Linux daily ops management tips (2)
Linux firewall
Temporarily disabling SELinux: setenforce 0
    # getenforce        ## current state: enforcing
    Enforcing
    # setenforce 0      ## switch off temporarily (until the next reboot)
    # getenforce        ## now only logging, not enforcing
    Permissive
SELinux is the mandatory access control (MAC) mechanism of Linux. Because tuning its policy takes effort, the common practice after installing a system is to turn it off. Caveat: disabling SELinux removes a whole layer of containment, so a compromised service process (web server, database) is then confined only by ordinary file permissions. The less drastic option is permissive mode, which logs what would have been denied to /var/log/audit/audit.log without blocking it, so the policy can be fixed instead of abandoned. enforcing and permissive can be switched live with setenforce; disabled takes effect only after a reboot, and going from disabled back to enforcing requires a filesystem relabel (touch /.autorelabel before rebooting).
Permanently disabling SELinux: vi /etc/selinux/config. Many guides recommend it to cut administration cost, because a number of services run into SELinux denials out of the box; weigh that against the loss of MAC described above.
    # vi /etc/selinux/config        ## the permanent setting lives in this file

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing        ## change this line to SELINUX=disabled, then reboot
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

    # getenforce        ## state after the reboot
    Disabled
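The config edit above as a small script, added here as an example and not part of the original page: it rewrites only the uncommented SELINUX= line, rejects anything other than the three valid modes, and reads back the mode that will apply at the next boot. The sample file is a constructed copy of the stock file written to a temporary path; on a real host you would point it at /etc/selinux/config and normally choose permissive rather than disabled.

```shell
# Added example (not from the original page). POSIX sh.

selinux_config_mode() {
    # print the SELINUX= value of config file $1 (the mode used at next boot), or "unset"
    v=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1")
    echo "${v:-unset}"
}

selinux_set_mode() {
    # $1 = config file, $2 = enforcing|permissive|disabled
    cfg="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # Only the uncommented SELINUX= line changes; the commented explanations
    # also contain "SELINUX=" but start with '#', so ^SELINUX= skips them.
    # Write to a temp file and rename so a failed sed never truncates the config.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    selinux_config_mode "$cfg"
}

make_sample_cfg() {
    # constructed stand-in for /etc/selinux/config; prints the temp file's path
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "$f"
}

# usage on a real host (assumed paths):
#   selinux_set_mode /etc/selinux/config permissive && setenforce 0
```

Pairing the file edit with setenforce 0 gives the same mode now and after the reboot, which is the combination the two getenforce checks above are verifying.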
Before CentOS 7: netfilter managed with iptables
On CentOS 5 and 6 the firewall is the kernel's netfilter framework, configured with the iptables tool. CentOS 7 ships firewalld instead, whose own tool is firewall-cmd; under the hood firewalld is a front end that still programs the same netfilter framework (on CentOS 7 it does so through iptables). Many companies still run CentOS 6, so iptables remains the skill to have.
Because both are front ends to netfilter, iptables commands also work on a CentOS 7 host running firewalld, but two tools managing one ruleset is confusing, so the approach below replaces firewalld with the iptables service.
From CentOS 7: firewalld
Replacing firewalld with the iptables service
    # systemctl disable firewalld        ## first keep it from starting at boot
    Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
    Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    # systemctl stop firewalld           ## then stop the running service
    # yum install -y iptables-services   ## this package provides the iptables service unit
    # systemctl enable iptables          ## start the iptables service at boot
    Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
    # systemctl start iptables           ## start it now
    # iptables -nvL                      ## show the default ruleset
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       37  2508 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 23 packets, 2028 bytes)
     pkts bytes target     prot opt in     out     source               destination
netfilter
The 5 netfilter tables
filter: packet filtering, the most used table; holds the INPUT, FORWARD and OUTPUT chains
nat: network address translation; holds the PREROUTING, OUTPUT and POSTROUTING chains
mangle: marking or altering packet headers (marks, TTL, TOS); rarely needed
raw: exempting selected packets from connection tracking (NOTRACK); rarely needed
security: rules for mandatory access control (MAC) marking, absent on CentOS 6; rarely needed
Packet flow and the 5 netfilter chains
PREROUTING: packet has just arrived, before the routing decision
INPUT: after routing, the destination is this host
FORWARD: after routing, the destination is another host (only reached when IP forwarding is on)
OUTPUT: generated by this host, on its way out
POSTROUTING: just before the packet leaves through the network interface
Viewing iptables rules: iptables -nvL (-n: no name resolution, -v: counters and interfaces, -L: list)
    # iptables -nvL        ## list the rules
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # cat /etc/sysconfig/iptables        ## the saved ruleset the iptables service loads
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
iptables -F: flush the rules (in memory only; chain policies are not reset, so never run -F on a chain whose policy is DROP over a remote session)
    # iptables -F          ## flush the rules
    # iptables -nvL        ## the rules are gone from memory
    Chain INPUT (policy ACCEPT 16 packets, 1204 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 12 packets, 1928 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # cat /etc/sysconfig/iptables        ## but they are still in the saved config file
    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # service iptables restart        ## restarting the service (or the system) loads the saved rules again
    Redirecting to /bin/systemctl restart iptables.service
    # iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
     pkts bytes target     prot opt in     out     source               destination
service iptables save: save the rules
Changes made with iptables commands live only in kernel memory. To survive a service or system restart they must be written to /etc/sysconfig/iptables with service iptables save (check the file afterwards: a typo in a rule you forgot to remove gets saved too).
iptables -t nat: -t selects the table (filter is the default when -t is omitted)
    # iptables -t nat -nvL        ## the nat table
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
iptables -Z: zero the packet and byte counters; useful in scripts that want to measure what a rule matched from a known starting point
    # iptables -t filter -nvL        ## identical to iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       63  4264 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 36 packets, 4600 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # iptables -Z; iptables -nvL        ## packet and byte counters are back to zero
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    (remaining output unchanged)
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
Note: --sport and --dport are options of the protocol match, so they require -p tcp (or -p udp) earlier on the command line; without it iptables rejects the rule.
    # iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
    # iptables -nvL        ## -A appends, so the new rule is last
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      172 13128 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        1   244 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
     pkts bytes target     prot opt in     out     source               destination
iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP (-I inserts at the top, or at a given position; -A appends; -D deletes)
    # iptables -I INPUT -p tcp --dport 80 -j DROP        ## -I puts the rule at the top of the chain
    # iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      318 23200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    # iptables -D INPUT -p tcp --dport 80 -j DROP        ## -D deletes the rule that matches this exact specification
    # iptables -nvL                                      ## the first rule is gone
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      373 28196 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    (remaining output unchanged)
    # iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP        ## delete the last rule the same way
Rule order matters: a chain is evaluated top down and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate. In the listing above the inserted "DROP tcp dpt:80" sits before the RELATED,ESTABLISHED rule, so it also kills established HTTP connections; the appended 192.168.188.1 rule at the bottom never sees a packet, because the catch-all REJECT above it has already answered. A rule that appears to do nothing is usually shadowed by an earlier one.
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-i eth0 matches the interface the packet arrived on. -i is only valid in INPUT, FORWARD and PREROUTING; for the outgoing interface (OUTPUT, FORWARD, POSTROUTING) use -o.
iptables -nvL --line-numbers: when a rule was added long ago and its exact specification is forgotten, -D with the specification will not match. This command shows each rule's number, and the rule can be deleted by number.
    # iptables -nvL --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      492 39336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 101 packets, 11124 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    # iptables -D INPUT 6                ## delete rule number 6 of the INPUT chain
    # iptables -nvL --line-numbers       ## INPUT now has 5 rules
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      560 43984 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
iptables -D INPUT 1 deletes the first rule. Numbers shift after every deletion (after deleting rule 3, the old rule 6 becomes 5), so when removing several rules by number, delete from the highest number down, or re-list between deletions.
iptables -P INPUT DROP sets the chain's default policy, the decision applied when no rule matches. Leave it at ACCEPT unless you have first added the rules that keep your own session alive.
    Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes)        ## with no rules, OUTPUT falls through to its ACCEPT policy
    num   pkts bytes target     prot opt in     out     source               destination
    # iptables -P INPUT DROP        ## with only this, the remote session hangs: every packet not matched by a rule is dropped, and the only way back is the console
    # iptables -P INPUT ACCEPT      ## restore the default policy
Safer order when a DROP policy is wanted: add the RELATED,ESTABLISHED rule and the SSH allow rule first, set the policy last, and keep a safety net such as a background "sleep 300; iptables -P INPUT ACCEPT" that you cancel once the new ruleset is confirmed working.
A small iptables filter table case
vi /usr/local/sbin/iptables.sh and put in the following (the original script set the DROP policy before any rule existed and had no loopback rule, which breaks local services that talk over 127.0.0.1; both are fixed here):
#! /bin/bash
ipt="/usr/sbin/iptables"                                   ## define the binary once
$ipt -F                                                    ## clear the existing rules (policies are still ACCEPT at this point)
$ipt -A INPUT -i lo -j ACCEPT                              ## loopback traffic is always allowed
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   ## replies to our own connections and existing sessions
$ipt -A INPUT -s 192.168.106.0/24 -p tcp --dport 22 -j ACCEPT  ## SSH only from the admin network
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                  ## web
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                  ## FTP control channel (passive data ports need the nf_conntrack_ftp module to be tracked as RELATED)
$ipt -P INPUT DROP                                         ## now that the allow rules exist, drop everything else
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
Then run it: sh /usr/local/sbin/iptables.sh. Run it from a session on the 192.168.106.0/24 network, since any other SSH session is cut off.
    # w
     17:24:25 up  5:15,  1 user,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    192.168.106.1    12:09    1.00s  0.18s  0.00s w
    # vi /usr/local/sbin/iptables.sh        ## put in the script above
    # w                                     ## both sessions come from the 106 network, which the script allows
     17:26:10 up  5:17,  2 users,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    root     pts/0    192.168.106.1    12:09    2.00s  0.18s  0.00s w
    root     pts/1    192.168.106.1    17:25   26.00s  0.01s  0.01s -bash
    # sh /usr/local/sbin/iptables.sh        ## run the script
    # iptables -nvL                         ## the rules are in place and the INPUT policy is DROP
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       32  2112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       192.168.106.0/24     0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 17 packets, 1644 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # iptables -nvL                         ## a moment later the counters have grown, so the session is still passing through the ESTABLISHED rule
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       36  2392 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       192.168.106.0/24     0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 20 packets, 2832 bytes)
     pkts bytes target     prot opt in     out     source               destination
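The same policy expressed as an iptables-restore file rather than a sequence of iptables commands, added here as an example and not part of the original page. The difference matters over SSH: iptables-restore loads the whole table in one atomic commit, so there is no moment where the policy is DROP but the allow rules have not been added yet, and the file has the same format as /etc/sysconfig/iptables shown earlier, so it can be written there directly. The admin network and open ports are parameters; the LOG rule, the INVALID drop and the rate-limited ping are additions beyond the page's script.

```shell
# Added example (not from the original page). POSIX sh.

gen_ruleset() {
    # $1 = network allowed to reach SSH; remaining args = TCP ports open to everyone
    # prints a complete filter table in iptables-restore format
    admin_net="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # policy is part of the same atomic commit as the rules
    printf '%s\n' ':FORWARD DROP [0:0]'      # this host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    printf '%s\n' "-A INPUT -s $admin_net -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # everything else falls through to the DROP policy; log a sample of it first
    printf '%s\n' '-A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# usage on a real host (assumed paths):
#   gen_ruleset 192.168.106.0/24 80 21 > /tmp/rules && iptables-restore --test < /tmp/rules \
#     && cp /tmp/rules /etc/sysconfig/iptables && service iptables restart
```

iptables-restore --test parses the file without committing it, which catches syntax errors before they cost you the session. Port 21 is listed here only because the page's script opens it; FTP data connections additionally need the nf_conntrack_ftp module so that they are classified RELATED.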
ICMP example
iptables -I INPUT -p icmp --icmp-type 8 -j DROP: type 8 is echo-request, so this host can still ping others (its outgoing requests leave via OUTPUT and the echo-reply, type 0, comes back through the ESTABLISHED rule) but nobody can ping it.
    # service iptables restart        ## first replace the script's rules with the saved default ruleset
    Redirecting to /bin/systemctl restart iptables.service
    # iptables -nvL                   ## back to the defaults
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # iptables -I INPUT -p icmp --icmp-type 8 -j DROP        ## outbound ping works, inbound ping is dropped
    # ping www.qq.com                                        ## pinging out still works
    PING www.qq.com (140.206.160.207) 56(84) bytes of data.
    64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=1 ttl=128 time=59.9 ms
    64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=2 ttl=128 time=52.2 ms
    64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=3 ttl=128 time=54.6 ms
    ^C
    --- www.qq.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2004ms
    rtt min/avg/max/mdev = 52.263/55.614/59.906/3.196 ms
Pinging this host from outside is not allowed (from a Windows client on the same network):
    C:\Users\zhengyushan>ping 192.168.106.128
    Pinging 192.168.106.128 with 32 bytes of data:
    Request timed out.
    # service iptables restart        ## restore the default rules
    Redirecting to /bin/systemctl restart iptables.service
nat table in practice
Machine A has two NICs: ens33 (192.168.133.130), which reaches the outside world, and ens37 (192.168.100.1), which is on an internal-only network. Machine B has only ens37 (192.168.100.100) and can talk to A's ens37.
Requirement 1: let B reach the outside world through A
On A, enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward (this is lost at reboot; to persist it put net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p)
On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
Two things besides these commands decide whether forwarding works. First, B must use 192.168.100.1 as its default gateway. Second, forwarded packets pass through A's filter FORWARD chain, and the default ruleset of the iptables service listed above ends that chain with "-A FORWARD -j REJECT --reject-with icmp-host-prohibited", which rejects every packet from B before it is ever masqueraded; delete that rule (iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited) or insert ACCEPT rules for the 192.168.100.0/24 traffic above it, and save the result.
Requirement 1, step by step
1. Add a second NIC to machine A (in VMware):
   keep the default settings
   choose "LAN segment" as the network connection
   choose LAN segment "network switch 01"
B was cloned from A, so its existing NIC already carries A's configured IP; remove that NIC
and add a new one, also connected to LAN segment "network switch 01"
Give A's new NIC ens37 a temporary IP from the command line: 192.168.100.1
    # ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.106.128  netmask 255.255.255.0  broadcast 192.168.106.255
            inet6 fe80::8fc3:bbdf:ba89:22a7  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)
            RX packets 76  bytes 8349 (8.1 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 90  bytes 12925 (12.6 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.106.150  netmask 255.255.255.0  broadcast 192.168.106.255
            ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet6 fe80::7285:a690:d34:bb0c  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:a1:d4:f5  txqueuelen 1000  (Ethernet)
            RX packets 8  bytes 2736 (2.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 25  bytes 4326 (4.2 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 40  bytes 3192 (3.1 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 40  bytes 3192 (3.1 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
    # ifconfig ens37 192.168.100.1/24        ## set the IP by hand; this is temporary and gone after a reboot. For a permanent address ens37 needs its own config file: copy the ens33 file and change every parameter in it.
    # ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.106.128  netmask 255.255.255.0  broadcast 192.168.106.255
            inet6 fe80::8fc3:bbdf:ba89:22a7  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)
            RX packets 242  bytes 20623 (20.1 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 156  bytes 25683 (25.0 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.106.150  netmask 255.255.255.0  broadcast 192.168.106.255
            ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)

    ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
            inet6 fe80::20c:29ff:fea1:d4f5  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:a1:d4:f5  txqueuelen 1000  (Ethernet)
            RX packets 20  bytes 6840 (6.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 58  bytes 9320 (9.1 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1  (Local Loopback)
            RX packets 40  bytes 3192 (3.1 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 40  bytes 3192 (3.1 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
B cannot be reached remotely any more, so work on its local console. Its ens33 is already detached at the virtual-hardware level; to be safe, also bring it down: ifdown ens33
Again from the command line, give B a temporary IP: 192.168.100.100
Make A's ens37 the default gateway of B: route add default gw 192.168.100.1
Set B's DNS: vi /etc/resolv.conf
and add the line nameserver 119.29.29.29
A is the router for B's traffic, so IP forwarding must be enabled in A's kernel before NAT can do anything (the page's original wording called this "port forwarding"; the sysctl is net.ipv4.ip_forward, which forwards all IP packets, not ports).
    # cat /proc/sys/net/ipv4/ip_forward        ## defaults to 0: forwarding is off
    0
    # echo "1" > !$
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # !cat
    cat /proc/sys/net/ipv4/ip_forward          ## forwarding is on (until reboot; persist it with sysctl.conf)
    1
    # iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE        ## masquerade: rewrite the source of packets from 192.168.100.0/24 leaving via ens33 to A's own address, so the outside network can answer
    # iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           ## the new rule
Result:
A can ping the outside world and can ping B at 192.168.100.100; everything from A works.
B can only ping A's ens37 (its gateway); the outside world, public addresses and the DNS server are all unreachable.
The IPs assigned by command (100.1 and 100.100) are easily lost, even without logging out of the current session.
B's gateway has to be 192.168.100.1.
Requirement 2: machine C can only reach A; make C able to connect to port 22 of B through A
On A, enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward
On A, run: iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
On B, set the gateway to 192.168.100.1
The DNAT rule rewrites the destination of packets that arrive for A's public address on port 1122 to B:22; conntrack reverses the translation on B's replies automatically, and the SNAT rule is what lets B's own outgoing connections leave with A's address. Two checks before testing: the -d address must be the address actually configured on A's ens33 at the time (the recipe says 192.168.133.130, the ifconfig output above shows 192.168.106.128, and the rule typed in the lab below uses 192.168.43.32; a rule for an address nobody connects to matches nothing), and A's filter FORWARD chain must accept the forwarded traffic, as noted under requirement 1.
Requirement 2, lab steps
On machine A:
    # cat /proc/sys/net/ipv4/ip_forward        ## forwarding was enabled above; just confirming
    1
    ## remove the MASQUERADE rule from the previous test, then add the two new rules
    # iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
    # iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # iptables -t nat -A PREROUTING -d 192.168.43.32 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
    # iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.43.32        tcp dpt:1122 to:192.168.100.100:22

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.43.32
    # iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.43.32        tcp dpt:1122 to:192.168.100.100:22

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.43.32
On machine B, set the gateway:
    # route add default gw 192.168.100.1
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 ens37
    192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 ens37
Remote connection test
Requirement 2 failed.
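A check for the two preconditions that requirements 1 and 2 share, added here as an example and not part of the original page: whether IP forwarding is on, and whether A's filter FORWARD chain will let forwarded packets through at all. It takes the values as text so it runs offline against a constructed sample that mirrors the default iptables-services FORWARD chain listed earlier on this page; on A itself you would pass in the output of cat /proc/sys/net/ipv4/ip_forward and iptables -nvL FORWARD. The interface names and the inner network in the fix commands come from the page's setup; the fix itself (accept established traffic and the inner network's outbound traffic in FORWARD) is this example's suggestion, not something the page performed.

```shell
# Added example (not from the original page). POSIX sh.

sample_forward_chain() {
    # constructed: the FORWARD chain of the default /etc/sysconfig/iptables
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}

nat_gateway_check() {
    # $1 = contents of /proc/sys/net/ipv4/ip_forward, $2 = text of `iptables -nvL FORWARD`
    # prints one finding per line; prints nothing when the host is ready to forward
    fwd="$1"; chain="$2"
    [ "$fwd" = "1" ] || echo "ip_forward is $fwd: run sysctl -w net.ipv4.ip_forward=1 and persist it in /etc/sysctl.conf"
    if printf '%s\n' "$chain" | grep -q 'policy DROP'; then
        echo "FORWARD policy is DROP: explicit ACCEPT rules are needed for the forwarded traffic"
    fi
    # a REJECT/DROP with no protocol, interface or address restriction swallows everything
    if printf '%s\n' "$chain" | grep -qE '^ *[0-9]+[KMG]? +[0-9]+[KMG]? +(REJECT|DROP) +all +-- +\* +\* +0\.0\.0\.0/0 +0\.0\.0\.0/0'; then
        echo "FORWARD has a catch-all REJECT/DROP: packets from the inner network are never forwarded"
    fi
}

forward_fix_commands() {
    # $1 = inner interface, $2 = outer interface, $3 = inner network
    # the -D line uses the exact specification of the default rule, so it matches it
    cat <<EOF
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $1 -o $2 -s $3 -j ACCEPT
EOF
}

# usage on A (assumed): nat_gateway_check "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -nvL FORWARD)"
#                       forward_fix_commands ens37 ens33 192.168.100.0/24 | sh && service iptables save
```

With the inner network's outbound traffic and established replies accepted in FORWARD, the MASQUERADE rule of requirement 1 and the DNAT rule of requirement 2 both get packets to act on; the order (ESTABLISHED first, then the inner-to-outer rule) also covers the replies from B that the DNAT connection produces.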
Further reading (SELinux: awareness level is enough)
SELinux tutorial: http://os.51cto.com/art/201209/355490.htm
SELinux PDF e-book: http://pan.baidu.com/s/1jGGdExK
Applying iptables to a whole subnet: http://www.aminglinux.com/bbs/thread-177-1-1.html
SNAT, DNAT and MASQUERADE: http://www.aminglinux.com/bbs/thread-7255-1-1.html
Rate-limiting SYN packets with iptables: http://www.aminglinux.com/bbs/thread-985-1-1.html and http://jamyy.us.to/blog/2006/03/206.html