Linux networking
ifconfig: shows the NICs with their IP, subnet, gateway and MAC addresses
yum install net-tools (provides ifconfig)
Restart a specific NIC: ifdown <nic> && ifup <nic>
Add a virtual NIC
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33 ifdown-ib ifdown-ppp ifdown-tunnel ifup-ib ifup-plusb ifup-Team network-functions
ifcfg-lo ifdown-ippp ifdown-routes ifup ifup-ippp ifup-post ifup-TeamPort network-functions-ipv6
ifdown ifdown-ipv6 ifdown-sit ifup-aliases ifup-ipv6 ifup-ppp ifup-tunnel
ifdown-bnep ifdown-isdn ifdown-Team ifup-bnep ifup-isdn ifup-routes ifup-wireless
ifdown-eth ifdown-post ifdown-TeamPort ifup-eth ifup-plip ifup-sit init.ipv6-global
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vi !$
vi ifcfg-ens33\:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
DEVICE=ens33:
ONBOOT=yes
IPADDR=192.168.245.130
NETMASK=255.255.255.0
[root@localhost network-scripts]# ifdown ens33 && ifup ens33
成功断开设备'ens33'.
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/1)
[root@localhost network-scripts]#
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.245.128 netmask 255.255.255.0 broadcast 192.168.245.255
inet6 fe80::dbd:48aa:6994:bf39 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d6:6f:fa txqueuelen 1000 (Ethernet)
RX packets 4396 bytes 330121 (322.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1291 bytes 122535 (119.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.245.130 netmask 255.255.255.0 broadcast 192.168.245.255
ether 00:0c:29:d6:6f:fa txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 80 bytes 6940 (6.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 80 bytes 6940 (6.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The virtual NIC can be pinged.
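As an added example (not part of the original notes), a POSIX shell check for an ifcfg file like the one written above: DEVICE must match the filename suffix, and for a static configuration IPADDR and NETMASK must be dotted quads. The sample file is constructed from the listing, including its DEVICE=ens33: line, and is written to a temporary directory instead of /etc/sysconfig/network-scripts; ifcfg_get and ifcfg_check are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample: the ifcfg-ens33:0 written in the session above, including its
# "DEVICE=ens33:" line, placed in a temp dir instead of /etc/sysconfig/network-scripts.
CFG_DIR="$(mktemp -d)"
trap 'rm -rf "$CFG_DIR"' EXIT
cat >"$CFG_DIR/ifcfg-ens33:0" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33:
ONBOOT=yes
IPADDR=192.168.245.130
NETMASK=255.255.255.0
EOF

# Value of KEY in an ifcfg file. The network scripts source the file, so the
# last assignment wins; surrounding quotes are stripped.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Checks a static or alias config. Prints one problem per line and returns 0
# only when nothing was found.
ifcfg_check() {
    file="$1"; expected="${file##*ifcfg-}"; rc=0
    device="$(ifcfg_get "$file" DEVICE)"
    proto="$(ifcfg_get "$file" BOOTPROTO)"
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    quad="^$octet\.$octet\.$octet\.$octet$"
    # DEVICE must equal the filename suffix; otherwise ifup brings the alias up
    # under a different name (the session above produced an interface "ens33:").
    [ "$device" = "$expected" ] ||
        { echo "DEVICE=$device does not match file suffix $expected"; rc=1; }
    if [ "$proto" = static ] || [ "$proto" = none ]; then
        for key in IPADDR NETMASK; do
            val="$(ifcfg_get "$file" "$key")"
            echo "$val" | grep -Eq "$quad" ||
                { echo "$key=$val is not a dotted-quad IPv4 value"; rc=1; }
        done
    fi
    return $rc
}

ifcfg_check "$CFG_DIR/ifcfg-ens33:0" || echo "ifcfg-ens33:0 has problems"
```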
Check whether a NIC's cable is connected: mii-tool ens33
[root@localhost network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@localhost network-scripts]#
link ok means connected, no link means not connected.
Alternatively, ethtool ens33 shows the same.
Change the hostname
[root@localhost network-scripts]# hostnamectl set-hostname aminglinux-01
[root@localhost network-scripts]# hostname
aminglinux-01
[root@localhost network-scripts]# bash
[root@aminglinux-01 network-scripts]#
View the DNS servers
[root@aminglinux-01 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
[root@aminglinux-01 network-scripts]#
Linux firewall: netfilter
Disable SELinux temporarily: setenforce 0
Disable SELinux permanently: vi /etc/selinux/config
Before CentOS 7 the firewall was netfilter; CentOS 7 and later switched to firewalld.
Disable firewalld: systemctl disable firewalld
[root@aminglinux-01 network-scripts]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@aminglinux-01 network-scripts]#
Enable netfilter (iptables)
yum install -y iptables-services
[root@aminglinux-01 network-scripts]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux-01 network-scripts]# systemctl start iptables
[root@aminglinux-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 468 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 network-scripts]#
The 5 tables and 5 chains of netfilter
The five tables
filter: used mainly for filtering packets. It is the default table and has 3 built-in chains: INPUT, OUTPUT and FORWARD. INPUT acts on packets entering this host, OUTPUT on packets this host sends out, and FORWARD on packets that are neither from nor for this host.
nat: used mainly for network address translation; it also has three chains. PREROUTING changes a packet's destination address as soon as it reaches the firewall (if needed), OUTPUT changes the destination address of locally generated packets, and POSTROUTING changes the source address just before the packet leaves the firewall.
mangle: used mainly to mark packets and then act on them according to the mark. This table is rarely used unless you want to become an advanced network engineer.
raw: lets certain packets be excluded from connection tracking. By default every packet is tracked, which costs resources, so the raw table can specify that packets on certain ports are not tracked.
security: does not exist in CentOS 6; it is used for Mandatory Access Control (MAC) network rules.
The 5 chains of netfilter
PREROUTING: before the packet enters the routing table.
INPUT: after routing, destination is this host.
FORWARD: after routing, destination is not this host.
OUTPUT: generated by this host and sent out.
POSTROUTING: just before the packet is handed to the network interface.
iptables syntax
Where iptables rules are stored
[root@aminglinux-01 network-scripts]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-01 network-scripts]#
iptables -F flushes all rules; after flushing, the saved rules file still contains its configuration. -t takes a table name; without -t, the filter table is printed.
[root@aminglinux-01 ~]# iptables -F
[root@aminglinux-01 ~]# ^C
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 948 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1208 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
iptables -nvL --line-number shows the rule numbers.
Reset the packet and byte counters to zero: iptables -Z.
Save the rules: service iptables save
-A/-D: append / delete a rule
-I: insert a rule; in effect the same as -A
-p: specify the protocol: tcp, udp or icmp
--dport: used with -p, specifies the destination port.
--sport: used with -p, specifies the source port.
-s: specify the source IP (can be an IP range).
-j: followed by the action; ACCEPT lets the packet through, DROP discards it, REJECT rejects it.
-i: specify the NIC (not common, but occasionally useful).
[root@aminglinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
440 36272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
71 7269 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1288 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
Delete a rule by number
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 531 42528 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 73 7737 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 69 packets, 7276 bytes)
num pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]# iptables -D INPUT 6
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 585 46272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 73 7737 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
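As an added example (not from the original notes), a POSIX shell audit of a saved rules file in the /etc/sysconfig/iptables format shown above: it numbers a chain's rules the way iptables -nvL --line-number does, looks up the number to pass to iptables -D, and reports the chain's default policy and whether its last rule closes it, which is what decides how exposed the host is after an iptables -F like the one in the session. The sample file is constructed from the listing above and written to a temp file; the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample: the filter table as saved in /etc/sysconfig/iptables
# (iptables-save format), copied from the listing above into a temp file.
RULES_FILE="$(mktemp)"
trap 'rm -f "$RULES_FILE"' EXIT
cat >"$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Rules of one chain in load order, numbered as "iptables -nvL --line-number"
# numbers them (the -A lines of a chain are appended in file order).
chain_rules() {
    grep "^-A $1 " "$RULES_FILE" | sed "s/^-A $1 //" | awk '{ print NR ": " $0 }'
}

# Number of the first rule in CHAIN containing PATTERN, for "iptables -D CHAIN N".
# Numbers shift after every deletion, so look the number up again before each -D.
rule_number() {
    chain_rules "$1" | grep -F -- "$2" | head -n 1 | cut -d: -f1
}

# Default policy of a chain, from its ":CHAIN POLICY [pkts:bytes]" header line.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2 }' "$RULES_FILE"
}

# True when the chain ends in an unconditional REJECT or DROP. With policy ACCEPT
# that final rule is all that closes the chain: "iptables -F" removes it and
# leaves the chain wide open, which is what the flushed listing above shows.
last_rule_is_terminal() {
    chain_rules "$1" | tail -n 1 | grep -Eq '^[0-9]+: -j (REJECT|DROP)( |$)'
}

# TCP destination ports INPUT accepts from any source (ACCEPT rules without -s).
open_tcp_ports() {
    grep '^-A INPUT ' "$RULES_FILE" | grep -v -- ' -s ' | grep -- '-j ACCEPT' |
        grep -o -- '--dport [0-9:]*' | awk '{ print $2 }' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

chain_rules INPUT
```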
Source: http://www.bubuko.com/infodetail-2593189.html