Linux networking and iptables syntax
ifconfig shows each NIC with its IP address, netmask, broadcast address and MAC address. It does not show the default gateway; use route -n (also from net-tools) or ip route for that.
If ifconfig is missing on CentOS 7, install the net-tools package: yum install net-tools (it also provides route and mii-tool). The iproute2 equivalent, ip addr, is present by default.
Restart one NIC: ifdown NICNAME && ifup NICNAME. Do this from the console when the NIC carries your SSH session, since a failed ifup leaves you with no way back in.
Adding a virtual NIC (an IP alias on an existing NIC)
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ippp  ifdown-routes  ifup          ifup-ippp   ifup-post      ifup-TeamPort  network-functions
ifcfg-lo     ifdown-ipv6  ifdown-sit     ifup-aliases  ifup-ipv6   ifup-ppp       ifup-tunnel    network-functions-ipv6
ifdown       ifdown-isdn  ifdown-Team    ifup-bnep     ifup-isdn   ifup-routes    ifup-wireless
ifdown-bnep  ifdown-post  ifdown-TeamPort ifup-eth     ifup-plip   ifup-sit       init.ipv6-global
ifdown-eth   ifdown-ppp   ifdown-tunnel  ifup-ib       ifup-plusb  ifup-Team
ifdown-ib
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vi !$
vi ifcfg-ens33\:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
DEVICE=ens33:
ONBOOT=yes
IPADDR=192.168.245.130
NETMASK=255.255.255.0
Three things in the copied file need attention. DEVICE must be the alias name, ens33:0, matching the file name; in this session it was left as ens33:, which is why the alias shows up as ens33:: in the ifconfig output below. NAME should be changed as well, and the UUID line should be deleted: it was copied from ens33, and NetworkManager identifies connections by UUID, so two files sharing one UUID are treated as the same connection. BOOTPROTO has to be static with an IPADDR and NETMASK, because ifup-aliases only handles static addresses.
[root@localhost network-scripts]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@localhost network-scripts]#
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.245.128  netmask 255.255.255.0  broadcast 192.168.245.255
        inet6 fe80::dbd:48aa:6994:bf39  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:6f:fa  txqueuelen 1000  (Ethernet)
        RX packets 4396  bytes 330121 (322.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1291  bytes 122535 (119.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens33:: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.245.130  netmask 255.255.255.0  broadcast 192.168.245.255
        ether 00:0c:29:d6:6f:fa  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 80  bytes 6940 (6.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 6940 (6.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The alias address 192.168.245.130 answers to ping, so the virtual NIC is up. It shares the MAC address of ens33: on the wire this is one NIC answering for two IP addresses, not a second interface.
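Deriving the alias file by hand is where the DEVICE, NAME and UUID mistakes above come from. The following is an added example, not part of the original page: a POSIX shell function that builds the alias ifcfg from the parent's file on stdin, dropping the keys that must not be shared and refusing an alias name without the :N suffix. The function name, the constructed parent file and the key list are mine; the key names are the ones this page's ifcfg uses.

```shell
# Constructed sample: a static ifcfg-ens33 like the parent NIC on this page.
PARENT_CFG='TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=ens33
UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.245.128
NETMASK=255.255.255.0'

# make_alias_cfg ALIAS IPADDR NETMASK
# Reads the parent's ifcfg on stdin and prints the alias ifcfg on stdout.
# Keeps generic settings (TYPE, ONBOOT, IPv6 options, ...), drops the keys
# that identify the parent (UUID, HWADDR) or that must differ on the alias,
# and appends the alias-specific values. ALIAS must look like parent:N.
make_alias_cfg() {
    alias_dev=$1 ip=$2 mask=$3
    case $alias_dev in
        *:[0-9]*) ;;
        *) printf 'make_alias_cfg: alias name must be NIC:N, got %s\n' "$alias_dev" >&2; return 1 ;;
    esac
    # grep returns 1 when no line survives the filter; that is not an error here.
    grep -Ev '^(UUID|HWADDR|DEVICE|NAME|IPADDR|PREFIX|NETMASK|BOOTPROTO)=' || true
    printf '%s\n' "BOOTPROTO=static" "DEVICE=$alias_dev" "NAME=$alias_dev" \
        "IPADDR=$ip" "NETMASK=$mask"
}

# Demo on the constructed parent; on a real host the stdin would be
# /etc/sysconfig/network-scripts/ifcfg-ens33 and the output would be
# redirected to ifcfg-ens33:0 before running ifdown/ifup.
demo_alias_cfg() {
    printf '%s\n' "$PARENT_CFG" | make_alias_cfg ens33:0 192.168.245.130 255.255.255.0
}
```

Usage on a live box: make_alias_cfg ens33:0 192.168.245.130 255.255.255.0 < ifcfg-ens33 > ifcfg-ens33:0, then ifdown ens33 && ifup ens33 as above. The generated file has exactly one DEVICE line and no UUID, so NetworkManager sees a distinct connection rather than a duplicate of ens33.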
-
Check whether a NIC has link (cable plugged in and negotiated): mii-tool ens33
[root@localhost network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@localhost network-scripts]#
link ok means the link is up; no link means no carrier was detected.
ethtool ens33 reports the same thing in its "Link detected:" line and also works on NICs whose driver has no MII support. On a virtual machine either tool reports the hypervisor's virtual link, not a physical cable.
-
Changing the hostname (hostnamectl writes /etc/hostname and applies the name at once; the prompt only refreshes in a new shell, hence the bash at the end)
[root@localhost network-scripts]# hostnamectl set-hostname aminglinux-01
[root@localhost network-scripts]# hostname
aminglinux-01
[root@localhost network-scripts]# bash
[root@aminglinux-01 network-scripts]#
-
Checking DNS
[root@aminglinux-01 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
[root@aminglinux-01 network-scripts]#
The "Generated by NetworkManager" header means hand edits to this file are overwritten the next time the connection comes up. To change the resolver, set DNS1= (and DNS2=) in the NIC's ifcfg file, or set PEERDNS=no to stop NetworkManager from managing the file, and re-run ifup.
Linux firewall: netfilter
SELinux, temporary: setenforce 0 switches to permissive mode (denials are logged but not enforced; getenforce shows the current mode; the change is lost at reboot).
SELinux, permanent: edit /etc/selinux/config and set SELINUX=disabled (or SELINUX=permissive), then reboot. Disabling SELinux removes a mandatory access control layer from the host; for troubleshooting, permissive mode answers the same "is SELinux the problem" question while keeping the AVC denials in the audit log, so the policy can be fixed instead of removed.
CentOS 6 and CentOS 7 both use netfilter, the packet-filtering framework inside the kernel. What changed in CentOS 7 is the user-space front end: the iptables service (rules kept in /etc/sysconfig/iptables) was replaced as the default by firewalld, which itself still programs netfilter through iptables. The rest of this page uses the iptables service directly, so firewalld has to be turned off first.
Disable firewalld: systemctl disable firewalld only removes it from the boot sequence; add systemctl stop firewalld to stop the running instance. Running firewalld and the iptables service at the same time is not supported, since both rewrite the same ruleset.
[root@aminglinux-01 network-scripts]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@aminglinux-01 network-scripts]#
Enable the iptables service (not installed by default on CentOS 7):
yum install -y iptables-services
Once started, the service loads /etc/sysconfig/iptables. List the live rules with iptables -nvL: -n skips DNS and port-name lookups, -v adds packet and byte counters, -L lists the chains.
[root@aminglinux-01 network-scripts]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux-01 network-scripts]# systemctl start iptables
[root@aminglinux-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-01 network-scripts]#
The five netfilter tables and five chains
-
The five tables
filter: packet filtering; the default table, the one iptables acts on when -t is not given. Its built-in chains are INPUT, OUTPUT and FORWARD: INPUT handles packets addressed to this host, OUTPUT packets generated by this host, FORWARD packets this host routes between interfaces (neither from nor to the host itself, only relevant when net.ipv4.ip_forward=1).
nat: network address translation, consulted only for the first packet of a connection (later packets follow the conntrack entry). Its chains: PREROUTING rewrites the destination address as a packet arrives (DNAT, port forwarding), OUTPUT rewrites the destination of locally generated packets, POSTROUTING rewrites the source address just before the packet leaves (SNAT, MASQUERADE). Kernels since 2.6.36 add an INPUT chain to this table as well.
mangle: modifies packet headers (TTL, TOS/DSCP) and sets marks (MARK, CONNMARK) that later stages act on, for example policy routing with ip rule fwmark or traffic shaping with tc. Rarely needed on a plain server, routine on routers and gateways.
raw: the first table a packet meets; its main use is the NOTRACK target, which exempts chosen packets from connection tracking. Every connection is tracked by default, which costs memory and CPU, so high-volume flows that need no stateful treatment (a heavily hit DNS port, for example) can be excluded here.
security: absent in CentOS 6; consulted after filter and used for mandatory access control (SELinux) network rules through the SECMARK and CONNSECMARK targets.
-
The five chains
PREROUTING: just after a packet arrives on an interface, before the routing decision.
INPUT: after the routing decision, for packets whose destination is this host.
FORWARD: after the routing decision, for packets whose destination is another host (the packet is being routed through).
OUTPUT: packets generated by this host, after the local routing decision.
POSTROUTING: just before a packet is handed to the outgoing interface.
A packet for this host passes PREROUTING then INPUT; a routed packet passes PREROUTING, FORWARD, POSTROUTING; a packet sent by this host passes OUTPUT then POSTROUTING. When several tables have the same chain they are consulted in a fixed priority order: raw, mangle, nat (destination rewriting), filter, security, nat (source rewriting). This is why filter rules in INPUT and FORWARD see the destination address as already rewritten by nat PREROUTING.
iptables syntax
Where iptables rules are stored
[root@aminglinux-01 network-scripts]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-01 network-scripts]#
This is iptables-restore format: *filter opens the table, the :CHAIN POLICY [packets:bytes] lines set each built-in chain's default policy and counters, the -A lines are ordinary iptables rule arguments, and COMMIT applies the table. Read top to bottom, the default ruleset accepts replies to connections the host already has (RELATED,ESTABLISHED), ICMP, anything on loopback, and new TCP connections to port 22, then rejects everything else with an ICMP host-prohibited message; it also rejects all forwarding. Because the deny is a rule rather than the chain policy, the protection depends on that last rule being present.
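To show the file format in use, here is an added example that is not part of this page: a POSIX shell function that generates a file in the same iptables-restore format as /etc/sysconfig/iptables from a list of allowed TCP ports. It goes beyond the default above in two respects, both mine: the INPUT and FORWARD policies are DROP so that a flushed table fails closed rather than open, and packets conntrack classifies as INVALID are dropped early. The function name and the port list are assumptions for the demonstration.

```shell
# gen_filter_rules PORT...
# Print an iptables-restore file for the filter table on stdout. Each PORT is
# a TCP port that may receive new connections; everything else is rejected.
# Ports are validated first so a bad argument produces no partial output.
gen_filter_rules() {
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) printf 'gen_filter_rules: not a port number: %s\n' "$port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            printf 'gen_filter_rules: port out of range: %s\n' "$port" >&2; return 1
        fi
    done
    # Default-deny policies: if someone runs `iptables -F`, the host stays closed.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Same shape as the CentOS default: established traffic, ICMP, loopback first.
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # Explicit reject at the end so clients get an error instead of a timeout.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}
```

To apply it: gen_filter_rules 22 80 443 > /tmp/iptables.rules, then iptables-restore --test /tmp/iptables.rules to parse it without loading, iptables-restore /tmp/iptables.rules to load it, and service iptables save to persist it. Keep 22 in the list when working over SSH: with a DROP policy there is no catch-all ACCEPT to fall back on.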
iptables -F flushes all rules from a table (filter unless -t TABLE is given; the same applies to -L, which prints the filter table when -t is omitted). It affects only the running ruleset: /etc/sysconfig/iptables keeps its contents and the rules return at the next service restart. It also leaves the chain policies unchanged. With the default file above, whose policies are all ACCEPT and whose deny is a final REJECT rule, a flush therefore opens every port on the host, as the empty listing below shows (INPUT policy ACCEPT, no rules). Had the policy been DROP, the same flush over SSH would have locked you out instead; decide the policy before adding or flushing rules.
[root@aminglinux-01 ~]# iptables -F
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 948 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 1208 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-01 ~]#
iptables -nvL --line-numbers shows each rule's position number (the transcripts below use --line-number, which iptables accepts as an unambiguous abbreviation).
Zero the packet and byte counters: iptables -Z.
Save the running rules to /etc/sysconfig/iptables: service iptables save (provided by iptables-services; iptables-save > /etc/sysconfig/iptables does the same). Without this, rules added with iptables commands are lost at the next restart.
-A / -D: append a rule to the end of a chain / delete a rule, either by repeating its specification or by chain and rule number.
-I: insert a rule. Unlike -A it inserts at the top of the chain (position 1) or at a given position (iptables -I INPUT 3 ...). Rules are evaluated top to bottom and the first matching terminating rule decides, so -A and -I are not interchangeable: a rule appended after a catch-all REJECT or DROP never matches.
-p: protocol: tcp, udp or icmp (all matches any).
--dport: destination port; only valid together with -p tcp or -p udp.
--sport: source port; likewise requires -p tcp or -p udp.
-s: source IP address or network in CIDR form (192.168.188.0/24); -d is the destination address.
-j: the target action. ACCEPT lets the packet through, DROP discards it silently (the sender sees a timeout), REJECT discards it and sends an error back (ICMP port-unreachable by default, or whatever --reject-with names, as in the default ruleset).
-i: input interface (meaningful in PREROUTING, INPUT and FORWARD); -o is the output interface (FORWARD, OUTPUT and POSTROUTING).
[root@aminglinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  440 36272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   71  7269 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1288 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-01 ~]#
Note where the rule landed and what its counter does: -A appended the DROP as rule 6, below the catch-all REJECT at rule 5. Every packet that reaches rule 5 is rejected there, so rule 6 is never evaluated and its counter stays at 0 however much traffic 192.168.188.1 sends to port 80, while the REJECT counter keeps climbing (71 here, 73 in the next listing). For the rule to take effect it has to sit above the REJECT, which is what -I with a position (here 5) is for. Matching on the client's source port is also of little use as a block, since the client chooses that port and will simply use another; a host block normally matches only -s and --dport.
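The dead rule above is the general case of -A versus -I. The following is an added example, not from the original page: POSIX shell functions that read iptables -S output, flag rules shadowed by an earlier unconditional ACCEPT/DROP/REJECT in the same chain, and print the -I command that places a new rule just above that catch-all. The function names, the heuristic for "unconditional" (a rule whose only argument is -j TARGET) and the constructed sample ruleset are mine; the sample mirrors the INPUT chain as it stands after the -A command above.

```shell
# Constructed sample: `iptables -S INPUT` for the ruleset after the `-A ... -j DROP` above.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP'

# A rule counts as unconditional when it is just `-A CHAIN -j TARGET [target options]`
# with a terminating target; everything that reaches it in that chain stops there.
# (Heuristic: a catch-all preceded by e.g. `-m comment` is not recognised.)

# shadowed_rules CHAIN: read `iptables -S` output on stdin and print the 1-based
# positions of rules in CHAIN that follow such a rule and can therefore never match.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (dead) print n
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) dead = 1
        }'
}

# catchall_position CHAIN: position of the first unconditional terminating rule
# in CHAIN (prints nothing if there is none), read from `iptables -S` on stdin.
catchall_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) { print n; exit }
        }'
}

# insert_cmd CHAIN RULESPEC...: print the iptables command that puts RULESPEC
# directly above the catch-all (or at position 1 when the chain has none),
# reading the current ruleset on stdin. Printed, not executed, so it can be reviewed.
insert_cmd() {
    chain=$1; shift
    pos=$(catchall_position "$chain")
    printf 'iptables -I %s %s' "$chain" "${pos:-1}"
    for arg; do printf ' %s' "$arg"; done
    printf '\n'
}

# Demos on the constructed sample. Against a live host the same functions take
# `iptables -S INPUT` as their input instead of $SAMPLE_RULES.
demo_shadowed() { printf '%s\n' "$SAMPLE_RULES" | shadowed_rules INPUT; }
demo_insert() {
    printf '%s\n' "$SAMPLE_RULES" | insert_cmd INPUT \
        -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
}
```

On the sample, demo_shadowed reports rule 6 (the DROP) as unreachable and demo_insert prints iptables -I INPUT 5 followed by the same match, which places the DROP above the REJECT. Running iptables -S INPUT | shadowed_rules INPUT after every change is a cheap way to catch rules that look present in -nvL but do nothing.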
Deleting a rule by number
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      531 42528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       73  7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 69 packets, 7276 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-01 ~]# iptables -D INPUT 6
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      585 46272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       21  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       73  7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-01 ~]#
Rule numbers are positions, not identifiers: after a deletion every rule below it moves up by one. When deleting several rules by number, list once and delete from the highest number down, or delete by specification (iptables -D INPUT followed by the exact arguments used to add the rule), which does not depend on position. As with any change made with iptables commands, the deletion is gone at the next restart unless followed by service iptables save.