10.11 Linux networking
ifconfig
View a NIC's IP address
[root@hyc-01-01 ~]# yum install -y net-tools    installs the package that provides ifconfig
[root@hyc-01-01 ~]# ifconfig    shows each NIC's IP address and other details
ens33: flags=4163
inet 192.168.31.129 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::d46b:4589:4da1:2f34 prefixlen 64 scopeid 0x20
ether 00:0c:29:4d:9d:95 txqueuelen 1000 (Ethernet)
RX packets 95240 bytes 46375626 (44.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 110230 bytes 25292152 (24.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-a: by default ifconfig hides NICs that have no IP address; -a shows all NICs
ifdown/ifup
Disable/enable the specified NIC
[root@hyc-01-01 ~]# ifdown ens33
[root@hyc-01-01 ~]# ifup ens33
[root@hyc-01-01 ~]# ifdown ens33 && ifup ens33    restart the specified NIC
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/18)
Setting up a virtual NIC (IP alias)
1. Edit the NIC configuration file
[root@hyc-01-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens33-0    copy the NIC config file
[root@hyc-01-01 network-scripts]# vim ifcfg-ens33-0    edit the new config file
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
UUID=810ab965-021f-42f7-9262-73262fa3a097
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.31.151
NETMASK=255.255.255.0
GATEWAY=192.168.31.2
DNS1=119.29.29.29
[root@hyc-01-01 network-scripts]# ifdown ens33 && ifup ens33    restart the NIC so the virtual NIC takes effect
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/19)
Checking with ifconfig shows that ens33-0 has not taken effect
[root@hyc-01-01 network-scripts]# mv ifcfg-ens33-0 ifcfg-ens33\:0    rename the file to ifcfg-ens33:0 (the backslash escapes the colon); a virtual NIC must be named <physical NIC name>:<number>
[root@hyc-01-01 network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/19)
[root@hyc-01-01 network-scripts]# ifconfig    the virtual NIC ens33:0 now appears
ens33: flags=4163
inet 192.168.31.129 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::d46b:4589:4da1:2f34 prefixlen 64 scopeid 0x20
ether 00:0c:29:4d:9d:95 txqueuelen 1000 (Ethernet)
RX packets 97219 bytes 46552866 (44.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 111732 bytes 25497091 (24.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163
inet 192.168.31.151 netmask 255.255.255.0 broadcast 192.168.31.255
ether 00:0c:29:4d:9d:95 txqueuelen 1000 (Ethernet)
lo: flags=73
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Pinging the virtual NIC from the physical host succeeds
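Added example, not from the original notes: a POSIX shell function that performs the copy, edit and rename steps above in one go and enforces the <parent>:<n> file name that tripped up the first attempt. It assumes sysconfig-style ifcfg files in the directory passed as its first argument; the function name make_alias_cfg and the demo values are mine. Unlike the hand-edited file above it drops the copied UUID so the alias does not carry the parent connection's identifier.

```shell
#!/bin/sh
# Build the ifcfg file for an IP alias (virtual NIC) from its parent's config.
# Usage: make_alias_cfg <network-scripts dir> <parent device> <index> <ip>
make_alias_cfg() {
    dir="$1"; parent="$2"; idx="$3"; ip="$4"
    src="$dir/ifcfg-$parent"
    dst="$dir/ifcfg-$parent:$idx"    # must be <parent>:<n>, e.g. ifcfg-ens33:0
    [ -f "$src" ] || { echo "no parent config: $src" >&2; return 1; }
    case "$idx" in *[!0-9]*|'') echo "index must be a number" >&2; return 1;; esac
    # Rewrite the identity and address lines; the alias keeps the parent's
    # NETMASK/GATEWAY/DNS lines. The copied UUID is dropped (it is the parent's).
    sed -e "s/^NAME=.*/NAME=$parent:$idx/" \
        -e "s/^DEVICE=.*/DEVICE=$parent:$idx/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e "s/^BOOTPROTO=.*/BOOTPROTO=static/" \
        -e "/^UUID=/d" "$src" > "$dst"
    # A parent configured by DHCP has no IPADDR line, so add one for the alias.
    grep -q '^IPADDR=' "$dst" || printf 'IPADDR=%s\n' "$ip" >> "$dst"
    echo "$dst"
}

# Demo on a constructed parent config in a temporary directory (hypothetical
# values modelled on the ens33 file above), so the script runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'TYPE=Ethernet' 'BOOTPROTO=static' 'NAME=ens33' \
    'UUID=810ab965-021f-42f7-9262-73262fa3a097' 'DEVICE=ens33' 'ONBOOT=yes' \
    'IPADDR=192.168.31.129' 'NETMASK=255.255.255.0' 'GATEWAY=192.168.31.2' \
    'DNS1=119.29.29.29' > "$demo_dir/ifcfg-ens33"
alias_file=$(make_alias_cfg "$demo_dir" ens33 0 192.168.31.151)
cat "$alias_file"
```

On a real host point the first argument at /etc/sysconfig/network-scripts and restart the parent NIC afterwards, as the notes do.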
Check whether a NIC has link:
[root@hyc-01-01 network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
"link ok" means the link is up;
Some NICs do not support the command above; in that case use ethtool:
[root@hyc-01-01 network-scripts]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes    "yes" means the link is up
Changing the hostname:
[root@hyc-01-01 network-scripts]# hostnamectl set-hostname hyclinux
[root@hyc-01-01 network-scripts]# hostname
hyclinux
The new hostname does not show up in the current shell immediately;
it takes effect when a child shell is started or the terminal is logged in again
[root@hyc-01-01 network-scripts]# bash
[root@hyclinux network-scripts]#
View the hostname config file:
[root@hyclinux network-scripts]# cat /etc/hostname
hyclinux
View the DNS config file:
[root@hyclinux network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
Add a new DNS server:
[root@hyclinux network-scripts]# vim ifcfg-ens33    edit the NIC config file and add a DNS2 line
[root@hyclinux network-scripts]# ifdown ens33 && ifup ens33
成功断开设备 'ens33'。
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/24)
[root@hyclinux network-scripts]# cat /etc/resolv.conf    view the DNS config file again
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8
DNS settings are normally changed in the NIC config file, not in the DNS config file;
if resolv.conf (the DNS config file) is edited directly, its entries are overwritten by the DNS entries from the NIC config file the next time the NIC is restarted;
The /etc/hosts file
[root@hyclinux network-scripts]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
This file is part of name resolution: its entries determine how the host resolves and reaches a domain name;
[root@hyclinux network-scripts]# vim !$
vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.151 www.qq.com
[root@hyclinux network-scripts]# ping www.qq.com
The name www.qq.com is resolved to 192.168.31.151
PING www.qq.com (192.168.31.151) 56(84) bytes of data.
64 bytes from www.qq.com (192.168.31.151): icmp_seq=1 ttl=64 time=0.373 ms
64 bytes from www.qq.com (192.168.31.151): icmp_seq=2 ttl=64 time=0.057 ms
64 bytes from www.qq.com (192.168.31.151): icmp_seq=3 ttl=64 time=0.062 ms
64 bytes from www.qq.com (192.168.31.151): icmp_seq=4 ttl=64 time=0.089 ms
Question:
[root@hyclinux network-scripts]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.151 www.qq.com
192.168.31.2 www.qq.com www.com.com
After this change every address can be pinged, yet www.qq.com does not resolve to 192.168.31.2, while www.com.com -> 192.168.31.2 does take effect. Why?
[root@hyclinux network-scripts]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.151 www.qq.com
127.0.0.1 www.qq.com
After the 31.2 on the last line of the hosts file was changed to 127.0.0.1, 127.0.0.1 took effect
When several IPs in /etc/hosts are mapped to the same name, the later line takes precedence for resolution;
One IP can be mapped to several names;
10.12 firewalld and netfilter
When setting up key-based authentication SELinux must be turned off, otherwise key-based login fails
Disabling SELinux
Temporarily:
[root@hyclinux network-scripts]# setenforce 0
Permanently:
[root@hyclinux network-scripts]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
enforcing: when something needs to be blocked, it is blocked outright
# permissive - SELinux prints warnings instead of enforcing.
permissive: when something needs to be blocked, it is not blocked, but a warning is issued (the system logs it; nothing is shown on screen)
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted    changing this line to disabled may leave the system unable to boot
Then reboot the system.
[root@hyclinux ~]# getenforce
Disabled
CentOS 6 and earlier use netfilter as the firewall;
CentOS 7 uses firewalld;
The iptables tool is used the same way on every CentOS version;
Users add rules with iptables;
Shut firewalld down completely:
[root@hyclinux ~]# systemctl disable firewalld    stop firewalld from starting at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@hyclinux ~]# systemctl stop firewalld    stop the firewalld service
Enable netfilter (the iptables service):
[root@hyclinux ~]# yum install -y iptables-services    after installation the iptables service exists
[root@hyclinux ~]# systemctl enable iptables    enable the iptables service at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@hyclinux ~]# systemctl start iptables
netfilter is the actual firewall; iptables is only the tool used to manage it
[root@hyclinux ~]# iptables -nvL    view the default iptables rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
35 2448 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 26 packets, 2172 bytes)
pkts bytes target prot opt in out source destination
10.13 netfilter's 5 tables and 5 chains
CentOS 6 has only 4 tables; there is no security table
filter: a built-in table with three chains (INPUT, OUTPUT, FORWARD)
INPUT: the chain packets traverse when they enter this host
FORWARD:
Packets arriving at the machine are not necessarily for this host; packets not handled by this host are not passed up into the kernel for local processing;
After the destination address is checked, a packet that is not for this host may go through the FORWARD chain;
Common FORWARD operations: changing the destination address, forwarding packets, etc.;
OUTPUT
The chain packets generated by this host traverse before leaving it;
Can be used to block packets destined for a particular IP;
nat: a built-in table with three chains (PREROUTING, POSTROUTING, OUTPUT)
OUTPUT: same as filter's OUTPUT
PREROUTING: modifies packets at the moment they enter
POSTROUTING: modifies packets at the moment they leave
Other tables: mangle, raw, security
Relationship between tables and chains
A packet arriving at a NIC first enters the PREROUTING chain, where the destination IP is checked:
Not this host -> PREROUTING chain -> FORWARD chain -> POSTROUTING chain
This host -> PREROUTING chain -> INPUT chain -> processed by the local kernel -> OUTPUT chain -> POSTROUTING chain
10.14 iptables syntax
View iptables rules
[root@hyclinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
331 27321 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
24 4257 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 335 packets, 26159 bytes)
pkts bytes target prot opt in out source destination
Default location of the saved rules
[root@hyclinux ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Flush all rules
[root@hyclinux ~]# iptables -F
[root@hyclinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 588 bytes)
pkts bytes target prot opt in out source destination
After being flushed, the rules are still saved in /etc/sysconfig/iptables;
[root@hyclinux ~]# service iptables save    running this now would also wipe the default rules from the config file
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
If that command is not run, the default rules are loaded back when the iptables service is restarted;
Without -t, the operations above apply to the filter table by default
View the nat table's rules
[root@hyc-01-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 2 packets, 292 bytes)
pkts bytes target prot opt in out source destination
23 2826 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
23 2826 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
23 2826 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1 packets, 48 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
124 9843 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 12 packets, 912 bytes)
pkts bytes target prot opt in out source destination
124 9843 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
124 9843 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
124 9843 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
12 912 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
4 292 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
124 9843 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
124 9843 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
124 9843 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
2 292 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
23 2826 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
23 2826 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
23 2826 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
Making rules persistent
[root@hyclinux ~]# service iptables save
Rule changes only take effect in memory; to keep them across a service restart, run the save command above
-Z: zero the counters
[root@hyc-01-01 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
480 45085 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 292 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
16 1919 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
16 1919 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
16 1919 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
…
pkts: number of packets that matched the rule
bytes: number of bytes that matched the rule
[root@hyc-01-01 ~]# iptables -Z
[root@hyc-01-01 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 776 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 244 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1 244 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1 244 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
…
Add a rule to the filter table
[root@hyc-01-01 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
Without -t to name a table, the rule is added to the filter table;
-A (append): adds a rule at the end of the chain, after all existing rules;
INPUT: the chain the rule is added to;
-s: source IP;
-p: protocol (tcp, udp, etc.);
--sport: source port 1234;
-d: destination IP;
--dport: destination port 80;
-j: the action to take;
Difference between DROP and REJECT:
DROP: once the rule matches, the packet is discarded immediately, without further inspection and without any notification to the source
REJECT: once the rule matches, the packet is inspected and an error is reported back to the source before it is discarded
-I
[root@hyc-01-01 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@hyc-01-01 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
354 25066 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 1633 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
7 1633 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 1633 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 1633 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
…
-I inserts the rule at the front of the chain; -A appends it at the end;
once a packet matches a rule, that rule's action is taken immediately and the rules after it are not consulted;
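Added example, not part of the original notes: a small POSIX shell audit of a ruleset in the iptables-save format used by /etc/sysconfig/iptables above. Because a chain stops at the first match, an ACCEPT appended with -A after the catch-all REJECT is dead; the script lists such shadowed INPUT rules and re-inserts a rule above the catch-all, which is what -I achieves on a live chain. The sample ruleset is constructed from the CentOS 7 default shown above plus one appended port-80 ACCEPT; the function names are mine.

```shell
#!/bin/sh
# Audit and repair rule order in an iptables-save style ruleset.
# A catch-all is an INPUT rule with no match criteria and a terminating target.
CATCHALL='^-A INPUT -j (REJECT|DROP)( |$)'

# Print every INPUT rule that sits below the first catch-all (dead rules).
# Reads the ruleset from the files given as arguments, or from stdin.
shadowed_input_rules() {
    awk -v re="$CATCHALL" '
        /^-A INPUT / {
            if (dead) { print; next }
            if ($0 ~ re) dead = 1
        }' "$@"
}

# Insert a rule directly above the first catch-all: the position a live
# "iptables -I INPUT <n> ..." would give it, instead of the end of the chain.
insert_before_catchall() {
    rule="$1"; shift
    awk -v re="$CATCHALL" -v rule="$rule" '
        !done && $0 ~ re { print rule; done = 1 }
        { print }' "$@"
}

# Constructed sample: the CentOS 7 default ruleset from the notes, plus one rule
# appended after the REJECT, as "iptables -A INPUT ... --dport 80 -j ACCEPT" does.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
HTTP_RULE='-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'

# The dead rules in the sample, and the sample with the port-80 rule moved
# above the catch-all (drop the dead copy, then re-insert it in the right place).
shadowed_in_sample() { printf '%s\n' "$SAMPLE_RULESET" | shadowed_input_rules; }
repaired_sample() {
    printf '%s\n' "$SAMPLE_RULESET" | grep -vxF -- "$HTTP_RULE" \
        | insert_before_catchall "$HTTP_RULE"
}

echo "== shadowed INPUT rules =="; shadowed_in_sample
echo "== repaired ruleset =="; repaired_sample
```

To audit a real host run `shadowed_input_rules /etc/sysconfig/iptables` or pipe `iptables-save` into it.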
Deleting rules
-D: delete a rule
[root@hyc-01-01 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@hyc-01-01 ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
567 41342 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
10 2335 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
10 2335 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
10 2335 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
10 2335 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
…
The rule for TCP port 80 no longer exists
Show each rule with its number
[root@hyc-01-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 668 48978 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 11 2579 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
5 11 2579 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
6 11 2579 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
8 11 2579 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
9 0 0 DROP tcp -- * * 192.168.188.1 192.168.188.128 tcp spt:1234 dpt:80
…
Delete a rule by number
[root@hyc-01-01 ~]# iptables -D INPUT 9
[root@hyc-01-01 ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 739 54106 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 11 2579 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
5 11 2579 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
6 11 2579 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
8 11 2579 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
…
Rule number 9 has been deleted
-i: match traffic arriving on a specific NIC
[root@hyc-01-01 ~]# iptables -I INPUT -s 192.168.31.0/30 -i ens33 -j DROP
Default policy
[root@hyc-01-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
913 68751 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13 2860 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
13 2860 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
13 2860 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
12 2808 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
…
The "policy ACCEPT" in parentheses is the chain's default policy;
a packet that matches no rule is handled by the default policy;
Set the default policy of the OUTPUT chain:
[root@hyc-01-01 ~]# iptables -P OUTPUT ACCEPT