主题:
Linux服务器上软件提供服务 1.网络操作 2.端口操作
1.网络操作 本机必须能够ping通目标主机(本地虚拟机或者远程主机)
2.端口操作 1.开启服务监听端口 2.设置防火墙,放行访问该端口的数据包
iptables&netfilter 四表五链和堵通策略
应用举例:
Linux上安装Tomcat和MySQL,客户端要能够访问服务器上的Tomcat服务和MySQL服务
操作:
1.网络操作 本机必须能够ping通目标主机(本地虚拟机或者远程主机)
2.端口操作 1.开启服务监听端口 2.设置防火墙,放行访问该端口的数据包
关键iptables和netfilter:
iptables&netfilter的四表五链和堵通策略
演示的Linux操作系统版本CentOS release 6.7:
[root@heima01 ~]# uname -a
Linux heima01 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux
[root@heima01 ~]# lsb_release -a
LSB Version: :base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.7 (Final)
Release: 6.7
Codename: Final
CentOS6.7端口操作最佳实践:
查看iptables命令的帮助:
iptables --help 不详细
man iptables 一般详细 手册页
info iptables 最详细
1.查看当前包过滤规则
示例:# service iptables status
2.根据需求添加或删除相应的规则。配置文件或者指令
示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
3.iptables指令修改规则,立即生效,但不会持久化,所以根据需要手动进行持久化操作
示例:# service iptables save
4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
示例:# service iptables restart
1.网络操作:
1.1 使用ifconfig查看虚拟机网络地址
示例:# ifconfig
[root@heima01 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:71:C4:BB
inet addr:192.168.211.130 Bcast:192.168.211.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe71:c4bb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:420 errors:0 dropped:0 overruns:0 frame:0
TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35784 (34.9 KiB) TX bytes:28445 (27.7 KiB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 b) TX bytes:480 (480.0 b)
1.2 在本地ping虚拟机网络地址,必须保证ping通
示例:ping 192.168.211.130
本机与虚拟机
网络不通:
C:Usersjie>ping 192.168.211.130
正在 Ping 192.168.211.130 具有 32 字节的数据:
来自 192.168.211.1 的回复: 无法访问目标主机。
网络联通:
C:Usersjie>ping 192.168.211.130
正在 Ping 192.168.211.130 具有 32 字节的数据:
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
192.168.211.130 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 0ms,平均 = 0ms
2.端口操作:
2.1.启动服务,监听某个端口
查看某个端口是否已经被监听:(即相应的服务已经启动)
示例:# netstat -ntlp
2.2设置防火墙,放行访问这个端口的包
查看某个端口是否已经被监听:(即相应的服务已经启动)
[root@heima01 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1588/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1835/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1684/cupsd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 2797/sshd
tcp 0 0 0.0.0.0:53754 0.0.0.0:* LISTEN 1645/rpc.statd
tcp 0 0 :::43942 :::* LISTEN 1645/rpc.statd
tcp 0 0 :::3306 :::* LISTEN 1976/mysqld
tcp 0 0 :::111 :::* LISTEN 1588/rpcbind
tcp 0 0 :::22 :::* LISTEN 1835/sshd
tcp 0 0 ::1:631 :::* LISTEN 1684/cupsd
tcp 0 0 ::1:6010 :::* LISTEN 2797/sshd
CentOS6.7中设置防火墙,放行访问端口的数据包:
查看防火墙的包过滤规则:(正在生效)
示例:# service iptables status
查看包过滤规则文件:(不一定正在生效)
示例:# cat /etc/sysconfig/iptables
查看链中的规则:(正在生效)
示例:# iptables -L
注意:
修改包过滤规则,必须重启iptables服务,使新的规则生效。
链中规则有顺序,请把规则放首位。
参数解释:
通堵策略: ACCEPT接收 DROP丢弃 REJECT拒绝
-I 插入规则
-D 删除规则
方式1:修改/etc/sysconfig/iptables文件
步骤:
1.为/etc/sysconfig/iptables文件添加一条规则
示例:-A INPUT -p tcp -m state --state NEW -m tcp --dport 端口号 -j ACCEPT
注意:规则有顺序,所以把规则添加到上面,而不是下面。
2.重启iptables服务,新加规则才会生效
示例:service iptables restart
方式2:
步骤:
1.使用iptables动态添加规则
添加接收访问某端口的包的规则
示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
添加丢弃访问某端口的包的规则
示例:# iptables -I INPUT -p tcp --dport=3306 -j DROP
注意:立即生效,只对本次有效,规则不会添加到iptables文件,服务重启后失效
2.iptables指令删除规则:
1.查看规则,获取规则编号:
示例:# service iptables status
2.删除规则:
示例:# iptables -D INPUT 规则编号
3.再次查看规则,删除成功:
示例:# service iptables status
3.将本次的规则保存到iptables文件中
示例:# service iptables save
最佳实践:
查看iptables命令的帮助:
iptables --help 不详细
man iptables 一般详细 手册页
info iptables 最详细
1.查看当前包过滤规则
示例:# service iptables status
2.根据需求添加或删除相应的规则。配置文件或者指令
示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
3.iptables指令修改,立即生效,可能需要进行持久化操作
示例:# service iptables save
4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
示例:# service iptables restart
关键iptables:
iptables中的四表五链和堵通策略
直接修改/etc/sysconfig/iptables文件,添加开放端口的规则:
[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 27 22:42:05 2019
重启iptables服务,让规则生效:
[root@heima01 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
查看链中的规则:(链中规则有顺序,请把规则放首位)
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
查看链中的规则:
[root@heima01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
查看/etc/sysconfig/iptables文件:
[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables命令动态添加规则:
示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
[root@heima01 ~]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
将当前生效的规则保存到iptables文件:
[root@heima01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@heima01 ~]# iptables -I INPUT -p tcp --dport=3306 -j DROP
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@heima01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@heima01 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue May 28 18:23:29 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:4416]
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 28 18:23:29 2019
iptables指令删除规则:
1.查看规则,获取规则编号:
示例:# service iptables status
2.删除规则:
示例:# iptables -D INPUT 规则编号
3.再次查看规则,删除成功:
示例:# service iptables status
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@heima01 ~]# iptables -D INPUT 1
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination