zoukankan      html  css  js  c++  java
  • Linux对外提供服务 网络操作 端口操作 1.开启服务监听端口 2.设置防火墙,放行访问端口的包 iptables&netfilter 四表五链和通堵策略

    主题:
    	Linux服务器上软件提供服务 1.网络操作 2.端口操作
    	1.网络操作 本机必须能够ping通目标主机(本地虚拟机或者远程主机)
    	2.端口操作 1.开启服务监听端口 2.设置防火墙,放行访问该端口的数据包
    	iptables&netfilter 四表五链和堵通策略
    	
    应用举例:
    	Linux上安装Tomcat和MySQL,客户端要能够访问服务器上的Tomcat服务和MySQL服务
    
    操作:
    	1.网络操作 本机必须能够ping通目标主机(本地虚拟机或者远程主机)
    	2.端口操作 1.开启服务监听端口 2.设置防火墙,放行访问该端口的数据包
    关键iptables和netfilter:
    	iptables&netfilter的四表五链和堵通策略
    
    演示的Linux操作系统版本CentOS release 6.7:
    [root@heima01 ~]# uname -a
    Linux heima01 2.6.32-573.el6.i686 #1 SMP Thu Jul 23 12:37:35 UTC 2015 i686 i686 i386 GNU/Linux
    
    [root@heima01 ~]# lsb_release -a
    LSB Version:	:base-4.0-ia32:base-4.0-noarch:core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
    Distributor ID:	CentOS
    Description:	CentOS release 6.7 (Final)
    Release:	6.7
    Codename:	Final
    
    CentOS6.7端口操作最佳实践:
    	查看iptables命令的帮助:
    		iptables --help 不详细
    		man iptables 一般详细 手册页
    		info iptables 最详细
    		
    	1.查看当前包过滤规则
    		示例:# service iptables status
    	2.根据需求添加或删除相应的规则。配置文件或者指令
    		示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    	3.iptables指令修改规则,立即生效,但不会持久化,所以根据需要手动进行持久化操作
    		示例:# service iptables save
    	4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
    		示例:# service iptables restart
    
    1.网络操作:
    	1.1 使用ifconfig查看虚拟机网络地址
    		示例:# ifconfig
    [root@heima01 ~]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:71:C4:BB  
              inet addr:192.168.211.130  Bcast:192.168.211.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fe71:c4bb/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:420 errors:0 dropped:0 overruns:0 frame:0
              TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:35784 (34.9 KiB)  TX bytes:28445 (27.7 KiB)
              Interrupt:19 Base address:0x2000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)
    
    	1.2 在本地ping虚拟机网络地址,必须保证ping通
    		示例:ping 192.168.211.130
    
    本机与虚拟机
    	网络不通:
    C:Usersjie>ping 192.168.211.130
    正在 Ping 192.168.211.130 具有 32 字节的数据:
    来自 192.168.211.1 的回复: 无法访问目标主机。
    
    	网络联通:
    C:Usersjie>ping 192.168.211.130
    正在 Ping 192.168.211.130 具有 32 字节的数据:
    来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
    来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
    来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
    来自 192.168.211.130 的回复: 字节=32 时间<1ms TTL=64
    
    192.168.211.130 的 Ping 统计信息:
        数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
    往返行程的估计时间(以毫秒为单位):
        最短 = 0ms,最长 = 0ms,平均 = 0ms
    
    
    	
    2.端口操作:
    	2.1.启动服务,监听某个端口
    		查看某个端口是否已经被监听:(即相应的服务已经启动)
    			示例:# netstat -ntlp
    	2.2设置防火墙,放行访问这个端口的包
    	
    查看某个端口是否已经被监听:(即相应的服务已经启动)
    [root@heima01 ~]# netstat -ntlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
    tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1588/rpcbind        
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1835/sshd           
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1684/cupsd          
    tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      2797/sshd           
    tcp        0      0 0.0.0.0:53754               0.0.0.0:*                   LISTEN      1645/rpc.statd      
    tcp        0      0 :::43942                    :::*                        LISTEN      1645/rpc.statd      
    tcp        0      0 :::3306                     :::*                        LISTEN      1976/mysqld         
    tcp        0      0 :::111                      :::*                        LISTEN      1588/rpcbind        
    tcp        0      0 :::22                       :::*                        LISTEN      1835/sshd           
    tcp        0      0 ::1:631                     :::*                        LISTEN      1684/cupsd          
    tcp        0      0 ::1:6010                    :::*                        LISTEN      2797/sshd 	
    
