Install: yum install -y net-tools
·View the NIC IP address: ifconfig
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.128  netmask 255.255.255.0  broadcast 192.168.65.255
        inet6 fe80::7cd2:a780:c114:4d06  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)
        RX packets 38578  bytes 19915225 (18.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88936  bytes 20130502 (19.1 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 68  bytes 5916 (5.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 5916 (5.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
·View all NICs (including ones that are not up): ifconfig -a
·Bring a NIC up: ifup <NIC name>
·Bring a NIC down: ifdown <NIC name>
[root@localhost ~]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/2)
·Configure a virtual NIC (an alias interface):
[root@localhost network-scripts]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
[root@localhost network-scripts]# vim ifcfg-ens33\:0
Save and exit.
[root@localhost network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/3)
[root@localhost network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.128  netmask 255.255.255.0  broadcast 192.168.65.255
        inet6 fe80::7cd2:a780:c114:4d06  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)
        RX packets 39173  bytes 19967129 (19.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89362  bytes 20190444 (19.2 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.150  netmask 255.255.255.0  broadcast 192.168.65.255
        ether 00:0c:29:7e:8b:1b  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 68  bytes 5916 (5.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 5916 (5.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
(As shown, a new virtual NIC, ens33:0, now exists.)
·Check whether a NIC has link:
mii-tool <NIC name>
ethtool <NIC name>
[root@localhost ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok    ## link is up
[root@localhost ~]# ethtool ens33
Settings for ens33:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: off (auto)
	Supports Wake-on: d
	Wake-on: d
	Current message level: 0x00000007 (7)
	                       drv probe link
	Link detected: yes    ## link is up
·Change the hostname: hostnamectl
[root@localhost ~]# hostnamectl set-hostname alexis
The hostname config file is /etc/hostname.
·DNS config file: /etc/resolv.conf
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
(These values are defined by the NIC config file: even if you edit resolv.conf, restarting the NIC restores the values from the NIC config.)
The /etc/hosts file
[root@localhost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
The IP address comes first, followed by the hostnames.
One line can list multiple hostnames.
If the same hostname appears on several lines with different IPs, the last IP is used by default.
10.12 firewalld and netfilter
·Temporarily disable SELinux: setenforce 0
[root@localhost ~]# getenforce
Permissive
·Permanently disable SELinux: edit /etc/selinux/config
[root@localhost ~]# vim /etc/selinux/config
·Before CentOS 7 the netfilter firewall was used; from CentOS 7 on, firewalld is used.
·Disable firewalld and enable netfilter (the iptables service):
[root@localhost ~]# systemctl disable firewalld    ## disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# systemctl stop firewalld       ## stop firewalld
[root@localhost ~]# yum install -y iptables-services
(output omitted)
[root@localhost ~]# systemctl enable iptables      ## enable iptables at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables       ## start iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination
(netfilter is the name of the firewall; iptables is the tool used to manage it.)
10.13 netfilter's 5 tables and 5 chains
netfilter's 5 tables: (1) filter (2) nat (3) mangle (4) raw (5) security
netfilter's 5 chains: (1) INPUT (2) OUTPUT (3) FORWARD (4) PREROUTING (5) POSTROUTING
The mangle, raw and security tables are rarely used, so they can be ignored; only filter and nat need attention.
·How a packet passes through iptables:
Packet destined for the local host: PREROUTING -> INPUT -> OUTPUT -> POSTROUTING
Packet not handled by the local host but forwarded on: PREROUTING -> FORWARD -> POSTROUTING
Reference: http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables syntax
·View iptables rules: iptables -nvL
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  1716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination
·iptables rules are saved in /etc/sysconfig/iptables
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
·Flush the iptables rules: iptables -F
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL    ## after flushing, the config file on disk is unchanged
Chain INPUT (policy ACCEPT 12 packets, 792 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
·Save the iptables rules: service iptables save
[root@localhost ~]# service iptables save
·Load the iptables rules: reboot the server, or restart the service: service iptables restart
[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   792 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 7 packets, 884 bytes)
 pkts bytes target     prot opt in     out     source               destination
(Rebooting the server or restarting iptables both load the rules from /etc/sysconfig/iptables.)
·By default iptables shows the rules of the filter table: iptables -t filter -nvL (without -t, the filter table is used)
·View the rules of the nat table: iptables -t nat -nvL
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
·Reset the counters: iptables -Z
[root@localhost ~]# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
·iptables options:
-A append a rule; INPUT is the chain the rule applies to
-s source IP
-p protocol (tcp, udp, icmp)
--sport source port
-d destination IP
--dport destination port
-j target action (DROP: silently discard / REJECT: refuse and send back an error)
-I insert a rule
-i input interface (NIC)
·Append a rule: iptables -A
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
·Insert a rule: iptables -I
iptables -I INPUT -p tcp --dport 80 -j DROP    ## -I inserts at the very top of the chain; -A only appends at the end
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  128 10156 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   470 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 636 bytes)
 pkts bytes target     prot opt in     out     source               destination
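The -A/-I difference above matters because netfilter walks a chain top-down and stops at the first match: the DROP rule appended with -A lands below the catch-all REJECT and can never fire (note its 0 pkts), while a rule inserted with -I is evaluated first. The Python simulator below is an added example, not code from these notes: it parses rule lines in the /etc/sysconfig/iptables syntax shown above and evaluates a constructed packet against them, implementing only exact IP/port matching; the packet field names are a hypothetical convention that mirrors the iptables option letters.

```python
"""Simulate netfilter's top-down first-match walk over rules in the /etc/sysconfig/iptables
syntax. Added example, not from the notes; rule lines are constructed from the page."""
import shlex
# Constructed: the default saved ruleset shown on the page.
BASE_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# The page's test rule without its -A/-I verb; the caller supplies that.
DROP_RULE = "INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP"
# Constructed packet: first SYN from 192.168.188.1:1234 to 192.168.188.128:80 arriving on ens33.
PKT = {"p": "tcp", "s": "192.168.188.1", "sport": "1234", "d": "192.168.188.128",
       "dport": "80", "state": "NEW", "i": "ens33"}

def parse_rules(text, chain="INPUT"):
    """Turn '-A/-I <chain> ...' lines into match dicts in evaluation order."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] not in ("-A", "-I") or toks[1] != chain:
            continue
        rule = {}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt in ("-m", "--reject-with"):  # module loader / reject type, not a packet field
                continue
            rule["target" if opt == "-j" else opt.lstrip("-")] = val
        if toks[0] == "-I":
            rules.insert(0, rule)  # -I puts the rule at the head of the chain
        else:
            rules.append(rule)     # -A appends it after every existing rule
    return rules

def matches(rule, pkt):
    """True when every packet field the rule names agrees; --state accepts a comma list."""
    return all(str(pkt.get(k, "")) in v.split(",") if k == "state" else str(pkt.get(k, "")) == v
               for k, v in rule.items() if k != "target")

def verdict(rules, pkt, policy="ACCEPT"):
    """Return (target, rule index) of the first matching rule, else (policy, None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["target"], idx
    return policy, None

def compare_append_vs_insert(pkt=PKT):
    """Verdict when DROP_RULE is appended (-A) versus inserted (-I) into the chain."""
    return (verdict(parse_rules(BASE_RULES + "-A " + DROP_RULE), pkt),
            verdict(parse_rules(BASE_RULES + "-I " + DROP_RULE), pkt))  # -> (('REJECT', 4), ('DROP', 0))
```

With -A the packet is caught by the REJECT rule at index 4 before the DROP rule is ever reached; with -I the DROP rule sits at index 0 and wins.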
·Delete a rule: iptables -D
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  201 15908 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *