Linux日常运维管理技巧(二)Linux防火墙:你可以ping别人,别人ping不了你、转发、代理
目录
Linux防火墙
netfilter
iptables filter表小案例
nat表应用
Linux防火墙
selinux临时关闭 setenforce 0
[root@zyshanlinux-01 ~]# getenforce ##防火墙状态开启
Enforcing
[root@zyshanlinux-01 ~]# setenforce 0 ##临时关闭
[root@zyshanlinux-01 ~]# getenforce ##临时关闭状态
Permissive
selinux是Linux特有的安全机制,因为配置太麻烦,几乎没有人真正的应用它。安装完系统后我们一般会选择关闭selinux。
selinux永久关闭vi /etc/selinux/config,减少运维管理成本,可以永久关闭它,因为很多服务受限于selinux
[root@zyshanlinux-01 ~]# vi /etc/selinux/config ##永久关闭要改配置文件
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing ##把这行改成这样SELINUX=disabled,重启系统就好。
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@zyshanlinux-001 ~]# getenforce ##重启系统后状态
Disabled
centos7之前使用netfilter防火墙
在centos5和6上用的防火墙是netfiler,其配置工具为iptables。centos7则用的是firewalld防火墙,其配置工具也是iptables。但是现在依然有很多企业使用centos6。
firewalld向下兼容netfilter,所以在firewalld里面也可以用netfilter的设置方法。
centos7开始使用firewalld防火墙
关闭firewalld开启netfilter方法
[root@zyshanlinux-001 ~]# systemctl disable firewalld ##先停掉,不让它开机启动
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@zyshanlinux-001 ~]# systemctl stop firewalld ##关闭服务,让服务停止
[root@zyshanlinux-001 ~]# yum install -y iptables-services ##先安装个包,装完后就会产生一个服务。
[root@zyshanlinux-001 ~]# systemctl enable iptables ##iptables服务
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@zyshanlinux-001 ~]# systemctl start iptables ##把iptables服务开启
[root@zyshanlinux-001 ~]# iptables -nvL ##这个命令可以查看默认规则
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 37 2508 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:220 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 23 packets, 2028 bytes)pkts bytes target prot opt in out source destination
netfilter
netfilter的5个表
filter表用于过滤包,最常用的表,有INPUT、FORWARD、OUTPUT三个个链
nat表用于网络地址转换,有PREROUTING、OUTPUT、POSTROUTING三个链
managle表用于给数据包做标记,几乎用不到
raw表可以实现不追踪某些数据包,几乎用不到
security表在centos6中并没有,用于强制访问控制(MAC)的网络规则,几乎用不到
参考文章http://www.cnblogs.com/metoy/p/4320813.html
数据包流向与netfilter的5个链
PREROUTING:数据包进入路由表之前
INPUT:通过路由表后目的地为本机
FORWARD:通过路由表后,目的地不为本机
OUTPUT:有本机产生,向外发出
POSTROUTING:发送到网卡接口之前
查看iptables规则:iptables -nvL
[root@zyshanlinux-001 ~]# iptables -nvL ##查看规则
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 8 576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:220 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)pkts bytes target prot opt in out source destination [root@zyshanlinux-001 ~]# cat /etc/sysconfig/iptables ##iptables规则的配置文件
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
iptables -F 清空规则
[root@zyshanlinux-001 ~]# iptables -F ##清空规则
[root@zyshanlinux-001 ~]# iptables -nvL ##规则临时清空了
Chain INPUT (policy ACCEPT 16 packets, 1204 bytes)pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 1928 bytes)pkts bytes target prot opt in out source destination
[root@zyshanlinux-001 ~]# cat /etc/sysconfig/iptables ##规则仍在配置文件里保存着
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@zyshanlinux-001 ~]# service iptables restart ##重启iptables服务或系统后,规则都会加载回来
Redirecting to /bin/systemctl restart iptables.service
[root@zyshanlinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:220 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)pkts bytes target prot opt in out source destination
service iptables save 保存规则
更改了iptables规则仅仅在当前的内存中生效,想要在系统或服务重启后生效必须使用保存的命令。
iptables -t nat //-t指定表
[root@zyshanlinux-001 ~]# iptables -t nat -nvL ##指定nat表
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
iptables -Z 可可以把计数器清零,后期脚本会用到
[root@zyshanlinux-001 ~]# iptables -t filter -nvL ##这个与iptables -nvL是一样的
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 63 4264 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:220 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 36 packets, 4600 bytes)pkts bytes target prot opt in out source destination[root@zyshanlinux-001 ~]# iptables -Z;iptables -nvL ##数据包个数和大小被清空了
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
注:如果要用sport和dport,必须用-p tcp,才能用。
[root@zyshanlinux-001 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zyshanlinux-001 ~]# iptables -nvL ##增加的规则加到最后了
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 172 13128 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:221 244 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)pkts bytes target prot opt in out source destination
iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP
