yum install net-tools
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33 ifdown-ib ifdown-ppp ifdown-tunnel ifup-ib ifup-plusb ifup-Team network-functions
ifcfg-lo ifdown-ippp ifdown-routes ifup ifup-ippp ifup-post ifup-TeamPort network-functions-ipv6
ifdown ifdown-ipv6 ifdown-sit ifup-aliases ifup-ipv6 ifup-ppp ifup-tunnel
ifdown-bnep ifdown-isdn ifdown-Team ifup-bnep ifup-isdn ifup-routes ifup-wireless
ifdown-eth ifdown-post ifdown-TeamPort ifup-eth ifup-plip ifup-sit init.ipv6-global
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vi !$
vi ifcfg-ens33\:0
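# ifcfg-ens33:0 — secondary (alias) IPv4 address on ens33, created by copying ifcfg-ens33.
# Only DEVICE and IPADDR are meant to differ from the parent profile; everything else
# is carried over verbatim from the copy.
TYPE=Ethernet
# Non-DHCP profile: the address comes from IPADDR/NETMASK below.
# NOTE(review): the canonical ifcfg value for a static address is "none"; "static" worked
# in the transcript, so it is kept — confirm against the initscripts documentation.
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
# NOTE(review): NAME and UUID are copied unchanged from ifcfg-ens33, so two profiles now
# share them. The transcript shows the alias activating anyway; a distinct NAME (and no
# UUID line) is the safer choice with NetworkManager — verify before relying on this.
NAME=ens33
UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
# Alias device name. It must carry the ":0" suffix matching the file name ifcfg-ens33:0.
# The original listing had "DEVICE=ens33:" (trailing 0 missing), which is why ifconfig
# reported the alias as "ens33::" instead of "ens33:0".
DEVICE=ens33:0
ONBOOT=yes
# Second address in the same /24 as the parent interface (192.168.245.128/24).
IPADDR=192.168.245.130
NETMASK=255.255.255.0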
~
[root@localhost network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 ‘ens33‘。
成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/1)
[root@localhost network-scripts]#
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.245.128 netmask 255.255.255.0 broadcast 192.168.245.255
inet6 fe80::dbd:48aa:6994:bf39 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d6:6f:fa txqueuelen 1000 (Ethernet)
RX packets 4396 bytes 330121 (322.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1291 bytes 122535 (119.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.245.130 netmask 255.255.255.0 broadcast 192.168.245.255
ether 00:0c:29:d6:6f:fa txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 80 bytes 6940 (6.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 80 bytes 6940 (6.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
虚拟网卡能ping通。注意:ifconfig 里显示的别名是 `ens33::` 而不是 `ens33:0`,原因是上面配置文件里写成了 `DEVICE=ens33:`(少了末尾的 0);正确写法应为 `DEVICE=ens33:0`,与文件名 ifcfg-ens33:0 保持一致。另外,如果是通过 ens33 上的 ssh 远程操作,`ifdown ens33 && ifup ens33` 在 ifdown 时就会断开会话,后面的 ifup 可能来不及执行;建议在控制台执行,或改用 `systemctl restart network`。
[root@localhost network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@localhost network-scripts]#
link ok 代表连接,no link 代表未连接
或者使用ethtool ens33也能查看。
[root@localhost network-scripts]# hostnamectl set-hostname aminglinux-01
[root@localhost network-scripts]# hostname
aminglinux-01
[root@localhost network-scripts]# bash
[root@aminglinux-01 network-scripts]#
[root@aminglinux-01 network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
[root@aminglinux-01 network-scripts]#
selinux 临时关闭(实际是切换到 permissive 模式,重启后失效):setenforce 0
selinux 永久关闭:vi /etc/selinux/config,把 SELINUX=enforcing 改为 SELINUX=disabled,重启生效。注意:关闭 SELinux 等于去掉了一层强制访问控制,生产环境不建议直接 disabled;排障时优先用 permissive(只记录拒绝、不拦截,拒绝记录会写入 audit 日志),定位问题后再恢复 enforcing。
准确地说,netfilter 是内核里的包过滤框架,iptables 和 firewalld 都只是管理它的前端:CentOS 6 默认用 iptables 服务,CentOS 7 默认改用 firewalld。两者不要同时运行,否则会互相覆盖内核里的规则。
关闭 firewalld:`systemctl disable firewalld` 只是取消开机自启,当前已经运行的 firewalld 还需要 `systemctl stop firewalld` 停掉,然后再启用下面的 iptables 服务。
[root@aminglinux-01 network-scripts]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@aminglinux-01 network-scripts]#
启用 iptables 服务(iptables-services 包,即 CentOS 6 风格的 iptables 管理方式;启动前确认 firewalld 已经停止)
yum install -y iptables-services
[root@aminglinux-01 network-scripts]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@aminglinux-01 network-scripts]# systemctl start iptables
[root@aminglinux-01 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8 576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 468 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 network-scripts]#
filter 主要用于过滤包,是系统预设的表,该表内建3个链:INPUT,OUTPUT,FORWARD。INPUT链作用于进入本机的包,OUTPUT链作用于本机送出去的包,FORWARD链作用于那些跟本机无关的包。
nat表 主要用于网络地址转换,它也有三个链。PREROUTING链的作用是在包刚刚到达防火墙时改变它的目的地址(如果需要的话),OUTPUT链的作用是改变本地产生的包的目的地址,POSTROUTING链的作用是在包即将离开防火墙时改变其源地址。
mangle表主要用于给数据包做标记,然后根据标记去操作相应的包。这个表几乎不怎么用,除非想成为一个高级网络工程师。
raw表 可以实现不追踪某些数据包,默认系统的数据包都会被追踪,但追踪势必消耗一定的资源,所以可以用raw表来指定某些端口的包不被追踪。
security表,在centos6中是没有的,它用于强制访问控制(MAC,例如 SELinux)的网络规则。
PREROUTING: 数据包刚进入本机、做路由决策之前。
INPUT:经过路由决策后,目的地为本机。
FORWARD: 经过路由决策后,目的地不为本机,需要本机转发。
OUTPUT: 由本机产生,向外发送。
POSTROUTING: 路由决策之后、发送到网卡接口之前。
iptables规则的储存位置
[root@aminglinux-01 network-scripts]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@aminglinux-01 network-scripts]#
清空iptables所有规则:iptables -F。注意:-F 只清空规则,不会改变链的默认策略(policy),而且不加 -t 时只清 filter 表。这里 INPUT 的策略是 ACCEPT,清空后所有端口都对外开放,直到重新加载规则(`systemctl restart iptables` 或 `iptables-restore < /etc/sysconfig/iptables`);反过来如果策略是 DROP,远程清空会把自己锁在外面。清空之后规则储存文件里面还是有配置的。-t 后面可以跟表名字,如果不加-t选项,则打印(或清空)的是filter表。
[root@aminglinux-01 ~]# iptables -F
[root@aminglinux-01 ~]# ^C
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 13 packets, 948 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1208 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
iptables -nvL --line-number 显示规则编号
清除包及流量计数器置零:iptables -Z 。
保存规则:service iptables save。它会把当前内核里生效的规则写入 /etc/sysconfig/iptables 并覆盖原文件,所以 iptables -F 之后不要顺手 save,否则保存下来的就是一份空规则。
-A/-D:表示增加/删除一条规则
-I: 表示插入一条规则,默认插到链的最前面(也可以指定位置,如 -I INPUT 3);而 -A 是追加到链的末尾。两者效果并不一样:iptables 按顺序匹配,第一条命中的规则决定结果。下面的例子就是用 -A 把 DROP 规则追加到了 "REJECT all" 之后(第 6 条),所以永远匹配不到,计数一直是 0;想让它生效应该用 -I。
-p:表示指定协议,可以是tcp,udp,或者icmp
--dport: 跟-p 一起使用,表示指定目标端口。
--sport: 跟-p 一起使用,表示指定源端口。
-s:表示指定源IP(可以是一个IP段);-d:表示指定目标IP(下面的例子里用到)。
-j:后面跟动作,其中ACCEPT表示允许包,DROP表示直接丢弃(对方收不到任何回应,只能等超时),REJECT 表示拒绝并回送错误(默认 icmp-port-unreachable,上面默认规则里用的是 icmp-host-prohibited)。
-i:指定入口网卡,-o 指定出口网卡(不常用:但是偶尔能用到)。
[root@aminglinux-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@aminglinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
440 36272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
71 7269 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1288 bytes)
pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
按照编号删除规则(编号用 iptables -nvL --line-number 查看;删除一条后,后面的规则编号会前移,连续删除前要重新查看编号)
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 531 42528 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 73 7737 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 69 packets, 7276 bytes)
num pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]# iptables -D INPUT 6
[root@aminglinux-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 585 46272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 21 1472 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 73 7737 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num pkts bytes target prot opt in out source destination
[root@aminglinux-01 ~]#
原文地址:http://blog.51cto.com/11751505/2114271