October 25 tasks
10.11 Linux networking
10.12 firewalld and netfilter
10.13 The 5 tables and 5 chains of netfilter
10.14 iptables syntax
10.11 Linux networking
- ifconfig shows the NIC IP (yum install -y net-tools)
- ifup eth0 / ifdown eth0
- Set up the virtual NIC eth0:1
- mii-tool eth0 checks whether the NIC has link
- ethtool ens33 can also check whether the NIC has link
- Change the hostname: hostnamectl set-hostname aminglinux
- DNS configuration file: /etc/resolv.conf
- The /etc/hosts file
# Because this is a remote session, taking the NIC down and bringing it back up can only be demonstrated as a single command. (After editing a NIC's configuration file, run this command to restart the NIC.)
[root@centos6 ~]# ifdown eth0 && ifup eth0
Determining if ip address 172.16.5.235 is already in use for device eth0...
# Set up a virtual NIC
[root@centos6 ~]# cd /etc/sysconfig/network-scripts/
[root@centos6 network-scripts]# ls
ifcfg-eth0    ifdown-isdn    ifup-eth     ifup-routes
ifcfg-eth0:1  ifdown-post    ifup-ib      ifup-sit
ifcfg-lo      ifdown-ppp     ifup-ippp    ifup-tunnel
ifdown        ifdown-routes  ifup-ipv6    ifup-wireless
ifdown-bnep   ifdown-sit     ifup-isdn    init.ipv6-global
ifdown-eth    ifdown-tunnel  ifup-plip    net.hotplug
ifdown-ib     ifup           ifup-plusb   network-functions
ifdown-ippp   ifup-aliases   ifup-post    network-functions-ipv6
ifdown-ipv6   ifup-bnep      ifup-ppp
[root@centos6 network-scripts]# cp ifcfg-eth0 ifcfg-eth0\:1
[root@centos6 network-scripts]# vim !$
vim ifcfg-eth0\:1
[root@centos6 network-scripts]# ifdown eth0 && ifup eth0
Determining if ip address 172.16.5.235 is already in use for device eth0...
Determining if ip address 172.16.5.236 is already in use for device eth0...
[root@centos6 network-scripts]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:A4:3D:92
          inet addr:172.16.5.235  Bcast:172.16.5.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea4:3d92/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492143 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:41370766 (39.4 MiB)  TX bytes:29602942 (28.2 MiB)

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:A4:3D:92
          inet addr:172.16.5.236  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
# Check remotely whether the NIC has link: "link ok" means a cable is connected, "link no" means no cable is connected
[root@centos6 network-scripts]# mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok
# Change the hostname
[root@zgxlinux-01 ~]# hostnamectl set-hostname zgxlinux-001
[root@zgxlinux-01 ~]# bash
[root@zgxlinux-001 ~]# exit
exit
# DNS configuration file. Editing this file only takes effect temporarily; after a reboot it is regenerated from the DNS settings in the eth0 configuration file.
[root@zgxlinux-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
10.12 firewalld and netfilter
Linux firewall: netfilter
- Temporarily disable SELinux: setenforce 0
- Permanently disable SELinux: vi /etc/selinux/config
- Before CentOS 7, the netfilter firewall was used
- From CentOS 7 on, the firewalld firewall is used
- How to disable firewalld and enable netfilter:
- systemctl stop firewalld
- systemctl disable firewalld
- yum install -y iptables-services
- systemctl enable iptables
- systemctl start iptables
# Temporarily and permanently disabling SELinux. To disable it permanently, change SELINUX=enforcing to SELINUX=disabled and reboot the system. getenforce printing Permissive means it is temporarily disabled; Enforcing means it is on.
[root@zgxlinux-01 ~]# setenforce 0
[root@zgxlinux-01 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@zgxlinux-01 ~]# getenforce
Permissive
# From CentOS 7 on the firewall is firewalld; before CentOS 7 it was netfilter. Many companies still run CentOS 6 or even older releases, so we have to know it. So how do we switch the CentOS 7 firewall to the netfilter that CentOS 6 uses? Let's do it below.
[root@zgxlinux-01 ~]# systemctl disable firewalld    # first stop firewalld from starting at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@zgxlinux-01 ~]# systemctl stop firewalld       # then stop the firewalld service
[root@zgxlinux-01 ~]# yum install -y iptables-services   # this package must be installed before enabling netfilter
[root@zgxlinux-01 ~]# systemctl enable iptables      # after installation there is an iptables service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@zgxlinux-01 ~]# systemctl start iptables       # start the iptables service
[root@zgxlinux-01 ~]# iptables -nvL                  # iptables -nvL shows the default iptables rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2012 bytes)
 pkts bytes target     prot opt in     out     source               destination
10.13 The 5 tables and 5 chains of netfilter
- The 5 tables of netfilter
- The filter table filters packets; it is the most commonly used table and has three chains: INPUT, FORWARD and OUTPUT
- The nat table is used for network address translation and has three chains: PREROUTING, OUTPUT and POSTROUTING
- The mangle table is used to mark packets; it is almost never used
- The raw table can exempt certain packets from connection tracking; Aming never uses it
- The security table does not exist in CentOS 6; it is used for mandatory access control (MAC) network rules; Aming has not used it
- Reference article: http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables syntax
- Packet flow and the 5 chains of netfilter
- PREROUTING: before the packet enters the routing table
- INPUT: after routing, the destination is this host
- FORWARD: after routing, the destination is not this host
- OUTPUT: generated by this host and sent out
- POSTROUTING: before the packet is handed to the network interface
Related commands and usage
- View iptables rules: iptables -nvL
- iptables -F clears the rules
- service iptables save saves the rules
- iptables -t nat // -t specifies the table
- iptables -Z zeroes the packet counters
- iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
- iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP # -A appends, -I inserts, -D deletes
- iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
- iptables -nvL --line-numbers
- iptables -D INPUT 1
- iptables -P INPUT DROP # -P sets the default policy; do not run this lightly.
# The default rules are saved in /etc/sysconfig/iptables
[root@zgxlinux-01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# iptables -F clears the running rules, but the configuration file still holds them. Run service iptables save to save the rules; after changing rules, restart the service.
[root@zgxlinux-01 ~]# iptables -F
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 29 packets, 1940 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17 packets, 1508 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@zgxlinux-01 ~]# service iptables save
[root@zgxlinux-01 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
# -A appends a rule, -I inserts a rule.
[root@zgxlinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   67  4740 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Delete rules.
[root@zgxlinux-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zgxlinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  309 24924 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination
# To delete a rule it must be written exactly as it was added, but after a while we no longer remember the exact rule. How do we delete it then? We can number the rules:
[root@zgxlinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      604 48564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 61 packets, 10052 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@zgxlinux-01 ~]# iptables -D INPUT 7
[root@zgxlinux-01 ~]# iptables -D INPUT 1
[root@zgxlinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      677 53536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 6 packets, 696 bytes)
num   pkts bytes target     prot opt in     out     source               destination
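The -A/-I listing and the numbered listing above share one lesson: a chain is evaluated top-down, so the rule appended with -A lands after the catch-all REJECT at line 6 and can never match (rule 7 stays at 0 pkts), while the -I rule lands at line 1. The following added audit script is not part of the course notes; it reads a ruleset in the /etc/sysconfig/iptables format shown above, numbers the rules per chain the same way --line-numbers does, and reports any rule that sits behind an unconditional REJECT or DROP. The function names and the embedded sample ruleset are my own.

```shell
#!/bin/sh
# Added example (not from the course notes). Audit a saved ruleset such as
# /etc/sysconfig/iptables for rules that can never be reached: once a chain
# contains "-A CHAIN -j REJECT|DROP" with no match options, everything
# appended after it is dead. Rule numbers match "iptables -nvL --line-numbers",
# so a reported number can be used directly with "iptables -D CHAIN num".
# Prints one line per unreachable rule; exit status 1 if any were found.
audit_rules() {
  awk '
    /^-A / {
      chain = $2; n[chain]++
      if (chain in dead) {          # a catch-all already terminated this chain
        printf "%s rule %d is unreachable (after rule %d): %s\n", chain, n[chain], dead[chain], $0
        found = 1; next
      }
      # "-A CHAIN -j REJECT ..." / "-A CHAIN -j DROP": no -s/-d/-p/-i/-m before -j
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) dead[chain] = n[chain]
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# Constructed sample: the CentOS 7 default ruleset from the notes plus the two
# rules added on this page, as iptables-save would write them after
# "iptables -I INPUT -p tcp --dport 80 -j DROP" (goes to the top) and the
# "iptables -A INPUT -s 192.168.188.1 ... -j DROP" (goes to the bottom).
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Number of unreachable rules in a ruleset file (1 for the sample above).
count_unreachable() { audit_rules "$1" | wc -l | tr -d ' '; }
```

Run it against a live box with `audit_rules /etc/sysconfig/iptables` after `service iptables save`; the reported rule is the one to move with -I or delete by number, as the notes do with `iptables -D INPUT 7`.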