1. NIC IP
Use the ifconfig and ip add commands to view the IP addresses of the network interfaces.
[root@server01 ~]# ifconfig    ## view NIC IPs; if the command is not available, install net-tools
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.137.100 netmask 255.255.255.0 broadcast 192.168.137.255
        inet6 fe80::c1d7:5856:9856:2bb8 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:0c:4d:a8 txqueuelen 1000 (Ethernet)
        RX packets 34093 bytes 19129820 (18.2 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2629771 bytes 3934887034 (3.6 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1 (Local Loopback)
        RX packets 76 bytes 6204 (6.0 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 76 bytes 6204 (6.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@server01 ~]# ifconfig -a    ## view the IPs of all NICs
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.137.100 netmask 255.255.255.0 broadcast 192.168.137.255
        inet6 fe80::c1d7:5856:9856:2bb8 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:0c:4d:a8 txqueuelen 1000 (Ethernet)
        RX packets 34104 bytes 19130770 (18.2 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2629778 bytes 3934888746 (3.6 GiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1 (Local Loopback)
        RX packets 76 bytes 6204 (6.0 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 76 bytes 6204 (6.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@server01 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:0c:4d:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.137.100/24 brd 192.168.137.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::c1d7:5856:9856:2bb8/64 scope link
       valid_lft forever preferred_lft forever
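To attach an additional address, you can configure a virtual interface, ens33:1. Then restart the NIC with the ifdown ens33 / ifup ens33 commands so that the configuration takes effect.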
[root@server01 ~]# mii-tool ens33    ## check the NIC link status
ens33: negotiated 1000baseT-FD flow-control, link ok
[root@server01 ~]# ethtool ens33    ## check the NIC link status
Settings for ens33:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: off (auto)
        Supports Wake-on: d
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes    ## "yes" on this line means the NIC link is up
2. DNS
[root@server01 ~]# hostnamectl set-hostname juispan    ## change the hostname
[root@server01 ~]# bash
[root@juispan ~]#
[root@server01 ~]# cat /etc/resolv.conf    ## DNS configuration file
# Generated by NetworkManager
nameserver 114.114.114.114    ## nameserver defines a DNS server; more than one can be listed
[root@server01 ~]#
[root@server01 ~]# cat /etc/hosts    ## local hosts file, mapping IPs to domain names
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
## One IP can map to multiple domain names, while one domain name maps to one IP;
## when a domain name is mapped more than once, the last mapping takes effect.
3. Firewall
[root@server01 ~]# setenforce 0    ## temporarily disable SELinux (switches to permissive mode)
[root@server01 ~]# getenforce    ## check the SELinux status
Permissive
[root@server01 ~]# cat /etc/selinux/config    ## SELinux configuration file
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing    ## change to disabled to turn SELinux off permanently
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
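The session above leaves the host in permissive mode at runtime while the configuration file still says enforcing, so the two states differ until the next reboot. The following check is an added example, not part of the original post; the function names are hypothetical and the config file it reads is a constructed copy, so it runs without SELinux installed.

```shell
# Print the SELINUX= value from a config file, lowercased ("unset" if absent).
# Comment lines and trailing "## ..." annotations are ignored. If the key
# appears more than once, this sketch reports the last one (a choice made here).
selinux_boot_mode() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 ~ /^[ \t]*SELINUX[ \t]*$/ {           # SELINUXTYPE= does not match
            v = $2
            sub(/[ \t]*#.*$/, "", v)             # drop a trailing comment
            gsub(/[ \t]/, "", v)
            mode = tolower(v)
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# $1 = runtime mode as printed by getenforce, $2 = path to the config file.
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(selinux_boot_mode "$2")
    if [ "$runtime" = "$boot" ]; then
        echo "consistent: $runtime"
    else
        echo "drift: runtime=$runtime boot=$boot"
    fi
}

# Constructed config mirroring the file shown on the page.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing    ## annotation as in the listing
SELINUXTYPE=targeted
EOF

selinux_drift Permissive "$cfg"   # the state after `setenforce 0`
selinux_drift Enforcing "$cfg"
rm -f "$cfg"
```

On a live host the call would be `selinux_drift "$(getenforce)" /etc/selinux/config`.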
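Before CentOS 7, the netfilter firewall was used; starting with CentOS 7, the firewalld firewall is used. By default, CentOS 7 uses firewalld to manage the netfilter subsystem, and underneath it still calls the iptables command. Different firewall software conflicts with each other, so when using one, the others should be disabled.
▎Disable firewalld and enable netfilter: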
[root@server01 ~]# systemctl stop firewalld
[root@server01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@server01 ~]# yum install -y iptables-services
......
已安装:
  iptables-services.x86_64 0:1.4.21-17.el7
完毕!
[root@server01 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@server01 ~]# systemctl start iptables
4. Netfilter
▎Netfilter has 5 tables; the filter and nat tables need to be mastered:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
## The filter table is used to filter packets and is the most commonly used table; it has three chains: INPUT, FORWARD and OUTPUT.
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
## The nat table is used for network address translation; it has three chains: PREROUTING, OUTPUT and POSTROUTING.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
## The mangle table is used to mark packets; it is almost never used.
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
## The raw table makes it possible to exempt certain packets from connection tracking; it is almost never used.
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
## The security table does not exist in CentOS 6; it is used for Mandatory Access Control (MAC) networking rules and is almost never used.
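The table and chain layout described above can be read directly from a saved ruleset. This added example (not from the original post) parses text in iptables-save format and reports each chain's policy, rule count and effective default; the function names are hypothetical and the sample ruleset is constructed.

```shell
# Constructed sample in iptables-save format (not captured from the page's host).
sample_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Reads iptables-save text on stdin; prints one line per chain:
#   <table> <chain> policy=<P> rules=<N> default=<D>
# default is the first unconditional ACCEPT/DROP/REJECT rule, else the policy.
summarize_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        /^:/  {                                     # ":INPUT ACCEPT [0:0]"
            key = table " " substr($1, 2)
            order[++n] = key; policy[key] = $2; rules[key] = 0
            next
        }
        $1 == "-A" {
            key = table " " $2; rules[key]++
            # "-A CHAIN -j TARGET" has no match options, so it catches everything
            if (!(key in final) && $3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/)
                final[key] = $4
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                eff = (key in final) ? final[key] : policy[key]
                printf "%s policy=%s rules=%d default=%s\n", key, policy[key], rules[key], eff
            }
        }
    '
}

sample_ruleset | summarize_ruleset
```

On a live host the input would come from `iptables-save | summarize_ruleset`. In the sample, INPUT and FORWARD have an ACCEPT policy but end in a catch-all REJECT rule, so their effective default is REJECT.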
This article is reposted from Grodd's 51CTO blog; original link: http://blog.51cto.com/juispan/1946904. To repost it, please contact the original author.