10月25日任務
10.11 Linux網絡相關
10.12 firewalld和netfilter
10.13 netfilter5表5鏈介紹
10.14 iptables語法
10.11 Linux網絡相關
ifconfig查看網卡IP (yum install -y net-tools)
ifup eth0/ifdown eth0
設定虛擬網卡eth0:1
mii-tool eth0 查看網卡是否連接
ethtool ens33 也能夠查看網卡是否連接
更改主機名 hostnamectl set-hostname aminglinux
DNS配置文件/etc/resolv.conf
/etc/hosts文件
# 由於是遠程連接,所以只能演示同時執行關閉網卡和開啓網卡。(當修改指定網卡配置信息後可以執行這條命令重啓網卡)
[root@centos6 ~]# ifdown eth0 && ifup eth0 Determining if ip address 172.16.5.235 is already in use for device eth0...
#設置一個虛擬的網卡信息
[root@centos6 ~]# cd /etc/sysconfig/network-scripts/ [root@centos6 network-scripts]# ls ifcfg-eth0 ifdown-isdn ifup-eth ifup-routes ifcfg-eth0:1 ifdown-post ifup-ib ifup-sit ifcfg-lo ifdown-ppp ifup-ippp ifup-tunnel ifdown ifdown-routes ifup-ipv6 ifup-wireless ifdown-bnep ifdown-sit ifup-isdn init.ipv6-global ifdown-eth ifdown-tunnel ifup-plip net.hotplug ifdown-ib ifup ifup-plusb network-functions ifdown-ippp ifup-aliases ifup-post network-functions-ipv6 ifdown-ipv6 ifup-bnep ifup-ppp [root@centos6 network-scripts]# cp ifcfg-eth0 ifcfg-eth0\:1 [root@centos6 network-scripts]# vim !$ vim ifcfg-eth0\:1 [root@centos6 network-scripts]# ifdown eth0 && ifup eth0 Determining if ip address 172.16.5.235 is already in use for device eth0... Determining if ip address 172.16.5.236 is already in use for device eth0... [root@centos6 network-scripts]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:56:A4:3D:92 inet addr:172.16.5.235 Bcast:172.16.5.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:fea4:3d92/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:492143 errors:0 dropped:0 overruns:0 frame:0 TX packets:92971 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:41370766 (39.4 MiB) TX bytes:29602942 (28.2 MiB) eth0:1 Link encap:Ethernet HWaddr 00:50:56:A4:3D:92 inet addr:172.16.5.236 Bcast:172.16.5.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
# 遠程查看網卡是否連上網線:提示link ok 說明連接了網線,link no說明沒有連接網線
[root@centos6 network-scripts]# mii-tool eth0 eth0: negotiated 100baseTx-FD, link ok
#更改主機名
[root@zgxlinux-01 ~]# hostnamectl set-hostname zgxlinux-001 [root@zgxlinux-01 ~]# bash [root@zgxlinux-001 ~]# exit exit
#DNS配置文件,修改這個配置文件只能臨時生效 ,重啓後將恢復成eth0配置文件的DNS
[root@zgxlinux-01 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 119.29.29.29
10.十二、firewalld和netfilter
linux防火牆-netfilter
selinux 臨時關閉setenforce 0
selinux 永久關閉 vi /etc/selinux/config
centos7以前使用netfilter防火牆(透過iptables服務管理規則)
centos7開始使用firewalld防火牆(firewalld和iptables-services都只是netfilter的管理前端,內核裏的過濾機制仍然是netfilter)
關閉firewalld開啓netfilter方法
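# Switch the host from firewalld to the classic iptables service.
# Both are front ends for the kernel's netfilter; only the management
# daemon changes. Unit names must be spelled exactly ("firewalld"),
# otherwise systemctl reports an unknown unit and nothing is stopped.
systemctl stop firewalld
systemctl disable firewalld
# Provides the iptables systemd unit and the rule file /etc/sysconfig/iptables.
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables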
#臨時關閉和永久關閉SELinux:setenforce 0 是臨時關閉(切換到 permissive,策略不再強制但仍會記錄拒絕日誌),永久關閉把SELINUX=enforcing改成SELINUX=disabled,然後重啓系統。getenforce輸出Permissive表示臨時關閉,Enforcing 表示打開。
[root@zgxlinux-01 ~]# setenforce 0 [root@zgxlinux-01 ~]# vim /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root@zgxlinux-01 ~]# getenforce Permissive
#centos7開始防火牆是firewalld,centos7以前防火牆是netfilter,可是不少企業都還用的是centos6甚至更早的版本 ,因此咱們不能不知道。那如何把centos7防火牆切換到centos6使用的netfilter呢 ,下邊咱們來操做。
[root@zgxlinux-01 ~]# systemctl disable firewalld #先把firewalld改成開機不自啓動 Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@zgxlinux-01 ~]# systemctl stop firewalld #而後再停掉firewelld防火牆 [root@zgxlinux-01 ~]# yum install -y iptables-services #在開啓netfileter以前須要安裝這個包 [root@zgxlinux-01 ~]# systemctl enable iptables #安裝以後會產生一個iptables服務 Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@zgxlinux-01 ~]# systemctl start iptables #開啓iptables服務 [root@zgxlinux-01 ~]# iptables -nvL #運行iptables -nvL命令能夠查看iptables的一些默認規則 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 36 2432 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 23 packets, 2012 bytes) pkts bytes target prot opt in out source destination
10.13 netfilter5表5鏈介紹
netfilter的5個表
filter表用於過濾包,最常用的表,有INPUT、FORWARD、OUTPUT三個鏈
nat表用於網絡地址轉換,有PREROUTING、OUTPUT、POSTROUTING三個鏈
mangle表用於給數據包做標記,幾乎用不到
raw表能夠實現不追蹤某些數據包,阿銘歷來不用
security表在centos6中並無,用於強制訪問控制(MAC)的網絡規則,阿銘沒用過
參考文章 http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables語法
數據包流向與netfilter的5個鏈
PREROUTING:數據包進入路由表以前
INPUT:經過路由表後目的地爲本機
FORWARD:經過路由表後,目的地不爲本機
OUTPUT:由本機產生,向外發送
POSTROUTING:發送到網卡接口以前
相關命令和用法
查看iptables規則:iptables -nvL
iptables -F 清空規則
service iptables save 保存規則
iptables -t nat //-t指定表
iptables -Z 能夠把計數器清零
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP #-A新增 -I 插入 -D 刪除
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
iptables -nvL --line-numbers
iptables -D INPUT 1
iptables -P INPUT DROP #-P 設定鏈的默認策略(policy),這條通常不要輕易執行:遠程操作時若沒有先放行 SSH(tcp 22)和已建立連接(RELATED,ESTABLISHED)的規則,執行後會把自己鎖在主機外面。
#默認規則保存位置在/etc/sysconfig/iptables下
[root@zgxlinux-01 ~]# cat /etc/sysconfig/iptables # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
#iptables -F清空的是內存中當前生效的規則,配置文件裏邊的規則還保存着。service iptables save 會把當前內存中的規則寫入配置文件,所以在 -F 之後 save 存下的是空規則集;用 iptables 命令直接修改的規則立即生效,重啓服務則是從配置文件重新載入規則(未 save 的修改會丟失)。
[root@zgxlinux-01 ~]# iptables -F [root@zgxlinux-01 ~]# iptables -nvL Chain INPUT (policy ACCEPT 29 packets, 1940 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes) pkts bytes target prot opt in out source destination [root@zgxlinux-01 ~]# service iptables save [root@zgxlinux-01 ~]# service iptables restart Redirecting to /bin/systemctl restart iptables.service
# -A表示增長規則 ,-I表示插入規則。
[root@zgxlinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP [root@zgxlinux-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP [root@zgxlinux-01 ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 67 4740 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 1 229 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes) pkts bytes target prot opt in out source destination
#刪除規則。
[root@zgxlinux-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP [root@zgxlinux-01 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP [root@zgxlinux-01 ~]# iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 309 24924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 2 458 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes) pkts bytes target prot opt in out source destination
#刪除規則的時候必需要把規則寫的徹底相同,可是時間久了咱們記不住具體規則了怎麼刪除呢?這時候咱們能夠把規則編號;
[root@zgxlinux-01 ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 2 604 48564 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 6 2 458 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 7 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 61 packets, 10052 bytes) num pkts bytes target prot opt in out source destination [root@zgxlinux-01 ~]# iptables -D INPUT 7 [root@zgxlinux-01 ~]# iptables -D INPUT 1 [root@zgxlinux-01 ~]# iptables -nvL --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 677 53536 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 2 458 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT 6 packets, 696 bytes) num pkts bytes target prot opt in out source destination