【2018.05.08學習筆記】【linux基礎知識10.11-10.14】
10.11 Linux網絡相關
ifconfig命令:查看網卡信息(安裝net-tools包),ip addr命令也能查看網卡信息(顯示沒那麼規整)html
[root@lgs-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.87.130 netmask 255.255.255.0 broadcast 192.168.87.255
inet6 fe80::f74d:28a0:35b4:f7a3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d0:e2:b8 txqueuelen 1000 (Ethernet)
RX packets 109 bytes 11724 (11.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 90 bytes 11619 (11.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 72 bytes 5712 (5.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 72 bytes 5712 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@lgs-01 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d0:e2:b8 brd ff:ff:ff:ff:ff:ff
inet 192.168.87.130/24 brd 192.168.87.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::f74d:28a0:35b4:f7a3/64 scope link
valid_lft forever preferred_lft forever
-a選項:顯示全部網絡接口的信息,不管是否激活(如禁用網卡 ifconfig ens33 down以後)linux
ifconfig ens33 down:禁用網卡; ifconfig ens33 up:啓用網卡。shell
不加-a選項,看不到禁用的網卡。 
vim
ifdown ens33:把網卡斷開鏈接 centos
ifup ens33:把網卡鏈接上 bash
ifup、ifdown只是腳本,不是命令。服務器
ifdown要與ifup 一塊兒連着用,防止遠程登陸失效,致使外地的服務器鏈接不上。網絡
[root@lgs-01 ~]# ifdown ens33 && ifup ens33 成功斷開設備 'ens33'。 鏈接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/7)
設定一個虛擬網卡:拷貝網卡配置文件,修改ip信息便可。虛擬網卡通常在lvs、keepalived中使用架構
修改完配置文件,重連網卡app
[root@lgs-01 ~]# cd /etc/sysconfig/network-scripts/
[root@lgs-01 network-scripts]# ls
ifcfg-ens33 ifdown-eth ifdown-post ifdown-Team ifup-aliases ifup-ipv6 ifup-post ifup-Team init.ipv6-global
ifcfg-lo ifdown-ippp ifdown-ppp ifdown-TeamPort ifup-bnep ifup-isdn ifup-ppp ifup-TeamPort network-functions
ifdown ifdown-ipv6 ifdown-routes ifdown-tunnel ifup-eth ifup-plip ifup-routes ifup-tunnel network-functions-ipv6
ifdown-bnep ifdown-isdn ifdown-sit ifup ifup-ippp ifup-plusb ifup-sit ifup-wireless
[root@lgs-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@lgs-01 network-scripts]# ls
ifcfg-ens33 ifdown-bnep ifdown-isdn ifdown-sit ifup ifup-ippp ifup-plusb ifup-sit ifup-wireless
ifcfg-ens33:0 ifdown-eth ifdown-post ifdown-Team ifup-aliases ifup-ipv6 ifup-post ifup-Team init.ipv6-global
ifcfg-lo ifdown-ippp ifdown-ppp ifdown-TeamPort ifup-bnep ifup-isdn ifup-ppp ifup-TeamPort network-functions
ifdown ifdown-ipv6 ifdown-routes ifdown-tunnel ifup-eth ifup-plip ifup-routes ifup-tunnel network-functions-ipv6
[root@lgs-01 network-scripts]# vim ifcfg-ens33:0
[root@lgs-01 network-scripts]# ifdown ens33 && ifup ens33
成功斷開設備 'ens33'。
鏈接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/9)
[root@lgs-01 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.87.130 netmask 255.255.255.0 broadcast 192.168.87.255
inet6 fe80::f74d:28a0:35b4:f7a3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d0:e2:b8 txqueuelen 1000 (Ethernet)
RX packets 2197 bytes 186162 (181.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1125 bytes 172779 (168.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.87.138 netmask 255.255.255.0 broadcast 192.168.87.255
ether 00:0c:29:d0:e2:b8 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 72 bytes 5712 (5.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 72 bytes 5712 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
查看網卡是否接線:link ok便可;用ethtool也能夠:Link detected: yes
[root@lgs-01 network-scripts]# mii-tool ens33 ens33: negotiated 1000baseT-FD flow-control, link ok [root@lgs-01 network-scripts]# ethtool ens33 Settings for ens33: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supported pause frame use: No Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Speed: 1000Mb/s Duplex: Full Port: Twisted Pair PHYAD: 0 Transceiver: internal Auto-negotiation: on MDI-X: off (auto) Supports Wake-on: d Wake-on: d Current message level: 0x00000007 (7) drv probe link Link detected: yes
