 或 sport ,那麼前面必須 -p 指定它的協議
[root@tianqi-01 network-scripts]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@tianqi-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
23 1696 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3 packets, 356 bytes)
pkts bytes target prot opt in out source destination
插入規則會在最前面,添加的規則會在後面。
- -I和-A的區別:
- -I,表示插入
- -A,表示增長
- 如果規則添加到前面,則是優先過濾最前面的規則,而後再去往下一條條的執行
- 如果數據包匹配了第一條規則(同時知足兩條規則),就會先匹配第一條規則。一旦匹配了第一條規則,那麼數據包就會被抓取掉了,就不會再往下執行規則了
- 一旦匹配規則,當即執行
iptables命令參數-D 刪除規則
- iptables -D INPUT -s 1.1.1.1 -j DROP 刪除規則
[root@tianqi-01 network-scripts]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@tianqi-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
34 2484 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3 packets, 356 bytes)
pkts bytes target prot opt in out source destination
根據編號刪除規則
- 刪除規則的另外一種方法
- iptables -nvL --line-numbers 打印出規則的序列號
- 第一列就是number
[root@tianqi-01 network-scripts]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@tianqi-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
44 3196 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3 packets, 356 bytes)
pkts bytes target prot opt in out source destination
[root@tianqi-01 network-scripts]#
[root@tianqi-01 network-scripts]# iptables -nvL --line-number #加上這個選項後會顯示行號
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 51 3684 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 2172 bytes)
num pkts bytes target prot opt in out source destination
刪除第7條規則
[root@tianqi-01 network-scripts]# iptables -D INPUT 7
[root@tianqi-01 network-scripts]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 67 4776 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3 packets, 372 bytes)
num pkts bytes target prot opt in out source destination
iptables命令 參數 -P
-
iptables -P OUTPUT DROP 默認的規則
- 鏈中,有一個默認的策略policy,policy ACCEPT表示這個鏈不加這些規則的話,那OUTPUT沒有任何的規則,因此對於OUTPUT鏈的數據包來說,policy ACCEPT就是由默認的策略來決定的
- 默認的策略是由ACCEPT來決定,全部的數據包只要是沒有具體的規則來匹配,那麼它就走默認的策略
- 鏈中,有一個默認的策略policy,policy ACCEPT表示這個鏈不加這些規則的話,那OUTPUT沒有任何的規則,因此對於OUTPUT鏈的數據包來說,policy ACCEPT就是由默認的策略來決定的
-
默認的規則最好不要去改變!!!
注意: 儘可能不要隨意更改該配置,尤爲是在進行遠程登陸時,一旦執行該命令後將會斷開鏈接。這個策略設定後只能用命令:‘iptables -P OUTPUT ACCEPT’來恢復成原始狀態,不能使用-F參數。
友情連接:阿銘Linux
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. vs2019運行opencv圖片顯示代碼時,窗口亂碼
- 2. app自動化 - 元素定位不到?別慌,看完你就能解決
- 3. 在Win8下用cisco ××× Client連接時報Reason 422錯誤的解決方法
- 4. eclipse快速補全代碼
- 5. Eclipse中Java/Html/Css/Jsp/JavaScript等代碼的格式化
- 6. idea+spring boot +mabitys(wanglezapin)+mysql (1)
- 7. 勒索病毒發生變種 新文件名將帶有「.UIWIX」後綴
- 8. 【原創】Python 源文件編碼解讀
- 9. iOS9企業部署分發問題深入瞭解與解決
- 10. 安裝pytorch報錯CondaHTTPError:******