Linux網絡相關以及防火牆

時間  2019-11-25
標籤 linux 網絡 相關 以及 防火牆 欄目 Linux 简体版
原文   原文鏈接

Linux網絡相關

  • ifconfig 查看網卡ip (yum install net-tools)
  • ifup 網卡名,啓動網卡 / ifdown 網卡名,關閉網卡
  • 設定虛擬網卡
  • mii-tool 網卡名,查看網卡是否鏈接
  • ethtool 網卡名,也能夠查看網卡是否鏈接
  • 更改主機名hostnamectl set-hostname test-a
  • DNS配置文件/etc/resolv.conf
  • /etc/hosts文件
[root@centos01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.77.134  netmask 255.255.255.0  broadcast 192.168.77.255
        inet6 fe80::20c:29ff:feb9:5699  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b9:56:99  txqueuelen 1000  (Ethernet)
        RX packets 135  bytes 13528 (13.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 126  bytes 18880 (18.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@centos01 ~]# ifdown eno16777736 # 關閉網卡,以後在服務器上啓動該網卡 

[root@centos01 ~]# ifup eno16777736
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

#重啓某個網卡的方法 
[root@centos01 ~]# ifdown eno16777736 && ifup eno16777736
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)

# 添加虛擬網卡
[root@centos01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno16777736:t
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736:t  # 須要更改該的行1
ONBOOT=yes
IPADDR=192.168.77.139  # 須要更改該的行2
NETMASK=255.255.255.0
DEVICE=eno16777736:t  # 須要更改該的行3

[root@centos01 ~]# ifdown eno16777736 && ifup eno16777736
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/11)
[root@centos01 ~]# 
[root@centos01 ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.77.134  netmask 255.255.255.0  broadcast 192.168.77.255
        inet6 fe80::20c:29ff:feb9:5699  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b9:56:99  txqueuelen 1000  (Ethernet)
        RX packets 1920  bytes 180010 (175.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1532  bytes 220506 (215.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno16777736:t: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.77.139  netmask 255.255.255.0  broadcast 192.168.77.255
        ether 00:0c:29:b9:56:99  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# 查看網卡是否已鏈接
[root@centos01 network-scripts]# mii-tool eno16777736
eno16777736: negotiated 1000baseT-FD flow-control, link ok
[root@centos01 network-scripts]# ethtool eno16777736
Settings for eno16777736:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

[root@centos01 network-scripts]# hostnamectl set-hostname test-a
[root@centos01 network-scripts]# hostname
test-a
[root@centos01 network-scripts]# cat /etc/hostname
test-a
[root@centos01 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
[root@centos01 network-scripts]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@centos01 network-scripts]# vi /etc/hosts
[root@centos01 network-scripts]# ping www.gg.com
PING www.abc.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.080 ms
^C
--- www.abc.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.080/0.088/0.104/0.015 ms

Linux 防火牆

  • selinux 臨時關閉 setenforce 0
  • selinux 永久關閉 vi /etc/selinux/config
  • centos7以前使用netfilter防火牆
  • centos7開始使用firewalld防火牆
  • 關閉firewalld開啓netfilter方法
  • systemctl stop firewalld
  • systemctl disable firewalled
  • yum install -y iptables-services
  • systemctl enable iptables
  • systemctl start iptables
[root@centos01 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing  # 改這裏
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


[root@centos01 ~]# getenforce
Enforcing

[root@centos01 ~]# systemctl disable firewalld  # 關閉 firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
[root@centos01 ~]# systemctl stop firewalld # 中止firewalld服務

[root@centos01 ~]# yum install -y iptables-services # 安裝iptables工具

[root@centos01 ~]# systemctl enable iptables # 設置開機啓動
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@centos01 ~]# systemctl start iptables # 啓動iptables服務

[root@centos01 ~]# iptables -nvL  # 查當前iptables規則
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   25  2024 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    1    76 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 1152 bytes)
 pkts bytes target     prot opt in     out     source               destination

Linux 防火牆——netfilter

  • netfilter的5個表html

  • filter表用於過濾包,最經常使用的表,有INPUT、FORWARD、OUTPUT三個鏈linux

  • nat表用於網絡地址轉換,有PREROUTING、OUTPUT、POSTROUTING三個鏈centos

  • managle表用於給數據包作標記,幾乎用不到服務器

  • raw表能夠實現不追蹤某些數據包,幾乎不用網絡

  • security表在centos6中並無,用於強制訪問控制(MAC)的網絡規則,幾乎不用dom

  • 參考問章 http://www.cnblogs.com/metoy/p/4320813.htmltcp

  • 數據包流向與netfilter的5個鏈工具

  • PREROUTING: 數據包進入路由表以前oop

  • INPUT: 經過路由表後目的地爲本機this

  • FORWARD: 經過路由表後,目的地不爲本機

  • OUTPUT: 由本機產生,向外發出

  • POSTROUTING: 發送到網卡接口以前

iptables 語法

  • 查看iptables規則 iptables -nvL
  • iptables -F 清空規則
  • service iptables save 保存規則
  • iptables -t nat, -t指定表
  • iptables -Z 能夠把計數器清零
  • iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
  • iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP
  • iptables -I INPUT -s 192.168.1.0/26 -i eht0 -j ACCEPT
  • iptables -nvL --line-numbers
  • iptables -D INPUT 1
  • iptables -P INPUT DROP
[root@centos01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@centos01 ~]# iptables -F
[root@centos01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 28 packets, 2016 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 15 packets, 1592 bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@centos01 ~]# service iptables restart
Redirecting to /bin/systemctl restart  iptables.service
[root@centos01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   43  3128 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2424 bytes)
 pkts bytes target     prot opt in     out     source               destination 

[root@centos01 ~]# iptables -Z;iptables -nvL #清空後pkts以及bytes爲0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@centos01 ~]# iptables -nvL # 過一會執行命令有新的數據
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   22  1904 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 2904 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@centos01 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      112  8476 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        3   234 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 70 packets, 9936 bytes)
num   pkts bytes target     prot opt in     out     source               destination
相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程