Linux daily ops and maintenance tips (2)

Linux firewall

  • Temporarily disable SELinux: setenforce 0


[root@zyshanlinux-01 ~]# getenforce  ##current SELinux status: enforcing
Enforcing
[root@zyshanlinux-01 ~]# setenforce 0  ##disable temporarily
[root@zyshanlinux-01 ~]# getenforce  ##status after the temporary disable
Permissive

SELinux is a Linux-specific security mechanism; because it is so troublesome to configure, almost nobody really uses it. After installing a system we usually choose to disable SELinux.

  • Permanently disable SELinux: vi /etc/selinux/config. To reduce ops overhead it can be disabled permanently, since many services are restricted by SELinux.


[root@zyshanlinux-01 ~]# vi /etc/selinux/config  ##a permanent disable requires editing the config file
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing  ##change this line to SELINUX=disabled, then reboot the system.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


[root@zyshanlinux-001 ~]# getenforce  ##status after the reboot
Disabled

  • Before CentOS 7, the netfilter firewall was used

On CentOS 5 and 6 the firewall is netfilter, and its configuration tool is iptables. CentOS 7 uses the firewalld firewall, whose configuration tool is also iptables. Many enterprises, however, still run CentOS 6.

firewalld is backward compatible with netfilter, so netfilter's configuration method can also be used under firewalld.

  • CentOS 7 onward uses the firewalld firewall

  • How to disable firewalld and enable netfilter (the iptables service)


[root@zyshanlinux-001 ~]# systemctl disable firewalld  ##disable it first so it does not start at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@zyshanlinux-001 ~]# systemctl stop firewalld  ##stop the running service
[root@zyshanlinux-001 ~]# yum install -y iptables-services  ##install this package first; it provides the iptables service
[root@zyshanlinux-001 ~]# systemctl enable iptables  ##enable the iptables service at boot
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@zyshanlinux-001 ~]# systemctl start iptables  ##start the iptables service
[root@zyshanlinux-001 ~]# iptables -nvL  ##this command shows the default rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   37  2508 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 23 packets, 2028 bytes)
 pkts bytes target     prot opt in     out     source               destination 

netfilter

  • netfilter's 5 tables

  • filter table: filters packets; the most commonly used table, with three chains: INPUT, FORWARD and OUTPUT

  • nat table: network address translation, with three chains: PREROUTING, OUTPUT and POSTROUTING

  • mangle table: marks packets; rarely used

  • raw table: exempts certain packets from connection tracking; rarely used

  • security table: absent on CentOS 6; holds network rules for mandatory access control (MAC); rarely used

  • Reference article: http://www.cnblogs.com/metoy/p/4320813.html

  • Packet flow and netfilter's 5 chains

  • PREROUTING: before the packet reaches the routing decision

  • INPUT: after the routing decision, when the destination is this host

  • FORWARD: after the routing decision, when the destination is not this host

  • OUTPUT: packets generated by this host and sent out

  • POSTROUTING: just before the packet is handed to the network interface

  • View iptables rules: iptables -nvL


[root@zyshanlinux-001 ~]# iptables -nvL  ##view the rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 
[root@zyshanlinux-001 ~]# cat /etc/sysconfig/iptables  ##the iptables rules configuration file
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

  • iptables -F flushes the rules


[root@zyshanlinux-001 ~]# iptables -F  ##flush the rules
[root@zyshanlinux-001 ~]# iptables -nvL  ##the rules are gone, but only from memory
Chain INPUT (policy ACCEPT 16 packets, 1204 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 1928 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@zyshanlinux-001 ~]# cat /etc/sysconfig/iptables  ##the rules are still saved in the config file
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@zyshanlinux-001 ~]# service iptables restart  ##after restarting the iptables service or the system, the rules are loaded back
Redirecting to /bin/systemctl restart iptables.service
[root@zyshanlinux-001 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination 

  • service iptables save: save the rules

Changes to iptables rules take effect only in memory; for them to survive a service or system restart you must run the save command.

  • iptables -t nat  //-t specifies the table


[root@zyshanlinux-001 ~]# iptables -t nat -nvL  ##specify the nat table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

  • iptables -Z zeroes the counters; a later script will use this


[root@zyshanlinux-001 ~]# iptables -t filter -nvL  ##this is the same as iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   63  4264 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 36 packets, 4600 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@zyshanlinux-001 ~]# iptables -Z;iptables -nvL  ##packet counts and byte sizes have been zeroed
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

  • iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

Note: --sport and --dport can only be used together with -p tcp.


[root@zyshanlinux-001 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@zyshanlinux-001 ~]# iptables -nvL  ##the added rule went to the end of the chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  172 13128 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   244 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination

  • iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP


[root@zyshanlinux-001 ~]# iptables -I INPUT -p tcp --dport 80 -j DROP  ##-I inserts at the very front of the chain
[root@zyshanlinux-001 ~]# iptables -nvL  ##-I inserts, -A appends; earlier rules filter first. When an earlier and a later rule match the same traffic, packets matched by the earlier rule never reach the later one, so the later rule never sees them.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  318 23200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
[root@zyshanlinux-001 ~]# iptables -D INPUT -p tcp --dport 80 -j DROP  ##-D deletes a rule
[root@zyshanlinux-001 ~]# iptables -nvL  ##the first rule is gone
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  373 28196 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
[root@zyshanlinux-001 ~]# 
[root@zyshanlinux-001 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP  ##-D delete the last rule

  • iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

-i eth0 matches a specific network interface

  • iptables -nvL --line-numbers ##when so much time has passed that you no longer remember a rule's exact spec and cannot delete it with -D, this command shows each rule's number so you can delete by number.


[root@zyshanlinux-001 ~]# iptables -nvL --line-numbers  
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      492 39336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 101 packets, 11124 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@zyshanlinux-001 ~]# iptables -D INPUT 6  ##delete rule number 6 in the INPUT chain
[root@zyshanlinux-001 ~]# iptables -nvL --line-numbers  ##only 5 rules remain in the INPUT chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      560 43984 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes)
num   pkts bytes target     prot opt in     out     source               destination     
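The lookup the page does by eye above, scripted, as an added example that is not from the original post: it parses `iptables -nvL --line-numbers` output, returns the rule numbers in a chain that match a pattern (highest first, so deleting them in that order never invalidates a number you have not used yet) and prints the matching `iptables -D` commands. The iptables path /usr/sbin/iptables is assumed, as in the page's own script, and the sample listing is constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the original post: find rule numbers in the output of
# `iptables -nvL --line-numbers` so rules can be deleted by position, as the page
# does with `iptables -D INPUT 6`. Assumes iptables at /usr/sbin/iptables (from the page).
IPT="${IPT:-/usr/sbin/iptables}"

# rule_nums CHAIN PATTERN: read a --line-numbers listing on stdin and print the numbers
# of the rules in CHAIN whose text matches PATTERN (an awk extended regex), highest first.
# Highest-first matters: deleting rule 3 renumbers rules 4, 5, 6, so deleting in
# descending order keeps every remaining number valid.
rule_nums() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain /                                    { cur = $2; next }   # "Chain INPUT (policy ...)"
        cur == chain && $1 ~ /^[0-9]+$/ && $0 ~ pat  { print $1 }
    ' | sort -rn
}

# delete_cmds CHAIN PATTERN: turn the listing on stdin into the exact delete commands.
# Review the output before piping it into sh, for example:
#   $IPT -nvL --line-numbers | delete_cmds INPUT 'spt:1234'
delete_cmds() {
    rule_nums "$1" "$2" | while read -r n; do
        echo "$IPT -D $1 $n"
    done
}

# Constructed sample, modelled on the listing shown above (INPUT has 6 rules, FORWARD 1).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      492 39336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        2   488 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Demo on the sample; on a real host feed it a live listing instead:
#   printf '%s\n' "$SAMPLE_LISTING" | delete_cmds INPUT 'spt:1234'
```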

  • iptables -D INPUT 1

  • iptables -P INPUT DROP: better not to touch this default policy; leave it at the default


Chain OUTPUT (policy ACCEPT 14 packets, 2760 bytes)  ##when the OUTPUT chain has no rules, the default policy ACCEPT applies
num   pkts bytes target     prot opt in     out     source               destination 

[root@zyshanlinux-001 ~]# iptables -P INPUT DROP  ##if you change this default policy to DROP, your remote connection is cut, because DROP blocks all traffic. You then have to go to the local console and set the default policy back to ACCEPT
[root@zyshanlinux-001 ~]# iptables -P INPUT ACCEPT  ##letting traffic through again is enough

iptables filter table: a small case study

  • Small iptables case

  • vi /usr/local/sbin/iptables.sh  //add the following content

#!/bin/bash
ipt="/usr/sbin/iptables"   ## define the variable
$ipt -F                    ## first flush the existing rules
$ipt -P INPUT DROP         ## set the default policies
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   ## add rules
$ipt -A INPUT -s 192.168.106.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

Then run the script: sh /usr/local/sbin/iptables.sh


[root@zyshanlinux-001 ~]# w
 17:24:25 up  5:15,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.106.1    12:09    1.00s  0.18s  0.00s w
[root@zyshanlinux-001 ~]# vi /usr/local/sbin/iptables.sh  ##add the code above
[root@zyshanlinux-001 ~]# w  ##the 106 subnet is allowed through
 17:26:10 up  5:17,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.106.1    12:09    2.00s  0.18s  0.00s w
root     pts/1    192.168.106.1    17:25   26.00s  0.01s  0.01s -bash
[root@zyshanlinux-001 ~]# sh /usr/local/sbin/iptables.sh  ##run the script
[root@zyshanlinux-001 ~]# iptables -nvL  ##the rules have been added
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  2112 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.106.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 17 packets, 1644 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@zyshanlinux-001 ~]# iptables -nvL  ##packet counts and byte sizes have indeed increased
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   36  2392 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.106.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 20 packets, 2832 bytes)
 pkts bytes target     prot opt in     out     source               destination 
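A safer ordering for the same rule set, written as an added example rather than the page's own script: the allow rules (plus loopback) go in while the INPUT policy is still ACCEPT, the policy becomes DROP only as the last step, and a timed rollback guards against the lock-out described under `iptables -P INPUT DROP` above. It assumes /usr/sbin/iptables and the 192.168.106.0/24 management subnet from the page; IPT="echo iptables" gives a dry run that only prints the commands.

```shell
#!/bin/bash
# Added example, not the original post's script: the rule set of iptables.sh above,
# applied in an order that cannot lock the administrator out.
# Assumptions (both from the page): iptables at /usr/sbin/iptables, management subnet
# 192.168.106.0/24. Set IPT="echo iptables" for a dry run.
IPT="${IPT:-/usr/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.106.0/24}"

# Print the rule set, one iptables argument list per line, in the order it must be applied.
# Allow rules are installed while the INPUT policy is still ACCEPT; the policy is switched
# to DROP only at the end, so if any earlier line fails the chain is still open.
# The original script flips the policy to DROP first.
rules() {
    echo "-F"
    # any established session (including the SSH session running this script) keeps working
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # loopback is not in the original script; without it local services that talk to
    # 127.0.0.1 break once the policy is DROP
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "-A INPUT -p tcp --dport 21 -j ACCEPT"
    echo "-P OUTPUT ACCEPT"
    echo "-P FORWARD ACCEPT"
    echo "-P INPUT DROP"
}

# Apply every line of rules() with $IPT; stop at the first failure.
apply_rules() {
    rules | while read -r line; do
        # word splitting of $line is intended: each line is one argument list
        # shellcheck disable=SC2086
        $IPT $line || { echo "failed: $IPT $line" >&2; exit 1; }
    done
}

# Safety net for the "-P INPUT DROP cuts your remote session" case: put the policy back
# to ACCEPT after $1 seconds (default 120). Once you have confirmed you can still log in,
# cancel it with: kill $ROLLBACK_PID
arm_rollback() {
    delay="${1:-120}"
    ( sleep "$delay" && $IPT -P INPUT ACCEPT ) &
    ROLLBACK_PID=$!
}

# 1-based position of the first rules() line matching $1 (a basic regex); empty if none.
position_of() { rules | grep -n -e "$1" | head -n 1 | cut -d: -f1; }

case "${1:-}" in
    apply)   arm_rollback 120; apply_rules; echo "rollback armed, pid $ROLLBACK_PID" ;;
    dry-run) IPT="echo iptables"; apply_rules ;;
esac
```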

  • ICMP example

  • iptables -I INPUT -p icmp --icmp-type 8 -j DROP: you can ping others, but others cannot ping you


[root@zyshanlinux-001 ~]# service iptables restart  ##first restore the rules from the earlier script to the default policy
Redirecting to /bin/systemctl restart iptables.service
[root@zyshanlinux-001 ~]# iptables -nvL  ##the script's rules are replaced by the default rules
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@zyshanlinux-001 ~]# iptables -I INPUT -p icmp --icmp-type 8 -j DROP  ##you can ping outside, but outside cannot ping you
[root@zyshanlinux-001 ~]# ping www.qq.com  ##pinging outside works
PING www.qq.com (140.206.160.207) 56(84) bytes of data.
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=1 ttl=128 time=59.9 ms
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=2 ttl=128 time=52.2 ms
64 bytes from 140.206.160.207 (140.206.160.207): icmp_seq=3 ttl=128 time=54.6 ms
^C
--- www.qq.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 52.263/55.614/59.906/3.196 ms

Pinging this host is not allowed.


C:\Users\zhengyushan>ping 192.168.106.128

正在 Ping 192.168.106.128 具有 32 字節的數據:
請求超時。

[root@zyshanlinux-001 ~]# service iptables restart  ##restore the default rules
Redirecting to /bin/systemctl restart iptables.service

nat table application

  • Machine A has two NICs: ens33 (192.168.133.130), which can reach the internet, and ens37 (192.168.100.1), which is on the internal network only. Machine B has only ens37 (192.168.100.100) and can communicate with A's ens37.

  • Requirement 1: let machine B reach the internet

  • On A, enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward

  • On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

Requirement 1: detailed steps

1. Add a second NIC to machine A

Default settings

Choose the "LAN segment" network connection

Choose LAN segment "network switch 01"

Machine B is a clone of A, so its existing NIC already has an IP configured; remove that NIC

Add a new NIC, also connected to LAN segment "network switch 01"

Give A's new NIC ens37 a temporary IP from the command line: 192.168.100.1


[root@zyshanlinux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.106.128  netmask 255.255.255.0  broadcast 192.168.106.255
        inet6 fe80::8fc3:bbdf:ba89:22a7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)
        RX packets 76  bytes 8349 (8.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 12925 (12.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.106.150  netmask 255.255.255.0  broadcast 192.168.106.255
        ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::7285:a690:d34:bb0c  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a1:d4:f5  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 2736 (2.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 4326 (4.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 40  bytes 3192 (3.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 3192 (3.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@zyshanlinux-001 ~]# ifconfig ens37 192.168.100.1/24  ##set the IP manually from the command line; this is temporary and lost on reboot. For a permanent setting edit the config file; ens37 has no config file yet, so copy ens33's and change each parameter.
[root@zyshanlinux-001 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.106.128  netmask 255.255.255.0  broadcast 192.168.106.255
        inet6 fe80::8fc3:bbdf:ba89:22a7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)
        RX packets 242  bytes 20623 (20.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 156  bytes 25683 (25.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.106.150  netmask 255.255.255.0  broadcast 192.168.106.255
        ether 00:0c:29:a1:d4:eb  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:fea1:d4f5  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a1:d4:f5  txqueuelen 1000  (Ethernet)
        RX packets 20  bytes 6840 (6.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 9320 (9.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 40  bytes 3192 (3.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 3192 (3.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Machine B cannot be reached remotely and must be operated from the local console. Its ens33 has already been physically disconnected; to be safe, also bring the NIC down with: ifdown ens33

Again, give machine B a temporary IP from the command line: 192.168.100.100

Set machine B's default gateway to A: route add default gw 192.168.100.1

Set machine B's DNS: vi /etc/resolv.conf

Add to the file: nameserver 119.29.29.29

With machine A acting as the forwarding router, kernel IP forwarding must be enabled for NAT to work


[root@zyshanlinux-001 ~]# cat /proc/sys/net/ipv4/ip_forward  ##defaults to 0: kernel forwarding is not enabled
0
[root@zyshanlinux-001 ~]# echo "1" > !$
echo "1" > /proc/sys/net/ipv4/ip_forward
[root@zyshanlinux-001 ~]# !cat
cat /proc/sys/net/ipv4/ip_forward  ##forwarding is now on; NAT cannot work without kernel IP forwarding
1
[root@zyshanlinux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE  ##add this rule: it masquerades the 192.168.100.0 subnet so that it can reach the internet
[root@zyshanlinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0   ##the added rule is here

Result:

Machine A can ping the internet and can ping machine B at 192.168.100.100; everything pings.

Machine B can only ping A's ens37 (its gateway); the internet, public addresses and DNS cannot be pinged.

The temporary IPs 100.1 and 100.100 assigned from the command line are easily lost, even without logging out the current user.

  • On B, set the gateway to 192.168.100.1

  • Requirement 2: machine C can only talk to A; let C connect directly to port 22 on machine B

  • On A, enable IP forwarding: echo "1" > /proc/sys/net/ipv4/ip_forward

  • On A, run: iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22

  • On A, run: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130

  • On B, set the gateway to 192.168.100.1

Requirement 2: experiment steps

Operations on machine A


[root@zyshanlinux-001 ~]# cat /proc/sys/net/ipv4/ip_forward  ##forwarding is on; this was done above, just confirming
1
##delete the rule from the previous test, then add 2 rules
[root@zyshanlinux-001 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@zyshanlinux-001 ~]# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@zyshanlinux-001 ~]# iptables -t nat -A PREROUTING -d 192.168.43.32 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@zyshanlinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.43.32        tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@zyshanlinux-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.43.32
[root@zyshanlinux-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.43.32        tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.43.32

Operations on machine B: set the gateway


[root@zyshanlinux-001 ~]# route add default gw 192.168.100.1
[root@zyshanlinux-001 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 ens37
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 ens37

Remote connection

Requirement 2 failed
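One thing to rule out when forwarded traffic fails (the page does not record why requirement 2 failed), as an added example that is not the page's own code: a pre-flight check that confirms ip_forward is 1 and that the filter table's FORWARD chain does not still carry the stock catch-all `-A FORWARD -j REJECT` that `service iptables restart` loads back, as shown earlier on this page. Paths assumed from the page: /proc/sys/net/ipv4/ip_forward and /usr/sbin/iptables; the two listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the NAT setups above.
# Traffic forwarded through A needs two things the page's steps do not verify together:
# net.ipv4.ip_forward must be 1, and the filter table's FORWARD chain must not reject it.
# The stock rule set restored by `service iptables restart` contains
# "-A FORWARD -j REJECT --reject-with icmp-host-prohibited", which blocks every forwarded packet.
# Assumed paths (from the page): /proc/sys/net/ipv4/ip_forward and /usr/sbin/iptables.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
IPT="${IPT:-/usr/sbin/iptables}"

# succeed (0) when the kernel forwards packets between interfaces
forwarding_enabled() { [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]; }

# read `iptables -nvL` (filter table) on stdin; succeed (0) when the FORWARD chain would
# block forwarded packets: its policy is DROP, or it holds a catch-all REJECT/DROP
# (all protocols, any interface, any source, any destination).
# Columns without --line-numbers: pkts bytes target prot opt in out source destination
forward_chain_blocks() {
    awk '
        /^Chain / { cur = $2; if (cur == "FORWARD" && $0 ~ /policy DROP/) blocked = 1; next }
        cur == "FORWARD" && ($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
            $6 == "*" && $7 == "*" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { blocked = 1 }
        END { exit blocked ? 0 : 1 }
    '
}

# Run both checks against the live system; report what is missing and return non-zero.
preflight() {
    ok=0
    forwarding_enabled || { echo "ip_forward is not 1: echo 1 > $IP_FORWARD_FILE" >&2; ok=1; }
    if $IPT -nvL FORWARD | forward_chain_blocks; then
        echo "FORWARD chain rejects forwarded traffic; insert ACCEPT rules for the NAT'd traffic ahead of the REJECT" >&2
        ok=1
    fi
    return $ok
}

# Constructed listing: the stock CentOS filter rules as shown after `service iptables restart`
STOCK_FILTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1444 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed listing: the FORWARD chain after the case-study script (policy ACCEPT, no rules)
OPEN_FILTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
```

On machine A, `preflight` run as root before adding the nat rules reports both conditions in one go.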

Further reading (SELinux: awareness is enough)

SELinux tutorial http://os.51cto.com/art/201209/355490.htm

SELinux PDF e-book http://pan.baidu.com/s/1jGGdExK

iptables applied to one subnet http://www.aminglinux.com/bbs/thread-177-1-1.html

SNAT, DNAT, MASQUERADE http://www.aminglinux.com/bbs/thread-7255-1-1.html

iptables SYN rate limiting http://www.aminglinux.com/bbs/thread-985-1-1.html http://jamyy.us.to/blog/2006/03/206.html
