[root@daixuan ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced. (When on, behaviour that matches the policy is blocked)
# permissive - SELinux prints warnings instead of enforcing. (Nothing is blocked; violations are only logged)
# disabled - No SELinux policy is loaded. (SELinux is disabled)
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
getenforce queries the mode SELinux is currently running in.
[root@daixuan ~]# getenforce   # show the SELinux status
Disabled
setenforce is the tool used to change the SELinux mode at runtime.
Syntax: setenforce [ Enforcing | Permissive | 1 | 0 ]
Running "setenforce enforcing" or "setenforce 1" switches SELinux to Enforcing mode;
Running "setenforce permissive" or "setenforce 0" switches SELinux to Permissive mode.
Note: to make the change persistent you must edit the config file /etc/selinux/config; that change only takes effect after a reboot.
[root@daixuan ~]# setenforce 0   # temporarily turn SELinux off; this command can only be used when SELINUX=enforcing
setenforce: SELinux is disabled
[root@daixuan ~]# setenforce 1   # turn SELinux on; this command can only be used when SELINUX=enforcing
setenforce: SELinux is disabled
[root@daixuan ~]# rpm -qf `which setenforce`   # setenforce requires the libselinux-utils-2.0.94-5.8.el6.i686 package to be installed
libselinux-utils-2.0.94-5.8.el6.i686
[root@daixuan ~]# yum provides "/*setenforce"   # one way to find out which package provides a command
Firewall: netfilter; management tool: iptables
table
chain
[root@daixuan ~]# iptables -t filter -nvL   # -t filter lists the chains of the filter table; there are 3, and custom chains can be defined
Chain INPUT (policy ACCEPT 98419 packets, 48M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 115K packets, 36M bytes)
pkts bytes target prot opt in out source
[root@daixuan ~]# iptables -t nat -nvL   # the nat table has three chains
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
[root@daixuan ~]# iptables -t mangle -nvL   # the mangle table has 5 chains
filter: filters incoming and outgoing packets (INPUT, OUTPUT)
[root@daixuan ~]# iptables -t filter -I INPUT -p tcp --dport 80 -s 12.12.12.12 -j REJECT   # in the INPUT chain of the filter table, reject TCP packets to port 80 whose source IP is 12.12.12.12
[root@daixuan ~]# iptables -t filter -nvL   # view the rules of the specified table (filter)
Chain INPUT (policy ACCEPT 66 packets, 5658 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 12.12.12.12 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
[root@daixuan ~]# iptables -nvL   # without -t the table defaults to filter
Chain INPUT (policy ACCEPT 668 packets, 54802 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 12.12.12.12 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
Adding rules:
-I inserts a rule; it takes effect before the rules that were added earlier;
-A appends a rule; it takes effect after the rules that were added earlier;
-D deletes a rule;
-j DROP: discard the packet outright without a second look
-j REJECT: take the packet, inspect it, and then decide to discard it (the output above shows reject-with icmp-port-unreachable)
-j ACCEPT: accept the packets
The first matching rule wins: once a packet matches an ACCEPT rule it passes and no later rules are checked.
[root@daixuan ~]# iptables -Z   # zero: reset the pkts counters of the rules to 0
[root@daixuan ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 1014 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
-F flushes all rules; by default it flushes the filter table.
[root@daixuan ~]# service iptables restart   # if the firewall rules have not been saved, restarting iptables loses them
iptables:將鏈設置爲政策 ACCEPT:filter [肯定]
iptables:清除防火牆規則: [肯定]
iptables:正在卸載模塊: [肯定]
iptables:應用防火牆規則: [肯定]
[root@daixuan ~]# service iptables save   # save the iptables rules that were added
iptables:將防火牆規則保存到 /etc/sysconfig/iptables: [肯定]
[root@daixuan ~]# iptables-save > 1.ipt   # back up the iptables rules to the file 1.ipt; defaults to the filter table
[root@daixuan ~]# cat 1.ipt
# Generated by iptables-save v1.4.7 on Thu Nov 19 16:45:45 2015
*filter
:INPUT ACCEPT [183:18378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [107:13428]
-A INPUT -s 192.168.101.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
[root@daixuan ~]# iptables -F   # first flush the iptables rules
[root@daixuan ~]# iptables-restore < 1.ipt   # restore the rules in 1.ipt into iptables; defaults to the filter table
On a freshly installed CentOS system, flush the default rules and save the emptied state:
[root@daixuan ~]# service iptables save
iptables:將防火牆規則保存到 /etc/sysconfig/iptables: [肯定]
[root@daixuan ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 40 packets, 7096 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 732 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 732 bytes)
pkts bytes target prot opt in out source destination
PREROUTING translates the public IP to the internal IP; POSTROUTING translates the internal IP to the public IP.
The mangle table is mainly used to mark packets.
-P sets the chain policy
chain policy ACCEPT: all packets are accepted by default
chain policy DROP: all packets are rejected by default
[root@daixuan ~]# iptables -P INPUT DROP   # very dangerous; never do this lightly
[root@daixuan ~]# iptables -P INPUT ACCEPT
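The notes above warn that `iptables -P INPUT DROP` is dangerous because the first matching rule wins and anything not explicitly accepted is then dropped, including your own SSH session. As an added example (not part of the original notes), the POSIX shell check below parses a ruleset in the iptables-save format shown earlier and only allows the DROP policy when the INPUT chain already accepts established connections and TCP port 22 (assumed to be the SSH port) before any catch-all DROP/REJECT rule. Both sample rulesets are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original notes): refuse to set a DROP policy on
# INPUT unless the ruleset already lets established traffic and SSH in.
# Constructed sample ruleset in iptables-save format (not from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [183:18378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [107:13428]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.101.17/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed unsafe variant: a blanket REJECT sits before the SSH rule.
# First match wins, so the later ACCEPT is never reached.
UNSAFE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# safe_to_drop RULESET_TEXT
# Returns 0 when the filter table's INPUT chain accepts ESTABLISHED traffic
# and TCP port 22 (assumed SSH port) before any catch-all DROP/REJECT rule.
safe_to_drop() {
    printf '%s\n' "$1" | awk '
        /^[*]/      { table = substr($0, 2) }        # "*filter" -> table name
        /^COMMIT/   { table = "" }
        table == "filter" && /^-A INPUT / {
            # catch-all drop: no source and no port restriction
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /-s / && $0 !~ /--dport/) blanket = 1
            if (blanket) next                        # later rules never match
            if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = 1
            if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/) ssh = 1
        }
        END { if (est && ssh) exit 0; exit 1 }'
}

# Guarded form of the dangerous command from the notes; needs root to run.
set_input_drop_policy() {
    if safe_to_drop "$(iptables-save)"; then
        iptables -P INPUT DROP
    else
        echo "refusing: INPUT lacks ESTABLISHED/SSH accept rules" >&2
        return 1
    fi
}
```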