    CentOS6.7中设置防火墙,放行访问端口的数据包:
    	查看防火墙的包过滤规则:(正在生效)
    		示例:# service iptables status
    	查看包过滤规则文件:(不一定正在生效)
    		示例:# cat /etc/sysconfig/iptables
    	查看链中的规则:(正在生效)
    		示例:# iptables -L
    		
    	注意:
    		修改包过滤规则,必须重启iptables服务,使新的规则生效。
    		链中规则有顺序,请把规则放首位。
    		
    	参数解释:
    		通堵策略: ACCEPT接收 DROP丢弃 REJECT拒绝
    		-I 插入规则
    		-D 删除规则
    		
    		方式1:修改/etc/sysconfig/iptables文件
    			步骤:
    				1.为/etc/sysconfig/iptables文件添加一条规则
    					示例:-A INPUT -p tcp -m state --state NEW -m tcp --dport 端口号 -j ACCEPT
    					注意:规则有顺序,所以把规则添加到上面,而不是下面。
    					
    				2.重启iptables服务,新加规则才会生效
    					示例:service iptables restart
    		方式2:
    			步骤:
    				1.使用iptables动态添加规则
    					添加接收访问某端口的包的规则
    					示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    					添加丢弃访问某端口的包的规则
    					示例:# iptables -I INPUT -p tcp --dport=3306 -j DROP
    					注意:立即生效,只对本次有效,规则不会添加到iptables文件,服务重启后失效
    				
    				2.iptables指令删除规则:
    					1.查看规则,获取规则编号:
    						示例:# service iptables status
    					2.删除规则:
    						示例:# iptables -D INPUT 规则编号
    					3.再次查看规则,删除成功:
    						示例:# service iptables status
    				
    				3.将本次的规则保存到iptables文件中
    					示例:# service iptables save		
    					
    				
    		最佳实践:
    			查看iptables命令的帮助:
    				iptables --help 不详细
    				man iptables 一般详细 手册页
    				info iptables 最详细
    				
    			1.查看当前包过滤规则
    				示例:# service iptables status
    			2.根据需求添加或删除相应的规则。配置文件或者指令
    				示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    			3.iptables指令修改,立即生效,可能需要进行持久化操作
    				示例:# service iptables save
    			4.直接修改/etc/sysconfig/iptables文件,规则不会立即生效,通过重启iptables,使其生效。
    				示例:# service iptables restart
    
    关键iptables:
    	iptables中的四表五链和堵通策略
    
    直接修改/etc/sysconfig/iptables文件,添加开放端口的规则:
    [root@heima01 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4:560]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    
    COMMIT
    # Completed on Mon May 27 22:42:05 2019
    
    重启iptables服务,让规则生效:
    [root@heima01 ~]# service iptables restart
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules:                         [  OK  ]
    
    查看链中的规则:(链中规则有顺序,请把规则放首位)
    [root@heima01 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
    
    查看链中的规则:
    [root@heima01 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     icmp --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  
    
    
    查看/etc/sysconfig/iptables文件:
    [root@heima01 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Mon May 27 22:42:05 2019
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4:560]
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    
    iptables命令动态添加规则:
    	示例:# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    	
    [root@heima01 ~]# iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    [root@heima01 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination 
    
    将当前生效的规则保存到iptables文件:
    [root@heima01 ~]# service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    
    [root@heima01 ~]# iptables -I INPUT -p tcp --dport=3306 -j DROP
    [root@heima01 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    
    [root@heima01 ~]# service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    [root@heima01 ~]# service iptables restart
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    iptables: Applying firewall rules:                         [  OK  ]
    [root@heima01 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue May 28 18:23:29 2019
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [32:4416]
    -A INPUT -p tcp -m tcp --dport 3306 -j DROP 
    -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
    COMMIT
    # Completed on Tue May 28 18:23:29 2019
    
    
    iptables指令删除规则:
    	1.查看规则,获取规则编号:
    		示例:# service iptables status
    	2.删除规则:
    		示例:# iptables -D INPUT 规则编号
    	3.再次查看规则,删除成功:
    		示例:# service iptables status
    		
    [root@heima01 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    
    [root@heima01 ~]# iptables -D INPUT 1
    
    [root@heima01 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination 
  • 相关阅读:
    go基础_定时器
    作业3:写一个测试程序,消耗固定内存
    Hdu3397Sequence operation线段树
    Hdu3308LCIS线段树
    Poj3667Hotel线段树
    Poj1436Horizontally Visible Segments线段树
    Poj3225Help with Intervals区间线段树
    Poj2528Mayor's posters线段树
    poj3468A Simple Problem with Integers区间和线段树
    Hdu1698Just a Hook线段树区间更新
  • 原文地址:https://www.cnblogs.com/mozq/p/10935830.html
Copyright © 2011-2022 走看看