iptables and visudo explained

The five iptables chains in detail

iptables has 4 tables and 5 built-in chains. The 4 tables are filter, nat, mangle and raw; the 5 chains are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. (Newer kernels also carry a security table for SELinux marking; it is not covered here.)

The 4 tables:

filter: the default table, for ordinary packet filtering. Chains: INPUT, OUTPUT, FORWARD.

nat: network address translation (SNAT, DNAT, port mapping). Chains: PREROUTING, OUTPUT, POSTROUTING (and INPUT on kernels since 2.6.34, which is why the nat listing further down shows four chains). Only the first packet of a connection traverses this table; conntrack applies the same translation to the rest of the connection.

mangle: modifies packet headers (TTL, TOS, firewall marks); rarely needed. Chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.

raw: mainly used to exempt packets from connection tracking (NOTRACK/CT target) for performance. Chains: PREROUTING, OUTPUT. It is consulted before any other table.

The 5 chains:

INPUT: packets that the routing decision has determined are addressed to this host and are being delivered to a local process.

OUTPUT: packets generated by this host and sent out.

FORWARD: packets that the routing decision has determined are not for this host and are being routed through it to another destination.

PREROUTING: incoming packets, before the routing decision is made.

POSTROUTING: outgoing packets, after routing, just before they leave through the network interface.

At each hook the tables are consulted in the order raw, mangle, nat, filter (where the table has that chain). A packet for a local process therefore passes PREROUTING then INPUT; a forwarded packet passes PREROUTING, FORWARD, POSTROUTING; a locally generated packet passes OUTPUT, POSTROUTING.

The relationship between the four tables and five chains is shown in the diagram below:

[Figure: iptables four tables and five chains (iptables的四表五链示意图.png)]

Examples of iptables multi-port matching, connection tracking, string matching, time matching, concurrent-connection limits, rate matching and packet-state matching

  • iptables rule format:
iptables   [-t table]   COMMAND   chain   [-m matchname [per-match-options]]   -j targetname [per-target-options]

    -t table:
        raw, mangle, nat, [filter (default)]

    COMMAND:
        Chain management (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING):
            -N: new, create a user-defined chain (a user-defined chain only takes effect when a built-in chain jumps to it)
            -X: delete a user-defined chain; non-empty user-defined chains and built-in chains cannot be deleted
                Note: only user-defined chains that are empty and have a reference count of 0 can be deleted;
            -P: policy, set the default policy of a built-in chain, i.e. what happens to a packet no rule matched. Only ACCEPT and DROP are valid here:
                ACCEPT: accept
                DROP: discard silently
                (REJECT is an extension target and cannot be a chain policy; to reject unmatched traffic, append a final "-j REJECT" rule instead.)
            -E: rename a user-defined chain; a user-defined chain with a non-zero reference count can be neither renamed nor deleted;
        Rule management:
            -A: append;
            -I: insert at the given position; with the position omitted the rule becomes rule 1;
            -D: delete, by
                (1) rule number, or
                (2) the rule specification itself;
            -R: replace the rule at the given position in the chain;

            -F: flush, remove all rules from the given chain (or from every chain of the table if no chain is named);
            -Z: zero the counters;
                every iptables rule carries two counters:
                    (1) number of packets matched;
                    (2) total size in bytes of the packets matched;
        Viewing:
            -L: list all rules in the given chain;
                -n: numeric, show addresses and ports as numbers instead of resolving names;
                -v: verbose;
                    -vv, -vvv: even more detail
                -x: exact, show counter values exactly instead of rounded to K/M/G;
                --line-numbers: show rule numbers;

    chain:
        PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING, or a user-defined chain

    Match conditions:
        Basic matches: no module needs to be loaded; provided by iptables/netfilter itself;
            [!] -s, --source address[/mask][,...]: does the packet's source IP fall within the given address or range;
            [!] -d, --destination address[/mask][,...]: does the packet's destination IP fall within the given address or range;
                all addresses: 0.0.0.0/0
            [!] -p, --protocol protocol: match the packet's protocol
                protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"
                    most often {tcp|udp|icmp}
            [!] -i, --in-interface name: the interface the packet arrived on; only meaningful where a packet is entering, i.e. in the PREROUTING, INPUT and FORWARD chains;
            [!] -o, --out-interface name: the interface the packet will leave through; only meaningful where a packet is leaving, i.e. in the FORWARD, OUTPUT and POSTROUTING chains;

    Extended matches: an extension module must be loaded for them to work

        Implicit extensions: no need to load the module by hand; they extend a protocol, so naming the protocol with -p already selects the module;
            tcp:
                [!] --source-port, --sport port[:port]: source port, or a port range;
                [!] --destination-port, --dport port[:port]: destination port, or a port range;
                [!] --tcp-flags mask comp
                        mask is the set of flags to examine, written as a comma-separated list, e.g. SYN,ACK,FIN,RST
                        comp is a comma-separated list of the flags that must be set, e.g. SYN
                        e.g. "--tcp-flags SYN,ACK,FIN,RST SYN" examines the four flags SYN, ACK, FIN and RST; SYN must be 1 and the other three must be 0; flags not named in mask (PSH, URG, ...) are ignored;
                [!] --syn: matches the first packet of the three-way handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN";
            udp
                [!] --source-port, --sport port[:port]: source port, or a port range;
                [!] --destination-port, --dport port[:port]: destination port, or a port range;

            icmp
                [!] --icmp-type {type[/code]|typename}
                        echo-request: 8
                        echo-reply: 0

    Explicit extensions: the module must be selected by hand with -m, i.e. [-m matchname [per-match-options]];
        1. multiport: match several discrete ports or port ranges in one rule, up to 15 ports (a range counts as two);
            [!] --source-ports, --sports port[,port|,port:port]...: several source ports;
            [!] --destination-ports, --dports port[,port|,port:port]...: several destination ports;
            [!] --ports port[,port|,port:port]...: several ports, matching either source or destination

        2. iprange: match a contiguous range of IP addresses that does not align with a network mask
            [!] --src-range from[-to]: source IP range
            [!] --dst-range from[-to]: destination IP range

        3. time: match on the time at which the packet arrives
            --timestart hh:mm[:ss]
            --timestop hh:mm[:ss]
            [!] --weekdays day[,day...]
            [!] --monthdays day[,day...]
            --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
            --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
            --kerneltz: use the kernel's configured time zone instead of the default, UTC;

        4. string: pattern-match on the application-layer payload of the packet
            --algo {bm|kmp}: string-search algorithm, Boyer-Moore or Knuth-Morris-Pratt
            [!] --string pattern: the string to look for
            [!] --hex-string pattern: the pattern written in hexadecimal
            --from offset
            --to offset
            Note: the match sees one packet at a time, not the reassembled stream, so a pattern split across two segments is missed, and encrypted (TLS) payloads cannot be matched at all.

        5. connlimit: limit concurrent connections per client IP (or per network, with --connlimit-mask)
            --connlimit-upto n: match when the number of existing connections is <= n
            --connlimit-above n: match when the number of existing connections is > n

        6. limit: match on packet rate, using a token bucket
            --limit rate[/second|/minute|/hour|/day]: the average rate at which the bucket refills
            --limit-burst number: the bucket size, i.e. the maximum number of packets the rule can match in a burst before the average rate applies (default 5)

            To limit the rate of new connections to a local TCP service, combine --syn with -m limit, and put a DROP rule behind it for the packets that exceed the rate; a limit rule with ACCEPT alone does not throttle anything.

        7. state: check the connection state recorded by the connection-tracking mechanism
            [!] --state state
                        INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.
                conntrack: tracks the relationship between requests and responses passing through this host; the states are:
                    NEW: a new connection request; conntrack has no entry for this connection, so the packet is treated as the first of a flow
                    ESTABLISHED: after NEW, for as long as the conntrack entry exists, packets in both directions of the flow
                    INVALID: a packet that cannot be associated with any connection (e.g. bad checksum, TCP segment outside the window);
                    RELATED: a new connection that belongs to an existing one (e.g. an FTP data channel, or an ICMP error for a tracked flow);
                    UNTRACKED: a packet exempted from tracking in the raw table;
                (-m conntrack --ctstate is the current implementation; -m state --state is kept as a compatibility alias.)

                state extension:
                    kernel modules:
                        nf_conntrack
                        nf_conntrack_ipv4

                        protocol helpers have to be loaded by hand, e.g. for FTP:
                            ~]# modprobe nf_conntrack_ftp

            Tracked connections:
                /proc/net/nf_conntrack

            Maximum number of tracked connections (when the table is full new connections are dropped and the kernel logs "nf_conntrack: table full, dropping packet"):
                /proc/sys/net/netfilter/nf_conntrack_max (also reachable as /proc/sys/net/nf_conntrack_max)

            Timeouts:
                /proc/sys/net/netfilter/*timeout*

        Targets:  -j targetname [per-target-options]
             ACCEPT: accept the packet
             DROP: discard it silently, nothing is sent back
             REJECT: discard it and send an error back (ICMP port-unreachable by default; --reject-with tcp-reset for TCP)
             RETURN: stop traversing this chain and return to the calling chain
             REDIRECT: redirect to a local port (nat table)
             LOG: write a kernel log entry and continue with the next rule
             MARK: set a firewall mark on the packet (mangle table)
             DNAT: destination address translation (nat table)
             SNAT: source address translation (nat table)
             MASQUERADE: SNAT to the current address of the outgoing interface (nat table)
                 ...
             a user-defined chain name: jump into that chain
Before adding any matches, look at the system's default iptables configuration:

[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 622 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 448 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • Multi-port matching:
[root@zcy520ooooo ~]# iptables -I INPUT 1 -d 192.168.80.4 -p tcp -m multiport --dports 21,22,80,443 -j ACCEPT 
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 15 packets, 1150 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   26  1872 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4       multiport dports 21,22,80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# Insert a rule at position 1 of the INPUT chain:
TCP to destination address 192.168.80.4
with destination port 21, 22, 80 or 443 is accepted.
(With the chain policy still ACCEPT this rule changes nothing yet; it only counts the matching packets.)

  • Connection tracking:
[root@zcy520ooooo ~]# iptables -A INPUT -d 192.168.80.4 -p tcp -m multiport --dports 21,22,80 -m state --state INVALID -j REJECT
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2268 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# Append a rule to the INPUT chain:
TCP to 192.168.80.4, destination port 21, 22 or 80,
whose conntrack state is INVALID is rejected.
(Appended after the ACCEPT above it, this rule never sees a packet: rule 1 has already accepted all TCP to ports 21, 22, 80 and 443. An INVALID rule has to come before the ACCEPT rules to have any effect.)
  • String matching:
[root@zcy520ooooo ~]# iptables -A OUTPUT -s 192.168.80.4 -d 192.168.80.0/24 -p tcp --sport 80 -m string --algo bm --string "sex" -j REJECT
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 44 packets, 3358 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 2628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.80.4         192.168.80.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable

# Append a rule to the OUTPUT chain:
TCP from 192.168.80.4 to the 192.168.80.0/24 network with source port 80
whose payload contains the string "sex" is rejected.
(The REJECT drops the segment and sends an ICMP error to the client, so the client's connection stalls rather than seeing an error page. This only works for plaintext HTTP; HTTPS payloads cannot be matched.)
  • Time matching:
[root@zcy520ooooo ~]# iptables -A INPUT -s 192.168.80.0/24 -d 192.168.80.4 -p tcp --dport 80 -m time --timestart 00:30 --timestop 12:30 --weekdays Mon,Sun -j DROP
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 8 packets, 622 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.80.0/24      192.168.80.4         tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 704 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.80.4         192.168.80.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable

# Append a rule to the INPUT chain:
TCP from the 192.168.80.0/24 network to 192.168.80.4, destination port 80,
arriving on Monday or Sunday between 00:30 and 12:30 is dropped.
(Times are UTC unless --kerneltz is given, which is why the listing prints "UTC". In this ruleset the rule is again shadowed by the ACCEPT in rule 1.)
  • Concurrent connection limit:
[root@zcy520ooooo ~]# iptables -A INPUT -d 192.168.80.4 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 20 packets, 1566 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.80.0/24      192.168.80.4         tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 15 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.80.4         192.168.80.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable

# Append a rule to the INPUT chain:
TCP to 192.168.80.4, destination port 21,
is rejected once the client already has more than 2 connections open ("#conn src/32 > 2" in the listing: counted per /32, i.e. per individual source address).
  • Rate matching:
[root@zcy520ooooo ~]# iptables -I INPUT -d 192.168.80.4 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 3 -j ACCEPT
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2526 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.80.4         icmptype 8 limit: avg 5/min burst 3
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.80.0/24      192.168.80.4         tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.80.4         192.168.80.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable

# Insert a rule at the top of the INPUT chain:
ICMP to 192.168.80.4 of type 8 (echo-request) is accepted at an average rate of 5 packets per minute
with a burst of 3: the bucket starts with 3 tokens, every matching packet consumes one, and a new token arrives every 12 seconds.
(A limit rule with ACCEPT only throttles if a later rule drops the excess; here the packets beyond the limit fall through to the chain's ACCEPT policy and are delivered anyway.)
  • Packet state (TCP flag) matching:
[root@zcy520ooooo ~]# iptables -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
[root@zcy520ooooo ~]# iptables -vnL
Chain INPUT (policy ACCEPT 24 packets, 1906 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x3F/0x02 reject-with icmp-port-unreachable
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.80.4         icmptype 8 limit: avg 5/min burst 3
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80,443
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         multiport dports 21,22,80 state INVALID reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  *      *       192.168.80.0/24      192.168.80.4         tcp dpt:80 TIME from 00:30:00 to 12:30:00 on Mon,Sun UTC
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.80.4         tcp dpt:21 #conn src/32 > 2 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       192.168.80.4         192.168.80.0/24      tcp spt:80 STRING match  "sex" ALGO name bm TO 65535 reject-with icmp-port-unreachable

# -m tcp loads the tcp match explicitly (it is already implied by -p tcp)
--tcp-flags: the flags to examine, followed by the flags that must be set
SYN,ACK,FIN,RST,URG,PSH: the list of flags to examine; ALL is a shorthand for these six
SYN: of the listed flags, SYN must be 1 and all the others 0, i.e. a pure connection request. The listing shows this as flags:0x3F/0x02 (mask 0x3F, compare 0x02).
Inserted at position 1 with no address restriction, this rule rejects every new SSH connection to the host before the multiport ACCEPT is reached; it demonstrates the match and is not a rule to keep.
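The rules above are appended one at a time to chains whose policy is still ACCEPT, so most of them only count packets, and two of them are shadowed by the earlier multiport ACCEPT. What follows is an added example, not from the original post, of the same matches assembled into a ruleset that actually enforces something: a DROP policy, the INVALID rule ahead of any ACCEPT, the limit rule followed by the DROP it needs, a user-defined chain with the recent match to throttle SSH brute forcing, and the whole table written in iptables-restore format so it is loaded atomically instead of rule by rule. The host address, admin network and ports are placeholders; `-m conntrack --ctstate` is the current spelling of `-m state --state`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a stateful INPUT policy for one host,
# emitted in iptables-restore(8) format. HOST_IP / ADMIN_NET defaults are placeholders.

gen_host_ruleset() {
    local host_ip="${1:-192.168.80.4}"       # address the services listen on (assumed)
    local admin_net="${2:-192.168.80.0/24}"  # network allowed to open ssh sessions (assumed)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_RATE - [0:0]
# Loopback and already-tracked traffic first: they are the bulk of the packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped before any ACCEPT can pick them up.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo requests: the limit rule only throttles because a DROP follows it; on its own
# the excess would fall through to later rules or the chain policy.
-A INPUT -d ${host_ip} -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 3 -j ACCEPT
-A INPUT -d ${host_ip} -p icmp --icmp-type echo-request -j DROP
# New ssh connections only from the admin network, via the rate-limiting chain.
-A INPUT -s ${admin_net} -d ${host_ip} -p tcp --dport 22 --syn -j SSH_RATE
# Web and ftp control channel for everyone (ftp data needs nf_conntrack_ftp for RELATED).
-A INPUT -d ${host_ip} -p tcp --syn -m multiport --dports 21,80,443 -j ACCEPT
# Log a sample of what is about to be refused, then REJECT so legitimate clients fail
# fast instead of hanging on a silent drop.
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "INPUT-DROP: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# SSH_RATE: a 4th new connection from the same source within 60 s is dropped.
-A SSH_RATE -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A SSH_RATE -m recent --name ssh --set -j ACCEPT
COMMIT
EOF
}

# Number of rules (-A lines) in the generated set, for sanity checks.
count_rules() {
    gen_host_ruleset "$@" | grep -c '^-A'
}

# Parse first (iptables-restore --test, iptables >= 1.6.2), then swap the table in
# atomically. Run as root; a parse error leaves the running ruleset untouched.
apply_host_ruleset() {
    gen_host_ruleset "$@" | iptables-restore --test && gen_host_ruleset "$@" | iptables-restore
}
```

Rule order is the point: ESTABLISHED,RELATED first so the per-packet cost stays low, INVALID before the ACCEPTs so it is not shadowed, and the REJECT last so that anything not explicitly allowed is refused even though the policy is DROP already (the explicit rule lets the LOG rule in front of it see the packet).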

Examples of iptables SNAT (source address rewriting), DNAT (destination address rewriting) and PNAT (port rewriting)

To act as a NAT gateway the kernel's IP forwarding must be enabled: set /proc/sys/net/ipv4/ip_forward to 1 (the default is 0). sysctl -w only lasts until the next reboot; put the setting in /etc/sysctl.conf or a file under /etc/sysctl.d/ to make it persistent.

[root@zcy520ooooo ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

  • SNAT: lets internal clients reach external hosts through the gateway's address. The SNAT target is valid in the nat table's POSTROUTING chain (and INPUT), i.e. after the routing decision has chosen the outgoing interface.
[root@zcy520ooooo ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 2 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 214 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 214 bytes)
 pkts bytes target     prot opt in     out     source               destination    

------------------------ separator ------------------------
[root@zcy520ooooo ~]# iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -j SNAT --to-source 172.16.0.2
[root@zcy520ooooo ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.80.0/24      0.0.0.0/0            to:172.16.0.2 


# Append a rule to the nat table's POSTROUTING chain:
packets whose source address is in the internal network 192.168.80.0/24 get their source rewritten to 172.16.0.2, the gateway's external address; conntrack translates the replies back automatically. Without -o this also rewrites LAN-to-LAN traffic that happens to be routed through this host, so in practice add "-o <wan interface>". Use MASQUERADE instead of SNAT when the external address is assigned dynamically.
  • DNAT: exposes a server on the internal network to external clients. Defined in the nat table's PREROUTING chain (OUTPUT for locally generated packets), before the routing decision, so that the rewritten destination is what gets routed.
[root@zcy520ooooo ~]# iptables -t nat -A PREROUTING -d 172.16.0.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.4
[root@zcy520ooooo ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 6 packets, 383 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.0.2           tcp dpt:80 to:192.168.80.4

Chain INPUT (policy ACCEPT 6 packets, 383 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   620 SNAT       all  --  *      *       192.168.80.0/24      0.0.0.0/0            to:172.16.0.2

# Append a rule to the nat table's PREROUTING chain:
TCP to 172.16.0.2 port 80 has its destination rewritten to the internal server 192.168.80.4. The forwarded packets still have to be allowed by the filter table's FORWARD chain, where their destination is already 192.168.80.4. Order inside PREROUTING matters: this DNAT rule precedes the REDIRECT added next, so port 80 traffic to 172.16.0.2 is forwarded while port 80 traffic to any other address is redirected.
  • PNAT: redirect packets to another local port (the REDIRECT target). Used for transparent proxies, or to serve port 80 from a web server listening on an unprivileged port. REDIRECT is a DNAT to the address of the incoming interface and is valid in PREROUTING and OUTPUT.
[root@zcy520ooooo ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@zcy520ooooo ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.0.2           tcp dpt:80 to:192.168.80.4
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 2 packets, 136 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   620 SNAT       all  --  *      *       192.168.80.0/24      0.0.0.0/0            to:172.16.0.2

# Append a rule to the nat table's PREROUTING chain:
TCP to port 80 on any address is redirected to local port 8080. Because the DNAT rule above it already handled 172.16.0.2:80, only port 80 traffic to other addresses reaches this rule. REDIRECT in PREROUTING affects packets arriving from the network; connections the host makes to itself would need the same rule in the nat OUTPUT chain.
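The three nat rules above are shown in isolation; on a real gateway they need a matching FORWARD policy or the translated packets are dropped by the filter table, and the SNAT rule should be tied to the outgoing interface. Below is an added example (not from the original post) that generates a complete gateway ruleset in iptables-restore format: DNAT port-forward, REDIRECT to a local proxy, interface-bound SNAT with the MASQUERADE alternative, and the FORWARD rules that let the translated flows through. Interface names and addresses are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): NAT gateway rules plus the FORWARD rules
# they depend on, in iptables-restore format. All names/addresses are placeholders.

gen_nat_ruleset() {
    local wan_if="${1:-eth0}" lan_if="${2:-eth1}"
    local wan_ip="${3:-172.16.0.2}" lan_net="${4:-192.168.80.0/24}" web="${5:-192.168.80.4}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT runs before routing: rewrite the destination, then the packet is routed and FORWARDed.
-A PREROUTING -i ${wan_if} -d ${wan_ip} -p tcp --dport 80 -j DNAT --to-destination ${web}
# REDIRECT is a DNAT to this host: LAN web traffic is handed to a local proxy on 8080.
-A PREROUTING -i ${lan_if} -s ${lan_net} -p tcp --dport 80 -j REDIRECT --to-ports 8080
# SNAT runs after routing and is bound to the WAN interface, so LAN-to-LAN traffic is
# left alone. With a dynamic WAN address use the MASQUERADE line instead: it reads the
# address from the interface and forgets its connections when the interface goes down.
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j SNAT --to-source ${wan_ip}
#-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Without these three rules the nat table translates addresses but FORWARD drops the flow.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -m conntrack --ctstate NEW -j ACCEPT
# Inbound to the port-forwarded server: FORWARD sees the already-translated destination.
-A FORWARD -i ${wan_if} -o ${lan_if} -d ${web} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Forwarding must be on and must survive a reboot; sysctl -w alone does not persist.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-ip_forward.conf
}

# Run as root: enable forwarding, then load both tables in one atomic operation.
apply_nat_ruleset() {
    enable_forwarding
    gen_nat_ruleset "$@" | iptables-restore
}
```

Invoke as `gen_nat_ruleset ens3 ens4 203.0.113.10 10.0.0.0/24 10.0.0.80` to see the rules for another topology before applying anything; the FORWARD rule for the DNAT target matches on the internal address because nat PREROUTING has already rewritten the destination by the time the filter table runs.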

A short introduction to sudo, and visudo / sudoers in detail

  • sudo: lets an authorised user run a specified command as another user (root by default). After a successful authentication the result is cached, by default for 5 minutes (timestamp_timeout), during which the user is not asked for the password again. This makes it possible to restrict root's
sudo  [options]  COMMAND
        -l[l]  [command]  list the commands the user may run (or check a single command)
        -k     clear the cached authentication so the next sudo asks for the password again
[testsudo@zcy520ooooo ~]$ sudo -l

We trust you have received the usual lecture from the local System Administrator.
It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for testsudo:
Sorry, user testsudo may not run sudo on zcy520ooooo.

# Show the sudo commands the user may run; this user has not been granted any
Authorisation: the policy file /etc/sudoers
    root    ALL=(ALL)   ALL
        root may run any command, as any user, from any host
    %wheel  ALL=(ALL)   ALL
        members of the wheel group may run any command, as any user
Structure of a grant:
    who     where=(whom)    commands
        which user (who), connecting from which host (where), may run which commands (commands) as which user (whom)
  • Notes:
  • ALL, meaning "everything", must be written in upper case
  • commands must be given by absolute path; a command can be excluded with !command, but this is not a reliable deny list: a user granted ALL can copy /bin/sh under another name and run that instead, so grant an explicit list of commands rather than "ALL except ..."
  • a user can also be a group, written %GROUP_NAME
  • to run without a password prompt use NOPASSWD: COMMAND; to force a password use PASSWD: COMMAND
users   hosts=(runas)       commands

        users:
            username  a user name
            #uid  a numeric uid
            %groupname  a group
            %#gid  a numeric gid
            user_alias  a user alias
                several users can be grouped under one name; the name is a user alias (User_Alias);

        hosts:
            ip  an IP address
            hostname  a host name
            NetAddr  a network address
            host_alias  a host alias

        runas:
            ...
            runas_alias  a Runas alias, i.e. the set of users sudo may switch to

        commands:
            command  a command, optionally followed by the exact arguments it may be given
            directory  a directory (ending in /): any command inside it
            sudoedit: a built-in pseudo-command that lets the user edit the named files as the runas user; the editor itself runs with the caller's privileges, which is safer than granting an editor binary as root
            cmnd_alias  a command alias
Defining aliases:
    ALIAS_TYPE  NAME=item1, item2, item3, ...
        NAME: the alias name, which must be all upper case;
    ALIAS_TYPE:
        User_Alias
        Host_Alias
        Runas_Alias
        Cmnd_Alias
User_Alias  NETADMIN=jeck, magedu

# NETADMIN stands for the users jeck and magedu

---------------- separator ---------------

Cmnd_Alias NETCMND=/usr/sbin/ip, /usr/sbin/ifconfig, /usr/sbin/route

# NETCMND stands for ip, ifconfig and route, each given by absolute path

---------------- separator ---------------

NETADMIN  localhost=(root)  NETCMND

# the users in the NETADMIN alias may, on the local host, run the commands in the NETCMND alias as root

Because the sudoers file is critical, and a syntax error in it makes sudo unusable for everyone, it should never be edited directly with vim, even by root. Use the dedicated visudo command instead: it locks the file against concurrent edits and checks the syntax before saving. The file looks like this (CentOS 7 defaults, plus one extra grant for user hello; note that useradd with unrestricted arguments allows "useradd -o -u 0 ...", which creates a second uid-0 account, so that grant is effectively full root):

[root@zcy520ooooo ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##  user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)   ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)   ALL
hello   ALL=(ALL)   /usr/sbin/useradd    

## Same thing without a password
# %wheel    ALL=(ALL)   NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
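To tie the sudoers grammar above together: an added example, not from the original post, that writes the NETADMIN/NETCMND policy as a drop-in under /etc/sudoers.d, restricts command arguments, grants a file edit through sudoedit rather than an editor binary, and validates the result with `visudo -cf` before installing it. User names, the httpd service, the ifcfg file, the drop-in name and the log path are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build, check and install a sudoers
# drop-in for the NETADMIN/NETCMND scheme. Names and paths are placeholders.

gen_netadmin_sudoers() {
    cat <<'EOF'
# who (NETADMIN) on which hosts (ALL) as whom (root) may run what (the aliases below)
User_Alias  NETADMIN = jeck, magedu
Cmnd_Alias  NETCMND  = /usr/sbin/ip, /usr/sbin/ifconfig, /usr/sbin/route
# Exact arguments: a bare /usr/bin/systemctl would let the caller start anything,
# and a trailing wildcard would let it append extra options.
Cmnd_Alias  SVCRESTART = /usr/bin/systemctl restart httpd.service, /usr/bin/systemctl reload httpd.service
# Editing a root-owned file goes through sudoedit: the file is copied, the user's
# editor runs unprivileged on the copy and sudo writes it back. Granting an editor
# binary as root instead would hand out a root shell via the editor's shell escape.
Cmnd_Alias  NETCONF  = sudoedit /etc/sysconfig/network-scripts/ifcfg-eth0
NETADMIN    ALL=(root) NETCMND, SVCRESTART, NETCONF
# Record what these users ran and saw; nothing here is NOPASSWD.
Defaults:NETADMIN  log_output, logfile=/var/log/sudo-netadmin.log
EOF
}

# visudo -cf checks syntax without touching /etc/sudoers. The drop-in name must not
# contain a dot or end in '~', otherwise #includedir skips the file silently.
install_sudoers_dropin() {
    local target="${1:-/etc/sudoers.d/netadmin}" tmp
    tmp=$(mktemp) || return 1
    gen_netadmin_sudoers > "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "sudoers syntax error, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$target" && rm -f "$tmp"
}

# Quick audit of a sudoers fragment on stdin that needs no visudo: succeed (exit 0)
# if any non-comment line grants a shell, an editor or a pager, each of which gives
# the caller a root shell (sh directly, vim via :!, less via !).
sudoers_grants_shell_escape() {
    grep -v '^#' | grep -Eq '/(sh|bash|dash|zsh|vim?|nano|less|more)([[:space:],]|$)'
}
```

Run `gen_netadmin_sudoers | sudoers_grants_shell_escape` as a pre-commit check on any sudoers change; `install_sudoers_dropin` must run as root and refuses to install anything visudo does not accept.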
