On CentOS 7 only ip add can be used to view the interfaces by default.
ifconfig
Install the package "net-tools" to get it.
The -a option shows all interfaces; without -a, an interface that is down is sometimes not listed.
ifdown <interface>    bring an interface down
After an interface is brought down, ifconfig shows it without an IP address.
ifup <interface>    bring an interface up
These are commonly used on a single interface: for example, after changing one interface's configuration you may not want to restart the whole network service, so you use ifdown/ifup on that interface only.
If you are logged in remotely over ssh, do not use the ifdown command. Suppose your server is in the US and you run ifdown on the interface you are connected through: you will never get back onto that server and will have to ask the people over there to bring the interface back up, which is a hassle.
If you really must restart that interface, run
ifdown ens33 && ifup ens33
and the problem is avoided.
Setting up a virtual interface
First go to the directory that holds the interface configuration files
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens32  ifdown-ippp    ifdown-sit       ifup-bnep  ifup-plip    ifup-Team          network-functions-ipv6
ifcfg-lo     ifdown-ipv6    ifdown-Team      ifup-eth   ifup-plusb   ifup-TeamPort
ifdown       ifdown-isdn    ifdown-TeamPort  ifup-ib    ifup-post    ifup-tunnel
ifdown-bnep  ifdown-post    ifdown-tunnel    ifup-ippp  ifup-ppp     ifup-wireless
ifdown-eth   ifdown-ppp     ifup             ifup-ipv6  ifup-routes  init.ipv6-global
ifdown-ib    ifdown-routes  ifup-aliases     ifup-isdn  ifup-sit     network-functions
Create the configuration file
[root@localhost network-scripts]# cp ifcfg-ens32 ifcfg-ens32:0
Because the colon (:) is a special character on the command line, it has to be escaped with a backslash (\).
Edit the ifcfg-ens32:0 configuration file
vim ifcfg-ens32:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32:0
UUID=4233625f-9278-4b12-b2cf-02f3dd5ed641
DEVICE=ens32:0
ONBOOT=yes
IPADDR=192.168.133.160
NETMASK=255.255.255.0
NAME and DEVICE need to be changed to the name of the virtual interface, ens32:0.
Because it is a virtual interface that shares the gateway of ens32, GATEWAY and DNS can both be left out.
Now the command ifdown ens32 && ifup ens32 comes into play to restart this interface
[root@localhost network-scripts]# ifdown ens32 && ifup ens32
成功斷開設備 'ens32'。
成功激活的連接(D-Bus 激活路徑:/org/freedesktop/NetworkManager/ActiveConnection/3)
Check the interfaces
[root@localhost network-scripts]# ifconfig -a
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.130  netmask 255.255.255.0  broadcast 192.168.133.255
        inet6 fe80::daff:1b44:6a0f:1211  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)
        RX packets 1508  bytes 121014 (118.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 681  bytes 93413 (91.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.160  netmask 255.255.255.0  broadcast 192.168.133.255
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 112  bytes 9708 (9.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 112  bytes 9708 (9.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
A new ens32:0 has appeared; ping it from the Windows desktop to see whether it is reachable
C:\Users\Administrator>ping 192.168.133.160

正在 Ping 192.168.133.160 具有 32 字節的數據:
來自 192.168.133.160 的回復: 字節=32 時間<1ms TTL=64
來自 192.168.133.160 的回復: 字節=32 時間<1ms TTL=64
來自 192.168.133.160 的回復: 字節=32 時間<1ms TTL=64
來自 192.168.133.160 的回復: 字節=32 時間<1ms TTL=64

192.168.133.160 的 Ping 統計信息:
    數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒為單位):
    最短 = 0ms,最長 = 0ms,平均 = 0ms
The address is reachable, which shows the alias is usable.
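As an added example (not part of the original notes), the shell functions below do the copy-and-edit of the alias file described above automatically: they derive ifcfg-ens32:0 from the parent's ifcfg file, set NAME/DEVICE/IPADDR/NETMASK, force BOOTPROTO=static, drop GATEWAY and DNS lines, and then check the result. The parent file content and the paths are constructed here, not the page's real files.

```shell
#!/bin/sh
# make_alias_cfg PARENT_CFG ALIAS_DEV IPADDR NETMASK OUT_CFG
# Copies PARENT_CFG to OUT_CFG, forces BOOTPROTO=static, sets NAME/DEVICE to
# the alias name and IPADDR/NETMASK to the alias address, and drops GATEWAY
# and DNS lines: the alias shares the parent's gateway and DNS.
make_alias_cfg() {
    awk -v dev="$2" -v ip="$3" -v mask="$4" '
        /^(GATEWAY|DNS[0-9]*)=/ { next }              # inherited from parent
        /^BOOTPROTO=/ { print "BOOTPROTO=static"; next }
        /^NAME=/      { print "NAME=" dev; next }
        /^DEVICE=/    { print "DEVICE=" dev; next }
        /^IPADDR=/    { print "IPADDR=" ip; seen_ip = 1; next }
        /^NETMASK=/   { print "NETMASK=" mask; seen_mask = 1; next }
        { print }
        END {
            if (!seen_ip)   print "IPADDR=" ip      # parent was dhcp: add them
            if (!seen_mask) print "NETMASK=" mask
        }' "$1" > "$5"
}

# cfg_get FILE KEY: value of the KEY= line in an ifcfg file (empty if absent)
cfg_get() { sed -n "s/^$2=//p" "$1"; }

# check_alias_cfg FILE ALIAS_DEV: returns 0 when NAME and DEVICE carry the
# alias name, an IPADDR is set, and no GATEWAY/DNS line is present; this is
# the "change NAME and DEVICE to ens32:0" step from the notes as a check.
check_alias_cfg() {
    [ "$(cfg_get "$1" NAME)" = "$2" ] || return 1
    [ "$(cfg_get "$1" DEVICE)" = "$2" ] || return 1
    [ -n "$(cfg_get "$1" IPADDR)" ] || return 1
    [ -z "$(cfg_get "$1" GATEWAY)" ] || return 1
    ! grep -q '^DNS[0-9]*=' "$1"
}

# Constructed parent file for the demonstration (not the real ifcfg-ens32).
TMPD=$(mktemp -d)
cat > "$TMPD/ifcfg-ens32" <<'EOF'
TYPE=Ethernet
BOOTPROTO=dhcp
NAME=ens32
DEVICE=ens32
ONBOOT=yes
GATEWAY=192.168.133.2
DNS1=119.29.29.29
EOF
make_alias_cfg "$TMPD/ifcfg-ens32" ens32:0 192.168.133.160 255.255.255.0 "$TMPD/ifcfg-ens32:0"
check_alias_cfg "$TMPD/ifcfg-ens32:0" ens32:0 && echo "alias config looks consistent"
```

On a real host the same call would be run against /etc/sysconfig/network-scripts/ifcfg-ens32, followed by the ifdown/ifup pair shown above.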
Checking whether a cable is plugged into an interface
mii-tool <interface>
[root@localhost network-scripts]# mii-tool ens32
ens32: negotiated 1000baseT-FD flow-control, link ok
If it says link ok, the cable is connected.
If no cable is connected, it reports ens32: no link
Sometimes this command turns out not to be supported;
then you can use ethtool <interface>
[root@localhost network-scripts]# ethtool ens32
Settings for ens32:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes
The main thing to look at is Link detected: yes means the link is up; no means nothing is connected.
Changing the hostname
hostnamectl set-hostname works on CentOS 7; CentOS 6 does not support it
[root@localhost ~]# hostnamectl set-hostname aminglinux-001
Viewing the hostname
hostname
[root@localhost ~]# hostname
aminglinux-001
You have to log out of the terminal and log in again for it to show in the prompt; alternatively, start a subshell and check directly
[root@localhost ~]# bash
[root@aminglinux-001 ~]#
Where the configuration file is
cat /etc/hostname
[root@localhost ~]# cat /etc/hostname
aminglinux-001
Where the DNS configuration file is
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 114.114.114.114
This information comes from the DNS lines in the interface configuration file.
It can also be changed temporarily by editing the file directly with vim, but that only takes effect temporarily; in the end it is overwritten by the settings in the interface configuration file.
The hosts file
This file exists on both Windows and Linux; it maps a domain name to an IP address.
For example:
[root@localhost ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=40.9 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=37.4 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 37.431/38.997/40.994/1.503 ms
This domain name points to the IP 202.91.250.93.
After we modify the local hosts file:
[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com
The format is simple: the IP, then the names separated by whitespace; one line can map a single IP to several domain names, and each line is one entry.
Ping www.qq123.com again
[root@localhost ~]# !ping
ping www.qq123.com
PING www.qq123.com (192.168.133.130) 56(84) bytes of data.
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=3 ttl=64 time=0.064 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.054/0.097/0.173/0.053 ms
The IP the domain name points to has become our own IP.
This configuration only takes effect on the local machine.
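As an added example (not part of the original notes), the functions below look a name up in a hosts-format file the way the resolver does (first matching line wins, comments ignored) and list names that appear on more than one line, so a local override like the www.qq123.com entry above, or a shadowed duplicate, can be spotted. The sample hosts file is constructed here and is not the real /etc/hosts.

```shell
#!/bin/sh
# hosts_lookup FILE NAME: print the IP from the first line that lists NAME
# (the resolver takes the first match); prints nothing if NAME is absent.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }          # strip trailing comments, re-split fields
        NF < 2 { next }             # blank or comment-only line
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# hosts_duplicates FILE: print every name that appears on more than one line.
# Only the first line is consulted, so a later entry is silently ignored;
# an unexpected duplicate of a well-known name is worth a look.
hosts_duplicates() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) seen[$i]++ }
        END { for (n in seen) if (seen[n] > 1) print n }
    ' "$1" | sort
}

# Constructed sample modelled on the page's /etc/hosts (not the real file).
HOSTS_SAMPLE=$(mktemp)
cat > "$HOSTS_SAMPLE" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com   # local override, as on the page
10.0.0.5    www.qq123.com       # shadowed: never consulted
EOF
echo "www.qq123.com -> $(hosts_lookup "$HOSTS_SAMPLE" www.qq123.com)"
echo "duplicated names: $(hosts_duplicates "$HOSTS_SAMPLE" | tr '\n' ' ')"
```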
Try pinging from Windows and you will see the result
C:\Users\Administrator>ping www.qq123.com

正在 Ping www.qq123.com [202.91.250.93] 具有 32 字節的數據:
來自 202.91.250.93 的回復: 字節=32 時間=35ms TTL=230
來自 202.91.250.93 的回復: 字節=32 時間=34ms TTL=230
來自 202.91.250.93 的回復: 字節=32 時間=44ms TTL=230
來自 202.91.250.93 的回復: 字節=32 時間=35ms TTL=230

202.91.250.93 的 Ping 統計信息:
    數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失),
往返行程的估計時間(以毫秒為單位):
    最短 = 34ms,最長 = 44ms,平均 = 37ms
10.12 firewalld and netfilter
SELinux firewall
The SELinux firewall is usually turned off, because having it on increases the operations and management cost: many services are restricted by SELinux. In practice, turning SELinux off does not cause any great security problem.
We already did this when configuring key-based authentication: if SELinux is not turned off while setting up key authentication, there is no way to log in.
Temporarily turn it off
setenforce 0
To turn it off permanently, edit the configuration file
vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing    // change to disabled to turn the SELinux firewall off permanently
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
A reboot is required for this to take effect.
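Added example (not from the original notes): shell functions that change the SELINUX= line in a config file of the layout shown above, read the configured mode back, and compare it with what getenforce reports, so you can tell whether the reboot mentioned above is still pending. The file content is a constructed copy of the stock config and the path is passed in, so the functions can be tried on a copy first.

```shell
#!/bin/sh
# selinux_config_mode FILE: value of the active (uncommented) SELINUX= line
selinux_config_mode() { sed -n 's/^SELINUX=//p' "$1"; }

# set_selinux_mode FILE MODE: rewrite only the active SELINUX= line.
# A bare 's/enforcing/disabled/' would also hit the '#     enforcing - ...'
# comment line; anchoring on ^SELINUX= (which does not match SELINUXTYPE=)
# avoids that. MODE must be enforcing, permissive or disabled.
set_selinux_mode() {
    case $2 in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: invalid mode '$2'" >&2; return 1 ;;
    esac
    grep -q '^SELINUX=' "$1" || { echo "no SELINUX= line in $1" >&2; return 1; }
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# reboot_needed FILE RUNTIME: returns 0 when the configured mode differs from
# the running one (RUNTIME is what getenforce prints, e.g. "Enforcing"),
# i.e. the edit has not taken effect yet. On a live host:
#   reboot_needed /etc/selinux/config "$(getenforce)"
reboot_needed() {
    cfg=$(selinux_config_mode "$1")
    rt=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$cfg" != "$rt" ]
}

# Constructed copy of the stock CentOS 7 file for the demonstration.
SELINUX_CFG=$(mktemp)
cat > "$SELINUX_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
set_selinux_mode "$SELINUX_CFG" disabled
echo "configured: $(selinux_config_mode "$SELINUX_CFG")"
```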
Check the current state of the SELinux firewall
getenforce
[root@localhost ~]# getenforce
Enforcing    // means it is on
Temporarily turn it off
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive    // permissive: when something would be blocked it only warns and does not actually block
netfilter firewall
Before CentOS 7 it was called netfilter; in version 7 it was renamed firewalld. The two mechanisms are not quite the same, but the underlying tool, iptables, is used the same way.
We can turn firewalld off on 7 and turn netfilter on; in other words, using the CentOS 6 firewall mechanism on 7 is no problem.
Turn off firewalld
systemctl disable firewalld    // first stop it from starting at boot
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
systemctl stop firewalld    // stop the service
Turn on netfilter
Before turning it on, a package must be installed:
"iptables-services"
[root@localhost ~]# yum install -y iptables-services
After installation a service is available
systemctl enable iptables
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
Start the service
systemctl start iptables    // start the service
[root@localhost ~]# systemctl start iptables
View the default iptables rules
iptables -nvL
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   356 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination
==iptables is only a tool used by the firewalld and netfilter firewalls; it is not the firewall itself==
10.13 Introduction to netfilter's 5 tables and 5 chains
man iptables describes the 5 tables and the 5 chains:
filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
Note: the default table, containing 3 built-in chains INPUT, FORWARD and OUTPUT. The INPUT chain is what an incoming packet passes through; the FORWARD chain handles packets that arrive at this machine and are forwarded on to other machines; the OUTPUT chain is applied to this machine's own packets before they leave.
nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
Note: the PREROUTING chain acts on a packet the moment it comes in, the POSTROUTING chain the moment it goes out; the nat table is commonly used for shared internet access and port mapping.
mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
Note: rarely used
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface), OUTPUT (for packets generated by local processes).
Note: rarely used
security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
Note: rarely used
How iptables passes a packet through
From the packet-flow diagram, three points can be summarised:
When a packet enters the interface it first enters the PREROUTING chain, where the kernel decides from the packet's destination IP whether it needs to be forwarded on.
If the packet is destined for this machine, it moves down the diagram to the INPUT chain. Once it has passed the INPUT chain, any process can receive it. Programs running on this machine can send packets; those pass through the OUTPUT chain and then reach the POSTROUTING chain on the way out.
If the packet is to be forwarded and the kernel allows forwarding, it moves to the right as in the diagram, through the FORWARD chain, and then reaches the POSTROUTING chain on the way out.
10.14 iptables syntax
Viewing the rules
iptables -nvL
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  705 71728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   38  4673 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 668 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
Where the rules are saved
cat /etc/sysconfig/iptables
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Flushing the rules
iptables -F
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
After flushing, the rules in the file are still there
[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
To save the rules currently in effect to the file, run the following command
service iptables save
If you do not save them, after iptables is restarted the rules are reloaded from the configuration file.
Restart the iptables service
systemctl restart iptables.service
[root@localhost ~]# systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables options
iptables operates on the filter table by default.
The -t option specifies which table to operate on.
[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   562 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
-Z option: zero the counters
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107  7916 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   791 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 72 packets, 9804 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -Z ; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now pkts and bytes show no data, but running iptables -nvL again shows new numbers, because communication is going on all the time, so these values keep changing.
Command syntax
iptables -A INPUT -p tcp --dport 80 -j DROP
Even in abbreviated form, the chain and the protocol must be specified, otherwise the command errors out.
Understanding the command:
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
The filter table is operated on by default; -A adds a rule; INPUT is the chain operated on; -s specifies a source IP of 192.168.188.1; -p specifies the TCP protocol; --sport specifies source port 1234; -d specifies destination IP 192.168.188.128; --dport specifies destination port 80; -j specifies what to do with the packet: DROP (discard) or REJECT (refuse).
The difference between DROP and REJECT: REJECT looks at the packet and then tells the sender it is not allowed, which is the more polite approach; DROP discards anything the rule does not allow without caring what it is (DROP is generally used more often).
-A option
-A appends a rule at the bottom of the rule list;
[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  5040 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   12  2070 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80    // -A: the rule is queued after all existing rules

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1248 bytes)
 pkts bytes target     prot opt in     out     source               destination
-I option
-I means insert: the rule is put at the very top and evaluated first;
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    // -I: the rule is inserted at the very front
  130 11252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  4897 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
When filtering, the rules are matched one by one from top to bottom, so the one at the top is naturally the first to take effect.
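As an added example (not from the original notes), here is a small first-match evaluator for an INPUT chain written in iptables-save syntax. It makes the ordering point above concrete: the DROP appended with -A sits below the catch-all REJECT and is never reached, while the same DROP inserted with -I fires first. It only understands the matches used on this page (-p, -s, -d, -i, --sport, --dport, --state), compares addresses literally (no CIDR), and the rule sets are constructed from the page's output.

```shell
#!/bin/sh
# The INPUT chain after the page's 'iptables -A ... --dport 80 -j DROP'.
RULES_A='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP'

# The same chain after 'iptables -I INPUT -p tcp --dport 80 -j DROP'.
RULES_I="-A INPUT -p tcp --dport 80 -j DROP
$RULES_A"

# first_match RULES PROTO SRC SPORT DST DPORT IN_IF STATE
# Walks the chain top to bottom and prints the target (-j) of the first rule
# whose every match clause fits the packet, or POLICY when the packet falls
# through to the chain's default policy (what -P sets). Tokens it does not
# know (-A, INPUT, -m, --reject-with, ...) are skipped.
first_match() {
    printf '%s\n' "$1" | awk -v proto="$2" -v src="$3" -v sport="$4" \
        -v dst="$5" -v dport="$6" -v inif="$7" -v st="$8" '
    {
        ok = 1; target = "POLICY"
        for (i = 1; i < NF; i++) {
            v = $(i + 1)
            if      ($i == "-p"      && v != proto) ok = 0
            else if ($i == "-s"      && v != src)   ok = 0
            else if ($i == "-d"      && v != dst)   ok = 0
            else if ($i == "-i"      && v != inif)  ok = 0
            else if ($i == "--sport" && v != sport) ok = 0
            else if ($i == "--dport" && v != dport) ok = 0
            else if ($i == "--state" && index("," v ",", "," st ",") == 0) ok = 0
            else if ($i == "-j") target = v
        }
        if (ok) { print target; found = 1; exit }
    }
    END { if (!found) print "POLICY" }'
}

# A new HTTP connection from 192.168.188.1:1234, exactly the packet the -A
# rule describes: with RULES_A rule 5 REJECTs it before rule 6 is reached;
# with RULES_I the inserted rule 1 DROPs it.
demo() {
    printf 'appended DROP (-A): %s\n' \
        "$(first_match "$RULES_A" tcp 192.168.188.1 1234 192.168.188.128 80 ens32 NEW)"
    printf 'inserted DROP (-I): %s\n' \
        "$(first_match "$RULES_I" tcp 192.168.188.1 1234 192.168.188.128 80 ens32 NEW)"
}
demo
```

Running it prints REJECT for the appended rule and DROP for the inserted one, which is why iptables -nvL kept showing 0 pkts on the -A rule above.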
-D option: delete a rule
[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 17204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
The rule has been deleted.
Deleting a rule by its number
Simply changing -I or -A to -D is indeed quick, but what if the command is no longer in the history, or you cannot remember exactly how the rule was defined?
iptables -nvL --line-number
Show the rule numbers
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      202 17760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 2468 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Delete a rule by its number
[root@localhost ~]# iptables -D INPUT 7
[root@localhost ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      266 22396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 3108 bytes)
num   pkts bytes target     prot opt in     out     source               destination
-P option: default policy
iptables -P OUTPUT DROP
The default policy is easy to get wrong; changing it is generally not advised.