[CentOS 7系列]网络与安全

前端之家收集整理的这篇文章主要介绍了[CentOS 7系列]网络与安全前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

1、网卡IP

使用ifconfig和ip add命令查看网卡IP。

[root@server01~]#ifconfig##查看网卡IP,如果不支持,需要安装net-tools
ens33:flags=4163<UP,BROADCAST,RUNNING,MULTICAST>mtu1500
inet192.168.137.100netmask255.255.255.0broadcast192.168.137.255
inet6fe80::c1d7:5856:9856:2bb8prefixlen64scopeid0x20<link>
ether00:0c:29:0c:4d:a8txqueuelen1000(Ethernet)
RXpackets34093bytes19129820(18.2MiB)
RXerrors0dropped0overruns0frame0
TXpackets2629771bytes3934887034(3.6GiB)
TXerrors0dropped0overruns0carrier0collisions0

lo:flags=73<UP,LOOPBACK,RUNNING>mtu65536
inet127.0.0.1netmask255.0.0.0
inet6::1prefixlen128scopeid0x10<host>
looptxqueuelen1(LocalLoopback)
RXpackets76bytes6204(6.0KiB)
RXerrors0dropped0overruns0frame0
TXpackets76bytes6204(6.0KiB)
TXerrors0dropped0overruns0carrier0collisions0

[root@server01~]#ifconfig-a##查看所有网卡IP
ens33:flags=4163<UP,MULTICAST>mtu1500
inet192.168.137.100netmask255.255.255.0broadcast192.168.137.255
inet6fe80::c1d7:5856:9856:2bb8prefixlen64scopeid0x20<link>
ether00:0c:29:0c:4d:a8txqueuelen1000(Ethernet)
RXpackets34104bytes19130770(18.2MiB)
RXerrors0dropped0overruns0frame0
TXpackets2629778bytes3934888746(3.6GiB)
TXerrors0dropped0overruns0carrier0collisions0

lo:flags=73<UP,RUNNING>mtu65536
inet127.0.0.1netmask255.0.0.0
inet6::1prefixlen128scopeid0x10<host>
looptxqueuelen1(LocalLoopback)
RXpackets76bytes6204(6.0KiB)
RXerrors0dropped0overruns0frame0
TXpackets76bytes6204(6.0KiB)
TXerrors0dropped0overruns0carrier0collisions0

[root@server01~]#ipadd
1:lo:<LOOPBACK,UP,LOWER_UP>mtu65536qdiscnoqueuestateUNKNOWNqlen1
link/loopback00:00:00:00:00:00brd00:00:00:00:00:00
inet127.0.0.1/8scopehostlo
valid_lftforeverpreferred_lftforever
inet6::1/128scopehost
valid_lftforeverpreferred_lftforever
2:ens33:<BROADCAST,MULTICAST,LOWER_UP>mtu1500qdiscpfifo_faststateUPqlen1000
link/ether00:0c:29:0c:4d:a8brdff:ff:ff:ff:ff:ff
inet192.168.137.100/24brd192.168.137.255scopeglobalens33
valid_lftforeverpreferred_lftforever
inet6fe80::c1d7:5856:9856:2bb8/64scopelink
valid_lftforeverpreferred_lftforever

如果要附加一个地址,可以设定虚拟网卡ens33:1。然后使用ifdown ens33/ifup ens33命令重新启动网卡,使配置生效。

[root@server01~]#mii-toolens33##查看网卡连接状态
ens33:negotiated1000baseT-FDflow-control,linkok
[root@server01~]#ethtoolens33##查看网卡连接状态
Settingsforens33:
Supportedports:[TP]
Supportedlinkmodes:10baseT/Half10baseT/Full
100baseT/Half100baseT/Full
1000baseT/Full
Supportedpauseframeuse:No
Supportsauto-negotiation:Yes
Advertisedlinkmodes:10baseT/Half10baseT/Full
100baseT/Half100baseT/Full
1000baseT/Full
Advertisedpauseframeuse:No
Advertisedauto-negotiation:Yes
Speed:1000Mb/s
Duplex:Full
Port:TwistedPair
PHYAD:0
Transceiver:internal
Auto-negotiation:on
MDI-X:off(auto)
SupportsWake-on:d
Wake-on:d
Currentmessagelevel:0x00000007(7)
drvprobelink
Linkdetected:yes##该行“yes”表示网卡连接正常


2、DNS

[root@server01~]#hostnamectlset-hostnamejuispan##更改主机名
[root@server01~]#bash
[root@juispan~]#
[root@server01~]#cat/etc/resolv.conf##DNS的配置文件
#GeneratedbyNetworkManager
nameserver114.114.114.114##使用nameserver定义DNS,可以写多个DNS
[root@server01~]#
[root@server01~]#cat/etc/hosts##本地hosts文件,IP和域名映射
127.0.0.1localhostlocalhost.localdomainlocalhost4localhost4.localdomain4
::1localhostlocalhost.localdomainlocalhost6localhost6.localdomain6
##一个IP能对应多个域名,一个域名对应一个IP;
##域名对应IP,以最后的映射为准。


