Tags: 10.11 Linux networking basics; 10.12 firewalld and netfilter; 10.13 netfilter's 5 tables and 5 chains; 10.14 iptables syntax
10.11 Linux networking basics
10.12 firewalld and netfilter
10.13 netfilter's 5 tables and 5 chains
10.14 iptables syntax
Extra (SELinux: awareness only)
SELinux PDF e-book: http://pan.baidu.com/s/1jGGdExK
- The ifconfig command is not installed on CentOS 7; install it with yum install -y net-tools
[root@aminglinux-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.202.130  netmask 255.255.255.0  broadcast 192.168.202.255
        inet6 fe80::a152:bbdf:8b2b:db9b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:55:37:78  txqueuelen 1000  (Ethernet)
        RX packets 172224  bytes 32478560 (30.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 395278  bytes 108140051 (103.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 80  bytes 6544 (6.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 6544 (6.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@aminglinux-01 ~]#

- ifconfig -a: when a NIC is down or has no IP address, plain ifconfig does not show it; add -a to see it.
- ifdown ens33 disables (stops) the NIC; ifup ens33 enables (starts) it.

[root@aminglinux-01 ~]# ifdown ens33

After the ifdown the remote tool (Xshell) disconnected; the only way back was to run ifup ens33 on the VM console.

[root@aminglinux-01 ~]# ifdown ens33; ifup ens33^C

- Do not run ifdown ens33 on its own against the NIC your remote session uses, because that disconnects the session; run ifdown ens33 && ifup ens33 as one command line instead.

[root@aminglinux-01 ~]# ifdown ens33 && ifup ens33
成功断开设备 ‘ens33‘。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/4)
[root@aminglinux-01 ~]#

- Set up a virtual NIC (an alias sub-interface)

[root@aminglinux-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.202.130  netmask 255.255.255.0  broadcast 192.168.202.255
        inet6 fe80::a152:bbdf:8b2b:db9b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:55:37:78  txqueuelen 1000  (Ethernet)
        RX packets 172432  bytes 32499550 (30.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 395469  bytes 108164570 (103.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 96  bytes 7904 (7.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96  bytes 7904 (7.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@aminglinux-01 ~]# cd /etc/sysconfig/network-scripts
[root@aminglinux-01 network-scripts]# ls
ifcfg-ens33  ifdown-isdn      ifup          ifup-plip    ifup-tunnel
ifcfg-lo     ifdown-post      ifup-aliases  ifup-plusb   ifup-wireless
ifdown       ifdown-ppp       ifup-bnep     ifup-post    init.ipv6-global
ifdown-bnep  ifdown-routes    ifup-eth      ifup-ppp     network-functions
ifdown-eth   ifdown-sit       ifup-ib       ifup-routes  network-functions-ipv6
ifdown-ib    ifdown-Team      ifup-ippp     ifup-sit
ifdown-ippp  ifdown-TeamPort  ifup-ipv6     ifup-Team
ifdown-ipv6  ifdown-tunnel    ifup-isdn     ifup-TeamPort
[root@aminglinux-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@aminglinux-01 network-scripts]# vi !$
vi ifcfg-ens33\:0

The copy, after editing NAME, DEVICE and IPADDR for the alias:

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
UUID=8b9a8b20-15a0-45d1-a8db-10ab1d99842d
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.202.150
NETMASK=255.255.255.0
~
:wq
[root@aminglinux-01 network-scripts]# vi ifcfg-ens33\:0

- Now check again:

[root@aminglinux-01 network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 ‘ens33‘。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/5)
[root@aminglinux-01 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.202.130  netmask 255.255.255.0  broadcast 192.168.202.255
        inet6 fe80::a152:bbdf:8b2b:db9b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:55:37:78  txqueuelen 1000  (Ethernet)
        RX packets 172862  bytes 32538182 (31.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 395770  bytes 108203344 (103.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.202.150  netmask 255.255.255.0  broadcast 192.168.202.255
        ether 00:0c:29:55:37:78  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 104  bytes 8584 (8.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 104  bytes 8584 (8.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@aminglinux-01 network-scripts]#

- You can also ping the new address from Windows to check that it is reachable.
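The alias file above is built by hand with cp and vi. As an added example (not code from the original post), the script below generates the same ifcfg-ens33:0 style file from a parent config and first checks that the alias address lies in the parent NIC's subnet, since an alias outside it would come up but be unreachable. The base config, the ens33 device name and the UUID are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: build an ifcfg alias file the way
# the notes do with cp + vi, with a subnet sanity check first.
# Assumes the KEY=value ifcfg layout shown on the page; sample data is constructed.

# ip2int DOTTED_QUAD -> prints the 32-bit integer value of an IPv4 address
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 when both addresses share the network
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# make_alias_cfg DEV IDX IPADDR NETMASK < ifcfg-DEV
# Copies every line of the parent config except the keys that must differ for
# the alias, then appends the alias-specific keys (NAME/DEVICE become DEV:IDX).
make_alias_cfg() {
    awk -v dev="$1" -v idx="$2" -v ip="$3" -v mask="$4" '
        /^(NAME|DEVICE|IPADDR|NETMASK|PREFIX|BOOTPROTO|ONBOOT)=/ { next }
        { print }
        END {
            print "NAME=" dev ":" idx
            print "DEVICE=" dev ":" idx
            print "BOOTPROTO=static"
            print "ONBOOT=yes"
            print "IPADDR=" ip
            print "NETMASK=" mask
        }'
}

# Constructed parent config, modelled on the ifcfg-ens33 shown in the notes
# (placeholder UUID).
BASE_CFG='TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV6INIT=yes
NAME=ens33
UUID=00000000-0000-0000-0000-000000000000
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.202.130
NETMASK=255.255.255.0'

# alias_config ALIAS_IP -> prints the ifcfg-ens33:0 contents for BASE_CFG, or
# fails (exit 1) when the alias would not be on the parent's network
alias_config() {
    base_ip=$(printf '%s\n' "$BASE_CFG" | sed -n 's/^IPADDR=//p')
    base_mask=$(printf '%s\n' "$BASE_CFG" | sed -n 's/^NETMASK=//p')
    same_subnet "$base_ip" "$1" "$base_mask" || return 1
    printf '%s\n' "$BASE_CFG" | make_alias_cfg ens33 0 "$1" "$base_mask"
}

# Example run; on a real host this output would be written to
# /etc/sysconfig/network-scripts/ifcfg-ens33:0 before ifdown ens33 && ifup ens33
alias_config 192.168.202.150
```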
- Check whether a cable is plugged into the NIC: mii-tool ens33 or ethtool ens33
[root@aminglinux-01 network-scripts]# cd
[root@aminglinux-01 ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@aminglinux-01 ~]# ethtool ens33
Settings for ens33:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
[root@aminglinux-01 ~]#

Change the hostname:

[root@aminglinux-01 ~]# hostnamectl set-hostname aminglinux-001
[root@aminglinux-01 ~]# hostname
aminglinux-001
[root@aminglinux-01 ~]# bash
[root@aminglinux-001 ~]# exit
exit
[root@aminglinux-01 ~]# cat /etc/hostname
aminglinux-001
[root@aminglinux-01 ~]#

- DNS configuration file: /etc/resolv.conf. For a temporary DNS change you can edit it with vim /etc/resolv.conf; the change is overwritten when the NIC is restarted, so it is fine as a temporary change.

[root@aminglinux-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8
[root@aminglinux-01 ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8
~
"/etc/resolv.conf" 3L, 73C

The /etc/hosts file:

[root@aminglinux-01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@aminglinux-01 ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=8.66 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=6.18 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=5.72 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=4 ttl=128 time=5.61 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=5 ttl=128 time=6.29 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=6 ttl=128 time=5.85 ms
^C
--- www.qq123.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5010ms
rtt min/avg/max/mdev = 5.616/6.388/8.662/1.046 ms
[root@aminglinux-01 ~]#
[root@aminglinux-01 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.169.202.150 www.qq123.com www.13.com www.aming.com
~
:wq
[root@aminglinux-01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.169.202.150 www.qq123.com www.13.com www.aming.com
[root@aminglinux-01 ~]# vim /etc/hosts
[root@aminglinux-01 ~]# ping www.qq123.com
PING www.qq123.com (192.169.202.150) 56(84) bytes of data.
64 bytes from www.qq123.com (192.169.202.150): icmp_seq=1 ttl=128 time=318 ms
64 bytes from www.qq123.com (192.169.202.150): icmp_seq=2 ttl=128 time=313 ms
64 bytes from www.qq123.com (192.169.202.150): icmp_seq=3 ttl=128 time=307 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 307.321/313.110/318.216/4.497 ms
[root@aminglinux-01 ~]#

- When the same hostname is listed on two lines (one earlier, one later), the later IP takes precedence:

[root@aminglinux-01 ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.169.202.150 www.qq123.com www.13.com www.aming.com
127.0.0.1 www.13.com
~
:wq
[root@aminglinux-01 ~]# vim /etc/hosts
[root@aminglinux-01 ~]# ping www.13.com
PING www.qq123.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.099 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.092 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.092/0.414/1.052/0.451 ms
[root@aminglinux-01 ~]#

- One IP can also carry several hostnames:

[root@aminglinux-01 ~]# ping www.aming.com
PING www.qq123.com (192.169.202.150) 56(84) bytes of data.
64 bytes from www.qq123.com (192.169.202.150): icmp_seq=1 ttl=128 time=269 ms
64 bytes from www.qq123.com (192.169.202.150): icmp_seq=2 ttl=128 time=269 ms
^C
--- www.qq123.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 269.071/269.442/269.814/0.638 ms
[root@aminglinux-01 ~]#
- SELinux: temporarily disable it with setenforce 0; check its status with getenforce.
1. Permissive vs. Enforcing: in Permissive mode SELinux is still enabled, but when an action should be blocked it is not actually blocked; only a warning is recorded. You do not see it on screen, but it is logged. A change in the config file takes effect after a reboot.

[root@aminglinux-01 ~]# vi /etc/selinux/config
[root@aminglinux-01 ~]# getenforce
Enforcing
[root@aminglinux-01 ~]# setenforce 0
[root@aminglinux-01 ~]# getenforce
Permissive
[root@aminglinux-01 ~]#

- To disable SELinux permanently, edit the config file: vim /etc/selinux/config

[root@aminglinux-01 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
~
"/etc/selinux/config" 14L, 547C                                   1,0-1         全部

- Change SELINUX=enforcing to SELINUX=disabled:

[root@aminglinux-01 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
~
:wq
[root@aminglinux-01 ~]# vi /etc/selinux/config
[root@aminglinux-01 ~]# getenforce
Enforcing
[root@aminglinux-01 ~]# setenforce 0
[root@aminglinux-01 ~]# getenforce
Permissive
[root@aminglinux-01 ~]# vim /etc/selinux/config
[root@aminglinux-01 ~]# getenforce
Permissive

Firewall: netfilter and firewalld --> iptables (ports 80, 22, 8080)
1. First close firewalld: disable it and stop the service.
2. Then open netfilter: install the iptables-services package with yum, then enable the iptables service and start it.

1. First stop firewalld from starting at boot:
[root@aminglinux-001 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
2. Then stop the service:
[root@aminglinux-001 ~]# systemctl disable firewalld
3. Then enable the netfilter firewall; before that, install the package it needs: yum install -y iptables-services
[root@aminglinux-001 ~]# yum install -y iptables-services
已加载插件:fastestmirror
base                                                     | 3.6 kB  00:00:00
epel/x86_64/metalink                                     | 6.3 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
Determining fastest mirrors
 * epel: mirror01.idc.hinet.net
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-17.el7 将被 安装
--> 解决依赖关系完成

依赖关系解决

============================================================================================
 Package                    架构           版本                      源             大小
============================================================================================
正在安装:
 iptables-services          x86_64         1.4.21-17.el7             base           50 k

事务概要
============================================================================================
安装  1 软件包

总下载量:50 k
安装大小:24 k
Downloading packages:
iptables-services-1.4.21-17.el7.x86_64.rpm                   |  50 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : iptables-services-1.4.21-17.el7.x86_64                       1/1
  验证中      : iptables-services-1.4.21-17.el7.x86_64                       1/1

已安装:
  iptables-services.x86_64 0:1.4.21-17.el7

完毕!
4. After installation there is an iptables service; enable it and start it:
[root@aminglinux-001 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux-001 ~]# systemctl start iptables
[root@aminglinux-001 ~]#
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   46  3264 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   13  1165 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 29 packets, 2796 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

The whole process:
1. firewalld --> close: disable + stop
2. netfilter --> open --> install iptables-services --> enable iptables / start iptables
- First, man iptables:

filter:
    This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

nat:
    This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.

mangle:
    This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

raw:
    This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_con‐...skipping...
- iptables/netfilter has 5 tables.
- The filter table is the default table; it contains three built-in chains: INPUT, OUTPUT and FORWARD.
1. INPUT acts on packets entering this host. Once a packet is destined for this host you may want to act on it, for example on packets to port 80, blocking a suspicious source IP.
2. FORWARD acts on packets that are not for this host: the packet arrives at our machine but is not handed to the local stack, because it is meant for another machine. The kernel checks whether the destination is local; if not, the packet may pass through FORWARD, where its destination can be changed and the packet forwarded.
3. OUTPUT acts on packets generated by this host, for actions before they leave, for example blocking every packet to a given IP so that nothing reaches it.
- The other three tables, mangle, raw and security, are rarely used.

iptables -nvL shows the current (default) rules:
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1556  127K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   33  2224 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   66  8772 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1295 packets, 266K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

Reload the default rules: service iptables restart

[root@aminglinux-001 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@aminglinux-001 ~]#

- After the restart the rules are unchanged:

[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   388 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- So where are the default rules stored? In /etc/sysconfig/iptables:

[root@aminglinux-001 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-001 ~]#

- Sometimes the rules are no longer suitable and you want to flush them all: iptables -F

[root@aminglinux-001 ~]# iptables -F
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

After the flush, the file still contains the rules:

[root@aminglinux-001 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-001 ~]#

- Save the rules: service iptables save. To make the flushed state the new default you would run service iptables save, but the rule set is empty now and there is no point in saving an empty rule set, so restart first to bring the previous default rules back:

[root@aminglinux-001 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1648 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

Whether you reboot the server or restart the iptables service, the rules in /etc/sysconfig/iptables are loaded. All of these operations work on the default table, filter: without -t you get the filter table; iptables -t nat selects another table with -t.

- iptables -Z zeroes the counters. In the iptables -nvL output every rule shows how many packets and bytes it has matched; iptables -Z resets those numbers.

[root@aminglinux-001 ~]# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- A moment later the counters are climbing again, because packets are flowing all the time.
- Add a rule that blocks a source IP from reaching one of our ports:
- Run iptables -A INPUT -s 192.168.202.1 -p tcp --sport 1234 -d 192.168.202.128 --dport 80 -j DROP (or REJECT instead of DROP).
- DROP vs. REJECT: DROP throws the packet away without a word; REJECT looks at it and then tells the sender it is not allowed in. Normally DROP is used.

[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2996 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.202.1        192.168.202.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Another form: iptables -I INPUT -p tcp --dport 80 -j DROP. The difference between iptables -A and iptables -I: -I is insert, which puts the rule at the head of the chain (it jumps the queue); -A appends the rule at the end. If a packet matches two rules, it hits the first one, is DROPped there, and the later rule is never consulted.

[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  148 10680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   229 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.202.1        192.168.202.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Delete rules with iptables -D (delete); afterwards both rules added above are gone:

[root@aminglinux-001 ~]# iptables -D INPUT -s 192.168.202.1 -p tcp --sport 1234 -d 192.168.202.128 --dport 80 -j DROP
[root@aminglinux-001 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  254 19728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Sometimes a rule was added long ago and you no longer remember exactly how it was written.
- First add the two rules back:

[root@aminglinux-001 ~]# iptables -A INPUT -s 192.168.202.1 -p tcp --sport 1234 -d 192.168.202.128 --dport 80 -j DROP
[root@aminglinux-001 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  335 26972 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.202.1        192.168.202.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 860 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Another way to delete a rule: first list the rules with their line numbers:

[root@aminglinux-001 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      424 34012 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
7        0     0 DROP       tcp  --  *      *       192.168.202.1        192.168.202.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 68 packets, 8320 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Then delete by number. Rules can also match on the NIC: -i eth0 restricts a rule to the interface eth0.

[root@aminglinux-001 ~]# iptables -D INPUT 7
[root@aminglinux-001 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      460 36680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6        2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 496 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- iptables -P OUTPUT DROP changes the default policy of a chain.
- Each chain has a default policy (policy ACCEPT). For OUTPUT packets, anything that no specific rule matches is handled by the default policy. The default policy can be changed, but do not change it casually.
- The policy shows in the chain header: Chain OUTPUT (policy ACCEPT 19 packets, 3156 bytes)

[root@aminglinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  482 38288 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   458 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 3156 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@aminglinux-001 ~]#

- Never run iptables -P OUTPUT DROP on a box you manage remotely: once the default OUTPUT policy is DROP, the Xshell session is cut off, because the reply packets no longer reach Xshell. At that point the only fix is to go to the VM console and set the policy back with iptables -P OUTPUT ACCEPT.
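The -A/-I ordering, the catch-all REJECT and the chain policy above all come down to one rule: the first matching rule in a chain decides. As an added example (not code from the original post), the script below walks a rule file in the iptables-save layout that /etc/sysconfig/iptables uses and reports which rule a given packet would hit, so a rule file can be reviewed offline before service iptables restart. The sample rule set is constructed from the page's default rules plus the two DROP rules from the notes; the first_match and sample_match function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: an offline "first match wins"
# check for rules in iptables-save layout (as in /etc/sysconfig/iptables).
# Assumptions: only the matches used on this page are understood (-p, -s, -d,
# -i, --sport, --dport, -m state --state); no negation (!) or other modules.
# Constructed sample: the page's default set, plus the rule added with -I (now
# first) and the rule added with -A (now last, after the catch-all REJECT).

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.202.1/32 -d 192.168.202.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# first_match CHAIN PROTO SRC DST IN_IF SPORT DPORT STATE < rules
# Walks CHAIN in file order and prints "TARGET rule N" for the first rule whose
# every match fits the packet, or "POLICY policy" when no rule matches.
first_match() {
    awk -v chain="$1" -v proto="$2" -v src="$3" -v dst="$4" -v inif="$5" \
        -v sport="$6" -v dport="$7" -v state="$8" '
    function ip(a) { sub(/\/32$/, "", a); return a }   # 1.2.3.4/32 -> 1.2.3.4
    $1 == (":" chain) { policy = $2 }                   # ":INPUT ACCEPT [0:0]"
    !found && $1 == "-A" && $2 == chain {
        n++
        rp = rs = rd = ri = rsp = rdp = rst = tgt = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") rp = $(i + 1)
            else if ($i == "-s") rs = ip($(i + 1))
            else if ($i == "-d") rd = ip($(i + 1))
            else if ($i == "-i") ri = $(i + 1)
            else if ($i == "--sport") rsp = $(i + 1)
            else if ($i == "--dport") rdp = $(i + 1)
            else if ($i == "--state") rst = "," $(i + 1) ","
            else if ($i == "-j") tgt = $(i + 1)
        }
        # every match the rule carries must agree with the packet
        if (rp != "" && rp != proto) next
        if (rs != "" && rs != src) next
        if (rd != "" && rd != dst) next
        if (ri != "" && ri != inif) next
        if (rsp != "" && rsp != sport) next
        if (rdp != "" && rdp != dport) next
        if (rst != "" && index(rst, "," state ",") == 0) next
        found = 1
        print tgt " rule " n
    }
    END { if (!found) print policy " policy" }'
}

# sample_match ARGS... -> first_match run against SAMPLE_RULES
sample_match() {
    printf '%s\n' "$SAMPLE_RULES" | first_match "$@"
}

# A new SSH connection is still accepted, by rule 5:
sample_match INPUT tcp 192.168.202.1 192.168.202.128 ens33 40000 22 NEW
# The -I rule sits ahead of the RELATED,ESTABLISHED rule, so it also drops
# port-80 packets of connections that were already established:
sample_match INPUT tcp 192.168.202.1 192.168.202.128 ens33 40000 80 ESTABLISHED
# The -A rule (rule 7) was appended after the catch-all REJECT: a packet that
# fits it exactly is decided by rule 1, and by the REJECT if rule 1 is removed:
sample_match INPUT tcp 192.168.202.1 192.168.202.128 ens33 1234 80 NEW
# OUTPUT has no rules, so everything falls through to the chain policy:
sample_match OUTPUT tcp 192.168.202.128 192.168.202.1 ens33 22 40000 ESTABLISHED
```

Rule 7's counters stayed at 0 on the page for exactly this reason: nothing can reach it past rule 6.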
Original article: http://ch71smas.blog.51cto.com/13090095/1965048