Linux Networking and Firewall

1. Linux Networking

Install the ifconfig command with "yum install net-tools"; ifconfig then shows the system's IP addresses:

[root@yuioplvlinux-128 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
        inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
        RX packets 41667  bytes 28312290 (27.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 59745  bytes 14849462 (14.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5792 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5792 (5.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

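If the Linux system has multiple NICs, a single NIC can be restarted with "ifdown ens33" and "ifup ens33". Note that after running ifdown ens33, ifup ens33 may never be executed (a remote session drops as soon as the interface goes down), which leaves the machine unreachable remotely.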

1.1 Configuring multiple IP addresses

Make a copy of the ifcfg-ens33 file and edit the copy:

[root@yuioplvlinux-128 ~]# cd /etc/sysconfig/network-scripts/
[root@yuioplvlinux-128 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@yuioplvlinux-128 network-scripts]# vim ifcfg-ens33\:0

Only NAME, DEVICE and IPADDR need to be changed:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
UUID=ad829d78-61fc-4117-8886-b00f8c37bce9
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.30.136
NETMASK=255.255.255.0

After saving, restart the NIC with "ifdown ens33 && ifup ens33" and check the addresses again; an additional ens33:0 entry appears:

[root@yuioplvlinux-128 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.128  netmask 255.255.255.0  broadcast 192.168.30.255
        inet6 fe80::9c36:c384:f224:23f4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)
        RX packets 42892  bytes 28442403 (27.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60819  bytes 15022083 (14.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.136  netmask 255.255.255.0  broadcast 192.168.30.255
        ether 00:0c:29:96:17:9a  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5792 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5792 (5.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1.2 Checking the NIC link state

Run "mii-tool ens33". If it shows 'link ok', the NIC is connected; if it shows 'no link', the NIC is faulty or no network cable is plugged in.

[root@yuioplvlinux-128 ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok

The command "ethtool ens33" can also be used to check:

[root@yuioplvlinux-128 ~]# ethtool ens33
Settings for ens33:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full 
	                        100baseT/Half 100baseT/Full 
	                        1000baseT/Full 
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: off (auto)
	Supports Wake-on: d
	Wake-on: d
	Current message level: 0x00000007 (7)
			       drv probe link
	Link detected: yes

If the NIC is not connected, the last line, Link detected, shows no.

1.3 Changing the hostname

The "hostname" command shows the Linux hostname:

[root@yuioplvlinux-128 ~]# hostname
yuioplvlinux-128

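The hostname can be changed with "hostname xxxxx", but after a reboot it reverts to the previous name. To change it permanently, use "hostnamectl set-hostname xxxxx".

1.4 Configuring DNS

On Linux, the DNS configuration file is /etc/resolv.conf: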

[root@yuioplvlinux-128 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 119.29.29.29

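To change the DNS server IP only temporarily, edit /etc/resolv.conf directly; for the change to be permanent, edit the NIC configuration file instead.

Linux also has a special file, /etc/hosts, that can resolve domain names; it is used to resolve a particular domain name temporarily: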

[root@yuioplvlinux-128 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

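The first field is the IP and the second is the domain name. Note that:

1) One IP can be followed by multiple domain names, dozens or even hundreds;

2) Each line can contain only one IP, which means one domain name cannot map to multiple IPs;

3) If the same domain name appears on several lines with different IPs, the record that appears first is used for resolution.

Edit the file and add the line: 192.168.30.136 www.baidu.com. After saving, pinging www.baidu.com connects to 192.168.30.136.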

[root@yuioplvlinux-128 ~]# vim /etc/hosts
[root@yuioplvlinux-128 ~]# ping www.baidu.com
PING www.baidu.com (192.168.30.136) 56(84) bytes of data.
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=1 ttl=64 time=0.097 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=2 ttl=64 time=0.105 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=3 ttl=64 time=0.057 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=4 ttl=64 time=0.106 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=5 ttl=64 time=0.100 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=6 ttl=64 time=0.106 ms
64 bytes from www.baidu.com (192.168.30.136): icmp_seq=7 ttl=64 time=0.101 ms
^C
--- www.baidu.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6012ms
rtt min/avg/max/mdev = 0.057/0.096/0.106/0.016 ms
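
The three rules above, modelled as a small audit over a hosts file (an added example, not part of the original post). The sample text is the page's /etc/hosts plus one constructed duplicate line; the function names and the choice to track IPv4 and IPv6 records separately are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: the page's /etc/hosts after the edit, plus one
# constructed duplicate line to exercise rule 3 (first record wins).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.136 www.baidu.com
203.0.113.10 www.baidu.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, names) per record; one IP, then one or more names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2:
            continue                            # blank line or IP with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP
        yield line_no, ip, [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Return (effective, shadowed, pinned) under the first-match rule."""
    effective = {}   # (name, IP version) -> (ip string, line number) that wins
    shadowed = []    # (line, name, ignored ip, winning line)
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            key = (name, ip.version)
            if key not in effective:
                effective[key] = (str(ip), line_no)
            elif effective[key][0] != str(ip):
                shadowed.append((line_no, name, str(ip), effective[key][1]))
    # Names other than the localhost aliases are answered from this file
    # instead of DNS, so they are worth reviewing on any host.
    pinned = sorted((name, ip, line_no)
                    for (name, _), (ip, line_no) in effective.items()
                    if not name.startswith("localhost"))
    return effective, shadowed, pinned


if __name__ == "__main__":
    effective, shadowed, pinned = audit_hosts(SAMPLE_HOSTS)
    for name, ip, line_no in pinned:
        print(f"line {line_no}: {name} is pinned to {ip}")
    for line_no, name, ip, winner in shadowed:
        print(f"line {line_no}: {name} -> {ip} is ignored, line {winner} wins")
```

Running the same audit against a real /etc/hosts shows which names are answered locally instead of by the DNS server in /etc/resolv.conf.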

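2. Linux Firewall

2.1 Starting the iptables service

In earlier CentOS versions (such as 5 and 6) the firewall is netfilter, while in CentOS 7 it is firewalld. Many people call the Linux firewall iptables, which is not accurate: iptables is only a tool.

First turn firewalld off, then enable the iptables service from the earlier versions: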

[root@yuioplvlinux-128 ~]# systemctl disable firewalld   #disable firewalld at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@yuioplvlinux-128 ~]# systemctl stop firewalld   #stop the firewalld service

Install iptables-services with "yum install -y iptables-services"; the iptables service from the earlier versions can then be used:

[root@yuioplvlinux-128 ~]# systemctl enable iptables   #start iptables at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@yuioplvlinux-128 ~]# systemctl start iptables   #start the iptables service
[root@yuioplvlinux-128 ~]# iptables -nvL   #list the iptables rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   16  1160 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 11 packets, 1092 bytes)
 pkts bytes target     prot opt in     out     source               destination  

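2.2 The 5 tables and 5 chains of netfilter

The 5 tables:

filter: mainly used for packet filtering. It is the system's default table and has 3 built-in chains: INPUT, OUTPUT and FORWARD. The INPUT chain acts on packets entering the local machine, the OUTPUT chain acts on packets sent by the local machine, and the FORWARD chain acts on packets that are not addressed to the local machine;

nat: mainly used for network address translation. It also has three chains: the PREROUTING chain changes a packet's destination address just as it arrives at the firewall, the OUTPUT chain changes the destination address of locally generated packets, and the POSTROUTING chain changes a packet's source address just before it leaves the firewall;

mangle: mainly used to mark packets, so that the marked packets can then be handled accordingly;

raw: can exempt certain packets from tracking. By default all packets on the system are tracked, but tracking inevitably consumes some resources, so the raw table can be used to specify that packets on certain ports are not tracked;

security: used for Mandatory Access Control (MAC) network rules.

The 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

PREROUTING: before the packet reaches the routing table;

INPUT: after the routing table, when the destination is the local machine;

FORWARD: after the routing table, when the destination is not the local machine;

OUTPUT: generated by the local machine and sent outward;

POSTROUTING: just before the packet is sent to the network interface.

2.3 Basic iptables syntax

The default iptables rules are stored in the file /etc/sysconfig/iptables: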

[root@yuioplvlinux-128 ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

1) Viewing and clearing rules

[root@yuioplvlinux-128 ~]# iptables -nvL   #shows the filter table by default
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  234 19236 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  212 16446 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 209 packets, 14148 bytes)
 pkts bytes target     prot opt in     out     source               destination    
[root@yuioplvlinux-128 ~]# iptables -t nat -nvL   #show the nat table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

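The -t option is followed by a table name, and -nvL lists that table's rules: -n means do not reverse-resolve IPs to hostnames, -L means list, and -v makes the listing more detailed.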

[root@yuioplvlinux-128 ~]# iptables -Z   #zero the packet and byte counters (pkts, bytes)
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@yuioplvlinux-128 ~]# iptables -F   #delete all rules
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@yuioplvlinux-128 ~]# service iptables restart   #restart the iptables service
Redirecting to /bin/systemctl restart iptables.service
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
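 pkts bytes target     prot opt in     out     source               destination

After all rules are deleted with -F (without -t, the filter table is the default), the rules are still saved in /etc/sysconfig/iptables, so restarting the iptables service restores them. To make the deletion permanent, save it with "service iptables save", but doing so is generally not recommended.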

2) Adding/deleting a rule

[root@yuioplvlinux-128 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  297 21544 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   24  1872 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 10 packets, 1120 bytes)
 pkts bytes target     prot opt in     out     source               destination  

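No -t option is given here, so the rule applies to the filter table.

The options work as follows:

-A/-D: append/delete a rule;

-I: insert a rule; the effect is the same as -A, except that -I puts the rule at the top of the chain while -A appends it at the end;

-p: specifies the protocol, which can be tcp, udp or icmp;

--dport: used together with -p, specifies the destination port;

--sport: used together with -p, specifies the source port;

-s: specifies the source IP (can be an IP range);

-d: specifies the destination IP (can be an IP range);

-j: followed by the action: ACCEPT allows the packet, DROP discards the packet, and REJECT rejects the packet;

-P: sets the default policy;

-i: specifies the NIC.

Before deleting a rule, "iptables -nvL --line-numbers" can be used to display rule numbers, and the rule can then be deleted by its number, as follows: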

[root@yuioplvlinux-128 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      339 24576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       42  3276 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 39 packets, 4652 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@yuioplvlinux-128 ~]# iptables -D INPUT 6   #delete rule number 6
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  392 28512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  3276 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 604 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Insert a rule that drops all packets from 1.1.12.1, then delete it:

[root@yuioplvlinux-128 ~]# iptables -I INPUT -s 1.1.12.1 -j DROP
[root@yuioplvlinux-128 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       1.1.12.1             0.0.0.0/0           
  476 34384 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  3276 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@yuioplvlinux-128 ~]# iptables -D INPUT -s 1.1.12.1 -j DROP

Accept packets that come from the 192.168.14.0/24 network segment and arrive on eth0.

[root@yuioplvlinux-128 ~]# iptables -A INPUT -s 192.168.14.0/24 -i eth0 -j ACCEPT
[root@yuioplvlinux-128 ~]# iptables -nvL | grep '192.168.14.0/24'
    0     0 ACCEPT     all  --  eth0   *       192.168.14.0/24      0.0.0.0/0    
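
Rule position decides whether the ACCEPT rule above ever takes effect, because a chain is walked top-down and the first matching rule wins; the same applies to the DROP rule appended as rule 6 earlier. The following added example (not from the original post) replays the page's INPUT rules against a constructed packet, comparing -A with -I. The helper names and the packet are assumptions, and the default rules from /etc/sysconfig/iptables are assumed to be loaded.

```python
import ipaddress
import shlex

# INPUT rules from the page's /etc/sysconfig/iptables, in order.
BASE_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
# Rule from the page's last command, without its -A/-I prefix.
ACCEPT_SPEC = "-s 192.168.14.0/24 -i eth0 -j ACCEPT"
# Constructed packet: a new TCP connection from that subnet arriving on eth0.
PACKET = {"src": "192.168.14.5", "dst": "192.168.30.128", "proto": "tcp",
          "sport": 40000, "dport": 80, "iface": "eth0", "state": "NEW"}


def parse_rule(line):
    """Map each option to its value; handles only the options used on the page."""
    tokens = shlex.split(line)
    pairs = zip(tokens[0::2], tokens[1::2])   # every option here takes one value
    return {opt: val for opt, val in pairs
            if opt not in ("-A", "-m", "--reject-with")}


def matches(rule, pkt):
    """True when every condition of the rule holds for the packet."""
    def in_net(addr, net):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    checks = {
        "-s": lambda v: in_net(pkt["src"], v),
        "-d": lambda v: in_net(pkt["dst"], v),
        "-p": lambda v: v == pkt["proto"],
        "-i": lambda v: v == pkt["iface"],
        "--sport": lambda v: int(v) == pkt["sport"],
        "--dport": lambda v: int(v) == pkt["dport"],
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[o](v) for o, v in rule.items() if o != "-j")


def decide(rules, pkt, policy="ACCEPT"):
    """Walk the chain top-down; the first matching rule decides the packet."""
    for num, line in enumerate(rules, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return num, rule["-j"]
    return 0, policy   # no rule matched: the chain policy applies


def unreachable(rules):
    """Rule numbers placed after an unconditional rule, which never match."""
    for num, line in enumerate(rules, 1):
        if set(parse_rule(line)) == {"-j"}:
            return list(range(num + 1, len(rules) + 1))
    return []


appended = BASE_RULES + [ACCEPT_SPEC]   # iptables -A INPUT ...
inserted = [ACCEPT_SPEC] + BASE_RULES   # iptables -I INPUT ...

if __name__ == "__main__":
    print("-A:", decide(appended, PACKET), "unreachable:", unreachable(appended))
    print("-I:", decide(inserted, PACKET), "unreachable:", unreachable(inserted))
```

With -A the packet is still rejected by rule 5 and the new rule keeps zero counters; with -I it is accepted by rule 1.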




Reposted from blog.csdn.net/yuioplv/article/details/80247534