更改主機名:hostnamectl set-hostname lgs-xp
進入子bash生效,或者重連shell就生效。
[root@lgs-01 ~]# hostnamectl set-hostname lgs [root@lgs-01 ~]# hostname lgs [root@lgs-01 ~]# cat /etc/hostname lgs [root@lgs-01 ~]# bash [root@lgs ~]#
修改DNS:在配置文件 /etc/resolv/conf 修改,臨時生效。網卡重啓時,會被網卡的配置文件的DNS覆蓋。
[root@lgs ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 119.29.29.29 [root@lgs ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 [root@lgs ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 119.29.29.29 [root@lgs ~]# ifdown ens33 && ifup ens33 成功斷開設備 'ens33'。 鏈接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/10) [root@lgs ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 119.29.29.29 nameserver 8.8.8.8
host文件:指定本機域名解析到指定的ip,只在本機生效,繞過DNS服務器。能夠多個域名指向一個ip。
[root@lgs ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@lgs ~]# vim /etc/hosts [root@lgs ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.87.130 www.123.com www.163.com 192.168.87.2 www.qq.com 192.168.87.2 www.abc.com [root@lgs ~]# ping www.163.com PING www.123.com (192.168.87.130) 56(84) bytes of data. 64 bytes from www.123.com (192.168.87.130): icmp_seq=1 ttl=64 time=0.102 ms 64 bytes from www.123.com (192.168.87.130): icmp_seq=2 ttl=64 time=0.082 ms 64 bytes from www.123.com (192.168.87.130): icmp_seq=3 ttl=64 time=0.087 ms ^C --- www.123.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 0.082/0.090/0.102/0.011 ms [root@lgs ~]# ping www.123.com PING www.123.com (192.168.87.130) 56(84) bytes of data. 64 bytes from www.123.com (192.168.87.130): icmp_seq=1 ttl=64 time=0.060 ms 64 bytes from www.123.com (192.168.87.130): icmp_seq=2 ttl=64 time=0.070 ms ^C --- www.123.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.060/0.065/0.070/0.005 ms
若是有一樣重複的域名的,只有最後一行生效。
[root@lgs ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.87.130 www.123.com www.163.com 192.168.87.2 www.qq.com 127.0.0.1 www.123.com [root@lgs ~]# ping www.123.com PING www.123.com (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.042 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.079 ms 64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.079 ms 64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.067 ms ^C --- www.123.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.042/0.066/0.079/0.018 ms
10.12 firewalld和netfilter
setenforce 0:臨時關閉selinux
[root@lgs ~]# getenforce Enforcing [root@lgs ~]# setenforce 0 [root@lgs ~]# getenforce Permissive
要永久關閉selinux:修改配置文件SELINUX=disabled,重啓系統生效
[root@lgs ~]# vim /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
防火牆firewalld:centos 7版本的防火牆
防火牆netfilter:centos 五、6版本的防火牆
在centos7上也能夠開啓netfilter防火牆:
一、不開機啓動firewalld,關閉firewalld
[root@lgs ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@lgs ~]# systemctl stop firewalld
二、安裝iptables-services包
[root@lgs ~]# yum install -y iptables-services 已加載插件:fastestmirror Loading mirror speeds from cached hostfile * epel: mirror01.idc.hinet.net 正在解決依賴關係 --> 正在檢查事務 ---> 軟件包 iptables-services.x86_64.0.1.4.21-18.3.el7_4 將被 安裝 --> 正在處理依賴關係 iptables = 1.4.21-18.3.el7_4,它被軟件包 iptables-services-1.4.21-18.3.el7_4.x86_64 須要 --> 正在檢查事務 ---> 軟件包 iptables.x86_64.0.1.4.21-18.0.1.el7.centos 將被 升級 ---> 軟件包 iptables.x86_64.0.1.4.21-18.3.el7_4 將被 更新 --> 解決依賴關係完成 依賴關係解決 ============================================================================================================================================================== Package 