您的位置：首页 > 理论基础 > 计算机网络

2018-1-24 7周3次课网络、firewalld、netfilter、iptables语法

2018-01-24 21:06 381 查看

10.11 Linux网络相关

安装：yum install -y net-tools

·查看网卡ip：ifconfig

[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.65.128  netmask 255.255.255.0  broadcast 192.168.65.255
inet6 fe80::7cd2:a780:c114:4d06  prefixlen 64  scopeid 0x20<link>
ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)
RX packets 38578  bytes 19915225 (18.9 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 88936  bytes 20130502 (19.1 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10<host>
loop  txqueuelen 1  (Local Loopback)
RX packets 68  bytes 5916 (5.7 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 68  bytes 5916 (5.7 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

·查看所有网卡（包括没有启动的网卡）：ifconfig -a

·启动网卡：ifup 网卡名
·关闭网卡：ifdown 网卡名

[root@localhost ~]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/2）

·设定虚拟网卡：

[root@localhost network-scripts]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vim ifcfg-ens33\:0

保存退出

[root@localhost network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/3）
[root@localhost network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.65.128  netmask 255.255.255.0  broadcast 192.168.65.255
inet6 fe80::7cd2:a780:c114:4d06  prefixlen 64  scopeid 0x20<link>
ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)
RX packets 39173  bytes 19967129 (19.0 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 89362  bytes 20190444 (19.2 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.65.150  netmask 255.255.255.0  broadcast 192.168.65.255
ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10<host>
loop  txqueuelen 1  (Local Loopback)
RX packets 68  bytes 5916 (5.7 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 68  bytes 5916 (5.7 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

（可以看出，已经多了一个虚拟网卡ens33:0）

·查看网卡是否连接：
mii-tool 网卡名
ethtool 网卡名

[root@localhost ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok      ##连接正常
[root@localhost ~]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes:   10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes                                ##连接正常

·更改主机名：hostnamectl

[root@localhost ~]# hostnamectl set-hostname alexis
hostname配置文件：/etc/hostname

·DNS配置文件：/etc/resolv.conf

[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29

（参数由网卡配置文件所定义，哪怕更改，再重启网卡，依然会被恢复为网卡内的参数）

/etc/hosts文件
[root@localhost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
前面为IP，后面为域名
一行可以有多个域名
多个相同的域名不同的IP，默认使用最后一个IP

10.12 firewalld和netfilter

·临时关闭selinux：setenforce 0

[root@localhost ~]# getenforce
Permissive

·永久关闭selinux：编辑/etc/selinux/config

[root@localhost ~]# vim /etc/selinux/config

·CentOS7之前使用netfilter防火墙，CentOS7开始使用firewalld防火墙

·关闭firewalld，开启netfilter

[root@localhost ~]# systemctl disable firewalld                ##禁用firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# systemctl stop firewalld##停止firewalld
[root@localhost ~]# yum install -y iptables-services
（过程省略）
[root@localhost ~]# systemctl enable iptables                ##允许iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables                    ##开启iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
26  1716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
pkts bytes target     prot opt in     out     source               destination

（netfilter防火墙的名字而iptables是工具）

10.13 netfilter5表5链介绍

netfilter的5个表：（1）filter （2）nat （3）managle （4）raw （5）security
netfilter的5个链：（1）INPUT（2）OUTPUT（3）FORWARD（4）PREROUTING（5）POSTROUTING

managle，raw，security表基本用不到，因此不用关注，只需要关注filter和nat即可

·iptables传输数据包的过程：

数据包进入本机：PREROUTING—>INPUT—>OUTPUT—>POSTROUTING
数据包不经过本机，而是转发出去：PREROUTING—>FORWARD—>POSTROUTING

参考：http://www.cnblogs.com/metoy/p/4320813.html

10.14 iptables语法

·查看iptables规则：iptables -nvL

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
26  1716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
pkts bytes target     prot opt in     out     source               destination

·iptables规则保存在 /etc/sysconfig/iptables 中

[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

·清空iptables规则：iptables -F

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL                ##清空规则后，实际配置文件并没有变化
Chain INPUT (policy ACCEPT 12 packets, 792 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 900 bytes)
pkts bytes target     prot opt in     out     source               destination

·保存iptables规则：service iptables save

[root@localhost ~]# service iptables save

·加载iptables规则：重启服务器或者重新启动服务service iptables restart

[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
12   792 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 7 packets, 884 bytes)
pkts bytes target     prot opt in     out     source               destination

（重启服务器或者重启iptables规则，都会去加载配置文件 /etc/sysconfig/iptables 中的规则）

·默认iptables查看的时netfilter表的规则 iptables -t netfilter -nvL（不加 -t 就是filter表）
·查看nat表的规则：iptables -t nat -nvL

[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

·计数器清零：iptables -Z

[root@localhost ~]# iptables -Z;iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

·iptables：
-A 增加一条规则 INPUT：针对的链
-s 指定来源ip
-p 指定协议（tcp、udp、icmp）
--sport 来源端口
-d 目标ip
--dport 目标端口
-j 操作（DROP扔掉 / REJECT 拒绝）
-I 插入
-i 指定网卡

·增加规则：iptables -A

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

·插入规则：iptables -I

iptables -I INPUT -p tcp --dport 80 -j DROP## -I 直接插队到最前面，-A只是添加
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
128 10156 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
2   470 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 636 bytes)
pkts bytes target     prot opt in     out     source               destination

·删除规则：iptables -D

[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
201 15908 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
3   705 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 528 bytes)
pkts bytes target     prot opt in     out     source               destination

·删除规则（简便方法）：
1，先给规则一个规则号；2，再删除规则号对应的规则

[root@localhost ~]# iptables -nvL --line-number            ##指定规则号
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      337 25080 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        3   705 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 67 packets, 6092 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -D INPUT 1                ##删除第一个规则
[root@localhost ~]# iptables -nvL                        ##之前的第一条规则已经被删除
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
477 34948 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4   940 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 55 packets, 6900 bytes)
pkts bytes target     prot opt in     out     source               destination

·指定网卡：iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
·默认规则：（数据包如果没有具体规则来匹配，那么就走默认的策略 policy）
更改默认策略：iptables -P OUTPUT DROP（运行的话，远程连接就会被禁掉，只能到主机去修改规则）
改回策略：iptables -P OUTPUT ACCEPT （放行）、
DROP / REJECT / ACCEPT

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签： 网络 firewalld netfilter

相关文章推荐

新的分享

章节导航

2018-1-24 7周3次课 网络、firewalld、netfilter、iptables语法

2018-1-24 7周3次课网络、firewalld、netfilter、iptables语法