The ifconfig command
ifconfig is installed by default on CentOS 6. CentOS 7 does not ship it by default; install it with yum: yum install net-tools. (CentOS 7 maintains the iproute2 ip command instead, which is the tool to reach for on new systems; ifconfig is used below because it is what the rest of this post shows.)
Bring a single interface down and back up with ifdown and ifup (if you do this over an SSH session that runs through the same interface, the session can stall or drop while the interface is down; a console is safer):
[root@localhost /]# ifdown enp0s3 && ifup enp0s3
Device 'enp0s3' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Setting up a virtual (alias) interface: copy the existing interface's config file, change the interface name in the copy and restart the interface; the alias shows up as a device with its own IP address that other hosts can reach. Two caveats the listing below glosses over: the alias file needs its own IPADDR (the ifconfig output further down shows 192.168.1.233, so the real file contained one even though the excerpt omits it), and the UUID line copied from the parent should be removed rather than duplicated, since NetworkManager identifies connections by UUID and expects each one to be unique. Interface aliases of this kind are a legacy mechanism; a secondary address added with the ip command does not appear in ifconfig at all unless it was given a label.
- [root@localhost network-scripts]# cp ifcfg-enp0s3 ifcfg-enp0s3\:0
- [root@localhost network-scripts]# vim ifcfg-enp0s3\:0
- TYPE=Ethernet
- BOOTPROTO=static
- DEFROUTE=yes
- PEERROUTES=yes
- IPV4_FAILURE_FATAL=no
- NAME=enp0s3:0
- UUID=bf8adc16-a9c3-494a-b47e-f572fad38639
- DEVICE=enp0s3:0
- [root@localhost network-scripts]# ifdown enp0s3 && ifup enp0s3
Device 'enp0s3' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
- [root@localhost network-scripts]# ifconfig
- enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
- inet 192.168.1.223 netmask 255.255.255.0 broadcast 192.168.1.255
- ether 08:00:27:a7:f9:c2 txqueuelen 1000 (Ethernet)
- RX packets 20698 bytes 21236657 (20.2 MiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 9509 bytes 924400 (902.7 KiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- enp0s3:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
- inet 192.168.1.233 netmask 255.255.255.0 broadcast 192.168.1.255
- ether 08:00:27:a7:f9:c2 txqueuelen 1000 (Ethernet)
Hostname: hostname NAME changes it for the running system only (lost at reboot). For a permanent change on CentOS 7 use hostnamectl set-hostname NAME, which writes /etc/hostname and updates the running hostname at the same time. Editing /etc/hostname by hand also works, but that file is only read at boot, so the change shows up after a reboot; re-sourcing /etc/profile has no effect, because the hostname is not an environment variable. Add the new name to /etc/hosts as well so that resolving the local host's own name keeps working.
DNS: /etc/resolv.conf. With NetworkManager managing the interface this file is generated, not authoritative: the DNS1/DNS2 entries in the interface's ifcfg file (or the servers learned via DHCP) are written back into it each time the connection comes up, so hand edits are overwritten on the next restart or ifup. Put the resolvers in the ifcfg file (DNS1=, DNS2=), or set PEERDNS=no there if resolv.conf is to be left alone.
Local name resolution: /etc/hosts. Entries here apply only to this machine and, with the default hosts: files dns order in /etc/nsswitch.conf, they are consulted before DNS, so a name listed here never reaches the resolver. One IP per line, followed by any number of names it should answer to. Because an entry silently overrides DNS for every program on the host, unexpected lines in this file are worth treating as a tampering indicator.
- [root@localhost network-scripts]# vim /etc/hosts
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
- 192.168.1.233 www.bilibili.com www.abc.com www.123.com
- [root@localhost network-scripts]# ping www.bilibili.com
- PING www.bilibili.com (192.168.1.233) 56(84) bytes of data.
- 64 bytes from www.bilibili.com (192.168.1.233): icmp_seq=1 ttl=64 time=0.219 ms
firewalld and netfilter
Disabling SELinux. SELinux is enabled (enforcing) by default, and a freshly installed service can fail to start when its files or ports are not labelled the way the policy expects. Switching to permissive mode keeps the policy loaded and logs every denial to /var/log/audit/audit.log without blocking anything, which is the right way to confirm that SELinux is the cause and to see which rule would be needed; disabling it outright removes a mandatory access control layer from the whole system. To switch to permissive mode for the running system (reverts at reboot):
- [root@localhost network-scripts]# setenforce 0
- [root@localhost network-scripts]# getenforce
- Permissive
getenforce reports Permissive here, not Disabled: Disabled is only shown after SELinux has been turned off in /etc/selinux/config and the system rebooted, and in that state setenforce refuses to run at all.
Disabling SELinux permanently: set SELINUX=disabled in /etc/selinux/config and reboot. Once a system has run with SELinux disabled, new files carry no security labels, so turning it back on later needs a full relabel (touch /.autorelabel, then reboot). SELINUX=permissive is the less drastic permanent setting: labels are maintained and denials are logged, but nothing is blocked.
- [root@localhost ~]# vim /etc/selinux/config
- # This file controls the state of SELinux on the system.
- # SELINUX= can take one of these three values:
- # enforcing - SELinux security policy is enforced.
- # permissive - SELinux prints warnings instead of enforcing.
- # disabled - No SELinux policy is loaded.
- SELINUX=disabled
- # SELINUXTYPE= can take one of three two values:
- # targeted - Targeted processes are protected,
- # minimum - Modification of targeted policy. Only selected processes are protected.
- # mls - Multi Level Security protection.
- SELINUXTYPE=targeted
Stop firewalld and use the netfilter tooling directly. This needs the iptables-services package, which provides the iptables systemd unit and keeps the saved rules in /etc/sysconfig/iptables. Disable firewalld before enabling iptables.service: both manage the same kernel tables, and running them side by side leaves whichever started last in control.
- [root@localhost network-scripts]# systemctl disable firewalld
- Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
- Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
- [root@localhost network-scripts]# systemctl stop firewalld
- [root@localhost network-scripts]# yum install -y iptables-services
Loaded plugins: fastestmirror
- Loading mirror speeds from cached hostfile
- * base: mirrors.aliyun.com
- * epel: mirrors.ustc.edu.cn
- * extras: mirrors.aliyun.com
- * updates: mirrors.sohu.com
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-24.1.el7_5 will be installed
--> Processing Dependency: iptables = 1.4.21-24.1.el7_5 for package: iptables-services-1.4.21-24.1.el7_5.x86_64
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-17.el7 will be updated
---> Package iptables.x86_64 0:1.4.21-24.1.el7_5 will be an update
--> Finished Dependency Resolution
Installed:
iptables-services.x86_64 0:1.4.21-24.1.el7_5
Dependency Updated:
iptables.x86_64 0:1.4.21-24.1.el7_5
Complete!
- [root@localhost network-scripts]# systemctl enable iptables
- Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
- [root@localhost network-scripts]# systemctl start iptables
- [root@localhost network-scripts]# iptables -nvL
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 51 3496 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 8 699 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain OUTPUT (policy ACCEPT 29 packets, 2876 bytes)
- pkts bytes target prot opt in out source destination
iptables is only the user-space tool for configuring netfilter, the packet-filtering framework inside the kernel; in everyday use the whole thing is simply called iptables.
netfilter: the 5 tables and 5 chains
The five chains correspond to the points where netfilter hooks into the packet path: PREROUTING (packet just arrived, before the routing decision), INPUT (packet destined for this host), FORWARD (packet routed through this host), OUTPUT (packet generated by this host) and POSTROUTING (packet about to leave, after routing). A table only has the chains that make sense for its job.
filter table: the default table, with the INPUT, OUTPUT and FORWARD chains
INPUT filters traffic addressed to this host, typically by destination port or source IP
FORWARD filters traffic that this host routes on behalf of others, i.e. packets whose destination is not a local address; it only sees traffic when net.ipv4.ip_forward is enabled
OUTPUT filters traffic originated by this host, for example to block packets to a given IP
nat table: address translation, with the PREROUTING, INPUT, OUTPUT and POSTROUTING chains (as the iptables -t nat -nvL listing further down shows)
PREROUTING runs before the routing decision, so it is where the destination address is rewritten (DNAT), e.g. sending traffic for a public port to an internal host
POSTROUTING runs after the routing decision, so it is where the source address is rewritten (SNAT or MASQUERADE), e.g. making internal hosts appear as the gateway's address
To let an internal server and the public network talk to each other, the gateway does port mapping: DNAT in PREROUTING for inbound connections and SNAT in POSTROUTING for outbound ones. nat rules are only consulted for the first packet of a connection; the connection tracker then applies the same translation to the rest of the connection.
mangle table: alters packet headers and marks packets (TTL, TOS, fwmark) for routing or QoS decisions; has all five chains
raw table: exempts selected packets from connection tracking (NOTRACK); PREROUTING and OUTPUT only
security table: rules for mandatory access control (MAC), e.g. SELinux SECMARK labels; INPUT, OUTPUT and FORWARD
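The port-mapping setup described above, as an added example that is not part of the original post: a script that writes the nat and filter rules for a gateway publishing an internal server, in iptables-restore format so that the whole set is loaded atomically. The interface names, addresses and ports (eth0/203.0.113.10 on the public side, eth1/192.168.1.0/24 inside, the server 192.168.1.233 published on port 80 and listening on 8080) are assumed lab values.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the nat-table and
# filter-table rules for a gateway that publishes an internal server on a
# public port. Output is in iptables-restore format so the whole set is applied
# in one step (iptables-restore < file) instead of one iptables command at a time.
# All addresses and interface names used below are hypothetical lab values.

# gen_nat_rules WAN_IF WAN_IP LAN_IF LAN_NET INTERNAL_IP PUBLIC_PORT INTERNAL_PORT
gen_nat_rules() {
    wan_if=$1; wan_ip=$2; lan_if=$3; lan_net=$4
    int_ip=$5; pub_port=$6; int_port=$7
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING is hit before the routing decision, so the destination is
# rewritten here (DNAT): packets for the public address:port go to the LAN host.
-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
# POSTROUTING is hit after routing, so the source is rewritten here (SNAT):
# LAN hosts leaving through the WAN interface appear as the gateway address.
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD only sees routed (non-local) traffic; with a DROP policy, allow
# replies, the published service, and LAN-originated outbound connections.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $int_ip -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the kernel will actually route packets; NAT rules without
# net.ipv4.ip_forward=1 translate nothing because nothing is forwarded.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# apply_nat_rules: same arguments as gen_nat_rules; loads the set (root only).
apply_nat_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_nat_rules "$@" | iptables-restore
}

# Usage: ./nat-gateway.sh          prints the ruleset for review
#        ./nat-gateway.sh --apply  loads it (root only)
if [ "$1" = "--apply" ]; then
    apply_nat_rules eth0 203.0.113.10 eth1 192.168.1.0/24 192.168.1.233 80 8080
else
    gen_nat_rules eth0 203.0.113.10 eth1 192.168.1.0/24 192.168.1.233 80 8080
fi
```

Review the printed ruleset first; iptables-restore replaces the named tables in one transaction, so a typo does not leave the gateway half-configured the way a sequence of individual iptables commands can.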
iptables syntax
iptables -nvL lists the rules of the default filter table (-n: no name lookups, -v: packet and byte counters, -L: list)
- [root@localhost network-scripts]# iptables -nvL
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 984 83612 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 3211 287K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain OUTPUT (policy ACCEPT 772 packets, 175K bytes)
- pkts bytes target prot opt in out source destination
iptables -F flushes the rules. It only flushes the table named with -t (the filter table if none is given), and it does not reset the chain policies: on a chain whose policy is DROP, flushing removes the ACCEPT rules and leaves the policy in place, which cuts off every connection including your SSH session.
iptables -t nat -nvL lists the rules of a specific table
- [root@localhost network-scripts]# iptables -t nat -nvL
- Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
iptables -Z zeroes the counters
Each rule keeps a packet and byte count of the traffic that matched it. The counters show how much traffic a rule sees (a rule whose counters never leave 0 is either unused or unreachable), and they are the basis for deciding on rate or volume limits; add -x to -nvL to get exact byte counts instead of rounded K/M values.
iptables -A INPUT -s 192.168.1.112 -p tcp --sport 1234 -d 192.168.1.223 --dport 80 -j DROP (or -j REJECT): block 192.168.1.112 from sending from port 1234 to port 80 on 192.168.1.223 (-p tcp has to come before --sport/--dport, since the port options belong to the tcp match). Because -A appends, the rule lands at position 6 in the listing below, behind the catch-all REJECT at position 5, so no packet ever reaches it and its counters stay at 0; it would have to be inserted with -I to take effect.
- [root@localhost network-scripts]# iptables -nvL
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 1142 95952 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 4450 397K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- 0 0 DROP tcp -- * * 192.168.1.112 192.168.1.223 tcp spt:1234 dpt:80
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain OUTPUT (policy ACCEPT 17 packets, 1676 bytes)
- pkts bytes target prot opt in out source destination
-A appends a new rule after the existing rules
-I inserts a rule at the top of the chain (or at a given position: iptables -I INPUT 3 ... makes it the third rule)
Why the difference matters: rules are evaluated from the top of the chain, and the first rule that matches and takes a terminating action (ACCEPT, DROP, REJECT) ends the evaluation; later rules are never looked at. A rule appended behind a catch-all REJECT, as in the listing above, is therefore dead.
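To make the first-match rule concrete, an added example (not from the original post) that scans an iptables -S listing for rules that can never be reached because an unconditional ACCEPT, DROP or REJECT precedes them in the same chain. The embedded sample is a constructed reproduction of the INPUT chain shown earlier, including the appended DROP rule at position 6; the --live switch and the script names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: find rules that can never
# match because an earlier rule in the same chain is an unconditional
# terminating rule (ACCEPT, DROP or REJECT with no match options). The post's
# own DROP rule, appended with -A behind the catch-all REJECT, is the textbook
# case. Input is the rule-spec listing produced by iptables -S, which is
# easier to parse than the -nvL table.

# Constructed sample mirroring the INPUT chain from the listing above.
SAMPLE_RULES=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.1.112/32 -d 192.168.1.223/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
)

# shadowed_rule_numbers: reads iptables -S output on stdin and prints
# "CHAIN N" for every rule that sits behind a catch-all in its chain.
# N is the rule's position in that chain, i.e. the number iptables -D accepts.
shadowed_rule_numbers() {
    awk '
    /^-A / {
        chain = $2
        n[chain]++
        if (dead[chain]) {
            print chain, n[chain]
        } else if ($0 ~ /^-A [^ ]+ -j (ACCEPT|DROP|REJECT)( --reject-with [^ ]+)?$/) {
            dead[chain] = 1        # everything after this rule is unreachable
        }
    }'
}

# rule_to_insert: rewrite an "-A CHAIN spec" line as "-I CHAIN 1 spec", the
# form that puts the rule at the top where it is evaluated first.
rule_to_insert() {
    sed 's/^-A \([^ ]*\) /-I \1 1 /'
}

# Usage: ./shadowed.sh          checks the built-in sample
#        ./shadowed.sh --live   checks the running firewall (needs root)
if [ "$1" = "--live" ]; then
    iptables -S | shadowed_rule_numbers
else
    printf '%s\n' "$SAMPLE_RULES" | shadowed_rule_numbers
fi
```

The check is deliberately conservative: it only flags rules behind a rule with no match at all, so a broad but conditional rule (say, -p tcp -j DROP) shadowing a narrower one is not reported. For the flagged rule, piping its -S line through rule_to_insert gives the command that would have worked.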
Deleting iptables rules
iptables -D INPUT N deletes rule number N of the INPUT chain (iptables -nvL --line-numbers shows the numbers; they shift after each deletion, so list again before deleting the next one). A rule can also be deleted by repeating its full specification with -D in place of -A.
- [root@localhost network-scripts]# iptables -D INPUT 6
- [root@localhost network-scripts]# iptables -nvL
- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 1200 100K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
- 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 4606 409K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
- Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
- pkts bytes target prot opt in out source destination
Changing a chain's default policy: iptables -P INPUT DROP. Before switching the policy to DROP, add the rules that allow the traffic you need (at the very least port 22 for SSH, and loopback), otherwise every connection including the session you are working from is cut off. The allow rules below match on port numbers in both directions; note that the INPUT rule for --sport 22 accepts any inbound packet that merely claims source port 22, so a rule matching the connection-tracking state ESTABLISHED,RELATED is the stricter way to admit reply traffic. Keep a way back in (console access, or a timed job that resets the policy to ACCEPT) while testing.
- [root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- [root@localhost ~]# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
- [root@localhost ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- [root@localhost ~]# iptables -A INPUT -p tcp --sport 22 -j ACCEPT
- [root@localhost ~]# iptables -P INPUT DROP
- [root@localhost ~]# iptables -nvL
- Chain INPUT (policy DROP 0 packets, 0 bytes)
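An added example, not code from the original post, of making the policy change above without being locked out: the allow rules and the DROP policy are loaded together with iptables-restore, a connection-tracking rule admits replies instead of relying on port-number guesses, and a background timer restores the previous rules unless the operator confirms access from a new session. Port 22, the admin network 192.168.1.0/24 (the post's lab network) and the marker file /run/fw-confirmed are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: switch INPUT to a DROP
# policy without locking yourself out. Two safeguards: the ruleset is loaded
# in one step with iptables-restore, so the allow rules are in place the moment
# the policy takes effect, and a timed rollback restores the previous rules
# unless the operator confirms that the new ones still let them in.
# Assumed values: SSH on port 22, admin subnet 192.168.1.0/24 (the lab network
# used in the post), confirmation marker /run/fw-confirmed (hypothetical path).

SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}
CONFIRM_FILE=${CONFIRM_FILE:-/run/fw-confirmed}

# gen_host_rules SSH_PORT ADMIN_NET: prints the filter ruleset, or returns 1
# if the port is not a valid TCP port number.
gen_host_rules() {
    port=$1; net=$2
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related ICMP errors. This one
# rule replaces "--sport 22" style allows, which admit any packet that merely
# claims a source port of 22.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# New SSH sessions only from the admin network.
-A INPUT -s $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Explicit reject last: it shows up in the counters, unlike a silent policy drop.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# apply_with_rollback SECONDS: save the current rules, load the new set, and
# put the saved set back after SECONDS unless CONFIRM_FILE has been created.
apply_with_rollback() {
    secs=$1
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    rm -f "$CONFIRM_FILE"
    if ! gen_host_rules "$SSH_PORT" "$ADMIN_NET" | iptables-restore; then
        rm -f "$backup"; return 1
    fi
    (
        sleep "$secs"
        if [ ! -e "$CONFIRM_FILE" ]; then
            iptables-restore < "$backup"
        fi
        rm -f "$backup"
    ) &
    echo "new rules loaded; open a fresh SSH session and run: touch $CONFIRM_FILE (within ${secs}s)"
}

# Usage: ./lockdown.sh          prints the ruleset for review
#        ./lockdown.sh --apply  loads it with a 60 s rollback window (root only)
if [ "$1" = "--apply" ]; then
    apply_with_rollback 60
else
    gen_host_rules "$SSH_PORT" "$ADMIN_NET"
fi
```

Confirm from a new SSH session, not the one that ran the script: an existing session survives almost any ruleset thanks to the ESTABLISHED rule, so it proves nothing about whether you can get back in. Once confirmed, persist the rules with service iptables save so they survive a reboot.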
Source: http://www.bubuko.com/infodetail-2682841.html