架構 版本 源 大小 ============================================================================================================================================================== 正在安裝: iptables-services x86_64 1.4.21-18.3.el7_4 updates 51 k 爲依賴而更新: iptables x86_64 1.4.21-18.3.el7_4 updates 428 k 事務概要 ============================================================================================================================================================== 安裝 1 軟件包 升級 ( 1 依賴軟件包) 總下載量:479 k Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/2): iptables-services-1.4.21-18.3.el7_4.x86_64.rpm | 51 kB 00:00:00 (2/2): iptables-1.4.21-18.3.el7_4.x86_64.rpm | 428 kB 00:00:00 -------------------------------------------------------------------------------------------------------------------------------------------------------------- 總計 691 kB/s | 479 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction 正在更新 : iptables-1.4.21-18.3.el7_4.x86_64 1/3 正在安裝 : iptables-services-1.4.21-18.3.el7_4.x86_64 2/3 清理 : iptables-1.4.21-18.0.1.el7.centos.x86_64 3/3 驗證中 : iptables-1.4.21-18.3.el7_4.x86_64 1/3 驗證中 : iptables-services-1.4.21-18.3.el7_4.x86_64 2/3 驗證中 : iptables-1.4.21-18.0.1.el7.centos.x86_64 3/3 已安裝: iptables-services.x86_64 0:1.4.21-18.3.el7_4 做爲依賴被升級: iptables.x86_64 0:1.4.21-18.3.el7_4 完畢!
三、開機啓動iptables,開啓iptables服務
[root@lgs ~]# systemctl enable iptables Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@lgs ~]# systemctl start iptables
四、開啓netfilter防火牆成功,查看iptables默認規則。netfilter纔是防火牆的名字,iptables只是他的一個工具。
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25 1728 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1412 bytes)
pkts bytes target prot opt in out source destination
10.13 netfilter5表5鏈介紹
netfilter的5個表:filter、nat、mangle、raw、security,通常操做filter和nat便可。 CentOS 五、6沒有 security表。
[root@lgs ~]# man iptables
IPTABLES(8) iptables 1.4.21 IPTABLES(8)
NAME
iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
SYNOPSIS
iptables [-t table] {-A|-C|-D} chain rule-specification
ip6tables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
DESCRIPTION
Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several dif‐
ferent tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `tar‐
get', which may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does
match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in
iptables-extensions(8), or one of the special values ACCEPT, DROP or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. RETURN means stop traversing this chain and resume at the
next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched,
the target specified by the chain policy determines the fate of the packet.
TABLES
There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are
present).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module
loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets),
FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for
altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering
packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming
packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in
chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box),
and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at
the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following
built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets.
Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the fol‐
lowing built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing),
and FORWARD (for altering packets being routed through the box).
