10.11 Linux networking / 10.12 firewalld and netfilter / 10.13 netfilter: 5 tables and 5 chains / 10.14 iptables syntax

10.11 Linux networking: ifconfig

ifconfig shows the IP address of each NIC. It is installed by default on CentOS 6.
On a CentOS 7 minimal install it is not present; use ip addr (short form: ip a) instead, or install the net-tools package to get ifconfig back.

ifconfig

Package: net-tools
The -a option lists every interface, including ones that are down; without -a, an interface that is down is not shown.
ifdown IFACE    bring an interface down
After ifdown, ifconfig shows the interface without an IP address.
ifup IFACE      bring an interface up
These are meant for a single interface: after changing one NIC's configuration you can reload just that NIC with ifdown/ifup instead of restarting the whole network service.
Never run ifdown on the interface your SSH session arrives through. If the server sits in a data centre abroad and you ifdown the NIC carrying your session, you cannot reconnect; the only way back is to have someone on site (or the provider's support) bring it up again, which is slow and painful.
If the interface really has to be restarted, chain both commands on one line:

ifdown ens33 && ifup ens33

This works because the shell has already read the whole line: ifup runs even though the connection is interrupted, and the SSH session resumes once the interface is back with the same address. The protection is only as good as ifup itself: if it fails (a typo in the ifcfg file, a wrong address) you are still locked out, so check the configuration file before restarting and keep a second session or console open.

Adding a virtual (alias) interface

First go to the directory that holds the interface configuration files:

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens32  ifdown-ippp    ifdown-sit       ifup-bnep  ifup-plip    ifup-Team         network-functions-ipv6
ifcfg-lo     ifdown-ipv6    ifdown-Team      ifup-eth   ifup-plusb   ifup-TeamPort
ifdown       ifdown-isdn    ifdown-TeamPort  ifup-ib    ifup-post    ifup-tunnel
ifdown-bnep  ifdown-post    ifdown-tunnel    ifup-ippp  ifup-ppp     ifup-wireless
ifdown-eth   ifdown-ppp     ifup             ifup-ipv6  ifup-routes  init.ipv6-global
ifdown-ib    ifdown-routes  ifup-aliases     ifup-isdn  ifup-sit     network-functions

Create the alias configuration by copying the existing file:

[root@localhost network-scripts]# cp ifcfg-ens32 ifcfg-ens32:0

The colon in the file name is not a shell metacharacter, so it needs no escaping; the ifup-aliases script recognises the "parent:N" naming. Now edit ifcfg-ens32:0:

vim ifcfg-ens32:0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens32:0
UUID=4233625f-9278-4b12-b2cf-02f3dd5ed641
DEVICE=ens32:0
ONBOOT=yes
IPADDR=192.168.133.160
NETMASK=255.255.255.0

Change NAME and DEVICE to the alias name, ens32:0, and set the new IPADDR.
Because the alias shares the physical interface ens32, it also shares its gateway, so GATEWAY and DNS lines can be left out. (For a non-persistent test the same address can be added on the fly with ip addr add 192.168.133.160/24 dev ens32 label ens32:0.)
Now restart the parent interface with ifdown ens32 && ifup ens32; the alias comes up with it:

[root@localhost network-scripts]# ifdown ens32 && ifup ens32
Device 'ens32' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

Check the interfaces:

[root@localhost network-scripts]# ifconfig -a
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.130  netmask 255.255.255.0  broadcast 192.168.133.255
        inet6 fe80::daff:1b44:6a0f:1211  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)
        RX packets 1508  bytes 121014 (118.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 681  bytes 93413 (91.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens32:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.133.160  netmask 255.255.255.0  broadcast 192.168.133.255
        ether 00:0c:29:7d:ea:88  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 112  bytes 9708 (9.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 112  bytes 9708 (9.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There is now an ens32:0 entry. Ping it from the Windows desktop to confirm it answers:

C:\Users\Administrator>ping 192.168.133.160

Pinging 192.168.133.160 with 32 bytes of data:
Reply from 192.168.133.160: bytes=32 time<1ms TTL=64
Reply from 192.168.133.160: bytes=32 time<1ms TTL=64
Reply from 192.168.133.160: bytes=32 time<1ms TTL=64
Reply from 192.168.133.160: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.133.160:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

The address answers, so the alias is usable.

Checking whether a cable is plugged in
mii-tool IFACE

[root@localhost network-scripts]# mii-tool ens32
ens32: negotiated 1000baseT-FD flow-control, link ok

"link ok" means the cable is connected.
With no cable it reports "ens32: no link".
Some drivers do not support mii-tool (it fails with an "Operation not supported" error);
in that case use ethtool IFACE instead:

[root@localhost network-scripts]# ethtool ens32
Settings for ens32:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

The line to look at is "Link detected": yes means the link is up, no means nothing is connected.
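Both tools depend on driver support, and ethtool is a separate package that is not always installed. The kernel exposes the same information through sysfs for every interface, so as an added example (not part of the original page) here is a small POSIX sh check that reads it directly. SYSFS_NET, link_state and list_links are names chosen for this example; SYSFS_NET defaults to /sys/class/net and can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: link state from sysfs, for hosts where mii-tool is
# unsupported and ethtool is not installed.  Not from the original page.
# Assumes a Linux sysfs layout under SYSFS_NET (default /sys/class/net).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# link_state IFACE -> prints one of:
#   up          carrier present (cable connected, link negotiated)
#   down        interface is administratively up but has no carrier
#   admin-down  interface is not UP; carrier cannot be read in that state
# Returns 1 (and prints a message) if the interface does not exist.
link_state() {
    dev="$SYSFS_NET/$1"
    [ -d "$dev" ] || { echo "no such interface: $1" >&2; return 1; }
    oper=$(cat "$dev/operstate" 2>/dev/null || echo unknown)
    # Reading "carrier" on an administratively down interface fails with
    # EINVAL, so a failed read plus operstate=down means admin-down.
    if carrier=$(cat "$dev/carrier" 2>/dev/null); then
        if [ "$carrier" = 1 ]; then echo up; else echo down; fi
    elif [ "$oper" = down ]; then
        echo admin-down
    else
        echo unknown
        return 1
    fi
}

# list_links: one "IFACE STATE" line per interface, loopback skipped.
list_links() {
    for d in "$SYSFS_NET"/*; do
        n=${d##*/}
        [ "$n" = lo ] && continue
        printf '%s %s\n' "$n" "$(link_state "$n")"
    done
}
```

Run list_links on a live host to get a one-line-per-NIC summary; a "down" entry on a server that should be connected is the same condition the page's "no link" output reports.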

Changing the hostname

hostnamectl set-hostname works on CentOS 7; CentOS 6 does not have hostnamectl (there the name lives in /etc/sysconfig/network).

[root@localhost ~]# hostnamectl set-hostname aminglinux-001

Showing the hostname

hostname

[root@localhost ~]# hostname
aminglinux-001

The shell prompt only picks up the new name after you log out and back in; starting a subshell shows it as well:

[root@localhost ~]# bash
[root@aminglinux-001 ~]#

Where it is stored

cat /etc/hostname

[root@localhost ~]# cat /etc/hostname
aminglinux-001

DNS configuration file

[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 114.114.114.114

These nameserver lines come from the DNS1/DNS2 entries in the interface's ifcfg file.
You can edit /etc/resolv.conf directly for a temporary change, but NetworkManager regenerates the file from the ifcfg settings, so the edit is eventually overwritten; make the permanent change in the ifcfg file.

The hosts file

Both Windows and Linux have one; it maps a host name to an IP address locally.
For example:

[root@localhost ~]# ping www.qq123.com
PING www.qq123.com (202.91.250.93) 56(84) bytes of data.
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=1 ttl=128 time=40.9 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 202.91.250.93 (202.91.250.93): icmp_seq=3 ttl=128 time=37.4 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 37.431/38.997/40.994/1.503 ms

The name currently resolves to 202.91.250.93.
After adding an entry to the local hosts file:

[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.133.130 www.qq123.com

The format is simple: an IP address, whitespace, then one or more names separated by spaces; one entry per line, and a single IP may carry several names.
Ping www.qq123.com again (!ping re-runs the last ping from the shell history):

[root@localhost ~]# !ping
ping www.qq123.com
PING www.qq123.com (192.168.133.130) 56(84) bytes of data.
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=2 ttl=64 time=0.054 ms
64 bytes from www.qq123.com (192.168.133.130): icmp_seq=3 ttl=64 time=0.064 ms
^C
--- www.qq123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.054/0.097/0.173/0.053 ms

The name now resolves to our own address. It takes precedence over DNS because /etc/nsswitch.conf lists "hosts: files dns", so the resolver consults /etc/hosts before asking any nameserver.
The mapping applies only to this machine; nothing changes for other hosts or in DNS itself. That same precedence is why tampering with the hosts file is a classic way of redirecting traffic on a compromised machine, so it deserves the same scrutiny as the DNS settings.
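Because anything in this file silently wins over DNS, it is worth checking for entries that point a name somewhere other than loopback. The following POSIX sh/awk functions are an added example, not part of the original page: hosts_overrides lists every name mapped to a non-loopback address (the page's www.qq123.com line is exactly such an entry) and hosts_duplicates lists names that appear more than once, where only the first line is ever used. HOSTS_FILE, hosts_overrides and hosts_duplicates are names chosen here; HOSTS_FILE defaults to /etc/hosts.

```shell
#!/bin/sh
# Added example: audit a hosts(5) file for local name overrides.
# Not from the original page.  Assumes the standard hosts file format:
# "ADDRESS NAME [NAME...]" per line, "#" starts a comment.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# hosts_overrides [FILE]: print "NAME ADDRESS" for every mapping whose
# address is not loopback (127.0.0.0/8 or ::1).  Blank lines, comment
# lines and trailing comments are ignored.
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }                       # strip comments; NF is recomputed
        NF < 2 { next }                          # blank or malformed line
        $1 ~ /^127\./ || $1 == "::1" { next }    # loopback entries are normal
        { for (i = 2; i <= NF; i++) print $i, $1 }
    ' "${1:-$HOSTS_FILE}"
}

# hosts_duplicates [FILE]: non-loopback names listed more than once.
# The resolver takes the first matching line, so a later "fix" for the
# same name is silently ignored.
hosts_duplicates() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" { next }
        { for (i = 2; i <= NF; i++) seen[$i]++ }
        END { for (n in seen) if (seen[n] > 1) print n }
    ' "${1:-$HOSTS_FILE}" | sort
}
```

On a freshly installed host hosts_overrides prints nothing; on the lab machine above it prints "www.qq123.com 192.168.133.130". Any line you did not put there yourself is worth investigating.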
Pinging from the Windows machine shows the unchanged public address:

C:\Users\Administrator>ping www.qq123.com

Pinging www.qq123.com [202.91.250.93] with 32 bytes of data:
Reply from 202.91.250.93: bytes=32 time=35ms TTL=230
Reply from 202.91.250.93: bytes=32 time=34ms TTL=230
Reply from 202.91.250.93: bytes=32 time=44ms TTL=230
Reply from 202.91.250.93: bytes=32 time=35ms TTL=230

Ping statistics for 202.91.250.93:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 44ms, Average = 37ms

10.12 firewalld and netfilter

SELinux

SELinux is usually switched off in this course because it adds operational overhead: many services need extra policy work before they run under an enforcing policy. Strictly speaking it is not a firewall at all but mandatory access control (a Linux Security Module), and disabling it does remove a layer of containment that limits what a compromised service can reach, so on production hosts prefer permissive mode while troubleshooting over disabling it outright.
The key-based SSH login problem met earlier is the usual example: the login fails because the files under ~/.ssh carry the wrong security context, not because SELinux is on, and restorecon -Rv ~/.ssh fixes it without turning SELinux off.
Temporarily disable (until the next reboot):

setenforce 0

To disable it permanently, edit the configuration file:

vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing        // change to disabled to turn SELinux off permanently
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

A reboot is required for this change to take effect.
Show the current SELinux state:

getenforce

[root@localhost ~]# getenforce
Enforcing        // SELinux is on and enforcing

Temporarily disable:

[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive       // permissive: an action the policy would block is only logged, not stopped

netfilter

netfilter is the packet-filtering framework inside the kernel, and it did not change its name. What changed in CentOS 7 is the management front end: CentOS 6 used the iptables service (init scripts that load a rule file), CentOS 7 uses firewalld. Both drive the same kernel netfilter code, and on CentOS 7 firewalld itself still calls iptables underneath, so the iptables command works the same way on both.
You can therefore disable firewalld on CentOS 7 and run the CentOS 6-style iptables service instead, which is what this course does.

Disabling firewalld

systemctl disable firewalld    // first stop it from starting at boot

[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

systemctl stop firewalld       // stop the running service

Enabling the iptables service

First install the package that provides it, iptables-services:

[root@localhost ~]# yum install -y iptables-services

The package provides the iptables service unit; enable it so it starts at boot:

systemctl enable iptables

[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

Start the service

systemctl start iptables       // start the service

[root@localhost ~]# systemctl start iptables

Show the default rules

iptables -nvL

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   356 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
 pkts bytes target     prot opt in     out     source               destination

==iptables is only the command-line tool for managing netfilter rules; it is not the firewall itself. firewalld (CentOS 7) and the iptables service (CentOS 6) are two front ends to the same kernel netfilter framework.==

10.13 netfilter: 5 tables and 5 chains

man iptables describes the five tables and the five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING):

filter: This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

Note: filter is the default table and has three built-in chains: INPUT for packets destined to this host, FORWARD for packets this host routes on to another machine, and OUTPUT for packets generated locally, just before they leave.

nat: This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.

Note: PREROUTING acts on a packet the moment it arrives, POSTROUTING the moment before it leaves. The nat table is what you use for shared Internet access (masquerading) and port mapping (DNAT).

mangle: This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).

Note: rarely used in this course (it is where packets are marked or have TTL/TOS changed).

raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)

Note: rarely used (it exempts selected traffic from connection tracking, for example very high-volume flows).

security: This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).

Note: rarely used.

How a packet travels through iptables

The original page summarised this from a diagram that is not reproduced here; the three paths it shows are:
When a packet arrives on a NIC it first passes through the PREROUTING chain, where the kernel looks at the destination IP and decides whether the packet is for this host or has to be forwarded.
A packet for this host continues to the INPUT chain and is then delivered to the local process that is listening for it. Packets sent by programs on this host pass through the OUTPUT chain and then POSTROUTING before leaving.
A packet that must be forwarded (and forwarding is enabled, net.ipv4.ip_forward=1) goes through the FORWARD chain and then POSTROUTING on its way out.
Within each of these hooks the tables are consulted in a fixed order, raw, mangle, nat, filter, security; the man page text above says the same thing when it notes that raw is registered with higher priority and that security is called after filter.

10.14 iptables syntax

Viewing rules

iptables -nvL

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  705 71728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   38  4673 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 668 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination

Where the rules are saved

cat /etc/sysconfig/iptables

[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Flushing the rules

iptables -F

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 280 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination

Flushing only affects the rules loaded in the kernel; the rules in the file are untouched:

[root@localhost ~]# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

To write the rules currently loaded in the kernel to that file, run:

service iptables save

If you do not save, the next restart of the iptables service reloads the rules from the file and the running changes are lost. That is a nuisance when you forget, but also a quick way to throw away an experiment.

Restarting the iptables service

systemctl restart iptables.service

[root@localhost ~]# systemctl restart iptables.service
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   280 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables options

iptables operates on the filter table unless told otherwise.

The -t option selects the table:

[root@localhost ~]# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   562 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 32 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

The -Z option: zero the counters

[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  107  7916 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   791 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 72 packets, 9804 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@localhost ~]# iptables -Z ; iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

The pkts and bytes columns are now zero, but running iptables -nvL again shows new numbers straight away, because traffic is flowing all the time. The counters are the quickest way to test a rule: one that stays at 0 while you generate matching traffic is not matching what you think it is.

Writing a rule

iptables -A INPUT -p tcp --dport 80 -j DROP

Even in its shortest form a rule must name a chain (-A INPUT), and port matches such as --dport or --sport are only valid together with -p tcp or -p udp; leaving the protocol out makes iptables reject the option.
Reading a full rule:

iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

The filter table is used by default; -A appends a rule; INPUT is the chain it goes into; -s 192.168.188.1 matches the source IP; -p tcp restricts the rule to TCP; --sport 1234 matches the source port; -d 192.168.188.128 matches the destination IP; --dport 80 the destination port; and -j names the target, what to do with a matching packet: DROP to discard it silently, or REJECT to refuse it.
The difference between DROP and REJECT: both discard the packet, and neither looks at its payload. REJECT additionally sends an error back to the sender (by default an ICMP port-unreachable; --reject-with selects another, such as the icmp-host-prohibited used in the default rules or tcp-reset for TCP), so the client fails immediately. DROP sends nothing, so the client waits for its own timeout. DROP is the usual choice on an Internet-facing host because it gives a port scanner nothing to work with; REJECT is the friendlier choice on internal networks, where you want applications and your own troubleshooting to fail fast rather than hang.

The -A option

-A appends the rule at the end of the chain. Look at the counters in the listing below: the appended DROP sits underneath the catch-all REJECT, which already matches every packet that reaches it, so the new rule can never match anything. To put a restriction ahead of an existing ACCEPT-all or REJECT-all rule, insert it with -I instead.

[root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  5040 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   12  2070 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80    // -A: queued at the very end

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 14 packets, 1248 bytes)
 pkts bytes target     prot opt in     out     source               destination

The -I option

-I inserts the rule at the top of the chain (or at a given position, e.g. -I INPUT 3), so it is evaluated before everything else;

[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    // -I: inserted at the very top
  130 11252 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   42  4897 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination

Rules are evaluated from top to bottom and the first match decides the packet's fate, so a rule at the top takes effect before anything below it, and a rule placed below a catch-all never runs.
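The listings above show the consequence: the rule appended after "REJECT all" keeps a packet count of 0 forever. The following POSIX sh/awk check is an added example, not part of the original page; it reads the output of iptables -S CHAIN (one "-A CHAIN ..." line per rule, the format iptables-save also uses) and reports every rule that sits below a catch-all rule in the same chain. It works for any chain, not just the page's INPUT example; shadowed_rules, SAMPLE_RULES and sample_shadowed are names chosen here, and the sample ruleset is constructed to mirror the page's chain.

```shell
#!/bin/sh
# Added example: find rules that can never match because an earlier rule
# in the same chain matches every packet.  Not from the original page.
# Input: `iptables -S CHAIN` / iptables-save lines on stdin.

# shadowed_rules < RULES: prints "N: <rule>" for each rule that follows the
# first catch-all rule of its chain.  A catch-all is "-A CHAIN -j TARGET"
# with a terminating target (ACCEPT, DROP, REJECT) and no match options;
# "--reject-with ..." after REJECT is allowed.  Anything carrying -p, -s,
# -d, -i, -o, -m, --dport and so on matches only some packets.
shadowed_rules() {
    awk '
        $1 != "-A" { next }                       # skip -P / -N lines
        {
            chain = $2
            n[chain]++
            if (dead[chain]) { print n[chain] ": " $0; next }
            catchall = ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            if (catchall && NF > 4 && $5 != "--reject-with") catchall = 0
            if (catchall) dead[chain] = 1         # everything after this is unreachable
        }
    '
}

# Constructed sample: the page's default INPUT chain with one rule appended
# via -A after the catch-all REJECT, exactly as in the -A example above.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.188.1/32 -d 192.168.188.128/32 -p tcp -m tcp --sport 1234 --dport 80 -j DROP'

# sample_shadowed: run the check over the constructed sample.
sample_shadowed() { printf '%s\n' "$SAMPLE_RULES" | shadowed_rules; }
```

On a live host run iptables -S INPUT | shadowed_rules (as root). The rule number printed is the same one iptables -nvL --line-numbers shows, so the output can be fed straight into iptables -D INPUT N.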

The -D option: deleting a rule

[root@localhost ~]# iptables -D INPUT -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  195 17204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination

The rule at the top is gone. Note that -D removes only the first rule matching the given specification: the identical "tcp dpt:80 DROP" rule at the bottom of the chain is still there, so run the same -D again (or delete it by number, below) to remove it too.

Deleting a rule by number

Turning the original -I or -A command into -D is quick, but only works if the exact command is still in the shell history or you remember every option.

iptables -nvL --line-numbers

shows the number of each rule (the page's spelling --line-number also works, because iptables accepts unambiguous abbreviations of long options):

[root@localhost ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      202 17760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 2468 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Delete by number (when removing several, delete the highest number first, because the rules below a deleted one are renumbered):

[root@localhost ~]# iptables -D INPUT 7
[root@localhost ~]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      266 22396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       53  6072 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 3108 bytes)
num   pkts bytes target     prot opt in     out     source               destination

The -P option: the default policy

iptables -P OUTPUT DROP

The policy is what happens to a packet no rule in the chain matched. It is easy to lock yourself out with it, so do not change it casually: iptables -F flushes the rules but does not reset the policy, so a chain whose policy is DROP blocks everything as soon as its ACCEPT rules are gone, including the SSH session you are typing in. If you want a default-deny chain, add the ACCEPT rules first (RELATED,ESTABLISHED, loopback, SSH from your management network), switch the policy last, and keep a second session open until you have confirmed you can still get in.
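Both lock-out scenarios on this page, restarting the NIC your SSH session uses (10.11) and tightening a default policy (here), have the same remedy: arrange for the change to undo itself unless you confirm it from a working session. The following POSIX sh functions are an added example, not part of the original page: apply_with_rollback takes a snapshot command's inverse as a rollback, starts a detached watchdog that ignores SIGHUP (so it survives the death of the SSH session), runs the change, and reverts it after a timeout unless confirm_change is called. ROLLBACK_DIR, apply_with_rollback, confirm_change and change_status are names chosen for this example; the iptables and ifdown usages in the comments assume root on a real host and are not executed.

```shell
#!/bin/sh
# Added example: apply a risky network or firewall change with a timed
# automatic rollback.  Not from the original page.  Assumes POSIX sh,
# sleep, and a writable temp directory.
ROLLBACK_DIR="${ROLLBACK_DIR:-${TMPDIR:-/tmp}/rollback.$$}"

# apply_with_rollback SECONDS ROLLBACK_CMD CHANGE_CMD
#   Starts a detached watchdog, then runs CHANGE_CMD.  Unless confirm_change
#   is called within SECONDS, the watchdog evaluates ROLLBACK_CMD.  The
#   watchdog ignores SIGHUP and has no terminal, so it keeps running after
#   the SSH session whose connectivity the change may break is torn down.
apply_with_rollback() {
    secs=$1
    rollback=$2
    change=$3
    mkdir -p "$ROLLBACK_DIR"
    : > "$ROLLBACK_DIR/pending"        # marker: change not yet confirmed
    PENDING="$ROLLBACK_DIR/pending" STATUS="$ROLLBACK_DIR/status" ROLLBACK_CMD="$rollback" \
      sh -c '
        trap "" HUP
        sleep "$1"
        [ -e "$PENDING" ] || exit 0    # confirmed in time: nothing to do
        eval "$ROLLBACK_CMD"
        rm -f "$PENDING"
        echo rolled-back > "$STATUS"
      ' sh "$secs" </dev/null >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_DIR/watchdog.pid"
    sh -c "$change"
}

# confirm_change: call from a session that still works to keep the change.
confirm_change() {
    rm -f "$ROLLBACK_DIR/pending"
    echo confirmed > "$ROLLBACK_DIR/status"
}

# change_status: "pending", "confirmed" or "rolled-back".
change_status() {
    if [ -e "$ROLLBACK_DIR/pending" ]; then
        echo pending
    else
        cat "$ROLLBACK_DIR/status" 2>/dev/null || echo pending
    fi
}

# Worked usages (run as root on a real host; not executed here):
#
# 1. Default-deny INPUT policy from 10.14.  Snapshot the live ruleset with
#    iptables-save; iptables-restore puts it back if you do not confirm.
#      iptables-save > /root/iptables.before
#      apply_with_rollback 60 'iptables-restore < /root/iptables.before' \
#          'iptables -P INPUT DROP'
#      # open a second SSH session; if it works:
#      confirm_change
#
# 2. Restarting a NIC over SSH (the ifdown/ifup case from 10.11).  If ifup
#    fails and the session drops, the watchdog brings the interface back.
#      apply_with_rollback 60 'ifup ens33' 'ifdown ens33 && ifup ens33'
```

Give the timeout enough room to log in again but not more; sixty seconds is a reasonable default. The same pattern is what the iptables-apply script in newer iptables packages implements for rule files.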

Source: 西部数码知识库 (west.cn knowledge base).