Network interfaces, firewalls, iptables
Linux networking

- ifconfig shows a NIC's IP address (install it with yum install net-tools)
- ifdown ens33 / ifup ens33 restart a single NIC's configuration (ifdown ens33 && ifup ens33)
- Configure a virtual (alias) interface ens33:0:
```
[[email protected] ~]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-ens33  ifdown-isdn      ifup          ifup-plip     ifup-tunnel
ifcfg-lo     ifdown-post      ifup-aliases  ifup-plusb    ifup-wireless
ifdown       ifdown-ppp       ifup-bnep     ifup-post     init.ipv6-global
ifdown-bnep  ifdown-routes    ifup-eth      ifup-ppp      network-functions
ifdown-eth   ifdown-sit       ifup-ib       ifup-routes   network-functions-ipv6
ifdown-ib    ifdown-Team      ifup-ippp     ifup-sit
ifdown-ippp  ifdown-TeamPort  ifup-ipv6     ifup-Team
ifdown-ipv6  ifdown-tunnel    ifup-isdn     ifup-TeamPort
[[email protected] network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[[email protected] network-scripts]# vim !$
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.16.150
NETMASK=255.255.255.0
[[email protected] network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 ‘ens33‘。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/1)
[[email protected] network-scripts]# ifconfig -a
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.16.120  netmask 255.255.255.0  broadcast 192.168.16.255
        inet6 fe80::1712:620b:c34:266e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c6:6d:0b  txqueuelen 1000  (Ethernet)
        RX packets 614  bytes 56738 (55.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 515  bytes 58688 (57.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.16.150  netmask 255.255.255.0  broadcast 192.168.16.255
        ether 00:0c:29:c6:6d:0b  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 76  bytes 6204 (6.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 76  bytes 6204 (6.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
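The alias configuration above is produced by hand with cp and vim. As an added example that is not part of the original notes, the POSIX shell script below generates such an ifcfg-ens33:0 file from the parent interface's file: it forces BOOTPROTO=static, rewrites NAME and DEVICE, drops fields that belong only to the parent (HWADDR, UUID) and any old address lines, and appends the alias address. The function names make_alias_cfg and cfg_value, the argument order and the constructed demo file are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): build an alias-interface
# config such as ifcfg-ens33:0 from the parent ifcfg file.

# make_alias_cfg BASE_CFG ALIAS_DEV IPADDR NETMASK OUT_CFG
#   Copies BASE_CFG to OUT_CFG with BOOTPROTO forced to static, NAME/DEVICE
#   set to ALIAS_DEV, parent-only fields (HWADDR, UUID) removed and any
#   existing IPADDR/NETMASK/PREFIX lines replaced by the given address.
make_alias_cfg() {
    base=$1; dev=$2; ip=$3; mask=$4; out=$5
    # An alias device name must have the form parent:N (e.g. ens33:0).
    case "$dev" in
        *:[0-9]*) ;;
        *) echo "alias device must look like ens33:0, got '$dev'" >&2; return 1 ;;
    esac
    awk -v dev="$dev" '
        /^BOOTPROTO=/ { print "BOOTPROTO=static"; next }   # aliases never use DHCP
        /^NAME=/      { print "NAME=" dev; next }
        /^DEVICE=/    { print "DEVICE=" dev; next }
        /^(IPADDR|NETMASK|PREFIX)[0-9]*=/ { next }          # replaced below
        /^(HWADDR|UUID)=/ { next }                          # belong to the parent NIC
        { print }
    ' "$base" > "$out" || return 1
    printf 'IPADDR=%s\nNETMASK=%s\n' "$ip" "$mask" >> "$out"
}

# cfg_value FILE KEY
#   Prints the value of KEY=... in FILE. The last occurrence wins, which is
#   also what happens when the ifcfg scripts source the file.
cfg_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Demo with a constructed parent config in a temporary directory.
demo_dir=$(mktemp -d)
printf 'TYPE=Ethernet\nBOOTPROTO=dhcp\nNAME=ens33\nDEVICE=ens33\nONBOOT=yes\n' \
    > "$demo_dir/ifcfg-ens33"
make_alias_cfg "$demo_dir/ifcfg-ens33" ens33:0 192.168.16.150 255.255.255.0 \
    "$demo_dir/ifcfg-ens33:0"
cat "$demo_dir/ifcfg-ens33:0"
rm -rf "$demo_dir"
```

On a real CentOS 7 host, point BASE_CFG at /etc/sysconfig/network-scripts/ifcfg-ens33, write OUT_CFG next to it as ifcfg-ens33:0, and restart the interface as the notes do (ifdown ens33 && ifup ens33); ifconfig -a should then list the alias.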
- Check whether the NIC has link:
```
[[email protected] network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[[email protected] network-scripts]# ethtool ens33
Settings for ens33:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
```
- Change the hostname: hostnamectl set-hostname aminglinux-001; it is stored in /etc/hostname
- DNS configuration file /etc/resolv.conf: edits there are only temporary; for a permanent change, edit the NIC config file /etc/sysconfig/network-scripts/ifcfg-ens33
- /etc/hosts file: local name resolution; one IP can map to several names, and for the same IP the last line takes effect.
Linux firewall

- Disable SELinux temporarily: setenforce 0
- Disable it permanently:

```
[[email protected] ~]# vim /etc/selinux/config
SELINUX=disabled
```

- Before CentOS 7, the firewall was netfilter (managed with iptables)
- From CentOS 7 on, the firewall is firewalld
- To turn off firewalld and enable netfilter/iptables instead:
  - systemctl disable firewalld
  - systemctl stop firewalld
  - yum install -y iptables-services
  - systemctl enable iptables
  - systemctl start iptables
- iptables -nvL shows the default rules; iptables is the management tool for the Linux firewall
Linux firewall: netfilter

- netfilter's 5 tables
  - filter: filters packets; the most commonly used table; has the INPUT, FORWARD (packets not destined for this host) and OUTPUT chains
  - nat: network address translation; has the PREROUTING, OUTPUT and POSTROUTING chains
  - mangle: marks packets; almost never used
  - raw: exempts certain packets from connection tracking; never used
  - security: not present in CentOS 6; holds network rules for Mandatory Access Control (MAC); never used it
- A packet destined for this host passes through PREROUTING -> INPUT, and the reply leaves through OUTPUT -> POSTROUTING. A packet not destined for this host passes through PREROUTING -> FORWARD -> POSTROUTING.
iptables syntax

- View the iptables rules: iptables -nvL
- iptables -F flushes the rules; this is only temporary, the /etc/sysconfig/iptables file is not changed
- service iptables save writes the current rules to that file, making the change permanent
- iptables -t nat: -t selects the table
```
[[email protected] ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
- iptables -Z zeroes the counters (the pkts and bytes columns) so that packet counts can be measured afresh
- -A appends a rule at the end of the chain; -s specifies the source IP, -d the destination IP, -p the protocol, --dport the destination port (--sport the source port), and -j the target (action)
```
[[email protected] ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 1168 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
- -I inserts a rule at the top of the chain (position 1); -D deletes a rule. Rules are evaluated from the first one down, so position matters.
```
[[email protected] ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination
[[email protected] ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
- iptables -I INPUT -s 192.168.188.1/24 -i eth0 -j ACCEPT: -i restricts the rule to packets arriving on that interface
- iptables -nvL --line-numbers shows each rule's number
- iptables -D INPUT 2 deletes the rule with that number
- iptables -P INPUT DROP changes the chain's default policy; done on its own this also drops port 22 traffic and cuts off remote access, so the default policy is usually left as it is.
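Two helpers for the last three points, added here as an example that is not part of the original notes. The first reads the text of iptables -nvL --line-numbers and prints the chain and number of every DROP rule, so the number handed to iptables -D CHAIN N is read off rather than counted by eye. The second prints an iptables-restore file that sets INPUT to DROP while keeping loopback, established connections and SSH from an admin network; loading it with iptables-restore applies the policy and the rules in one atomic step, which avoids the lockout that an interactive iptables -P INPUT DROP causes. iptables itself is never invoked, and the listing used for the demo is constructed to match the output shown above; the function names and the admin network 192.168.188.0/24 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers around the
# "iptables -nvL --line-numbers" / "iptables -D" / "iptables -P" commands.

# drop_rules_from_listing
#   Reads "iptables -nvL --line-numbers" output on stdin and prints
#   "CHAIN NUM" for every rule whose target is DROP.
drop_rules_from_listing() {
    awk '
        /^Chain / { chain = $2; next }            # "Chain INPUT (policy ...)"
        /^num /   { next }                        # column header line
        NF >= 4 && $4 == "DROP" { print chain, $1 }
    '
}

# gen_input_ruleset ADMIN_CIDR
#   Prints an iptables-restore file for the filter table: default DROP on
#   INPUT and FORWARD, loopback and replies to our own connections allowed,
#   SSH allowed only from ADMIN_CIDR. Apply with: iptables-restore < file
gen_input_ruleset() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Constructed sample, in the format of "iptables -nvL --line-numbers",
# mirroring the rules shown in the notes plus one ACCEPT rule.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
3        0     0 ACCEPT     all  --  eth0   *       192.168.188.0/24     0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'

# Demo: which rules would "iptables -D INPUT N" have to name?
printf '%s' "$SAMPLE_LISTING" | drop_rules_from_listing
# Demo: the ruleset for an admin network (constructed value).
gen_input_ruleset 192.168.188.0/24
```

On a live system, feed real output with iptables -nvL --line-numbers | sh -c '. ./script.sh; drop_rules_from_listing' or just copy the function into your shell. Write the generated ruleset to a file and load it with iptables-restore; service iptables save then persists it to /etc/sysconfig/iptables as the notes describe.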
Further reading
- [SELinux tutorial](http://os.51cto.com/art/201209/355490.htm)
- [SELinux e-book](http://pan.baidu.com/s/1jGGdExK)