ifconfig shows the IP addresses of the network interfaces. It is installed by default on CentOS 6; on CentOS 7 it is not, and out of the box only `ip addr` is available for this.

```
ifconfig
```

To use it on CentOS 7, install the "net-tools" package.

The -a option lists every interface; without -a, an interface that is down is sometimes not shown at all.

`ifdown <interface>` shuts an interface down; afterwards ifconfig shows no IP on it. `ifup <interface>` brings it back up. The pair is mostly used on a single interface: for example, after changing one interface's configuration you do not want to restart the whole network service, so you run ifdown and ifup against just that interface.

If you are logged in over SSH, do not run ifdown on its own. Suppose your server is in the US and you ifdown the interface your session comes in through: you will never get back in, and the only way out is to ask the support staff there to bring the interface up again, which is a hassle. If that interface really must be restarted, run both commands on one line:

```
ifdown ens33 && ifup ens33
```

That solves the problem: the second command still runs locally after the session is cut.
First go to the directory holding the interface configuration files and create the new file:

```
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens32  ifdown-ippp   ifdown-sit       ifup-bnep  ifup-plip    ifup-team         network-functions-ipv6
ifcfg-lo     ifdown-ipv6   ifdown-team      ifup-eth   ifup-plusb   ifup-teamport
ifdown       ifdown-isdn   ifdown-teamport  ifup-ib    ifup-post    ifup-tunnel
ifdown-bnep  ifdown-post   ifdown-tunnel    ifup-ippp  ifup-ppp     ifup-wireless
ifdown-eth   ifdown-ppp    ifup             ifup-ipv6  ifup-routes  init.ipv6-global
ifdown-ib    ifdown-routes ifup-aliases     ifup-isdn  ifup-sit     network-functions
[root@localhost network-scripts]# cp ifcfg-ens32 ifcfg-ens32\:0
```

Because `:` is treated as a special character on the command line, it is escaped with a backslash. Now edit the ifcfg-ens32:0 configuration file:
```
vim ifcfg-ens32:0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32:0
UUID=4233625f-9278-4b12-b2cf-02f3dd5ed641
DEVICE=ens32:0
ONBOOT=yes
IPADDR=192.168.133.160
NETMASK=255.255.255.0
```

NAME and DEVICE must be changed to the name of the virtual interface, ens32:0. Because it is a virtual interface that shares the gateway of ens32, GATEWAY and DNS can be left out. Now `ifdown ens32 && ifup ens32` restarts just this interface:
```
[root@localhost network-scripts]# ifdown ens32 && ifup ens32
成功断开设备 'ens32'。
成功激活的连接（D-Bus 激活路径：/org/freedesktop/NetworkManager/ActiveConnection/3）
```
Check the interfaces:

```
[root@localhost network-scripts]# ifconfig -a
ens32: flags=4163
```
A new ens32:0 has appeared. Ping it from the Windows desktop to check that it is reachable:

```
C:\Users\Administrator>ping 192.168.133.160

正在 Ping 192.168.133.160 具有 32 字节的数据:
来自 192.168.133.160 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.133.160 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.133.160 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.133.160 的回复: 字节=32 时间<1ms TTL=64

192.168.133.160 的 Ping 统计信息:
    数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms，最长 = 0ms，平均 = 0ms
```

The address answers, so the interface is usable.
To check whether a network cable is plugged into an interface, use `mii-tool <interface>`:

```
[root@localhost network-scripts]# mii-tool ens32
ens32: negotiated 1000baseT-FD flow-control, link ok
```

"link ok" means a cable is connected; with no cable it reports "ens32: no link". Sometimes this command reports that the interface is not supported; in that case use `ethtool <interface>` instead:

```
[root@localhost network-scripts]# ethtool ens32
Settings for ens32:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Supported pause frame use: No
	Supports auto-negotiation: Yes
	Advertised link modes:  10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Advertised pause frame use: No
	Advertised auto-negotiation: Yes
	Speed: 1000Mb/s
	Duplex: Full
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: internal
	Auto-negotiation: on
	MDI-X: off (auto)
	Supports Wake-on: d
	Wake-on: d
	Current message level: 0x00000007 (7)
			       drv probe link
	Link detected: yes
```

The line to look at is "Link detected": yes means the link is up, no means it is not connected.
`hostnamectl set-hostname` works on CentOS 7; CentOS 6 does not support it.

```
[root@localhost ~]# hostnamectl set-hostname aminglinux-001
```

View the hostname:

```
[root@localhost ~]# hostname
aminglinux-001
```

The prompt only shows the new name after you log out and back in; alternatively, start a subshell and it shows right away:

```
[root@localhost ~]# bash
[root@aminglinux-001 ~]#
```

The configuration file is /etc/hostname:

```
[root@localhost ~]# cat /etc/hostname
aminglinux-001
```
The DNS configuration file is /etc/resolv.conf:

```
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 114.114.114.114
```

These entries come from the DNS lines in the interface configuration file. You can change them temporarily by editing this file with vim, but the change only lasts until the settings from the interface configuration file overwrite it again.
The hosts file exists on both Windows and Linux; it maps a domain name to an IP address. For example:

```
[root@localhost ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=40.9 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=37.4 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 37.431/38.997/40.994/1.503 ms
```

This domain resolves to 202.91.250.93. Now we edit the local hosts file:

```
[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com
```

The format is simple: an IP address, then whitespace, then the names; one line can map one IP to several domain names, and each mapping takes one line. Ping www.qq123.com again:

```
[root@localhost ~]# !ping
ping www.qq123.com
PING www.qq123.com (192.168.133.130) 56(84) bytes of data.
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=3 ttl=64 time=0.064 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.054/0.097/0.173/0.053 ms
```

The IP the domain resolves to is now our own. This setting only takes effect on the local machine; a ping from the Windows system shows the difference:
```
C:\Users\Administrator>ping www.qq123.com

正在 Ping www.qq123.com [202.91.250.93] 具有 32 字节的数据:
来自 202.91.250.93 的回复: 字节=32 时间=35ms TTL=230
来自 202.91.250.93 的回复: 字节=32 时间=34ms TTL=230
来自 202.91.250.93 的回复: 字节=32 时间=44ms TTL=230
来自 202.91.250.93 的回复: 字节=32 时间=35ms TTL=230

202.91.250.93 的 Ping 统计信息:
    数据包: 已发送 = 4，已接收 = 4，丢失 = 0 (0% 丢失)，
往返行程的估计时间(以毫秒为单位):
    最短 = 34ms，最长 = 44ms，平均 = 37ms
```
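As an added example, not from the original notes, here is a small Python parser for the /etc/hosts format just described (address, whitespace, one or more names per line, `#` comments), with a first-match lookup like the one the ping test above exercised, plus a helper that lists the entries pointing away from the local host, the lines to review when checking whether name resolution on a machine has been overridden locally. `SAMPLE_HOSTS`, `parse_hosts`, `resolve` and `non_loopback_entries` are my own names, and the sample file is constructed from the one in the notes.

```python
# Added example, not from the original notes: a parser for the /etc/hosts format
# described above; the sample file and the helper functions are my own.
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the file from the notes plus a comment and a second name.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# lab override added while testing
192.168.133.130 www.qq123.com   qq123.com
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) for each usable line; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere on the line
        if not line:
            continue
        fields = line.split()                 # any run of spaces or tabs separates fields
        if len(fields) < 2:
            continue                          # an address with no names maps nothing
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # first field is not an IP: ignore the line
        entries.append((addr, [n.lower() for n in fields[1:]]))
    return entries

def resolve(text: str, name: str) -> Optional[str]:
    """Look a name up the way the ping above did: the first matching line wins."""
    name = name.lower()
    for addr, names in parse_hosts(text):
        if name in names:
            return addr
    return None

def non_loopback_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Entries that send a name somewhere other than this host: these are the lines
    to review when checking whether a machine's name resolution was overridden."""
    return [(a, n) for a, n in parse_hosts(text)
            if not ipaddress.ip_address(a).is_loopback]
```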
10.12 firewalld and netfilter

SELinux firewall

SELinux is usually turned off, because leaving it on adds operational overhead: many services are restricted by SELinux, and in practice turning it off does not create much of a security problem. We ran into it when setting up key-based authentication: unless SELinux is turned off during that setup, login is not possible. Turn it off temporarily:

```
setenforce 0
```

Turning it off permanently requires editing the configuration file:

```
vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing        // change to disabled to turn SELinux off permanently
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
A reboot is needed for this to take effect. To check the current SELinux state:

```
[root@localhost ~]# getenforce
Enforcing        // it is on
```

Turn it off temporarily:

```
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive       // permissive: where it would block, it only warns and does not actually block
```

netfilter firewall
Before CentOS 7 the firewall was called netfilter; in 7 it was renamed firewalld. The two mechanisms are somewhat different, but the underlying tool, iptables, is used the same way with both. On 7 we can turn firewalld off and turn netfilter on, that is, use the CentOS 6 firewall mechanism on 7 without any problem.

```
[root@localhost ~]# systemctl disable firewalld     // stop the service from starting at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@localhost ~]# systemctl stop firewalld        // stop the service
```

Enable netfilter
Before enabling it, install the "iptables-services" package:

```
[root@localhost ~]# yum install -y iptables-services
```

After installation a service exists; enable it:

```
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
```

Start the service:

```
[root@localhost ~]# systemctl start iptables
```
View the default iptables rules:

```
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   356 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
==iptables is only a tool used by the firewalld and netfilter firewalls; it is not the firewall itself.==

`man iptables` describes the 5 tables and 5 chains:
filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

PS: the default table, with three built-in chains, INPUT, FORWARD and OUTPUT. INPUT is the chain a packet passes through when it arrives; FORWARD handles packets that reach this host but are forwarded on to other machines; OUTPUT handles this host's own packets before they leave.

nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.

PS: PREROUTING acts the moment a packet comes in, POSTROUTING the moment it goes out. The nat table is commonly used for shared Internet access and port mapping.

mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

PS: rarely used.

raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface), OUTPUT (for packets generated by local processes).

PS: rarely used.

security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).

PS: rarely used.
```
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  705 71728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   38  4673 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 668 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Where the rules are saved
```
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Flushing the rules
```
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

After flushing, the rules in the file are still there:

```
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
To save the rules currently in effect to the file, run:

```
service iptables save
```

If you do not save them, restarting iptables reloads the rules from the configuration file:

```
[root@localhost ~]# systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

iptables options
iptables operates on the filter table by default:

```
[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   562 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

-Z option: clear the counters

```
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107  7916 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   791 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 72 packets, 9804 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -Z; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Now pkts and bytes are zero, but running iptables -nvL again shows fresh numbers, because traffic flows all the time, so these counters keep changing.

Command syntax
```
iptables -A INPUT -p tcp --dport 80 -j DROP
```

Even in its shortest form, a rule must name the chain and the protocol, otherwise the command errors out. Reading a full command:

```
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
```

The filter table is operated on by default. -A adds a rule; INPUT is the chain it is added to; -s gives the source IP, 192.168.188.1; -p selects the protocol, tcp; --sport gives the source port, 1234; -d gives the destination IP, 192.168.188.128; --dport gives the destination port, 80; -j selects what happens to matching traffic, DROP (discard) or REJECT (refuse). The difference between DROP and REJECT: REJECT examines the traffic and then tells the sender it is not allowed, which is the more polite approach; DROP simply discards anything the rule forbids without caring what it is (DROP is the one generally used).

-A appends the new rule at the bottom of the chain:
```
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  5040 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   12  2070 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80    // -A queues it after all existing rules

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1248 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

-I option
-I means insert: the rule goes to the very top of the chain and is evaluated first:

```
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    // -I puts the rule at the very top
  130 11252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  4897 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
When filtering, the rules are matched one at a time from top to bottom, so the one at the very top is naturally the first to apply. To delete a rule, repeat it with -D:

```
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 17204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

The rule is gone.

Simply changing -I or -A to -D is indeed quick, but what if the command is no longer in the shell history, or you cannot remember exactly how the rule was defined?
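As an added example, not from the original notes, this small Python model of first-match evaluation reproduces what the listings above show, including the consequence they leave implicit: a DROP appended with -A lands below the catch-all REJECT of the default INPUT chain and is never reached (its counters stay at 0), while the same rule inserted with -I is evaluated first, and deleting by position mirrors -D. `Rule`, `Chain`, `default_input` and `demo` are names I made up, and the packet is constructed.

```python
# Added example, not from the notes: a toy model of a netfilter chain (top to bottom, first match wins).
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    proto: Optional[str] = None              # None stands for "all"
    dport: Optional[int] = None
    in_if: Optional[str] = None
    states: Optional[FrozenSet[str]] = None  # -m state --state ...
    pkts: int = 0                            # the pkts counter of iptables -nvL
    def matches(self, pkt: dict) -> bool:
        for attr in ("proto", "dport", "in_if"):
            want = getattr(self, attr)
            if want is not None and want != pkt.get(attr):
                return False
        return self.states is None or pkt["state"] in self.states

class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules = []
    def append(self, rule: Rule) -> None:        # -A: the new rule goes to the bottom
        self.rules.append(rule)
    def insert(self, rule: Rule, num: int = 1) -> None:  # -I: top (or position num)
        self.rules.insert(num - 1, rule)
    def delete(self, num: int) -> None:          # -D CHAIN num, 1-based like --line-numbers
        del self.rules[num - 1]
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:                  # first matching rule decides
            if rule.matches(pkt):
                rule.pkts += 1
                return rule.target
        return self.policy                       # nothing matched: the chain policy applies

def default_input() -> Chain:
    """The INPUT chain of the default /etc/sysconfig/iptables listed in the notes."""
    c = Chain("ACCEPT")
    c.append(Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("ACCEPT", in_if="lo"))
    c.append(Rule("ACCEPT", proto="tcp", dport=22, states=frozenset({"NEW"})))
    c.append(Rule("REJECT"))                     # catch-all: anything appended below it is dead
    return c

def demo() -> dict:
    # Constructed packet: a new inbound HTTP connection arriving on ens32.
    http = {"proto": "tcp", "dport": 80, "in_if": "ens32", "state": "NEW"}
    chain = default_input()
    appended = Rule("DROP", proto="tcp", dport=80)
    chain.append(appended)                       # -A INPUT -p tcp --dport 80 -j DROP
    after_append = chain.verdict(http)           # REJECT: rule 5 fires first, the DROP never runs
    inserted = Rule("DROP", proto="tcp", dport=80)
    chain.insert(inserted)                       # -I INPUT -p tcp --dport 80 -j DROP
    after_insert = chain.verdict(http)           # DROP: it is now rule 1
    chain.delete(1)                              # -D INPUT 1 removes the inserted rule again
    return {"after_append": after_append, "appended_pkts": appended.pkts,
            "after_insert": after_insert, "inserted_pkts": inserted.pkts,
            "after_delete": chain.verdict(http), "rules_left": len(chain.rules)}
```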
```
iptables -nvL --line-number
```

This shows the sequence number of each rule:

```
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      202 17760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 2468 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```
Delete a rule by its sequence number:

```
[root@localhost ~]# iptables -D INPUT 7
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      266 22396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 3108 bytes)
num   pkts bytes target     prot opt in     out     source               destination
```

-P option: default policy
```
iptables -P OUTPUT DROP
```