Linux对外提供服务 网络连接 端口操作 1.开启服务监听端口 2.设置防火墙,放行访问端口的包 iptables&netfilter 四表五链和通堵策略

Posted mozq

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux对外提供服务 网络连接 端口操作 1.开启服务监听端口 2.设置防火墙,放行访问端口的包 iptables&netfilter 四表五链和通堵策略相关的知识,希望对你有一定的参考价值。

应用举例:
	Linux上安装Tomcat后,客户端要能够访问服务器上的Tomcat
操作:
	1.网络操作 本机必须能够ping通目标主机(本地虚拟机或者远程主机)
	2.端口操作 1.开启服务监听端口 2.设置防火墙,放行访问该端口的数据包
关键iptables和netfilter:
	iptables中的四表五链和堵通策略
	
CentOS6.7端口操作最佳实践:
	查看iptables命令的帮助:
		iptables --help 不详细
		man iptables 一般详细 手册页
		info iptables 最详细
		
	1.查看当前包过滤规则
		示例:# service iptables status
	2.根据需求添加或删除相应的规则。配置文件或者指令
		示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
	3.iptables指令修改规则,立即生效,但不会持久化,所以根据需要手动进行持久化操作
		示例:# service iptables save
	4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
		示例:# service iptables restart

1.网络操作:
	1.1 使用ifconfig查看虚拟机网络地址
		示例:# ifconfig
[[email protected] ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:71:C4:BB  
          inet addr:192.168.211.130  Bcast:192.168.211.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe71:c4bb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:420 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:35784 (34.9 KiB)  TX bytes:28445 (27.7 KiB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

	1.2 在本地ping虚拟机网络地址,必须保证ping通
		示例:ping 192.168.211.130

本机与虚拟机
	网络不通:
C:\Users\jie>ping 192.168.211.130
正在 Ping 192.168.211.130 具有 32 字节的数据:
来自 192.168.211.1 的回复: 无法访问目标主机。

	网络联通:
C:\Users\jie>ping 192.168.211.130
正在 Ping 192.168.211.130 具有 32 字节的数据:
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64

192.168.211.130 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 0ms,平均 = 0ms


	
2.端口操作:
	2.1.启动服务,监听某个端口
		查看某个端口是否已经被监听:(即相应的服务已经启动)
			示例:# netstat -ntlp
	2.2设置防火墙,放行访问这个端口的包
	
查看某个端口是否已经被监听:(即相应的服务已经启动)
[[email protected] ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1588/rpcbind        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1835/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1684/cupsd          
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      2797/sshd           
tcp        0      0 0.0.0.0:53754               0.0.0.0:*                   LISTEN      1645/rpc.statd      
tcp        0      0 :::43942                    :::*                        LISTEN      1645/rpc.statd      
tcp        0      0 :::3306                     :::*                        LISTEN      1976/mysqld         
tcp        0      0 :::111                      :::*                        LISTEN      1588/rpcbind        
tcp        0      0 :::22                       :::*                        LISTEN      1835/sshd           
tcp        0      0 ::1:631                     :::*                        LISTEN      1684/cupsd          
tcp        0      0 ::1:6010                    :::*                        LISTEN      2797/sshd 	

CentOS6.7中设置防火墙,放行访问端口的数据包:
	查看防火墙的包过滤规则:(正在生效)
		示例:# service iptables status
	查看包过滤规则文件:(不一定正在生效)
		示例:# cat /etc/sysconfig/iptables
	查看链中的规则:(正在生效)
		示例:# iptables -L
		
	注意:
		修改包过滤规则,必须重启iptables服务,使新的规则生效。
		链中规则有顺序,请把规则放首位。
		
	参数解释:
		通堵策略: ACCEPT接收 DROP丢弃 REJECT拒绝
		-I 插入规则
		-D 删除规则
		
		方式1:修改/etc/sysconfig/iptables文件
			步骤:
				1.为/etc/sysconfig/iptables文件添加一条规则
					示例:-A INPUT -p tcp -m state --state NEW -m tcp --dport 端口号 -j ACCEPT
					注意:规则有顺序,所以把规则添加到上面,而不是下面。
					
				2.重启iptables服务,新加规则才会生效
					示例:service iptables restart
		方式2:
			步骤:
				1.使用iptables动态添加规则
					添加接收访问某端口的包的规则
					示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
					添加丢弃访问某端口的包的规则
					示例:# iptables -I INPUT -p tcp --dport=3306 -j DROP
					注意:立即生效,只对本次有效,规则不会添加到iptables文件,服务重启后失效
				
				2.将本次的规则保存到iptables文件中
					示例:# service iptables save		
					
		最佳实践:
			查看iptables命令的帮助:
				iptables --help 不详细
				man iptables 一般详细 手册页
				info iptables 最详细
				
			1.查看当前包过滤规则
				示例:# service iptables status
			2.根据需求添加或删除相应的规则。配置文件或者指令
				示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
			3.iptables指令修改,立即生效,可能需要进行持久化操作
				示例:# service iptables save
			4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
				示例:# service iptables restart

关键iptables:
	iptables中的四表五链和堵通策略

直接修改/etc/sysconfig/iptables文件,添加开放端口的规则:
[[email protected] ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT
# Completed on Mon May 27 22:42:05 2019

重启iptables服务,让规则生效:
[[email protected] ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

查看链中的规则:(链中规则有顺序,请把规则放首位)
[[email protected] ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

查看链中的规则:
[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  


查看/etc/sysconfig/iptables文件:
[[email protected] ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables命令动态添加规则:
	示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
	
[[email protected] ~]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
[[email protected] ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination 

将当前生效的规则保存到iptables文件:
[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[[email protected] ~]# iptables -I INPUT -p tcp --dport=3306 -j DROP
[[email protected] ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

[[email protected] ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[[email protected] ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[[email protected] ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue May 28 18:23:29 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:4416]
-A INPUT -p tcp -m tcp --dport 3306 -j DROP 
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Tue May 28 18:23:29 2019

 

以上是关于Linux对外提供服务 网络连接 端口操作 1.开启服务监听端口 2.设置防火墙,放行访问端口的包 iptables&netfilter 四表五链和通堵策略的主要内容,如果未能解决你的问题,请参考以下文章

navicat连接不上Linux服务器上的MySQL

Linux防火墙

在云服务器上使用tomcat部署web应用

linux之网卡绑定

'FTP服务器对外开放服务的端口多少'是啥意思?

TCP连接的状态详解以及故障排查