[root@zyshanlinux-001 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP ##-I插队到规则的最前面
[root@zyshanlinux-001 ~]# iptables -nvL ##-I插入,-A增加,前面的规则优先过滤,有前后规则相同的元素,经过前面的规则过滤后,后面就没有包含该元素的数据了,后面的过滤规则就过滤不到需求元素了。
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80318 23200 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:222 488 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
[root@zyshanlinux-001 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP ##-D删除规则
[root@zyshanlinux-001 ~]# iptables -nvL ##第一条规则没了
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 373 28196 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[root@zyshanlinux-001 ~]#
[root@zyshanlinux-001 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP ##-D删除最后一条规则
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-i etho针对网卡的
iptables -nvL --line-numbers ##时间太久忘记规则,用不了-D去删除规则,可以用该命令直接查看规则的序号,用序号删除规则。
[root@zyshanlinux-001 ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 492 39336 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 2 488 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 101 packets, 11124 bytes)
num pkts bytes target prot opt in out source destination
[root@zyshanlinux-001 ~]# iptables -D INPUT 6 ##针对INPUT连第6条规则进行删除
[root@zyshanlinux-001 ~]# iptables -nvL --line-numbers ##INPUT链只剩下5条规则了
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 560 43984 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 2 488 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes)
num pkts bytes target prot opt in out source destination
iptables -D INPUT 1
iptables -P INPUT DROP 这个默认策略最好不要动它,保持默认就好
Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes) ##OUTPUT链没有规则的时候是默认为ACCEPT规则
num pkts bytes target prot opt in out source destination
[root@zyshanlinux-001 ~]# iptables -P INPUT DROP ##如果你更改这个默认规则为DROP,远程连接就会断开,因为DROP会把数据通通禁止。必须到本地去把这个更改后的默认规则改回更改前的默认规则ACCEPT
[root@zyshanlinux-001 ~]# iptables -P INPUT ACCEPT ##给它放行就可以了
iptables filter表小案例
iptables小案例
vi /usr/local/sbin/iptables.sh //加入以下内容
#! /bin/bashipt="/usr/sbin/iptables" ##定义变量$ipt -F ##首先把之前的规则清空$ipt -P INPUT DROP ##把默认策略定义下$ipt -P OUTPUT ACCEPT$ipt -P FORWARD ACCEPT$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ##加规则$ipt -A INPUT -s 192.168.106.0/24 -p tcp --dport 22 -j ACCEPT$ipt -A INPUT -p tcp --dport 80 -j ACCEPT$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
再执行该脚本:sh /usr/local/sbin/iptables.sh
[root@zyshanlinux-001 ~]# w17:24:25 up 5:15, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.106.1 12:09 1.00s 0.18s 0.00s w
[root@zyshanlinux-001 ~]# vi /usr/local/sbin/iptables.sh ##加入上面代码
[root@zyshanlinux-001 ~]# w ##106网段是允许通过的17:26:10 up 5:17, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.106.1 12:09 2.00s 0.18s 0.00s w
root pts/1 192.168.106.1 17:25 26.00s 0.01s 0.01s -bash
[root@zyshanlinux-001 ~]# sh /usr/local/sbin/iptables.sh ##执行该脚本
[root@zyshanlinux-001 ~]# iptables -nvL ##规则增加了
Chain INPUT (policy DROP 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 32 2112 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT tcp -- * * 192.168.106.0/24 0.0.0.0/0 tcp dpt:220 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1644 bytes)pkts bytes target prot opt in out source destination
[root@zyshanlinux-001 ~]# iptables -nvL ##数据和大小确实增加了
Chain INPUT (policy DROP 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 36 2392 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT tcp -- * * 192.168.106.0/24 0.0.0.0/0 tcp dpt:220 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:800 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 2832 bytes)pkts bytes target prot opt in out source destination
icmp示例
iptables -I INPUT -p icmp --icmp-type 8 -j DROP 你可以ping别人,别人ping不了你
[root@zyshanlinux-001 ~]# service iptables restart ##先把前面的脚本恢复为默认策略
Redirecting to /bin/systemctl restart iptables.service
[root@zyshanlinux-001 ~]# iptables -nvL ##脚本规则恢复为默认规则
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 28 1848 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:220 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)pkts bytes target prot opt in out source destination
[root@zyshanlinux-001 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP ##可以ping通外面,但禁止外面ping你。
[root@zyshanlinux-001 ~]# ping www.qq.com ##ping外面可以
PING www.qq.com (140.206.160.207) 56(84) bytes of data.