3、防火墙

[root@server01~]#setenforce0##临时关闭selinux
[root@server01~]#getenforce##查看selinux状态
Permissive
[root@server01~]#cat/etc/selinux/config##selinux配置文件

#ThisfilecontrolsthestateofSELinuxonthesystem.
#SELINUX=cantakeoneofthesethreevalues:
#enforcing-SELinuxsecuritypolicyisenforced.
#permissive-SELinuxprintswarningsinsteadofenforcing.
#disabled-NoSELinuxpolicyisloaded.
SELINUX=enforcing##改成disabled可以永久关闭
#SELINUXTYPE=cantakeoneofthreetwovalues:
#targeted-Targetedprocessesareprotected,#minimum-Modificationoftargetedpolicy.Onlyselectedprocessesareprotected.
#mls-MultiLevelSecurityprotection.
SELINUXTYPE=targeted

在CentOS 7之前使用netfilter防火墙;CentOS 7开始使用firewalld防火墙。CentOS 7默认采用的是firewalld管理netfilter子系统,底层调用的仍然是iptables命令。不同的防火墙软件相互间存在冲突,使用某个时应禁用其他的。

关闭firewalld开启netfilter:

[root@server01~]#systemctlstopfirewalld
[root@server01~]#systemctldisablefirewalld
Removedsymlink/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removedsymlink/etc/systemd/system/basic.target.wants/firewalld.service.
[root@server01~]#yuminstall-yiptables-services
......
已安装:
iptables-services.x86_640:1.4.21-17.el7

完毕!
[root@server01~]#systemctlenableiptables
Createdsymlinkfrom/etc/systemd/system/basic.target.wants/iptables.serviceto/usr/lib/systemd/system/iptables.service.
[root@server01~]#systemctlstartiptables


4、Netfilter

�Netfilter有5张表:

filter:
Thisisthedefaulttable(ifno-toptionispassed).Itcontainsthebuilt-inchainsINPUT(forpacketsdestinedtolocalsockets),FORWARD(forpacketsbeingroutedthroughtheBox),andOUTPUT(forlocally-generatedpackets).
##filter表用于过滤包,是最常用的表,有INPUT、FORWARD、OUTPUT三个链。
nat:
Thistableisconsultedwhenapacketthatcreatesanewconnectionisencountered.Itconsistsofthreebuilt-ins:PREROUTING(foralteringpacketsassoonastheycomein),OUTPUT(foralteringlocally-generatedpacketsbeforerouting),andPOSTROUTING(foralteringpacketsastheyareabouttogoout).IPv6NATsupportisavailablesincekernel3.7.
##nat表用于网络地址转换,有PREROUTING、OUTPUT、POSTROUTING三个链。
mangle:
Thistableisusedforspecializedpacketalteration.Untilkernel2.4.17ithadtwobuilt-inchains:PREROUTING(foralteringincomingpacketsbeforerouting)andOUTPUT(foralteringlocally-generatedpacketsbeforerouting).Sincekernel2.4.18,threeotherbuilt-inchainsarealsosupported:INPUT(forpacketscomingintotheBoxitself),FORWARD(foralteringpacketsbeingroutedthroughtheBox),andPOSTROUTING(foralteringpacketsastheyareabouttogoout).
##managle表用于给数据包做标记,几乎用不到。
raw:
ThistableisusedmainlyforconfiguringexemptionsfromconnectiontrackingincombinationwiththeNOTRACKtarget.Itregistersatthenet�\filterhookswithhigherpriorityandisthuscalledbeforeip_conntrack,oranyotherIPtables.Itprovidesthefollowingbuilt-inchains:PREROUTING(forpacketsarrivingviaanynetworkinterface)OUTPUT(forpacketsgeneratedbylocalprocesses)
##raw表可以实现不追踪某些数据包,几乎用不到。
security:
ThistableisusedforMandatoryAccessControl(MAC)networkingrules,suchasthoseenabledbytheSECMARKandCONNSECMARKtargets.MandatoryAccessControlisimplementedbyLinuxSecurityModulessuchasSELinux.Thesecuritytableiscalledafterthefiltertable,allowinganyDis�\cretionaryAccessControl(DAC)rulesinthefiltertabletotakeeffectbeforeMACrules.Thistableprovidesthefollowingbuilt-inchains:INPUT(forpacketscomingintotheBoxitself),andFORWARD(foralteringpacketsbeingroutedthroughtheBox).
##security表在CentOS6中并没有,用于强制访问控制(MAC)的网络规则,几乎用不到。

猜你在找的CentOS相关文章