Network interfaces, firewalls and iptables


Linux networking basics
  • ifconfig shows the IP addresses of the NICs (install it with yum install net-tools)
  • ifdown ens33 / ifup ens33 bring a single NIC down and back up, i.e. restart just that interface (ifdown ens33 && ifup ens33)
  • Setting up the virtual NIC (alias interface) ens33:0
[[email protected] ~]# cd /etc/sysconfig/network-scripts/
[[email protected] network-scripts]# ls
ifcfg-ens33  ifdown-isdn      ifup          ifup-plip      ifup-tunnel
ifcfg-lo     ifdown-post      ifup-aliases  ifup-plusb     ifup-wireless
ifdown       ifdown-ppp       ifup-bnep     ifup-post      init.ipv6-global
ifdown-bnep  ifdown-routes    ifup-eth      ifup-ppp       network-functions
ifdown-eth   ifdown-sit       ifup-ib       ifup-routes    network-functions-ipv6
ifdown-ib    ifdown-Team      ifup-ippp     ifup-sit
ifdown-ippp  ifdown-TeamPort  ifup-ipv6     ifup-Team
ifdown-ipv6  ifdown-tunnel    ifup-isdn     ifup-TeamPort
[[email protected] network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[[email protected] network-scripts]# vim !$
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.16.150
NETMASK=255.255.255.0

[[email protected] network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 ‘ens33‘。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/1)
[[email protected] network-scripts]# ifconfig -a
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.16.120  netmask 255.255.255.0  broadcast 192.168.16.255
        inet6 fe80::1712:620b:c34:266e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c6:6d:0b  txqueuelen 1000  (Ethernet)
        RX packets 614  bytes 56738 (55.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 515  bytes 58688 (57.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.16.150  netmask 255.255.255.0  broadcast 192.168.16.255
        ether 00:0c:29:c6:6d:0b  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 76  bytes 6204 (6.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 76  bytes 6204 (6.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • Check whether the NIC has link
[[email protected] network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[[email protected] network-scripts]# ethtool ens33
Settings for ens33:
    Supported ports: [ TP ]
    Supported link modes:   10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
                            1000baseT/Full 
    Supported pause frame use: No
    Supports auto-negotiation: Yes
    Advertised link modes:  10baseT/Half 10baseT/Full 
                            100baseT/Half 100baseT/Full 
                            1000baseT/Full 
    Advertised pause frame use: No
    Advertised auto-negotiation: Yes
    Speed: 1000Mb/s
    Duplex: Full
    Port: Twisted Pair
    PHYAD: 0
    Transceiver: internal
    Auto-negotiation: on
    MDI-X: off (auto)
    Supports Wake-on: d
    Wake-on: d
    Current message level: 0x00000007 (7)
                   drv probe link
    Link detected: yes
  • Change the hostname: hostnamectl set-hostname aminglinux-001; the name is stored in /etc/hostname
  • DNS configuration file /etc/resolv.conf; edits made there are only temporary. For a permanent change, edit the NIC configuration file /etc/sysconfig/network-scripts/ifcfg-ens33
  • /etc/hosts holds the local name resolution table. One IP can map to several names; when the same IP appears on several lines, the last line takes effect.
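The step above copies ifcfg-ens33 to ifcfg-ens33:0 and edits NAME, DEVICE and the address by hand. The following POSIX sh checker is an added example, not code from the original post: run before ifup, it catches the slips that copy-and-edit invites, namely DEVICE or NAME still reading ens33 (ifup would then reconfigure the real interface instead of adding an alias), BOOTPROTO left at dhcp, or an IPADDR/NETMASK that is not a valid dotted quad. It assumes the RHEL/CentOS KEY=value ifcfg format; the two sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check an ifcfg alias
# file (e.g. ifcfg-ens33:0) before running ifup. Assumes the RHEL/CentOS
# KEY=value ifcfg format; the sample files in write_samples are constructed.

# ifcfg_get FILE KEY: print KEY's value (last occurrence wins, as when sourced)
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# is_ipv4 STRING: succeed only for a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# check_ifcfg_alias FILE: report every problem found; succeed only if none
check_ifcfg_alias() {
    f=$1; rc=0
    expect=${f##*ifcfg-}                     # .../ifcfg-ens33:0 -> ens33:0
    dev=$(ifcfg_get "$f" DEVICE)
    name=$(ifcfg_get "$f" NAME)
    proto=$(ifcfg_get "$f" BOOTPROTO)
    ip=$(ifcfg_get "$f" IPADDR)
    mask=$(ifcfg_get "$f" NETMASK)
    case "$expect" in
        *:*) ;;
        *) echo "$f: '$expect' has no :N suffix, so it is not an alias"; rc=1 ;;
    esac
    [ "$dev" = "$expect" ]  || { echo "$f: DEVICE='$dev' but the file name implies '$expect'"; rc=1; }
    [ "$name" = "$expect" ] || { echo "$f: NAME='$name' but the file name implies '$expect'"; rc=1; }
    case "$proto" in
        static|none) ;;
        *) echo "$f: BOOTPROTO='$proto', an alias needs static (or none)"; rc=1 ;;
    esac
    is_ipv4 "$ip"   || { echo "$f: IPADDR='$ip' is not a valid IPv4 address"; rc=1; }
    is_ipv4 "$mask" || { echo "$f: NETMASK='$mask' is not a valid IPv4 netmask"; rc=1; }
    return $rc
}

# write_samples DIR: two constructed files, one edited correctly, one not
write_samples() {
    cat > "$1/ifcfg-ens33:0" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33:0
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.16.150
NETMASK=255.255.255.0
EOF
    # copied but never edited: DEVICE/NAME still ens33, dhcp, bad octet
    cat > "$1/ifcfg-ens33:1" <<'EOF'
TYPE=Ethernet
BOOTPROTO=dhcp
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.16.300
NETMASK=255.255.255.0
EOF
}

# Demo run over the constructed samples
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/ifcfg-ens33:0" "$tmp/ifcfg-ens33:1"; do
    if check_ifcfg_alias "$f"; then echo "$f: OK"; fi
done
rm -rf "$tmp"
```

Point it at a real file with check_ifcfg_alias /etc/sysconfig/network-scripts/ifcfg-ens33:0; a non-zero exit means do not run ifup yet.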

Linux firewall

  • Disable SELinux temporarily: setenforce 0
  • Disable SELinux permanently:
[[email protected] ~]# vim /etc/selinux/config
SELINUX=disabled
  • Before CentOS 7 the netfilter firewall was used
  • From CentOS 7 on, the firewalld firewall is used
  • To disable firewalld and enable netfilter:
    • systemctl disable firewalld
    • systemctl stop firewalld
    • yum install -y iptables-services
    • systemctl enable iptables
    • systemctl start iptables
  • iptables -nvL shows the default rules; iptables is the management tool for the Linux firewall

Linux firewall: netfilter

  • netfilter's 5 tables
    • The filter table filters packets; it is the most commonly used table and has three chains: INPUT, FORWARD (packets not addressed to this host) and OUTPUT
    • The nat table does network address translation and has three chains: PREROUTING, OUTPUT and POSTROUTING
    • The mangle table marks packets; it is almost never used
    • The raw table exempts certain packets from connection tracking; never used
    • The security table does not exist in CentOS 6; it holds network rules for mandatory access control (MAC); I have never used it
  • A packet addressed to this host passes through PREROUTING -> INPUT -> OUTPUT -> POSTROUTING; a packet not addressed to this host passes through PREROUTING -> FORWARD -> POSTROUTING.

iptables syntax

  • Show the iptables rules: iptables -nvL
  • iptables -F flushes the rules; this is only temporary, the saved rules live in the file /etc/sysconfig/iptables
  • service iptables save writes the rules to that file, making the change permanent
  • iptables -t nat: -t selects the table
[[email protected] ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  • iptables -Z resets the counters, clearing the pkts and bytes columns; useful when you want to count packets afresh
  • -A appends a rule at the end of the chain; -s specifies the source IP, -d the destination IP, -p the protocol, --dport the destination port and -j the action (target)

[[email protected] ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 20 packets, 1372 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 1168 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  • -I inserts a rule at the top of the chain (first line); -D deletes a rule. Rules are matched in order, starting from the first one
[[email protected] ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[[email protected] ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[[email protected] ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  • iptables -I INPUT -s 192.168.188.1/24 -i eth0 -j ACCEPT: -i specifies the inbound NIC
  • iptables -nvL --line-numbers shows the rules with their numbers
  • iptables -D INPUT 2 deletes the rule with the given number
  • iptables -P INPUT DROP changes the chain's default policy; doing this would also drop port 22 traffic and break remote connections, so the default policy is normally left as it is.
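The last bullet is the lock-out risk every iptables beginner hits: a DROP policy on INPUT with no ACCEPT for SSH in front of it. The script below is an added example, not the post's own commands, that turns the syntax above (-P, -F, -A, -i, -s, -p, --dport, -j, -nvL --line-numbers) into a safe procedure: the allow rules are appended first and the policy change is the very last command, and a pre-save check parses iptables -nvL --line-numbers output to confirm an SSH ACCEPT rule is present in INPUT before anything is persisted with service iptables save. It generalizes the post's single-rule examples to a small baseline ruleset. The management network 192.168.188.0/24, the NIC name ens33 and the two listings are constructed placeholders; pass echo instead of iptables for a dry run.

```shell
#!/bin/sh
# Added example, not code from the original post. Makes "iptables -P INPUT
# DROP" safe and checkable:
#   input_rules BIN   prints the INPUT-chain commands in the only safe order:
#                     policy back to ACCEPT, flush, allow loopback and
#                     established traffic, allow SSH from the management
#                     network, allow the service port, DROP policy last.
#   apply_rules BIN   runs them one by one (BIN=echo gives a dry run).
#   ssh_allowed       reads "iptables -nvL --line-numbers" output on stdin and
#                     succeeds only if INPUT holds an ACCEPT for tcp dpt:22;
#                     run it before "service iptables save".
# MGMT_NET, IFACE and the listings below are constructed placeholders.

MGMT_NET=${MGMT_NET:-192.168.188.0/24}
IFACE=${IFACE:-ens33}

input_rules() {
    ipt=${1:-iptables}
    cat <<EOF
$ipt -P INPUT ACCEPT
$ipt -F INPUT
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $IFACE -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -P INPUT DROP
EOF
}

# Stop at the first failing command: because the policy change is the last
# line, a typo earlier never leaves a half-built chain behind a DROP policy.
apply_rules() {
    input_rules "$1" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# The target is column 4 in --line-numbers output (num pkts bytes target ...).
ssh_allowed() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $4 == "ACCEPT" && /tcp dpt:22( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed listing as it would look after apply_rules (counters invented).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 3 packets, 180 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      300 41200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        4   240 ACCEPT     tcp  --  ens33  *       192.168.188.0/24     0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

# The same listing after someone ran "iptables -D INPUT 3": the lock-out case.
locked_out_listing() {
    sample_listing | grep -v 'dpt:22'
}

# Dry run, then the pre-save check on both listings.
apply_rules echo
if sample_listing | ssh_allowed; then
    echo "OK: INPUT allows SSH, a DROP policy is safe to keep"
fi
if ! locked_out_listing | ssh_allowed; then
    echo "WARNING: no SSH ACCEPT in INPUT, do not set or save a DROP policy"
fi
```

On a real host the check is iptables -nvL --line-numbers | ssh_allowed && service iptables save; if it fails, add the SSH rule with -I INPUT first, since -I puts it at the top where it is matched before anything else.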