filter表:有 INPUT、FORWARD、OUTPUT三個鏈(chain)
INPUT:數據包進入本機時進行操做的規則
FORWARD:目標地址不是本機的數據包,通過本機轉發,沒有進入系統內核。轉發處理時的規則。
OUTPUT:本機產生的數據包,出去前進行操做的規則。
-t選項:指定表
[root@lgs ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
171 13076 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 133 packets, 20408 bytes)
pkts bytes target prot opt in out source destination
nat表:路由器的實現就是用nat原理,還能夠進行端口映射。nat有 PREROUTING、OUTPUT、POSTROUTING三個鏈(chain)
PREROUTING:數據包進來本機時,進行修改的規則
OUTPUT:本機產生的數據包,出去前進行操做的規則。
POSTROUTING:數據包出去本機時,進行修改的規則
默認nat三個鏈的規則都爲空
[root@lgs ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
netfilter的5表5鏈 參考學習文章:iptables詳解 www.cnblogs.com/metoy/p/4320813.html
10.14 iptables語法
iptables -nvL 默認規則:即filter表的默認規則。在配置文件/etc/sysconfig/iptables 裏定義。
[root@lgs ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
279 21744 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
58 5158 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 221 packets, 30752 bytes)
pkts bytes target prot opt in out source destination
-F選項:清空後規則,臨時生效。重啓iptables服務後仍是會加載默認規則。
[root@lgs ~]# iptables -F
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 388 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target prot opt in out source destination
[root@lgs ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 388 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
pkts bytes target prot opt in out source destination
要永久生效,修改規則後要保存一下:
service iptables save
-Z選項:計數器清零包數據的統計
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
55 4084 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 45 packets, 7720 bytes)
pkts bytes target prot opt in out source destination
[root@lgs ~]# iptables -Z && iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
-A選項:增長規則,在現有規則最後增長。後面指定鏈,-s指定源ip,-p指定協議,--sport端口,-d目標ip,-dport目標端口 -j操做 DROP 丟棄。另外有 ACCEPT 、REJECT等。
[root@lgs ~]# iptables -A INPUT -s 192.168.87.150 -p tcp --sport 1234 -d 192.168.87.130 --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
194 13960 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.87.150 192.168.87.130 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 6 packets, 744 bytes)
pkts bytes target prot opt in out source destination
-I選項:插入規則,在現有規則前面插入變成第一條規則。優先過濾執行,若是有匹配的立馬執行,後面有相同匹配的就不執行了。
[root@lgs ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
306 22376 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.87.150 192.168.87.130 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
pkts bytes target prot opt in out source destination
-D選項:刪除規則。
[root@lgs ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
360 27348 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.87.150 192.168.87.130 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
pkts bytes target prot opt in out source destination
若是想刪除好久以前添加的規則,可是有不記得具體的參數命令了。能夠用規則編號
[root@lgs ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 407 30984 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 DROP tcp -- * * 192.168.87.150 192.168.87.130 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 38 packets, 4860 bytes)
num pkts bytes target prot opt in out source destination
[root@lgs ~]# iptables -D INPUT 6
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
483 36808 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
2 473 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 20 packets, 2108 bytes)
pkts bytes target prot opt in out source destination
-i選項:指定網卡 -i eth0
-P選項:修改默認規則的動做策略,默認是policy ACCEPT,謹慎修改,會致使網絡沒法訪問。
[root@lgs ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
490 37296 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
3 702 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 28 packets, 3860 bytes)
pkts bytes target prot opt in out source destination
相關文章
- 1. Linux之基礎知識學習筆記
- 2. Linux學習筆記:基礎知識學習整理【圖】
- 3. Hibernate學習筆記之基礎知識
- 4. Java基礎知識學習筆記五
- 5. Struts2學習筆記1——基礎知識
- 6. WireShark學習筆記(一)基礎知識
- 7. HTML基礎知識學習筆記
- 8. Python學習筆記(1)——基礎知識
- 9. Redis學習筆記:基礎知識
- 10. san學習筆記(二)--基礎知識
- 更多相關文章...
- • Kotlin 基礎語法 - Kotlin 教程
- • Scala 基礎語法 - Scala教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • Kotlin學習(二)基本類型
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. No provider available from registry 127.0.0.1:2181 for service com.ddbuy.ser 解決方法
- 2. Qt5.7以上調用虛擬鍵盤(支持中文),以及源碼修改(可拖動,水平縮放)
- 3. 軟件測試面試- 購物車功能測試用例設計
- 4. ElasticSearch(概念篇):你知道的, 爲了搜索…
- 5. redux理解
- 6. gitee創建第一個項目
- 7. 支持向量機之硬間隔(一步步推導,通俗易懂)
- 8. Mysql 異步複製延遲的原因及解決方案
- 9. 如何在運行SEPM配置嚮導時將不可認的複雜數據庫密碼改爲簡單密碼
- 10. windows系統下tftp服務器使用
歡迎關注本站公眾號,獲取更多信息
相關文章