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=1 ttl=128 time=59.9 ms
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=2 ttl=128 time=52.2 ms
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=3 ttl=128 time=54.6 ms
^C
--- www.qq.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 52.263/55.614/59.906/3.196 ms
ping到本机不允许。
C:\Users\zhengyushan>ping 192.168.106.128
正在 Ping 192.168.106.128 具有 32 字节的数据:
请求超时。
[root@zyshanlinux-001 ~]# service iptables restart ##恢复默认规则
Redirecting to /bin/systemctl restart iptables.service
nat表应用
A机器两块网卡ens33(192.168.133.130)、ens37(192.168.100.1),ens33可以上外网,ens37仅仅是内部网络,B机器只有ens37(192.168.100.100),和A机器ens37可以通信互联。
需求1:可以让B机器连接外网
A机器上打开路由转发 echo "1">/proc/sys/net/ipv4/ip_forward
A上执行 iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
需求1具体步骤
- A机器增加一块网卡
- 默认设置
- 选择LAN区段网络连接
- 选择LAN区段“网络交换机01”
- B机器是A机器克隆的所以原有网卡是配好IP的,需要去掉这块网卡
- 添加新网卡,也是LAN区段连接“网络交换01”
- 命令给A机器新网卡ens37附上临时IP:192.168.100.1
[root@zyshanlinux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.106.128 netmask 255.255.255.0 broadcast 192.168.106.255inet6 fe80::8fc3:bbdf:ba89:22a7 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:a1:d4:eb txqueuelen 1000 (Ethernet)RX packets 76 bytes 8349 (8.1 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 90 bytes 12925 (12.6 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.106.150 netmask 255.255.255.0 broadcast 192.168.106.255ether 00:0c:29:a1:d4:eb txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet6 fe80::7285:a690:d34:bb0c prefixlen 64 scopeid 0x20<link>ether 00:0c:29:a1:d4:f5 txqueuelen 1000 (Ethernet)RX packets 8 bytes 2736 (2.6 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 25 bytes 4326 (4.2 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1 (Local Loopback)RX packets 40 bytes 3192 (3.1 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 40 bytes 3192 (3.1 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@zyshanlinux-001 ~]# ifconfig ens37 192.168.100.1/24 ##命令行手动设置IP,这个只是临时重启就没了,永久的需要在配置文件中改,ens37没有配置文件,需要复制ens33网卡的配置文件,更改各个参数。
[root@zyshanlinux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.106.128 netmask 255.255.255.0 broadcast 192.168.106.255inet6 fe80::8fc3:bbdf:ba89:22a7 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:a1:d4:eb txqueuelen 1000 (Ethernet)RX packets 242 bytes 20623 (20.1 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 156 bytes 25683 (25.0 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.106.150 netmask 255.255.255.0 broadcast 192.168.106.255ether 00:0c:29:a1:d4:eb txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255inet6 fe80::20c:29ff:fea1:d4f5 prefixlen 64 scopeid 0x20<link>ether 00:0c:29:a1:d4:f5 txqueuelen 1000 (Ethernet)RX packets 20 bytes 6840 (6.6 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 58 bytes 9320 (9.1 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1 (Local Loopback)RX packets 40 bytes 3192 (3.1 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 40 bytes 3192 (3.1 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
