Linux networking basics and iptables syntax


Linux networking basics

ifconfig: shows each network interface with its IP address, netmask, broadcast address and MAC address. (It does not show the default gateway; use route -n or ip route for that.)

ifconfig belongs to the net-tools package, which a minimal CentOS 7 install does not include: yum install net-tools

Restart a specific interface: ifdown <interface> && ifup <interface> (if you are logged in over SSH through that interface, keep both commands on one line as shown; ifdown on its own cuts your session before you can type ifup)

Adding a virtual interface (an alias that gives the NIC a second IP address)

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ib    ifdown-ppp       ifdown-tunnel  ifup-ib    ifup-plusb   ifup-Team         network-functions
ifcfg-lo     ifdown-ippp  ifdown-routes    ifup           ifup-ippp  ifup-post    ifup-TeamPort     network-functions-ipv6
ifdown       ifdown-ipv6  ifdown-sit       ifup-aliases   ifup-ipv6  ifup-ppp     ifup-tunnel
ifdown-bnep  ifdown-isdn  ifdown-Team      ifup-bnep      ifup-isdn  ifup-routes  ifup-wireless
ifdown-eth   ifdown-post  ifdown-TeamPort  ifup-eth       ifup-plip  ifup-sit     init.ipv6-global
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vi !$
vi ifcfg-ens33\:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
DEVICE=ens33:
ONBOOT=yes
IPADDR=192.168.245.130
NETMASK=255.255.255.0
[root@localhost network-scripts]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@localhost network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.245.128  netmask 255.255.255.0  broadcast 192.168.245.255
        inet6 fe80::dbd:48aa:6994:bf39  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:6f:fa  txqueuelen 1000  (Ethernet)
        RX packets 4396  bytes 330121 (322.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1291  bytes 122535 (119.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.245.130  netmask 255.255.255.0  broadcast 192.168.245.255
        ether 00:0c:29:d6:6f:fa  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 80  bytes 6940 (6.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 6940 (6.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The virtual interface answers to ping, so the alias works. Two things to note in the file above, though. DEVICE was typed as DEVICE=ens33: with the index missing; ifup accepted it, which is why ifconfig labels the alias ens33:: rather than ens33:0. The intended value is DEVICE=ens33:0, matching the file name ifcfg-ens33:0. Also, copying the parent's file leaves the alias with the parent's NAME and UUID; give the alias its own NAME and drop the UUID line, because NetworkManager identifies connection profiles by UUID.
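The alias setup above as a small script (an added example, not part of the original post): it writes the ifcfg file for a secondary address with DEVICE derived from the parent name and index, and checks an existing alias file for the DEVICE/file-name mismatch seen above. The parent name ens33 and the address 192.168.245.130/24 come from the post; the output directory is a parameter, and the function names make_alias_cfg and check_alias_cfg are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: create and validate a CentOS 7
# alias interface file (ifcfg-<parent>:<index>) for a secondary address.
# Assumptions: parent NIC and address are the post's (ens33,
# 192.168.245.130/24); the target directory is a parameter so the script can
# be exercised on a scratch directory instead of /etc/sysconfig/network-scripts.

# make_alias_cfg DIR PARENT INDEX IPADDR NETMASK
# Writes DIR/ifcfg-PARENT:INDEX. DEVICE is derived from PARENT and INDEX, so it
# cannot drift from the file name. The parent's UUID is deliberately not copied
# and NAME is the alias name: NetworkManager identifies profiles by UUID, and
# two files sharing one UUID are treated as the same connection.
make_alias_cfg() {
  local dir=$1 parent=$2 idx=$3 ip=$4 mask=$5
  local dev="${parent}:${idx}"
  cat > "${dir}/ifcfg-${dev}" <<EOF
TYPE=Ethernet
BOOTPROTO=static
DEVICE=${dev}
NAME=${dev}
ONBOOT=yes
IPADDR=${ip}
NETMASK=${mask}
EOF
}

# check_alias_cfg FILE
# Returns 0 when the DEVICE= value equals the part of the file name after
# "ifcfg-", 1 otherwise. This catches the "DEVICE=ens33:" typo (index missing),
# which ifup accepts and then labels the interface "ens33::".
check_alias_cfg() {
  local file=$1
  local base=${file##*/}
  local want=${base#ifcfg-}
  local have
  have=$(sed -n 's/^DEVICE=//p' "$file")
  if [ -n "$have" ] && [ "$have" = "$want" ]; then
    return 0
  fi
  echo "$file: DEVICE='$have' but file name implies '$want'" >&2
  return 1
}
```

On a real host: make_alias_cfg /etc/sysconfig/network-scripts ens33 0 192.168.245.130 255.255.255.0 as root, then ifdown ens33 && ifup ens33 as in the post, and check_alias_cfg /etc/sysconfig/network-scripts/ifcfg-ens33:0 before that to catch a hand-edited file whose DEVICE does not match.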

  • Check whether an interface has link (cable connected): mii-tool ens33

[root@localhost network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@localhost network-scripts]# 

"link ok" means the link is up; "no link" means no cable or no carrier.

ethtool ens33 shows the same thing in its "Link detected:" line, together with speed and duplex, and works with drivers that do not support mii-tool.

  • Changing the hostname

[root@localhost network-scripts]# hostnamectl set-hostname aminglinux-01
[root@localhost network-scripts]# hostname
aminglinux-01
[root@localhost network-scripts]# bash
[root@aminglinux-01 network-scripts]# 

hostnamectl writes the new name to /etc/hostname and applies it immediately, but the prompt of an already running shell keeps the old name; starting a new shell (bash) picks it up.

  • Viewing the DNS servers

[root@aminglinux-01 network-scripts]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 119.29.29.29
[root@aminglinux-01 network-scripts]# 

The "Generated by NetworkManager" header means edits made directly to this file get overwritten; set DNS1= / DNS2= in the interface's ifcfg file (or use nmcli) instead.

Linux firewall: netfilter and iptables

Disable SELinux temporarily: setenforce 0 (switches to permissive mode until the next reboot)

Disable SELinux permanently: vi /etc/selinux/config, set SELINUX=disabled, then reboot. Be aware that this removes a mandatory access control layer entirely; for troubleshooting, SELINUX=permissive (denials are logged but not enforced) is the less drastic option.

netfilter is the packet-filtering framework inside the kernel itself, not a separate firewall product. On CentOS 6 it is managed with the iptables tool and service; CentOS 7 replaced that default front end with firewalld. Both drive the same netfilter rules, so what follows only switches the management tool back to the classic iptables service.

Disable firewalld: systemctl disable firewalld (this only removes the boot-time symlinks; run systemctl stop firewalld as well to stop the daemon that is already running)

[root@aminglinux-01 network-scripts]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@aminglinux-01 network-scripts]# 

Enabling the iptables service (the iptables-services package provides the systemd unit and the rules file /etc/sysconfig/iptables)

yum install -y iptables-services
[root@aminglinux-01 network-scripts]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux-01 network-scripts]# systemctl start iptables
[root@aminglinux-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@aminglinux-01 network-scripts]# 
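The switch from firewalld to the iptables service as one script, with the ordering and a verification step spelled out (an added example, not from the original post). It assumes CentOS 7 with systemd and yum, and adds two steps the post does not show: stopping the running firewalld daemon and masking it. The functions run, switch_to_iptables and verify_iptables_active and the DRY_RUN variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: replace firewalld with the classic
# iptables service on CentOS 7 in the right order (stop and mask firewalld
# first, then enable and start iptables) and verify the result. Assumes systemd
# and yum. With DRY_RUN=1 the commands are printed instead of executed
# (otherwise root is required). Function names and DRY_RUN are this example's own.

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

switch_to_iptables() {
  # systemctl disable only removes the boot-time symlinks; the daemon that is
  # already running keeps enforcing its rules until stopped. mask additionally
  # prevents anything (an RPM scriptlet, habit) from starting it again.
  run systemctl stop firewalld
  run systemctl disable firewalld
  run systemctl mask firewalld
  # Now bring in the iptables service and make it start at boot.
  run yum install -y iptables-services
  run systemctl enable iptables
  run systemctl start iptables
}

# verify_iptables_active: returns 0 if firewalld is inactive and the iptables
# unit is active, 1 otherwise. In dry-run mode nothing was changed, so it
# returns 0 without checking.
verify_iptables_active() {
  [ "${DRY_RUN:-0}" = "1" ] && return 0
  if systemctl is-active --quiet firewalld; then
    echo "firewalld is still active" >&2
    return 1
  fi
  if ! systemctl is-active --quiet iptables; then
    echo "iptables service is not active" >&2
    return 1
  fi
  iptables -nvL   # show the rule set that is now in force
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
if [ "${1:-}" = "--apply" ]; then
  switch_to_iptables && verify_iptables_active
fi
```

Run DRY_RUN=1 ./switch.sh --apply first to see the command sequence, then ./switch.sh --apply as root. Between the stop of firewalld and the start of iptables no rules are loaded at all, so do this from the console or inside a maintenance window, not on a host exposed to untrusted networks.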

The 5 tables and 5 chains of netfilter

  • The five tables

    filter: the default table, used for filtering packets; it has three built-in chains: INPUT, OUTPUT and FORWARD. INPUT applies to packets addressed to this host, OUTPUT to packets this host sends out, and FORWARD to packets that are routed through this host (neither from nor to it).

nat: used for network address translation; it also has three chains. PREROUTING changes the destination address of a packet as soon as it reaches the firewall, if needed (DNAT); OUTPUT changes the destination address of locally generated packets; POSTROUTING changes the source address just before the packet leaves the firewall (SNAT/MASQUERADE). Kernels from 2.6.36 on, including CentOS 7's, also give nat an INPUT chain.

mangle: used to mark packets or alter header fields (TTL, TOS, a firewall mark) so that other components, such as policy routing or QoS, can act on the mark. Rarely needed in day-to-day administration.

raw: exempts selected packets from connection tracking. By default every packet goes through conntrack, which costs memory and CPU, so raw can be used to declare packets for certain ports NOTRACK.

security: not present on CentOS 6; used for mandatory access control (MAC) rules, i.e. SELinux security marks (SECMARK, CONNSECMARK) on packets.

  • The five chains

    PREROUTING: the packet has just entered, before the routing decision is made.

INPUT: after routing, the destination is this host.

FORWARD: after routing, the destination is not this host (the packet is being routed through).

OUTPUT: generated by this host, on its way out.

POSTROUTING: after routing, just before the packet is handed to the network interface.

iptables syntax

Where the iptables rules are stored (this file is what the iptables service loads at start and what service iptables save writes):

[root@aminglinux-01 network-scripts]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-01 network-scripts]# 

iptables -F flushes all rules in a table. It does not change the chain default policies, and it does not touch the saved rules in /etc/sysconfig/iptables, so they come back at the next restart of the service. -t <table> selects the table for any iptables command (including -nvL); without -t, the filter table is assumed. On this host the policies are all ACCEPT, so after the flush nothing is filtered at all, as the empty listing shows:

[root@aminglinux-01 ~]# iptables -F
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 948 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 1208 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@aminglinux-01 ~]# 

iptables -nvL --line-numbers shows each rule with its number in the chain (iptables also accepts the abbreviation --line-number).

Zero the packet and byte counters: iptables -Z

Save the running rules to /etc/sysconfig/iptables: service iptables save (rules added at the command line are otherwise lost when the service restarts)

-A / -D: append a rule to the end of a chain / delete a rule (by specification or by number).

-I: insert a rule at the top of the chain, or at position N with -I CHAIN N. This is not equivalent to -A: a chain is evaluated top to bottom and the first matching ACCEPT/DROP/REJECT decides, so a rule appended below a catch-all REJECT is never consulted, while the same rule inserted above it takes effect.

-p: protocol, one of tcp, udp or icmp.

--dport: destination port; only valid together with -p tcp or -p udp.

--sport: source port; likewise requires -p.

-s: source IP address, or a network in CIDR notation (e.g. 192.168.188.0/24).

-d: destination IP address or network (used in the example below).

-j: the target: ACCEPT lets the packet through, DROP discards it silently, REJECT discards it and sends an error back to the sender (here icmp-host-prohibited).

-i: input interface (not often needed, but occasionally, e.g. -i lo for loopback).

[root@aminglinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  440 36272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   71  7269 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@aminglinux-01 ~]# 

Note where the new DROP rule landed: -A appended it as rule 6, below the catch-all REJECT in rule 5, so no packet ever reaches it (its counters stay at 0). For it to take effect it has to sit above the REJECT, e.g. iptables -I INPUT 5 with the same match instead of -A.

Deleting a rule by its number

[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      531 42528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3       21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       73  7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 69 packets, 7276 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@aminglinux-01 ~]# iptables -D INPUT 6
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      585 46272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3       21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       73  7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@aminglinux-01 ~]# 
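A checker for the rule-order problem in the -A example above, which also produces the rule numbers used with -D (an added example, not code from the original post). It reads rules in iptables-save format, the format of /etc/sysconfig/iptables, and reports any rule that sits below a catch-all ACCEPT/DROP/REJECT in the same chain, together with the -D/-I commands that move it above the blocker. SAMPLE_RULES is constructed for the example from the post's default rule set plus the appended DROP rule; find_shadowed_rules is this example's own name.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: find rules that can never match
# because a catch-all terminating rule sits above them in the same chain, and
# print the -D / -I commands that move each one above its blocker.
# Input is iptables-save format, i.e. what /etc/sysconfig/iptables holds.

# Constructed sample: the post's default filter table plus the DROP rule that
# was appended with -A (iptables-save lists a chain's rules together, so the
# appended INPUT rule appears right after the INPUT REJECT).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# find_shadowed_rules < rules
# For every "-A CHAIN ..." line, N is the rule's position in its chain (the
# same number "iptables -nvL --line-numbers" shows). A rule whose only words
# after the chain name are "-j ACCEPT|DROP|REJECT" has no match criteria and
# therefore terminates the chain for every packet; every rule after it in that
# chain is reported as shadowed. Deleting the shadowed rule first and then
# inserting it at the blocker's number puts it directly above the blocker.
find_shadowed_rules() {
  awk '
    /^-A / {
      chain = $2
      n[chain]++
      rest = substr($0, length("-A " chain " ") + 1)
      catchall = ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
      if (chain in blocker) {
        printf "%s %d shadowed by %s %d: %s\n", chain, n[chain], chain, blocker[chain], rest
        printf "  fix: iptables -D %s %d && iptables -I %s %d %s\n", chain, n[chain], chain, blocker[chain], rest
      } else if (catchall) {
        blocker[chain] = n[chain]
      }
    }
  '
}

# Stand-alone run: check the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules
```

On a live host use iptables-save | find_shadowed_rules, or find_shadowed_rules < /etc/sysconfig/iptables for the saved set. Apply the suggested fixes one at a time and re-run, because every insert shifts the numbers of the rules below it. The checker only treats a rule with no match criteria at all as a catch-all; a rule such as -i eth0 -j REJECT shadows everything arriving on eth0 but is not flagged.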
