On CentOS 7 only ip add is available by default for viewing the network interfaces.
ifconfig
requires installing the package "net-tools".
The -a option shows all interfaces; without -a, an interface that is down is sometimes not displayed at all.
ifdown <interface>    brings an interface down
After bringing it down, ifconfig shows the interface without an IP address.
ifup <interface>    brings an interface up
These are usually applied to a single interface: for example, after changing the configuration of one interface you do not want to restart the whole network service, so you act on just that interface with ifdown/ifup.
If you are logged in remotely over SSH, do not run ifdown on the interface your session uses. If your server is in the US and you ifdown the interface you are connected through, you will never get back in and will have to ask the provider's support staff to bring it up again, which is tedious.
If that interface really has to be restarted, run
ifdown ens33 && ifup ens33
which avoids the problem.
設(shè)置虛擬網(wǎng)卡
首先需要進(jìn)入網(wǎng)卡配置文件目錄
[root@localhost ~]# cd /etc/sysconfig/network-scripts/ [root@localhost network-scripts]# ls ifcfg-ens32 ifdown-ippp ifdown-sit ifup-bnep ifup-plip ifup-Team network-functions-ipv6 ifcfg-lo ifdown-ipv6 ifdown-Team ifup-eth ifup-plusb ifup-TeamPort ifdown ifdown-isdn ifdown-TeamPort ifup-ib ifup-post ifup-tunnel ifdown-bnep ifdown-post ifdown-tunnel ifup-ippp ifup-ppp ifup-wireless ifdown-eth ifdown-ppp ifup ifup-ipv6 ifup-routes init.ipv6-global ifdown-ib ifdown-routes ifup-aliases ifup-isdn ifup-sit network-functions 創(chuàng)建配置文件 [root@localhost network-scripts]# cp ifcfg-ens32 ifcfg-ens32:0
Because : is a special character on the command line, it has to be escaped with \. Then edit the ifcfg-ens32:0 configuration file:
vim ifcfg-ens32:0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32:0
UUID=4233625f-9278-4b12-b2cf-02f3dd5ed641
DEVICE=ens32:0
ONBOOT=yes
IPADDR=192.168.133.160
NETMASK=255.255.255.0
NAME and DEVICE must be changed to the name of the virtual interface, ens32:0.
Because this is a virtual interface that shares the gateway of ens32, GATEWAY and DNS do not need to be set.
This is where the command ifdown ens32 && ifup ens32 comes in, to restart just this interface:
[root@localhost network-scripts]# ifdown ens32 && ifup ens32
成功斷開設備 'ens32'。
成功激活的連接(D-Bus 激活路徑:/org/freedesktop/NetworkManager/ActiveConnection/3)
Check the interfaces:
[root@localhost network-scripts]# ifconfig -a
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.130  netmask 255.255.255.0  broadcast 192.168.133.255
        inet6 fe80::daff:1b44:6a0f:1211  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)
        RX packets 1508  bytes 121014 (118.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 681  bytes 93413 (91.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.160  netmask 255.255.255.0  broadcast 192.168.133.255
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 112  bytes 9708 (9.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 112  bytes 9708 (9.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
發(fā)現(xiàn)多了一個(gè)ens32:0 ,可以在Windows桌面ping 一下看看是否通
C:UsersAdministrator>ping 192.168.133.160 正在 Ping 192.168.133.160 具有 32 字節(jié)的數(shù)據(jù): 來(lái)自 192.168.133.160 的回復(fù): 字節(jié)=32 時(shí)間<1ms TTL=64 來(lái)自 192.168.133.160 的回復(fù): 字節(jié)=32 時(shí)間<1ms TTL=64 來(lái)自 192.168.133.160 的回復(fù): 字節(jié)=32 時(shí)間<1ms TTL=64 來(lái)自 192.168.133.160 的回復(fù): 字節(jié)=32 時(shí)間<1ms TTL=64 192.168.133.160 的 Ping 統(tǒng)計(jì)信息: 數(shù)據(jù)包: 已發(fā)送 = 4,已接收 = 4,丟失 = 0 (0% %u4E22失), 往返行程的估計(jì)時(shí)間(以毫秒為單位): 最短 = 0ms,最長(zhǎng) = 0ms,平均 = 0ms
地址的通的,證明也是可用的
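The alias-interface procedure above (copy ifcfg-ens32, rename NAME and DEVICE, give it its own address, leave out GATEWAY and DNS) as an added Python example; it is not part of the original notes, and the parent file content, including its GATEWAY and DNS1 values, is constructed here.

```python
"""Derive the ifcfg file for an alias interface such as ens32:0 from its parent's
ifcfg-ens32 (added example, not the notes' code). It applies the notes' edits and
checks them: NAME and DEVICE become the alias name, the alias gets its own static
IPADDR/NETMASK inside the parent's subnet, GATEWAY/DNS lines are dropped because the
alias uses the parent's, and a fresh UUID is generated because each connection
profile needs its own."""
import ipaddress
import uuid

INHERITED = ("GATEWAY", "DNS1", "DNS2", "DNS3")   # the alias shares these with the parent


def parse_ifcfg(text):
    """KEY=value lines into a dict in file order; blanks and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg


def alias_ifcfg(parent_text, alias, ipaddr, netmask):
    """Return the text of ifcfg-<alias>, or raise ValueError for an inconsistent request."""
    cfg = parse_ifcfg(parent_text)
    parent = cfg["DEVICE"]
    head, sep, idx = alias.rpartition(":")
    if not (sep and head == parent and idx.isdigit()):
        raise ValueError(f"alias {alias!r} must be named {parent}:<number>")
    new_net = ipaddress.ip_interface(f"{ipaddr}/{netmask}").network
    if "IPADDR" in cfg:
        # The alias answers on the parent's link, so it must sit in the same subnet
        # and must not duplicate the parent's own address.
        parent_if = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg.get('NETMASK', netmask)}")
        if parent_if.network != new_net:
            raise ValueError(f"{ipaddr} is outside the parent's subnet {parent_if.network}")
        if str(parent_if.ip) == ipaddr:
            raise ValueError("alias must not reuse the parent's address")
    out = {k: v for k, v in cfg.items() if k not in INHERITED}
    out.update(NAME=alias, DEVICE=alias, BOOTPROTO="static", ONBOOT="yes",
               IPADDR=ipaddr, NETMASK=netmask, UUID=str(uuid.uuid4()))
    return "".join(f"{k}={v}\n" for k, v in out.items())


# Constructed parent file with the ens32 values from the notes; GATEWAY and DNS1 are
# assumed values added so that the function has something to strip.
PARENT = """\
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
UUID=4233625f-9278-4b12-b2cf-02f3dd5ed641
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.133.130
NETMASK=255.255.255.0
GATEWAY=192.168.133.2
DNS1=119.29.29.29
"""
```

Write the returned text to /etc/sysconfig/network-scripts/ifcfg-ens32:0 and restart the parent with ifdown ens32 && ifup ens32 as shown above.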
Checking whether a cable is plugged into an interface
mii-tool <interface>
[root@localhost network-scripts]# mii-tool ens32
ens32: negotiated 1000baseT-FD flow-control, link ok
If it reports link ok, the cable is connected.
If no cable is connected it reports ens32: no link.
Sometimes this command reports that the interface is not supported;
in that case use ethtool <interface>:
[root@localhost network-scripts]# ethtool ens32
Settings for ens32:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
The line to look at is Link detected: yes means the link is up, no means nothing is connected.
Changing the hostname
hostnamectl set-hostname works on CentOS 7; it is not available on CentOS 6.
[root@localhost ~]# hostnamectl set-hostname aminglinux-001
Viewing the hostname
hostname
[root@localhost ~]# hostname
aminglinux-001
The prompt only shows the new name after you log out and back in; alternatively, start a child shell and check there:
[root@localhost ~]# bash
[root@aminglinux-001 ~]#
The configuration file is /etc/hostname:
cat /etc/hostname
[root@localhost ~]# cat /etc/hostname
aminglinux-001
The DNS configuration file
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 114.114.114.114
These entries come from the DNS lines of the interface configuration file.
You can also change them temporarily by editing the file directly with vim, but that change is only temporary: it will eventually be overwritten by the values in the interface configuration file.
The hosts file
This file exists on both Windows and Linux; it maps a domain name to an IP address.
For example:
[root@localhost ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=40.9 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=37.4 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 37.431/38.997/40.994/1.503 ms
The domain resolves to 202.91.250.93.
Now edit the local hosts file:
[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com
The format is simple: the IP address, then the names separated by spaces. One line can map one IP to several names, and each line is one entry.
Ping www.qq123.com again:
[root@localhost ~]# !ping
ping www.qq123.com
PING www.qq123.com (192.168.133.130) 56(84) bytes of data.
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=3 ttl=64 time=0.064 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.054/0.097/0.173/0.053 ms
The domain now resolves to our own IP.
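The hosts-file lookup just demonstrated, as an added Python example that is not part of the original notes: it applies the file's rules (one IP per line followed by names, comments, first match wins) to a constructed copy of the edited /etc/hosts, and also lists which names the file steers away from loopback, which is the entry to audit when a hosts file is suspected of redirecting a hostname.

```python
"""Name lookup with /etc/hosts semantics (added example, not the notes' code): one IP
per line followed by one or more names, '#' starts a comment, and the first line that
carries the name wins. overrides() lists names mapped away from loopback, which is what
to audit when a hosts file is suspected of silently redirecting a hostname."""
import ipaddress


def parse_hosts(text):
    """Return [(ip_address, [names...]), ...] in file order; blanks and comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if not names:
            raise ValueError("hosts line without a name: " + raw)
        entries.append((ipaddress.ip_address(ip), names))   # raises on a malformed IP
    return entries


def lookup(text, name, family=4):
    """First matching entry wins, as in the resolver; names compare case-insensitively."""
    for ip, names in parse_hosts(text):
        if ip.version == family and name.lower() in (n.lower() for n in names):
            return str(ip)
    return None                                    # no entry: the resolver falls through to DNS


def overrides(text):
    """(name, ip) pairs whose hosts entry is not loopback: these shadow DNS on this host."""
    return [(n, str(ip)) for ip, names in parse_hosts(text)
            if not ip.is_loopback for n in names]


# Constructed copy of the hosts file as edited in the notes.
HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com   # added by hand; public DNS answers 202.91.250.93
"""
```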
這個(gè)配置,只會(huì)在本機(jī)生效
嘗試在Windows系統(tǒng)下ping一下就知道結(jié)果
C:UsersAdministrator>ping www.qq123.com 正在 Ping www.qq123.com [202.91.250.93] 具有 32 字節(jié)的數(shù)據(jù): 來(lái)自 202.91.250.93 的回復(fù): 字節(jié)=32 時(shí)間=35ms TTL=230 來(lái)自 202.91.250.93 的回復(fù): 字節(jié)=32 時(shí)間=34ms TTL=230 來(lái)自 202.91.250.93 的回復(fù): 字節(jié)=32 時(shí)間=44ms TTL=230 來(lái)自 202.91.250.93 的回復(fù): 字節(jié)=32 時(shí)間=35ms TTL=230 202.91.250.93 的 Ping 統(tǒng)計(jì)信息: 數(shù)據(jù)包: 已發(fā)送 = 4,已接收 = 4,丟失 = 0 (0% %u4E22失), 往返行程的估計(jì)時(shí)間(以毫秒為單位): 最短 = 34ms,最長(zhǎng) = 44ms,平均 = 37ms 10.12 firewalld和netfilter SELINUX防火墻
SELinux is usually left disabled, because enabling it raises the cost of operations: many services are restricted by SELinux. In practice, turning SELinux off does not cause a big security problem.
We already did this when setting up key-based authentication: if SELinux is not disabled at that point, logging in does not work.
Disable it temporarily:
setenforce 0
Disabling it permanently requires editing the configuration file:
vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing        // change to disabled to turn SELinux off permanently
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
A reboot is required for this to take effect.
Check the current SELinux state:
getenforce
[root@localhost ~]# getenforce
Enforcing        // means it is on
Disable it temporarily:
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive        // permissive: when something would have to be blocked, only a warning is issued and nothing is actually blocked
The netfilter firewall
In the versions before CentOS 7 it was called netfilter; in version 7 it was renamed firewalld. The two mechanisms are not quite the same, but the underlying tool, iptables, is used in the same way.
On version 7 we can turn firewalld off and turn netfilter on, that is, using the CentOS 6 firewall mechanism on version 7 is perfectly fine.
Turning off firewalld
systemctl disable firewalld    // first disable the service so that it does not start at boot
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
systemctl stop firewalld    // stop the service
Turning on netfilter
Before enabling it, a package must be installed:
"iptables-services"
[root@localhost ~]# yum install -y iptables-services
Once installed it provides a service:
systemctl enable iptables
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Start the service:
systemctl start iptables    // start the service
[root@localhost ~]# systemctl start iptables
View the default iptables rules:
iptables -nvL
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   356 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
==iptables is only a tool used by both the firewalld and netfilter firewalls; it is not the firewall itself==
10.13 The 5 tables and 5 chains of netfilter
man iptables describes the 5 tables and their chains:
filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
PS: the default table contains three built-in chains, INPUT, FORWARD and OUTPUT. INPUT is the chain an incoming packet passes through; FORWARD handles packets that reach this host and are passed on to another machine; OUTPUT is the chain this host's own packets pass through before leaving.
nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
當(dāng)遇到創(chuàng)建新連接的包時(shí),就會(huì)參考這個(gè)表。它包括三個(gè)內(nèi)置的:預(yù)發(fā)布(在它們進(jìn)來(lái)時(shí)就更改數(shù)據(jù)包)、輸出(在路由之前對(duì)本地生成的包進(jìn)行修改)和POSTROUTING(用于在它們即將過(guò)時(shí)時(shí)更改數(shù)據(jù)包)。IPv6 NAT支持從內(nèi)核3.7開(kāi)始。 PS:PREROUTING鏈,進(jìn)來(lái)的那一刻進(jìn)行操作,POSTROUTING鏈,在出去的那一刻進(jìn)行操作;nat表常用于共享上網(wǎng),端口映射
mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
PS: rarely used.
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
PS: rarely used.
security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
PS: rarely used.
How iptables passes a packet through the chains
From the packet-flow diagram, three points follow:
When a packet arrives at the NIC it first enters the PREROUTING chain, where the kernel decides from the destination IP whether the packet has to be forwarded elsewhere.
If the packet is destined for this host, it moves down to the INPUT chain; once it has passed INPUT, any local process can receive it. Programs running on this host can send packets; these pass through the OUTPUT chain and then POSTROUTING before leaving.
If the packet is to be forwarded and the kernel allows forwarding, it moves across through the FORWARD chain and then leaves via POSTROUTING.
10.14 iptables syntax
Viewing the rules
iptables -nvL
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  705 71728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   38  4673 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 668 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
Where the rules are saved
cat /etc/sysconfig/iptables
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Flushing the rules
iptables -F
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
After flushing, the rules in the file are still there:
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
To save the rules currently in effect to the file, run:
service iptables save
If the rules are not saved, a restart of iptables reloads the rules from the configuration file.
Restarting the iptables service
systemctl restart iptables.service
[root@localhost ~]# systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables options
By default iptables operates on the filter table.
The -t option selects which table to operate on:
[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   562 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
The -Z option resets the counters
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107  7916 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   791 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 72 packets, 9804 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -Z ; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
The pkts and bytes columns are now empty, but running iptables -nvL again shows new values, because traffic is flowing all the time and the counters change constantly.
Command syntax
iptables -A INPUT -p tcp --dport 80 -j DROP
Even in the short form, the chain and the protocol must be specified, otherwise the command errors out.
Reading a command:
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
The filter table is used by default; -A appends a rule; INPUT is the chain to operate on; -s sets the source IP to 192.168.188.1; -p selects the TCP protocol; --sport sets the source port to 1234; -d sets the destination IP to 192.168.188.128; --dport sets the destination port to 80; -j sets the action to DROP (discard) or REJECT (refuse).
The difference between DROP and REJECT: REJECT looks at the data and then tells the sender it is not allowed, which is the polite approach; DROP discards whatever the rule disallows without looking at what is inside (DROP is the more commonly used of the two).
The -A option
-A appends a new rule at the bottom of the chain:
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  5040 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   12  2070 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80    // -A: queued after all existing rules

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1248 bytes)
 pkts bytes target     prot opt in     out     source               destination
The -I option
-I inserts the rule at the very top, so it is evaluated first:
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    // -I: the rule goes straight to the front
  130 11252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  4897 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
When filtering, the rules are matched one by one from top to bottom, so the rule at the top is naturally the first to be used.
The -D option deletes a rule
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 17204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
The rule has been deleted.
Deleting a rule by its number
Simply changing -I or -A to -D is quick, but what if the command is no longer in the history, or you cannot remember exactly how the rule was defined?
iptables -nvL --line-number
shows the rules with their sequence numbers:
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      202 17760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 2468 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Delete a rule by its number:
[root@localhost ~]# iptables -D INPUT 7
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      266 22396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 3108 bytes)
num   pkts bytes target     prot opt in     out     source               destination
The -P option sets the default policy
iptables -P OUTPUT DROP
The default policy is easy to get wrong, so changing it is generally not recommended.
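The rule-ordering behaviour described above (-A appends below the catch-all REJECT so the new DROP never sees a packet, -I puts it first, -D by line number, -P as the fallback) as an added Python example that is not part of the original notes: a small first-match simulator for the filter chains that accepts the notes' own command syntax, with the default ruleset and a constructed packet from the notes' example client.

```python
"""First-match simulator for iptables filter chains (added example, not the notes' code):
it takes the rule syntax the notes use and walks a chain top to bottom like netfilter."""
import shlex
PKT_KEY = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "in",
           "--sport": "sport", "--dport": "dport"}   # option -> constructed packet field

def parse_rule(argv):
    """'-p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' -> (criteria, target)."""
    match, target = {}, None
    for opt, val in zip(argv[::2], argv[1::2]):   # every option here takes one value
        if opt == "-j":
            target = val
        elif opt in ("-m", "--reject-with"):
            continue  # module loader / target option: no effect on matching
        elif opt in PKT_KEY or opt == "--state":
            match[opt] = val
        else:
            raise ValueError("unsupported option: " + opt)
    return match, target

def rule_matches(match, pkt):
    """Every criterion must hold; 0.0.0.0/0 is the any-address wildcard."""
    for opt, want in match.items():
        if opt == "--state":
            if pkt["state"] not in want.split(","):
                return False
        elif want != "0.0.0.0/0" and pkt.get(PKT_KEY[opt]) != want:
            return False
    return True

class Firewall:
    def __init__(self):
        self.policy = {c: "ACCEPT" for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.rules = {c: [] for c in self.policy}

    def run(self, cmd):
        argv = shlex.split(cmd)
        op, chain, rest = argv[1], argv[2], argv[3:]   # argv[0] is 'iptables'
        if op == "-P":
            self.policy[chain] = rest[0]                 # used only if no rule matches
        elif op == "-A":
            self.rules[chain].append(parse_rule(rest))   # bottom of the chain
        elif op == "-I":
            self.rules[chain].insert(0, parse_rule(rest))  # top of the chain
        elif op == "-D" and rest[0].isdigit():
            del self.rules[chain][int(rest[0]) - 1]      # --line-numbers start at 1
        elif op == "-D":
            self.rules[chain].remove(parse_rule(rest))   # first identical rule only

    def verdict(self, chain, pkt):
        """First matching rule decides; the chain policy applies only if none matches."""
        for match, target in self.rules[chain]:
            if rule_matches(match, pkt):
                return target
        return self.policy[chain]

DEFAULT_RULES = [  # the default /etc/sysconfig/iptables ruleset listed in the notes
    "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -p icmp -j ACCEPT",
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited"]

def demo():
    """Why the DROP appended with -A in the notes never counts a packet while -I does."""
    fw = Firewall()
    for rule in DEFAULT_RULES:
        fw.run(rule)
    # Constructed packet: a new HTTP connection from the client address used in the notes.
    http = {"src": "192.168.188.1", "dst": "192.168.188.128", "proto": "tcp",
            "sport": "1234", "dport": "80", "in": "ens32", "state": "NEW"}
    before = fw.verdict("INPUT", http)    # REJECT: the catch-all rule 5 fires
    fw.run("iptables -A INPUT -p tcp --dport 80 -j DROP")
    appended = fw.verdict("INPUT", http)  # still REJECT: rule 5 shadows the new rule 6
    fw.run("iptables -I INPUT -p tcp --dport 80 -j DROP")
    inserted = fw.verdict("INPUT", http)  # DROP: the inserted rule is evaluated first
    return before, appended, inserted
```

The zero pkts counter on the appended DROP rule in the listings above is exactly this effect: the REJECT rule in position 5 answers first.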