B机器无法远程连接需要接入本地操作,物理上已经将把ens33断开,谨慎起见还是断开网卡命令:ifdown ens33
仍然是手动命令给B机器附上临时IP:192.168.100.100
给B机器附上A机器的网关命令route add default gw 192.168.100.1
B机器设置DNS:vi /etc/resolv.conf
在配置文件里加上:nameserver 119.29.29.29
以A机器为内核转发,必须打开端口转发才能实现NAT的应用
[root@zyshanlinux-001 ~]# cat /proc/sys/net/ipv4/ip_forward ##默认是0,没有开启内核转发
0
[root@zyshanlinux-001 ~]# echo "1" > !$
echo "1" > /proc/sys/net/ipv4/ip_forward
[root@zyshanlinux-001 ~]# !cat
cat /proc/sys/net/ipv4/ip_forward ##打开端口转发,要想实现NAT的应用必须打开端口转发
1
[root@zyshanlinux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE ##要增加条规则,欺骗,令192.168.100.0这个网段能够上网
[root@zyshanlinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0 ##增加的规则在这
结果:
A机器可以ping外网,可以pingB机器192.168.100.100,一切都可以ping 。
B机器只能pingA机器的ens37网卡(网关),外网、公网、DNS都ping不了。
命令赋予的临时ip100.1和100.100很容易丢失,在不注销当前用户的前提下。
B上设置网关为192.168.100.1
需求2:C机器只能和A通信,让C机器可以直接连通B机器的22端口
A上打开路由转发echo "1">/ proc/sys/net/ipv4/ip_forward
A上执行iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
A上执行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
B上设置网关为192.168.100.1
需求2实验步骤
A机器操作
[root@zyshanlinux-001 ~]# cat /proc/sys/net/ipv4/ip_forward ##打开端口转发,上面做了只是确认下 1 ##删除上条测试的规则,增加2条规则 [root@zyshanlinux-001 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE [root@zyshanlinux-001 ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)pkts bytes target prot opt in out source destination [root@zyshanlinux-001 ~]# iptables -t nat -A PREROUTING -d 192.168.43.32 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 [root@zyshanlinux-001 ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.43.32 tcp dpt:1122 to:192.168.100.100:22 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination [root@zyshanlinux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.43.32 [root@zyshanlinux-001 ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.43.32 tcp dpt:1122 to:192.168.100.100:22 Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.43.32
B机器操作,设置网关
[root@zyshanlinux-001 ~]# route add default gw 192.168.100.1 [root@zyshanlinux-001 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 ens37 192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ens37
远程连接
需求2失败
扩展(selinux了解即可)
selinux教程 http://os.51cto.com/art/201209/355490.htm
selinux pdf电子书 http://pan.baidu.com/s/1jGGdExK
iptables应用在一个网段 http://www.aminglinux.com/bbs/thread-177-1-1.html
sant,dnat,masquerade http://www.aminglinux.com/bbs/thread-7255-1-1.html
iptables限制syn速率 http://www.aminglinux.com/bbs/thread-985-1-1.html http://jamyy.us.to/blog/2006/03/206.html
Linux日常运维管理技巧(二)Linux防火墙:你可以ping别人,别人ping不了你、转发、代理相关推荐
- Linux日常运维管理技巧
Linux日常运维管理技巧 监控系统状态 1.w/uptime查看系统状态, 执行这个命令可得知目前登入系统的用户有那些人,以及他们正在执行的程序,以及当前负载的情况. 2.cat /proc/cpu ...
- Linux日常运维管理技巧(二)
Linux防火墙 selinux临时关闭 setenforce 0 [root@zyshanlinux-01 ~]# getenforce ##防火墙状态开启 Enforcing [root@zysh ...
