Topic: exposing a service running on a Linux server

1. Network
   The client machine must be able to ping the target host (a local VM or a remote host).
2. Ports
   1. Start the service so that it listens on its port.
   2. Configure the firewall so that packets addressed to that port are let through.
      This is the job of iptables/netfilter: the four tables, the five chains, and the accept/block targets.

Worked case: Tomcat and MySQL are installed on Linux, and a client must be able to reach the Tomcat service and the MySQL service on the server. The procedure is the same two steps: (1) network connectivity, then (2) a service listening on its port plus a firewall rule admitting traffic to that port. The key component is iptables and netfilter (four tables, five chains, accept/block targets).

Linux release used for the demonstration, CentOS release 6.7:

[root@heima01 ~]# uname -a
Linux heima01 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux
[root@heima01 ~]# lsb_release -a
LSB Version:    :base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 6.7 (Final)
Release:        6.7
Codename:       Final

Port handling on CentOS 6.7, best practice:

Getting help on the iptables command:
  iptables --help    brief
  man iptables       fuller (the manual page)
  info iptables      most detailed

1. Look at the packet-filter rules currently in effect.
   Example: # service iptables status
2. Add or delete rules as required, either in the config file or with the command.
   Example: # iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
3. A rule changed with the iptables command takes effect immediately but is not persisted; save it by hand when it is meant to stay.
   Example: # service iptables save
4. A rule written directly into /etc/sysconfig/iptables does not take effect until the iptables service is restarted.
   Example: # service iptables restart

1. Network

1.1 Use ifconfig to find the VM's network address.
Example: # ifconfig

[root@heima01 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:71:C4:BB
          inet addr:192.168.211.130  Bcast:192.168.211.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe71:c4bb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:420 errors:0 dropped:0 overruns:0 frame:0
          TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:35784 (34.9 KiB)  TX bytes:28445 (27.7 KiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

1.2 Ping the VM's address from the client machine; the ping must succeed.
Example: ping 192.168.211.130

Client and VM not connected (the reply comes from the gateway 192.168.211.1, not from the VM):

C:\Users\jie>ping 192.168.211.130
Pinging 192.168.211.130 with 32 bytes of data:
Reply from 192.168.211.1: Destination host unreachable.

Connected:

C:\Users\jie>ping 192.168.211.130
Pinging 192.168.211.130 with 32 bytes of data:
Reply from 192.168.211.130: bytes=32 time<1ms TTL=64
Reply from 192.168.211.130: bytes=32 time<1ms TTL=64
Reply from 192.168.211.130: bytes=32 time<1ms TTL=64
Reply from 192.168.211.130: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.211.130:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note: the stock CentOS ruleset accepts ICMP (the "-A INPUT -p icmp -j ACCEPT" rule shown further down), so a ping succeeds whether or not the service port has been opened. A successful ping proves network reachability only; it says nothing about the port.

2. Ports

2.1 Start the service so that it listens on a port.
To check whether a port is already being listened on (that is, the corresponding service is up):
Example: # netstat -ntlp

[root@heima01 ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1588/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1835/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1684/cupsd
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      2797/sshd
tcp        0      0 0.0.0.0:53754               0.0.0.0:*                   LISTEN      1645/rpc.statd
tcp        0      0 :::43942                    :::*                        LISTEN      1645/rpc.statd
tcp        0      0 :::3306                     :::*                        LISTEN      1976/mysqld
tcp        0      0 :::111                      :::*                        LISTEN      1588/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      1835/sshd
tcp        0      0 ::1:631                     :::*                        LISTEN      1684/cupsd
tcp        0      0 ::1:6010                    :::*                        LISTEN      2797/sshd

Reading the listing: the Local Address column is the address the service is bound to. mysqld on :::3306 and sshd on 0.0.0.0:22 accept connections on every interface (with the kernel default net.ipv6.bindv6only = 0, a socket bound to :: also takes IPv4 connections, which is how an IPv4 client reaches this mysqld). cupsd on 127.0.0.1:631 accepts connections from the local host only; no firewall rule can make such a service reachable from outside, the service's own bind address has to change. Nothing listens on 8080 here, so Tomcat was not running when this was captured, and a firewall rule for 8080 achieves nothing until it is.

2.2 Configure the firewall to let packets for the port through.

On CentOS 6.7:

Viewing the packet-filter rules in effect:
Example: # service iptables status
Viewing the rule file (not necessarily what is in effect):
Example: # cat /etc/sysconfig/iptables
Listing the rules in the chains (in effect):
Example: # iptables -L
(iptables -L resolves addresses and ports to names; iptables -nL --line-numbers gives the numbered, numeric view that service iptables status prints.)

Notes:
- Rules edited in /etc/sysconfig/iptables take effect only after the iptables service is restarted. Rules added with the iptables command are live at once.
- Rules in a chain are ordered, and the first matching rule decides the packet's fate. The stock CentOS INPUT chain ends with a catch-all REJECT, so an ACCEPT placed after it never matches. Put the new rule at the top, or at least above the REJECT.

Parameters:
Targets (accept/block):
  ACCEPT   accept the packet
  DROP     discard it silently
  REJECT   refuse it and send an error back (the stock rules use --reject-with icmp-host-prohibited)
-I  insert a rule (at position 1 by default; a position can be given, e.g. -I INPUT 5 ...)
-A  append a rule at the end of the chain (the form used by the lines in /etc/sysconfig/iptables)
-D  delete a rule

Method 1: edit /etc/sysconfig/iptables
Steps:
1. Add a rule line to the file.
   Example: -A INPUT -p tcp -m state --state NEW -m tcp --dport <port> -j ACCEPT
   Note: order matters, so add the line above the existing ACCEPT lines, not below the final REJECT.
2. Restart the iptables service; only then does the new rule take effect.
   Example: service iptables restart

Method 2: the iptables command
Steps:
1. Add rules dynamically.
   Accept packets for a port:
   Example: # iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
   Drop packets for a port:
   Example: # iptables -I INPUT -p tcp --dport=3306 -j DROP
   (Both --dport 3306 and --dport=3306 are accepted; the saved file shows the canonical --dport 3306.)
   Note: the rule takes effect immediately, but only in the running kernel. It is not written to the iptables file and is gone after the service restarts.
   Caution: the example rule admits connections to MySQL from every source address. Outside a lab VM, limit it to the client network with -s, for example -s 192.168.211.0/24, and keep MySQL's own account grants host-restricted as well.
2. Delete a rule with the iptables command:
   1. List the rules to get the rule number.
      Example: # service iptables status
   2. Delete the rule by number.
      Example: # iptables -D INPUT <rule number>
   3. List the rules again to confirm that it is gone.
      Example: # service iptables status
3. Save the rules now in effect to the iptables file.
   Example: # service iptables save
   Caution: save rewrites /etc/sysconfig/iptables from the live rules. An edit made to the file but not yet applied is lost, and any temporary rule still loaded (such as the DROP used for testing below) becomes permanent.

Editing /etc/sysconfig/iptables directly to add port-opening rules:

[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 27 22:42:05 2019

Restart the iptables service so that the rules take effect:

[root@heima01 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Read the restart messages: the chains are first set to policy ACCEPT and flushed, and only then are the saved rules applied, so for a moment the host accepts everything. That is acceptable on a lab VM; on an exposed host load the file with iptables-restore < /etc/sysconfig/iptables, which replaces the table in one step.

Listing the rules in the chains (rules are ordered; put the new rule first):

[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Rule 3 looks like an accept-everything rule. It is the "-i lo" rule from the file; the interface columns are only printed in verbose mode (iptables -nvL --line-numbers), so do not read a bare "ACCEPT all" in this listing as a hole.

Listing the rules with iptables -L:

[root@heima01 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Viewing the /etc/sysconfig/iptables file:

[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:560]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Adding a rule dynamically with the iptables command:
Example: # iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

[root@heima01 ~]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

-I without a position puts the rule at number 1, above everything else. Unlike the lines in the file, this rule carries no "-m state --state NEW", so it matches every TCP packet to port 3306 rather than only new connections; it works the same here because the RELATED,ESTABLISHED rule below it would have accepted the rest of the conversation anyway.
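The two checks above, whether the service listens on a non-loopback address and whether an ACCEPT sits above the catch-all REJECT, can be scripted so that opening a port is repeatable. The following is an added example and not code from the original notes. It reads netstat -ntlp and iptables-save text (constructed here from the listings above, so it runs without root; on a real host pass "$(netstat -ntlp)" and "$(iptables-save)" instead), refuses to touch the firewall for a service bound to loopback, restricts the ACCEPT to a client network with -s, inserts it immediately above the final REJECT instead of blindly at position 1, and emits nothing if the identical rule is already saved. The function names and the client network 192.168.211.0/24 are assumptions. iptables -C would be the natural existence check, but it is not available in iptables 1.4.7 (the version named in the header of /etc/sysconfig/iptables above), so the saved text is compared instead.

```shell
# Added example (not from the original notes): check the listener, then build
# a source-restricted ACCEPT positioned above the catch-all REJECT.

# Constructed sample: INPUT/FORWARD chains of a stock CentOS 6 ruleset in
# iptables-save format, before any service port has been opened.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: netstat -ntlp output in the shape shown in the notes.
NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1684/cupsd
tcp        0      0 :::3306                 :::*                    LISTEN      1976/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1835/sshd'

# listen_addr PORT [NETSTAT_TEXT]
# Prints the local address of the TCP listener on PORT ("0.0.0.0" or "::" means
# every interface, "127.0.0.1"/"::1" loopback only); prints nothing if no
# process listens there.
listen_addr() {
  printf '%s\n' "${2:-$NETSTAT}" | awk -v p="$1" '
    $1 == "tcp" && $6 == "LISTEN" {
      n = split($4, a, ":")            # the port is the last colon-separated field
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
    }'
}

# reject_index [SAVED_TEXT]
# 1-based position of the first catch-all REJECT/DROP in INPUT; an ACCEPT
# inserted at that position lands directly above it. Falls back to the end of
# the chain when there is no catch-all.
reject_index() {
  printf '%s\n' "${1:-$SAVED_RULES}" | awk '
    /^-A INPUT/ { k++; if ($0 ~ /^-A INPUT -j (REJECT|DROP)/) { print k; found = 1; exit } }
    END { if (!found) print k + 1 }'
}

# open_port_cmd PROTO PORT CLIENT_CIDR [SAVED_TEXT]
# Prints the iptables command that admits new connections from CLIENT_CIDR to
# PORT, or nothing if the identical rule is already saved (safe to re-run).
# The rule text follows iptables-save's canonical option order so that the
# comparison also works against real saved output.
open_port_cmd() {
  proto=$1; port=$2; src=$3; saved=${4:-$SAVED_RULES}
  spec="-s $src -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
  if printf '%s\n' "$saved" | grep -Fxq -- "-A INPUT $spec"; then
    return 0                           # already present: nothing to do
  fi
  printf 'iptables -I INPUT %s %s\n' "$(reject_index "$saved")" "$spec"
}

# make_reachable PORT CLIENT_CIDR
# Step 2.1 then 2.2 of the notes: refuse to touch the firewall when nothing
# listens, or when the listener is bound to loopback (a rule cannot fix that).
make_reachable() {
  addr=$(listen_addr "$1")
  case $addr in
    '')            echo "port $1: nothing is listening; start the service first" >&2; return 1 ;;
    127.0.0.1|::1) echo "port $1: bound to $addr only; change the service's bind address" >&2; return 1 ;;
  esac
  open_port_cmd tcp "$1" "$2"
}

# Usage on the samples: prints the command for MySQL, inserted at position 5
# (above the REJECT) and limited to the lab network. On a real host pipe the
# output into sh, then run "service iptables save" to persist the rule.
make_reachable 3306 192.168.211.0/24
```

Running the same command twice prints nothing the second time once the rule is in the saved set, which is what makes it safe in a provisioning script; the loopback refusal is the check most often skipped by hand, and it is exactly the cupsd case in the netstat listing.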
Save the rules now in effect to the iptables file:

[root@heima01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Inserting a DROP for the same port above the ACCEPT, then saving and restarting:

[root@heima01 ~]# iptables -I INPUT -p tcp --dport=3306 -j DROP
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@heima01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@heima01 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@heima01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue May 28 18:23:29 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:4416]
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 28 18:23:29 2019

Rule 1 (DROP) now precedes rule 2 (ACCEPT) for port 3306, so connections to MySQL are dropped: the first match wins and the ACCEPT underneath is never consulted. Because the DROP was saved before the restart, it survives the restart and sits at the top of /etc/sysconfig/iptables. This is the ordering rule from above seen from the other side: whichever rule for a port is higher in the chain decides.

Deleting a rule with the iptables command (the three steps listed under method 2):
1. List the rules to get the rule number.
   Example: # service iptables status
2. Delete the rule by number.
   Example: # iptables -D INPUT <rule number>
3. List the rules again to confirm that it is gone.
   Example: # service iptables status

[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@heima01 ~]# iptables -D INPUT 1
[root@heima01 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

The DROP is gone from the running chain and the ACCEPT for 3306 is rule 1 again. The file, however, still contains the "-A INPUT -p tcp -m tcp --dport 3306 -j DROP" line saved above; run service iptables save once more, otherwise the next restart reloads the DROP.
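To make the ordering rule concrete (a DROP above an ACCEPT wins, an ACCEPT below the catch-all REJECT never matches, and -D INPUT n removes exactly the n-th rule as service iptables status numbers it), here is an added example that is not code from the original notes. It models netfilter's first-match walk over an INPUT chain written in iptables-save format, on a ruleset constructed from the file shown above as saved right after the DROP was inserted. Only the matches that ruleset uses are modelled (-p, --dport, -m state --state, -i lo); packets are assumed to arrive on eth0 rather than lo, and the function names are assumptions.

```shell
# Added example (not from the original notes): first-match evaluation of an
# INPUT chain, to see which rule decides a packet's fate and why order matters.

# Constructed ruleset: the INPUT chain saved in the notes right after
# "iptables -I INPUT -p tcp --dport=3306 -j DROP", one rule per line.
RULES='-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict PROTO DPORT STATE [RULES_TEXT]
# Walks the chain top to bottom and prints the target of the first rule all of
# whose matches fit the packet, with its position as "service iptables status"
# numbers it, e.g. "DROP (rule 1)". Prints "POLICY" when nothing matches and
# the chain policy (ACCEPT on this host) applies. Modelled matches: -p,
# --dport, -m state --state, -i lo (the packet is assumed to arrive on eth0).
verdict() {
  printf '%s\n' "${4:-$RULES}" | awk -v proto="$1" -v dport="$2" -v state="$3" '
    /^-A INPUT/ {
      n++; ok = 1; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p"      && $(i+1) != proto) ok = 0
        if ($i == "--dport" && $(i+1) != dport) ok = 0
        if ($i == "--state" && index("," $(i+1) ",", "," state ",") == 0) ok = 0
        if ($i == "-i"      && $(i+1) == "lo") ok = 0
        if ($i == "-j") target = $(i+1)
      }
      if (ok) { print target " (rule " n ")"; matched = 1; exit }
    }
    END { if (!matched) print "POLICY" }'
}

# delete_rule N [RULES_TEXT]      : what "iptables -D INPUT N" does to the chain
delete_rule() {
  printf '%s\n' "${2:-$RULES}" | awk -v n="$1" '/^-A INPUT/ { if (++k == n) next } { print }'
}

# insert_rule N RULE [RULES_TEXT] : what "iptables -I INPUT N RULE" does
insert_rule() {
  printf '%s\n' "${3:-$RULES}" | awk -v n="$1" -v r="$2" '/^-A INPUT/ { if (++k == n) print "-A INPUT " r } { print }'
}

# append_rule RULE [RULES_TEXT]   : what "iptables -A INPUT RULE" does, which is
# also what adding a line at the bottom of /etc/sysconfig/iptables does
append_rule() {
  printf '%s\n-A INPUT %s\n' "${2:-$RULES}" "$1"
}

# Usage: the DROP at position 1 shadows the ACCEPT at 2; removing it (the
# "-D INPUT 1" from the notes) makes 3306 reachable again; an ACCEPT for 8080
# appended below the REJECT is never reached, the same rule inserted at the
# top is.
verdict tcp 3306 NEW                                                          # DROP (rule 1)
verdict tcp 3306 NEW "$(delete_rule 1)"                                       # ACCEPT (rule 1)
verdict tcp 8080 NEW "$(append_rule '-p tcp -m tcp --dport 8080 -j ACCEPT')"   # REJECT (rule 7)
verdict tcp 8080 NEW "$(insert_rule 1 '-p tcp -m tcp --dport 8080 -j ACCEPT')" # ACCEPT (rule 1)
```

The model also shows why the stock file keeps "-m state --state RELATED,ESTABLISHED" near the top: a packet belonging to an existing connection to an otherwise closed port (try verdict tcp 8080 ESTABLISHED) is accepted by that rule, while a fresh connection to the same port falls through to the REJECT.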