标签:安全
1、网卡IP
使用ifconfig和ip add命令查看网卡IP。
[root@server01 ~]# ifconfig ##查看网卡IP,如果不支持,需要安装net-tools ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.137.100 netmask 255.255.255.0 broadcast 192.168.137.255 inet6 fe80::c1d7:5856:9856:2bb8 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:0c:4d:a8 txqueuelen 1000 (Ethernet) RX packets 34093 bytes 19129820 (18.2 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2629771 bytes 3934887034 (3.6 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 76 bytes 6204 (6.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 76 bytes 6204 (6.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@server01 ~]# ifconfig -a ##查看所有网卡IP ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.137.100 netmask 255.255.255.0 broadcast 192.168.137.255 inet6 fe80::c1d7:5856:9856:2bb8 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:0c:4d:a8 txqueuelen 1000 (Ethernet) RX packets 34104 bytes 19130770 (18.2 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2629778 bytes 3934888746 (3.6 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1 (Local Loopback) RX packets 76 bytes 6204 (6.0 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 76 bytes 6204 (6.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@server01 ~]# ip add 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:0c:4d:a8 brd ff:ff:ff:ff:ff:ff inet 192.168.137.100/24 brd 192.168.137.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::c1d7:5856:9856:2bb8/64 scope link valid_lft forever preferred_lft forever
如果要附加一个地址,可以设定虚拟网卡ens33:1。然后使用ifdown ens33/ifup ens33命令重新启动网卡,使配置生效。
[root@server01 ~]# mii-tool ens33 ##查看网卡连接状态 ens33: negotiated 1000baseT-FD flow-control, link ok [root@server01 ~]# ethtool ens33 ##查看网卡连接状态 Settings for ens33: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Supported pause frame use: No Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Full Advertised pause frame use: No Advertised auto-negotiation: Yes Speed: 1000Mb/s Duplex: Full Port: Twisted Pair PHYAD: 0 Transceiver: internal Auto-negotiation: on MDI-X: off (auto) Supports Wake-on: d Wake-on: d Current message level: 0x00000007 (7) drv probe link Link detected: yes ##该行“yes”表示网卡连接正常
2、DNS
[root@server01 ~]# hostnamectl set-hostname juispan ##更改主机名 [root@server01 ~]# bash [root@juispan ~]# [root@server01 ~]# cat /etc/resolv.conf ##DNS的配置文件 # Generated by NetworkManager nameserver 114.114.114.114 ##使用nameserver定义DNS,可以写多个DNS [root@server01 ~]# [root@server01 ~]# cat /etc/hosts ##本地hosts文件,IP和域名映射 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 ##一个IP能对应多个域名,一个域名对应一个IP; ##域名对应IP,以最后的映射为准。
3、防火墙
[root@server01 ~]# setenforce 0 ##临时关闭selinux [root@server01 ~]# getenforce ##查看selinux状态 Permissive [root@server01 ~]# cat /etc/selinux/config ##selinux配置文件 # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing ##改成disabled可以永久关闭 # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
在CentOS 7之前使用netfilter防火墙;CentOS 7开始使用firewalld防火墙。CentOS 7默认采用的是firewalld管理netfilter子系统,底层调用的仍然是iptables命令。不同的防火墙软件相互间存在冲突,使用某个时应禁用其他的。
▎关闭firewalld开启netfilter:
[root@server01 ~]# systemctl stop firewalld [root@server01 ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. [root@server01 ~]# yum install -y iptables-services ...... 已安装: iptables-services.x86_64 0:1.4.21-17.el7 完毕! [root@server01 ~]# systemctl enable iptables Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service. [root@server01 ~]# systemctl start iptables
4、Netfilter
▎Netfilter有5张表:
filter: This is the default table(if no -t option is passed).It contains the built-in chains INPUT(for packets destined to local sockets),FORWARD(for packets being routed through the box),and OUTPUT(for locally-generated packets). ##filter表用于过滤包,是最常用的表,有INPUT、FORWARD、OUTPUT三个链。 nat: This table is consulted when a packet that creates a new connection is encountered.It consists of three built-ins:PREROUTING(for altering packets as soon as they come in),OUTPUT(for altering locally-generated packets before routing),and POSTROUTING(for altering packets as they are about to go out).IPv6 NAT support is available since kernel 3.7. ##nat表用于网络地址转换,有PREROUTING、OUTPUT、POSTROUTING三个链。 mangle: This table is used for specialized packet alteration.Until kernel 2.4.17 it had two built-in chains:PREROUTING(for altering incoming packets before routing) and OUTPUT(for altering locally-generated packets before routing).Since kernel 2.4.18, three other built-in chains are also supported:INPUT(for packets coming into the box itself),FORWARD(for altering packets being routed through the box),and POSTROUTING (for altering packets as they are about to go out). ##managle表用于给数据包做标记,几乎用不到。 raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target.It registers at the net‐filter hooks with higher priority and is thus called before ip_conntrack,or any other IP tables.It provides the following built-in chains:PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes) ##raw表可以实现不追踪某些数据包,几乎用不到。 security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets.Mandatory Access Control is implemented by Linux Security Modules such as SELinux.The security table is called after the filter table,allowing any Dis‐cretionary Access Control(DAC) rules in the filter table to take effect before MAC rules.This table provides the following built-in chains:INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box). ##security表在CentOS 6中并没有,用于强制访问控制(MAC)的网络规则,几乎用不到。
本文出自 “乱码时代” 博客,请务必保留此出处http://juispan.blog.51cto.com/943137/1946904
标签:安全
原文地址:http://juispan.blog.51cto.com/943137/1946904