- Linux日常运维管理技巧(一)监控系统状态、监控网卡流量、监控IO性能、查看系统进程、查看网络状态、Linux下抓包tcpdump、Linux网络相关、DNS配置
目录 监控系统状态 监控网卡流量 监控IO性能 查看系统进程 查看网络状态 Linux下抓包 Linux网络相关 监控系统状态 w/uptime查看系统负载 [root@zyshanlinux-01 ...
- Linux日常运维管理技巧(四)文件同步工具-rsync、Linux系统日志、dmesg命令、lastb命令查看登录失败的用户、screen工具虚拟屏幕
目录 Linux文件同步工具-rsync Linux系统日志 dmesg命令 lastb命令 screen工具 Linux文件同步工具-rsync rsync命令是一个远程数据同步工具,可通过LAN/ ...
- Linux日常运维管理技巧(三)iptables规则备份和恢复、firewalld的9个zone、任务计划cron、chkconfig系统服务管理、添加服务命令、systemctl管理服务
目录 Linux防火墙-netfilter iptables规则备份和恢复 Linux防火墙-firewalled firewalld的9个zone firewalld关于zone的操作 firewa ...
- Linux服务器运维管理 项目二 管理与维护Linux系统
任务一 安装与维护Linux系统 系统已安装,略. 任务二 认识Linux的文件系统 子任务一 熟悉Linux系统的目录结构 第一步:理解Linux系统目录的结构树 第二 ...
- 日常运维管理技巧十七(Nethogs进程流量监控工具)(转载)
有很多适用于Linux系统的开源网络监视工具.比如说,你可以用命令iftop来检查带宽使用情况.netstat用来查看接口统计报告,还有top监控系统当前运行进程.但是如果你想要找一个能够按进程实时统 ...
- 日常运维管理技巧十五(htop使用说明top增强版)(转载)
htop 官网:http://htop.sourceforge.net/ Linux top命令的用法详细详解:https://www.cnblogs.com/zhoug2020/p/6336453. ...
- 日常运维管理技巧十六(iftop网卡流量监控工具)(转载)
iftop是类似于top的实时流量监控工具. 官方网站:http://www.ex-parrot.com/~pdw/iftop/ 1.iftop的作用 iftop可以用来监控网卡的实时流量(可以指定网 ...
最新文章
- c语言fread无法存储,【求助】C语言fread读取二进制文件时,读取结果全都是零
- 基于DSP的数字振荡器C语言编程,基于DSP的数字振荡器的设计与实现.pdf
- RxPermission原理解析
- Metrics.NET源码阅读笔记
- RxJava 2.0的基本使用
- Spark Mllib里的如何对单个数据集用斯皮尔曼计算相关系数
- 测试用例集-9.QQ登录功能测试用例
- Pocket通证POKT锁仓总价值超2.1947亿美元
- flex中list或Combox中的子项上移下移操作
- Solidity语言基础 和 Etherum ERC20合约基础
- c语言规定学号长度,c语言第1-9章基本概念练习题ans(最全).docx
- 读zac老哥《网络营销实战密码》一章有感
- 十四岁如花少女与养父共宿一床
- HDU 6080 度度熊保护村庄(计算几何+floyd)
- landesk 卸载_LANDesk软件分发在项目中的深入探索(续2)—客户端已安装应用程序的远程卸载...
- EXCEL 快捷键集合
- matlab 图片叠加
- 下载整个网站 有什么工具可以下载整个网站的内容吗?
- How to find block sql from dba_waiters v$session v$sql
- vue-router路由重复点击时报错的解决方案
热门文章
- Tuxera NTFS使用教程:关于Tuxera NTFS mac还有你不知道的用法
- matlab 多 带阻,matlab程序之——滤波器(带通-带阻
- python编辑器_资深程序员:学Python我推荐你用这几款编辑器
- Qt笔记-QxOrm基本使用(对SQLLite进行增删改查)
- 前端笔记-vue cli中使用router-link进行路由跳转
- C++笔记-const与mutable、static_cast与reinterpret_cast
- Qt文档阅读笔记-Visual Parent的初步理解(获取QML中的根节点及其子结点)
- python输出矩阵的行数_python查看矩阵的行列号以及维数方式
- chararray遍历_数组常用的遍历方法 ——总结
- mysql 索引原理_MySQL InnoDB索引原理和算法