Tags: Linux study 2018-03-21
10.11 Linux networking basics
ifconfig //view the NIC IP address (yum install net-tools if the command is missing)
ifup ens33 / ifdown ens33 //bring the NIC up / down
Configure a virtual NIC ens33:0
mii-tool ens33 //check whether the NIC has link
ethtool ens33 //also shows whether the NIC has link
Change the hostname: hostnamectl set-hostname aminglinux
DNS configuration file: /etc/resolv.conf
The /etc/hosts file
ifdown ens33 && ifup ens33 //restart the NIC (ifup only runs if ifdown succeeds)
ifdown ens33; ifup ens33 //same, but ifup runs regardless of ifdown's result
Configuring a virtual NIC ens33:0:
Copy ifcfg-ens33 to ifcfg-ens33\:0 (the backslash escapes the colon for the shell)
Change NAME=ens33:0
Remove the DNS and GATEWAY lines
Restart the NIC and test it with ping
[root@aming-01 network-scripts]# cat /etc/hostname
aming-01
[root@aming-01 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
[root@aming-01 network-scripts]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
/etc/hosts format:
192.168.133.150 www.qq160.com www.aminglinux.com www.zzz.com
10.12 firewalld and netfilter
Temporarily disable SELinux: setenforce 0
Permanently disable SELinux: vi /etc/selinux/config
SELINUX=Permissive
CentOS releases before 7 use the netfilter (iptables) firewall
From CentOS 7 on, firewalld is used
To disable firewalld and enable netfilter (iptables) instead:
systemctl stop firewalld
systemctl disable firewalld
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables
[root@aming-01 ~]# systemctl disable firewalld
[root@aming-01 ~]# systemctl stop firewalld
[root@aming-01 ~]# yum install -y iptables-services
[root@aming-01 ~]# systemctl enable iptables
[root@aming-01 ~]# systemctl start iptables.service
[root@aming-01 ~]# iptables -nvL //view the rules the firewall enables by default
10.13 netfilter: the 5 tables and 5 chains
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
The 5 netfilter tables
filter table: used for packet filtering; the most commonly used table; has the INPUT, FORWARD and OUTPUT chains
nat table: used for network address translation; has the PREROUTING, OUTPUT and POSTROUTING chains
mangle table: used to mark packets; almost never used
raw table: can exempt certain packets from connection tracking; Aming never uses it
security table: not present in CentOS 6; used for Mandatory Access Control (MAC) network rules; Aming has not used it
Reference article: http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables syntax
Linux firewall: netfilter
Packet flow and the 5 netfilter chains
PREROUTING: before the packet reaches the routing decision
INPUT: after routing, the destination is the local host
FORWARD: after routing, the destination is not the local host
OUTPUT: generated by the local host, heading out
POSTROUTING: just before the packet is handed to the NIC
cat /etc/sysconfig/iptables
[root@aming-01 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
View the iptables rules: iptables -nvL
iptables -F //flush (clear) all rules
service iptables save //save the current rules to /etc/sysconfig/iptables
iptables -t nat //-t selects the table (filter is the default)
iptables -Z //reset the packet and byte counters to zero
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP //drop TCP from 192.168.188.1:1234 to 192.168.188.128:80
iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP //insert / append / delete a rule dropping traffic from 1.1.1.1
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT //accept traffic from 192.168.1.0/24 arriving on eth0, inserted at the front
iptables -nvL --line-numbers //list rules with their position numbers
iptables -D INPUT 1 //delete rule number 1 in the INPUT chain
iptables -P INPUT DROP //set the default policy of INPUT to DROP (make sure an ACCEPT rule for your own SSH session is in place first, or a remote session is cut off)
-A append: adds the rule at the end of the chain
-I insert: adds the rule at the front of the chain
-D delete
-P default policy
-F flush
-Z zero the counters
-s source address
-p protocol
-d destination address
-i interface name
--sport source port
--dport destination port
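Because -A appends to the end of the chain while -I inserts at the front, a rule appended after the chain's catch-all REJECT (the last INPUT rule in the default file above) never matches. The following is an added example, not from the original post: a small Python parser for the /etc/sysconfig/iptables format that reports rule positions, numbered as iptables -nvL --line-numbers shows them, that are shadowed by an earlier unconditional DROP/REJECT. The rule set is constructed, and only the match options these notes cover (plus -o) are recognised.

```python
import shlex
# Constructed sample in the /etc/sysconfig/iptables format: the CentOS default
# filter table plus a port-80 ACCEPT that was appended with -A *after* the
# catch-all REJECT, so it can never match (it should have been inserted with -I).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Match options that narrow a rule (the ones these notes cover, plus -o).
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "--sport", "--dport", "--state"}

def parse_rules(text):
    """Return {table: {chain: [(match_opts, target), ...]}} in file order."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # *filter, *nat, ...
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                # :INPUT ACCEPT [0:0]
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A"):               # -A CHAIN <matches> -j TARGET
            args = shlex.split(line)
            target = args[args.index("-j") + 1]
            opts = {args[i]: args[i + 1]
                    for i in range(2, len(args) - 1) if args[i] in MATCH_OPTS}
            tables[table].setdefault(args[1], []).append((opts, target))
    return tables

def shadowed_rules(tables, table="filter"):
    """(chain, number) of rules after an unconditional DROP/REJECT, numbered as --line-numbers."""
    dead = []
    for chain, rules in tables[table].items():
        for pos, (opts, target) in enumerate(rules, start=1):
            if not opts and target in ("DROP", "REJECT"):
                dead.extend((chain, n) for n in range(pos + 1, len(rules) + 1))
                break
    return dead
```

A rule it flags should be removed with -D and re-added with -I (or by editing the file and re-running service iptables save) rather than with -A.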
Original URL: http://blog.51cto.com/9298822/2089573