" />

The Linux firewall netfilter explained in detail

2024/4/30 17:07:54

A detailed look at the Linux kernel firewall netfilter

General processing flow when traffic passes through a Linux host:

packet ----> arrives at the host ----> pre-processing (prerouting) ----> routing ----> inspection ----> postrouting ----> route selection ----> forwarded out ---->

Principle: netfilter can act as a firewall because it is built into the Linux kernel and is invoked by the kernel as it processes each packet.

[root@lib ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@lib ~]# systemctl start firewalld

View all of its default rules

[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79 5656 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
3 390 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
2 286 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 42 packets, 4480 bytes)
pkts bytes target prot opt in out source destination
42 4480 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
3 390 IN_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
3 390 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
3 390 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
3 390 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
1 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
[root@lib ~]#

[root@lib ~]# yum install firewall-config

Command that opens the graphical firewall configuration tool
[root@lib ~]# firewall-config

netfilter function modules in detail

Hook functions a packet passes through: prerouting, input, output, forward, postrouting.

Built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

Functions (tables):
    filter: packet filtering, the firewall proper;
    nat: network address translation; rewrites the source or destination IP, and can rewrite ports as well;
    mangle: unpack the packet, modify it, and re-encapsulate it;
    raw: turn off the connection tracking that the nat table enables.

Table <-- chains it can hook, in priority order (high to low):
    raw:    PREROUTING, OUTPUT
    mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
    nat:    PREROUTING, [INPUT,] OUTPUT, POSTROUTING
    filter: INPUT, FORWARD, OUTPUT

Packet paths:
    into the local host:   PREROUTING --> INPUT
    out of the local host: OUTPUT --> POSTROUTING
    forwarded:             PREROUTING --> FORWARD --> POSTROUTING

netfilter firewall rules are managed with the iptables command. Put the rules that match the most traffic first, and put the rules with the narrowest match first.

iptables/netfilter rules:
    Components: a packet is tested against the rule's match conditions; once it matches, the action defined by the rule is applied.
    Match conditions: basic match conditions (built in); extended match conditions (defined by extension modules).
    Actions: basic actions (built in); extended actions (defined by extension modules); custom handling through user-defined chains.

iptables chains: built-in chains and user-defined chains.
    Built-in chains correspond to the hook functions.
    User-defined chains extend and supplement the built-in chains and allow a more flexible way of managing rules.

Things to decide when adding a rule:
    (1) which function it implements: this decides which table it goes in;
    (2) the path the packet takes: this decides which chain it goes in.

Chain: the order of the rules on a chain is the order in which they are checked, which implies some rules of thumb:
    (1) rules of the same class (access to the same application): the one with the narrower match goes first;
    (2) rules of different classes (access to different applications): the one that matches packets more often goes first;
    (3) merge several rules that can be expressed as a single rule;
    (4) set a default policy.

The iptables command is highly modular: its match conditions and actions are defined by many extension modules, found under /usr/lib64/xtables/ (IPv6: libip6t_*; IPv4: libipt_*, libxt_*).

iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
    Match conditions: basic: -s, -d, -p, -i, -o; extended: -m matchname per-match-options
    Actions: basic: ACCEPT, DROP; extended: REJECT, RETURN, LOG, REDIRECT, ...; user-defined chains
    COMMAND: chain management: -N, -X, -E, -P, -F, -Z; rule management: -A, -I, -R, -D; viewing: -L, -n, -v, -x, --line-numbers

Command forms (from the iptables synopsis):
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]

Rule format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

-t table: raw, mangle, nat, [filter] (filter is the default)

COMMAND:
    Chain management:
    -N: new, create a user-defined chain;

[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)    # reference count is 0
pkts bytes target prot opt in out source destination
[root@lib ~]#

    -X: delete, delete a user-defined chain. Note: only a chain that is user-defined, has a reference count of 0 and is empty can be deleted;

[root@lib ~]# iptables -X in_web_rules
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#

    -P: policy, set the default policy. For the chains of the filter table the default policies are: ACCEPT: accept; DROP: discard; REJECT: refuse. (iptables -P itself only accepts ACCEPT and DROP for a built-in chain; a "reject by default" behaviour is obtained by appending a final REJECT rule, which is what the production setup later in these notes does.)

[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD ACCEPT
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]#

    -E: rename a user-defined chain. A user-defined chain whose reference count is not 0 can be neither renamed nor deleted;

[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)
pkts bytes target prot opt in out source destination
[root@lib ~]# iptables -E in_web_rules in_web_rules_new1
[root@lib ~]# iptables -vnL in_web_rules_new1
Chain in_web_rules_new1 (0 references)
pkts bytes target prot opt in out source destination
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#

    Rule management:
    -A: append; -I: insert, the position must be given, and omitting it means the first rule; -D: delete, either (1) by rule number or (2) by giving the rule itself;

[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]# iptables -D FORWARD 8    # delete rule 8 of the FORWARD chain
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#

    -R: replace, replace the specified rule on the specified chain; -F: flush, empty the specified chain;

[root@lib ~]# iptables -vnL INPUT    # view the rules on the INPUT chain
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
77 5976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 1087 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 1087 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -F INPUT
[root@lib ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 7 packets, 575 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#

    -Z: zero, reset the counters. Every iptables rule has two counters: (1) the number of packets it has matched; (2) the total size in bytes of all packets it has matched;

[root@lib ~]# iptables -Z INPUT

    Viewing:
    -L: list, list all rules on the specified chain;
    -n: numeric, show addresses and port numbers as numbers;
    -v: verbose, detailed output (-vv, -vvv for even more);
    -x: exact, show the exact counter values instead of rounded K/M figures;
    --line-numbers: show the rule numbers;

[root@lib ~]# iptables -L -n

[root@lib ~]# iptables -L --line-numbers -v -n

[root@lib ~]# iptables -L --line-numbers -vv -n

[root@lib ~]# iptables -L --line-numbers -v -n -x

[root@lib ~]# iptables -vnxL --line-number

[root@lib ~]# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8539 737755 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
1175 174348 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1168 173260 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@lib ~]#
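The ordering rules of thumb given earlier (narrower match first, catch-all last) and the per-rule packet counters that -v and -Z expose are easiest to check with a script rather than by eye. The following is an added example, not code from the original notes: it parses the text that `iptables -vnL --line-numbers` prints (a constructed listing modelled on the sessions in these notes is embedded, with one rule deliberately appended behind an interface-scoped REJECT) and reports rules that have matched zero packets and rules that sit behind a catch-all REJECT/DROP and can therefore never be reached. The names `SAMPLE_LISTING`, `audit_listing` and `audit_sample` are mine.

```shell
#!/bin/sh
# Added example: audit an `iptables -vnL --line-numbers` listing for rules that
# never fire. Not part of the original notes. The sample below is constructed to
# resemble the sessions in them: INPUT rule 4 was appended with -A after the
# interface-scoped REJECT in rule 3, so no packet on ens33 can ever reach it.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 619 52768 ACCEPT tcp -- * * 192.168.0.0/24 192.168.0.103 tcp dpt:22
2 31 1860 ACCEPT icmp -- * * 192.168.0.101 192.168.0.103
3 3 429 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
4 0 0 ACCEPT tcp -- ens33 * 192.168.0.0/24 192.168.0.103 tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 396 60380 ACCEPT tcp -- * * 192.168.0.103 192.168.0.0/24 tcp spt:22
2 0 0 ACCEPT icmp -- * * 192.168.0.103 192.168.0.101
3 0 0 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable'

# audit_listing: read a listing on stdin and print one line per finding:
#   SHADOWED <chain> <num> <target> <prot>   rule sits behind a catch-all REJECT/DROP
#   UNUSED   <chain> <num> <target> <prot>   rule has matched zero packets
# Produce the listing with -x, otherwise large counters print as 175K and the
# numeric comparison below cannot read them.
audit_listing() {
    awk '
    /^Chain / { chain = $2; have_ca = 0; next }   # new chain: reset state
    /^num / || NF == 0 { next }                    # column header or blank line
    {
        num = $1; pkts = $2; target = $4; prot = $5; ifin = $7; ifout = $8
        src = $9; dst = $10
        # A catch-all is terminal for every packet it can see, so later rules
        # whose interface scope is the same or narrower are dead.
        if (have_ca && (ca_in == "*" || ca_in == ifin) && (ca_out == "*" || ca_out == ifout))
            printf "SHADOWED %s %s %s %s\n", chain, num, target, prot
        if (pkts == 0)
            printf "UNUSED %s %s %s %s\n", chain, num, target, prot
        if (!have_ca && (target == "REJECT" || target == "DROP") &&
            prot == "all" && src == "0.0.0.0/0" && dst == "0.0.0.0/0") {
            have_ca = 1; ca_in = ifin; ca_out = ifout
        }
    }'
}

# audit_sample: run the audit over the embedded constructed listing
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}

audit_sample
# On a live host: iptables -vnxL --line-numbers | audit_listing
```

A SHADOWED finding is the signature of the mistake the notes guard against when they insert new allow rules with `-I INPUT 2` rather than `-A`: once a terminal REJECT is the last rule, anything appended after it is unreachable. An UNUSED finding is only a hint (a rule may legitimately idle), but a zero counter on a rule you expected to carry traffic usually means it is ordered after something broader that already matched.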

[root@lib ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@lib ~]#

Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Match conditions:
    Basic match conditions: need no extra module; they are provided by iptables/netfilter itself.
    [!] -s, --source address[/mask][,...]: check whether the packet's source IP address matches the address or range given here;
    [!] -d, --destination address[/mask][,...]: check whether the packet's destination IP address matches the address or range given here;
        all addresses: 0.0.0.0/0
    [!] -p, --protocol protocol
        protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all" (in practice {tcp|udp|icmp})
    [!] -i, --in-interface name: the interface the packet arrives on; only usable at the points where packets come in, i.e. on the PREROUTING, INPUT and FORWARD chains;
    [!] -o, --out-interface name: the interface the packet leaves through; only usable at the points where packets go out, i.e. on the FORWARD, OUTPUT and POSTROUTING chains.

Actions: -j targetname [per-target-options]
    ACCEPT
    DROP
    REJECT

CentOS 7 has 7 tables (the iptables man page names five, filter, nat, mangle, raw and security, which are the ones listed below)
[root@lib ~]# iptables -L    # the filter table is the default
[root@lib ~]# iptables -t filter -L
[root@lib ~]# iptables -t mangle -L
[root@lib ~]# iptables -t raw -L
[root@lib ~]# iptables -t nat -L
[root@lib ~]# iptables -t security -L

[root@lib ~]# systemctl stop firewalld
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#

For example, allow the 192.168.0.0/24 network to access this host
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 432 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#

Allow this host to access the 192.168.0.0/24 network
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
254 18424 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 592 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#

Leaving out -d and -p means any destination and any protocol

[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -P OUTPUT DROP

With the policies set to DROP, the rules above now form a whitelist
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
381 27776 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
79 9064 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#

192.168.0.101 can no longer ping 192.168.0.103, because the INPUT chain only lets the TCP protocol through, and ping uses ICMP
C:\Users\kerberos>ping 192.168.0.103

Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.

Let it in
[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.101 -d 192.168.0.103 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
766 57344 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
0 0 ACCEPT icmp -- 192.168.0.101 192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
320 36208 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
[root@lib ~]#

Still no reply, because the replies have not been allowed out
C:\Users\kerberos>ping 192.168.0.103

Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\kerberos>

A packet capture shows it: requests arrive, nothing goes back
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:21.075645 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 347, length 40
16:18:26.077079 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 348, length 40
16:18:31.079188 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 349, length 40

Add a rule to let it out
[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.101 -p icmp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1070 79152 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
6 360 ACCEPT icmp -- 192.168.0.101 192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
484 53984 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
0 0 ACCEPT icmp -- 192.168.0.103 192.168.0.101
[root@lib ~]#

Ping again
C:\Users\kerberos>ping 192.168.0.103

Pinging 192.168.0.103 with 32 bytes of data:
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64
Reply from 192.168.0.103: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\kerberos>

Packet capture
[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:21:09.433967 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 352, length 40
16:21:09.434011 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 352, length 40
16:21:10.442321 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 353, length 40
16:21:10.442357 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 353, length 40

Firewall design approach: normally use a whitelist, i.e. deny everything and allow only specific traffic.
[root@lib ~]# systemctl status firewalld

Exercise: this host's address is 172.16.0.67
1. Open all of this host's TCP services to all hosts:
   # iptables -I INPUT -d 172.16.0.67 -p tcp -j ACCEPT
   # iptables -I OUTPUT -s 172.16.0.67 -p tcp -j ACCEPT
2. Open all of this host's UDP services to the hosts in 172.16.0.0/16, but not to 172.16.0.200:
   # iptables -I INPUT 2 -d 172.16.0.67 -s 172.16.0.200 -p udp -j REJECT
   # iptables -I INPUT 3 -d 172.16.0.67 -s 172.16.0.0/16 -p udp -j ACCEPT
   # iptables -I OUTPUT 2 -s 172.16.0.67 -d 172.16.0.0/16 -p udp -j ACCEPT
3. The default policy is REJECT.
Extension: 1. Open only this host's ssh service to the hosts in 172.16.0.0/16, excluding 172.16.0.200.

iptables/netfilter
framework: netfilter
The five chains:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Tables:
    filter: packet filtering; nat: address translation; mangle: packet modification; raw: turn off the connection tracking enabled on the nat table; security.
Table --> chains:
    filter: INPUT, FORWARD, OUTPUT
    nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
    mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
    raw: OUTPUT, PREROUTING
iptables command:
    iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
    Match conditions: basic: -s, -d, -p, -i, -o; extended: -m matchname per-match-options
    Actions: basic: ACCEPT, DROP; extended: REJECT, RETURN, LOG, REDIRECT, ...; user-defined chains
    COMMAND: chain management: -N, -X, -E, -P, -F, -Z; rule management: -A, -I, -R, -D; viewing: -L, -n, -v, -x, --line-numbers

Upper-case names are targets (actions)
Lower-case names are match modules (conditions)

[root@lib ~]# rpm -ql iptables | grep -i -E 'tcp|icmp|upd'
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
[root@lib ~]#

iptables (2)
iptables [-t table] COMMAND [chain] [PARAMETERS] [-m matchname [per-match-options]] [-j targetname [per-target-options]]

Match conditions:
    Basic match conditions: PARAMETERS
    Extended match conditions:
        Implicit extensions: when -p names a specific protocol, there is no need to also name the extension module with -m;
        Explicit extensions: the extension module must be named with -m.
    Implicit extensions: no module has to be loaded by hand. They are extensions of a protocol, so naming the protocol with -p already names the module to extend.
        tcp:
            [!] --source-port, --sport port[:port]: match the packet's source port; may be a port range;
            [!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range;
            [!] --tcp-flags mask comp
                mask is the set of flags to examine, written as a comma-separated list, e.g. SYN,ACK,FIN,RST;
                comp is a comma-separated list of the flags that must be set, e.g. SYN.
                Example: "--tcp-flags SYN,ACK,FIN,RST SYN" means: examine the four flags SYN, ACK, FIN and RST; SYN must be 1 and the other three must be 0.
            [!] --syn: matches the first packet of the handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN".
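The mask/comp semantics of --tcp-flags are easy to get backwards (flags outside the mask are ignored, flags inside the mask but outside comp must be clear). The shell functions below are an added example, not code from the original notes: they model that test so a rule's behaviour can be checked against a few packet flag sets before it is written, and they accept the ALL and NONE keywords iptables also accepts. The names `has_flag`, `expand_keyword`, `tcp_flags_match` and `is_syn` are mine; no iptables binary is needed.

```shell
#!/bin/sh
# Added example: a shell model of the iptables `--tcp-flags MASK COMP` test.
# Not from the original notes; it reproduces the documented semantics so that
# "--tcp-flags SYN,ACK,FIN,RST SYN" (the --syn shorthand) can be reasoned about.

ALL_FLAGS="FIN,SYN,RST,PSH,ACK,URG"

# has_flag LIST FLAG: succeed when FLAG appears in the comma-separated LIST
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# expand_keyword WORD: iptables accepts ALL and NONE in place of a flag list
expand_keyword() {
    case "$1" in
        ALL)  printf '%s' "$ALL_FLAGS" ;;
        NONE) printf '' ;;
        *)    printf '%s' "$1" ;;
    esac
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Succeeds when every flag in MASK that is listed in COMP is set in
# PACKET_FLAGS and every flag in MASK that is not in COMP is clear.
# Flags outside MASK are ignored, which is what the tcp match does.
tcp_flags_match() {
    mask=$(expand_keyword "$1")
    comp=$(expand_keyword "$2")
    pkt=$3
    old_ifs=$IFS
    IFS=,
    for f in $mask; do
        if has_flag "$comp" "$f"; then
            # flag is in comp: it must be set in the packet
            has_flag "$pkt" "$f" || { IFS=$old_ifs; return 1; }
        else
            # flag is examined but not in comp: it must be clear
            ! has_flag "$pkt" "$f" || { IFS=$old_ifs; return 1; }
        fi
    done
    IFS=$old_ifs
    return 0
}

# is_syn PACKET_FLAGS: the --syn shorthand
is_syn() {
    tcp_flags_match SYN,ACK,FIN,RST SYN "$1"
}

# Walk a few packet types through the --syn test
for pkt in SYN SYN,ACK ACK,PSH SYN,PSH FIN,ACK; do
    if is_syn "$pkt"; then verdict=match; else verdict="no match"; fi
    printf '%-10s %s\n' "$pkt" "$verdict"
done
```

Note that SYN,PSH still matches --syn: PSH is outside the mask, so it is not examined. That is why the mask lists exactly the flags that distinguish a fresh connection request (SYN alone) from the SYN,ACK of a reply or the ACK of an established flow, and why `--tcp-flags ALL NONE` describes a packet with no flags set at all.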

Allow 192.168.0.0/24 to reach the port 22 service on 192.168.0.103
[root@lib ~]# iptables -I INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 22 -j ACCEPT    # -I means insert
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
127 9148 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2221 175K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103
10 600 ACCEPT icmp -- 192.168.0.101 192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp dpt:22
1391 152K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
[root@lib ~]#

ssh could no longer connect. Something was wrong; at first it looked as though the client side of the ssh connection was not using port 22 but a random port. That is not the reason, though: the OUTPUT rule above should use --sport 22.
Delete it and reconfigure
[root@lib ~]# iptables -D OUTPUT 1
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT

At this point, if someone runs [root@lib ~]# iptables -F the rules are cleared and only the default policy remains, i.e. policy DROP,
and ssh can no longer connect.

To remove that risk,

configure the rules below. They are equivalent to a default policy of DROP, but without the iptables -F risk described above
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT

[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT

This is equivalent to a default policy of DROP

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 18 packets, 2660 bytes)
num pkts bytes target prot opt in out source destination
1 619 52768 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2 31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
3 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 215 39652 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
2 4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
3 30 2460 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

Pinging the host itself works
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.035/0.004 ms

Back to the earlier default policy
[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P OUTPUT DROP
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 953 77040 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
2 31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 396 60380 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
2 4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101

Pinging the host itself now fails as well; that is too restrictive
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

[root@lib ~]#

Back to production mode
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]#
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1902 148K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
955 132K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

Alternatively, the terminal rules can be written against the network interface
[root@lib ~]# iptables -A INPUT -i ens33 -j REJECT
[root@lib ~]# iptables -A OUTPUT -o ens33 -j REJECT

[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2135 165K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable
1 143 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1082 147K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

Now the third rule can be deleted

[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2217 171K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
31 1860 ACCEPT icmp -- 192.168.0.101 192.168.0.103
3 429 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1127 153K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
4 240 ACCEPT icmp -- 192.168.0.103 192.168.0.101
0 0 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.031/0.041/0.052/0.012 ms
[root@lib ~]#
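The sessions above arrive at a production setup piece by piece: REJECT as the last rule instead of a DROP policy (so an accidental -F opens the host rather than locking the administrator out), scoped with -i/-o to the NIC so loopback keeps working, and the ssh reply rule on --sport 22. The script below is an added example and not the author's code; it reproduces that end state in the order a script has to apply it, and also pre-opens the ICMP echo request/reply pairs with --icmp-type, the match the notes configure next. The names FW_HOST, FW_LAN, FW_PEER, FW_IFACE, IPTABLES and `whitelist_rules` are mine; the defaults are the addresses used in these notes, and IPTABLES defaults to `echo iptables` so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original notes: build the whole whitelist from
# the sessions above as one ordered script instead of a series of -I/-D
# corrections. Run as root with IPTABLES=iptables to apply it for real.
FW_HOST=${FW_HOST:-192.168.0.103}
FW_LAN=${FW_LAN:-192.168.0.0/24}
FW_PEER=${FW_PEER:-192.168.0.101}
FW_IFACE=${FW_IFACE:-ens33}
IPTABLES=${IPTABLES:-echo iptables}

whitelist_rules() {
    # 1. Policies stay ACCEPT. The deny is a rule, not the policy, so an
    #    accidental `iptables -F` opens the host instead of locking the
    #    administrator out over ssh. Because the policy is ACCEPT, flushing
    #    the chains here is safe as well.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    # 2. ssh from the LAN: requests arrive on dport 22, replies leave with
    #    sport 22 (the mistake corrected in the notes was --dport on OUTPUT).
    $IPTABLES -A INPUT -s "$FW_LAN" -d "$FW_HOST" -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -s "$FW_HOST" -d "$FW_LAN" -p tcp --sport 22 -j ACCEPT
    # 3. ICMP echo: let FW_PEER ping us (request in, reply out) and let us
    #    ping anything (request out, reply in). Both directions are needed
    #    because this rule set has no connection-tracking rule.
    $IPTABLES -A INPUT -s "$FW_PEER" -d "$FW_HOST" -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A OUTPUT -s "$FW_HOST" -d "$FW_PEER" -p icmp --icmp-type 0 -j ACCEPT
    $IPTABLES -A OUTPUT -s "$FW_HOST" -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A INPUT -d "$FW_HOST" -p icmp --icmp-type 0 -j ACCEPT
    # 4. Terminal REJECT scoped to the NIC, so loopback (ping 127.0.0.1)
    #    keeps working. Anything appended later with -A lands behind this
    #    rule and is dead; insert new allow rules with -I <chain> <num>.
    $IPTABLES -A INPUT -i "$FW_IFACE" -j REJECT
    $IPTABLES -A OUTPUT -o "$FW_IFACE" -j REJECT
}

whitelist_rules
```

When applying this to a remote host, keep a second ssh session open or save the current rules with `iptables-save` first and schedule an `iptables-restore` of that file a few minutes later, cancelling it once the new rules are confirmed to work; the ordering above makes the window between the flush and the ssh allow harmless, but a typo in FW_LAN would still strand the session.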

Port reference:
    samba: 137, 138 udp; 139, 445 tcp
    dns: tcp 53 or udp 53
udp:
    [!] --source-port, --sport port[:port]: match the packet's source port; may be a port range;
    [!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range;
icmp:
    [!] --icmp-type {type[/code]|typename}
        echo-request: 8
        echo-reply: 0

[root@lib ~]# iptables -D INPUT 2
[root@lib ~]# iptables -D OUTPUT 2
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2453 187K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
38 5520 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1299 188K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
462 42904 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# ping 192.168.0.101
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
From 192.168.0.103 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.103 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.0.101 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms

[root@lib ~]#

Add a rule to let the requests out:
[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3041 236K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
55 9273 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1715 235K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
0 0 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
486 50288 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

Try ping: the requests go out, only no reply is received, because no rule has been configured for that yet

[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.

[root@lamp ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:21:25.826655 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 81, length 64
20:21:25.826691 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 81, length 64
20:21:26.826886 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 82, length 64
20:21:26.826909 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 82, length 64

Add one more rule so the replies are accepted

[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3412 266K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
240 27642 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1923 271K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
679 79464 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.325 ms
^C
--- 192.168.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.325/0.425/0.526/0.102 ms
[root@lib ~]#

Success

Other hosts still cannot ping this one, because no rule has been configured for that
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

[root@lamp ~]#

Configure further
[root@lib ~]# iptables -I INPUT 3 -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 3 -s 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4417 349K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
264 30983 REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2599 346K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
712 89640 REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.317 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.317/0.329/0.341/0.012 ms
[root@lamp ~]#

Configure rules for the samba share server
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -p udp --dport 137:138 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -p udp --sport 137:138 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138
5246 420K ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:22
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
857 119K REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 356 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 udp spts:137:138
3057 430K ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:22
161 13524 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
1257 253K REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

After this configuration telnet still fails

[root@lamp ~]# telnet 192.168.0.103 137
Trying 192.168.0.103...
^C
[root@lamp ~]# telnet 192.168.0.103 138
Trying 192.168.0.103...
^C
[root@lamp ~]#

[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Connection to 192.168.0.103 failed (Error NT_STATUS_IO_TIMEOUT)
[root@lamp ~]#

Ports 139 and 445 still need to be opened


Explicit extensions: the extension module must be loaded manually, [-m matchname [per-match-options]];

Explicit extensions: the -m option must be used to name the extension module to invoke;
1. multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: tcp, udp, udplite, dccp and sctp.
Defines multi-port match conditions in discrete or contiguous form, at most 15 ports;
[!] --source-ports, --sports port[,port|,port:port]...: specify multiple source ports;
[!] --destination-ports, --dports port[,port|,port:port]...: specify multiple destination ports;
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -j ACCEPT

-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve
to multiple addresses, the command will fail. Rules are numbered starting at 1.

[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -R OUTPUT 2 -s 192.168.0.103 -p tcp -m multiport --sport 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138
152 10960 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22,80,139,445
1 84 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 0 code 0
2 168 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
3609 557K REJECT all -- ens33 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
249 54072 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 udp spts:137:138
9 1480 ACCEPT tcp -- 192.168.0.103 0.0.0.0/0 multiport sports 22,80,139,445
1 84 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 8
2 168 ACCEPT icmp -- 192.168.0.103 0.0.0.0/0 icmptype 0 code 0
2645 863K REJECT all -- * ens33 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#
[root@lamp ~]# smbclient -L 192.168.0.103
Enter SAMBA\root's password:
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    HRDept          Disk      HR share file
    IPC$            IPC       IPC Service (Samba 4.8.3)

Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    SAMBA                LIB

[root@lamp ~]#

2. iprange
Specifies a multi-IP match condition as a contiguous address block;
[!] --src-range from[-to]
[!] --dst-range from[-to]
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
# iptables -I OUTPUT -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
3. time
This matches if the packet arrival time/date is within a given range.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --weekdays day[,day...]
[!] --monthdays day[,day...]
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--kerneltz: use the kernel's configured time zone rather than the default UTC;

iptables -R INPUT 3 -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j REJECT

iptables -R INPUT 3 -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --dst-range 172.16.0.61-172.16.0.70 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j REJECT

4. string
Checks whether the (encoded) characters match
This module matches a given string by using some pattern matching strategy.
--algo {bm|kmp}    algorithm
[!] --string pattern
[!] --hex-string pattern
--from offset
--to offset
~]# iptables -I OUTPUT -m string --algo bm --string "gay" -j REJECT

The string pattern can be used for simple text characters.

iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'
5. connlimit
Denial-of-service ***: limits the number of concurrent connections per client
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
--connlimit-upto n
--connlimit-above n
The firewall's default policy here is to reject, so "up to" the limit means allow,
~]# iptables -I INPUT -d 172.16.0.7 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT

[root@lib ~]# systemctl start mariadb
[root@lib ~]#
[root@lib ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> create user 'test'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host from mysql.user where user = 'test';
+------+------+
| user | host |
+------+------+
| test | % |
+------+------+
1 row in set (0.00 sec)

MariaDB [(none)]>

Cannot connect:
[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.103' (110)
[root@lamp ~]#

Add firewall rules
[root@lib ~]# iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 3306 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 2 -d 192.168.0.0/24 -s 192.168.0.103 -p tcp --sport 3306 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
1 60 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:3306
0 0 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:3306
[root@lib ~]#

[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Modify the inbound rule added above (INPUT rule 2): when a single client has more than 2 connections, the extra connections are rejected; the count is taken from completed TCP three-way handshakes
[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -s 192.168.0.0/24 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
0 0 ACCEPT tcp -- 192.168.0.0/24 192.168.0.103 tcp dpt:3306 #conn src/32 <= 2
11 952 ACCEPT tcp -- 192.168.0.103 192.168.0.0/24 tcp spt:3306
[root@lib ~]#

6. limit
Limits by packet sending rate, using a token bucket
This module matches at a limited rate using a token bucket filter.
--limit rate[/second|/minute|/hour|/day]
--limit-burst number    how many tokens can be accumulated
~]# iptables -I OUTPUT -s 172.16.0.7 -p icmp --icmp-type 0 -j ACCEPT
Limit the rate at which a local TCP service accepts new requests: --syn, -m limit

[root@lamp ~]# wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home%3A/matthewdva%3A/build%3A/EPEL%3A/el7/CentOS_7/x86_64/hping3-0.0.20051105-24.el7.x86_64.rpm

[root@lamp ~]# yum install hping3-0.0.20051105-24.el7.x86_64.rpm

[root@lamp ~]# rpm -ql hping3
/usr/sbin/hping
/usr/sbin/hping2
/usr/sbin/hping3

#iptables -I INPUT 6 -d 192.168.0.103 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
#iptables -I OUTPUT 6 -s 192.168.0.103 -p icmp --icmp-type 0 -j ACCEPT

Limiting the number of new web requests; limit the rate at which a local TCP service accepts new requests: --syn, -m limit


7. state
The "state" extension is a subset of the "conntrack" module. "state" allows access to the connection tracking state for this packet.
[!] --state state
INVALID, ESTABLISHED, NEW, RELATED or UNTRACKED.
NEW: a new connection request;
ESTABLISHED: a connection that is already established;
INVALID: a connection that cannot be identified;
RELATED: a related connection: the current connection is a new request, but it belongs to an existing connection;
UNTRACKED: a connection that is not tracked;

Connection tracking: the records are kept in memory and can be queried

state extension:
kernel modules loaded: nf_conntrack, nf_conntrack_ipv4
loaded manually: nf_conntrack_ftp
tracked connections: /proc/net/nf_conntrack
Not recommended to enable under high concurrent load

[root@lib ~]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.103 dst=192.168.0.101 sport=22 dport=56005 src=192.168.0.101 dst=192.168.0.103 sport=56005 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53484 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53484 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53483 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53483 [ASSURED] mark=0 zone=0 use=2
[root@lib ~]#

Adjust the maximum number of connections that can be recorded: /proc/sys/net/nf_conntrack_max

[root@lib ~]# cat /proc/sys/net/nf_conntrack_max
25432
[root@lib ~]#

Timeouts: they differ per protocol: /proc/sys/net/netfilter/*timeout*

[root@lib ~]# cat /proc/sys/net/netfilter/*timeout*
15
600
30
10
60
432000
120
30
300
60
120
120
300
30
180
[root@lib ~]# ls -lt /proc/sys/net/netfilter/
total 0
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_acct
-r--r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_buckets
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_checksum
-r--r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_count
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_events
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_events_retry_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_expect_max
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_generic_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_helper
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_icmp_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_log_invalid
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_max
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_be_liberal
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_loose
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_max_retrans
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_close
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_close_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_established
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_fin_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_last_ack
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_max_retrans
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_syn_recv
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_syn_sent
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_time_wait
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_tcp_timeout_unacknowledged
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_timestamp
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_udp_timeout
-rw-r--r-- 1 root root 0 Aug 4 21:53 nf_conntrack_udp_timeout_stream
dr-xr-xr-x 1 root root 0 Aug 4 21:53 nf_log
[root@lib ~]#
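An added example (not from the original post) that summarises a conntrack table the way you would when checking whether it is close to nf_conntrack_max: the entries are constructed sample lines in the /proc/net/nf_conntrack format shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of /proc/net/nf_conntrack: three TCP entries as shown
# above plus one UDP entry (UDP entries carry no state word).
SAMPLE_CONNTRACK='ipv4 2 tcp 6 299 ESTABLISHED src=192.168.0.103 dst=192.168.0.101 sport=22 dport=56005 src=192.168.0.101 dst=192.168.0.103 sport=56005 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53484 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53484 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.0.101 dst=192.168.0.103 sport=53483 dport=80 src=192.168.0.103 dst=192.168.0.101 sport=80 dport=53483 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 28 src=192.168.0.103 dst=192.168.0.1 sport=44125 dport=53 src=192.168.0.1 dst=192.168.0.103 sport=53 dport=44125 mark=0 zone=0 use=2'

# Count entries per "l4proto state". Field 6 is the state for TCP; for UDP
# it is already the first src= tuple, so those entries are reported as "-".
conntrack_summary() {
    # $1: conntrack table text (on a live host: "$(cat /proc/net/nf_conntrack)")
    printf '%s\n' "$1" | awk '
        {
            proto = $3
            state = ($6 ~ /^src=/) ? "-" : $6
            count[proto " " state]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Number of entries whose original-direction source (the first src= tuple)
# is the given address: what connlimit effectively counts per client.
conntrack_count_for() {
    # $1: table text, $2: client IP
    printf '%s\n' "$1" | awk -v ip="$2" '
        {
            if (match($0, /src=[0-9.]+/) && substr($0, RSTART + 4, RLENGTH - 4) == ip) n++
        }
        END { print n + 0 }
    '
}

# Percentage of the table in use. Once nf_conntrack_count reaches
# nf_conntrack_max new connections are dropped, so this is worth alerting on.
conntrack_usage_pct() {
    # $1: nf_conntrack_count, $2: nf_conntrack_max
    echo $(( $1 * 100 / $2 ))
}

# Demonstration on the constructed sample; the last call uses the page's
# nf_conntrack_max of 25432 with a constructed count of 20000.
conntrack_summary "$SAMPLE_CONNTRACK"
conntrack_count_for "$SAMPLE_CONNTRACK" 192.168.0.101
conntrack_usage_pct 20000 25432
```

On a live host, feed the functions `"$(cat /proc/net/nf_conntrack)"`, `/proc/sys/net/netfilter/nf_conntrack_count` and `/proc/sys/net/nf_conntrack_max`.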

Flush all rules
[root@lib ~]# iptables -F
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
pkts bytes target prot opt in out source destination
[root@lib ~]#

-I inserts as the first rule by default; -A appends after the existing rules

Create the rules
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -p tcp -m multiport --dports 22:23,80,139,445,3306 -m state --state NEW -j ACCEPT
[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -m state --state ESTABLISHED -j ACCEPT
[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 1339 109K ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
3 3 164 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,137,138,139,445,3306 state NEW
4 52 2992 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 773 116K ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 50 4472 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

NTP: outbound time synchronisation with time servers

[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p udp -m multiport --dports 123,323 -m state --state NEW -j ACCEPT

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2146 181K ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 2 120 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
3 3 164 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,137,138,139,445,3306 state NEW
4 52 2992 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1321 191K ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 50 4472 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p udp --dport 137:138 -m state --state NEW -j ACCEPT

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 247 22635 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 6 312 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 22:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 167 30990 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

samba, ssh, mysql and httpd are all accessible:
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Enter SAMBA\smbuser4's password:
Try "help" to get a list of possible commands.
smb: \>

[root@lamp ~]# mysql -u test -h 192.168.0.103 -ptest
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Define rules for ftp
[root@lib ~]# systemctl start vsftpd
[root@lib ~]#

Load the module that tracks ftp
[root@lib ~]# modinfo nf_conntrack_ftp
filename: /lib/modules/3.10.0-514.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias: nfct-helper-ftp
alias: ip_conntrack_ftp
description: ftp connection tracking helper
author: Rusty Russell <rusty@rustcorp.com.au>
license: GPL
rhelversion: 7.3
srcversion: D43BF56A22E3D137BA1227B
depends: nf_conntrack
intree: Y
vermagic: 3.10.0-514.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: D4:88:63:A7:C1:6F:CC:27:41:23:E6:29:8F:74:F0:57:AF:19:FC:54
sig_hashalgo: sha256
parm: ports:array of ushort
parm: loose:bool
[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp 18638 0
nf_conntrack 111302 4 xt_connlimit,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
[root@lib ~]#

Rework the inbound rules to open port 21 and the RELATED state
[root@lib ~]# iptables -R INPUT 3 -d 192.168.0.103 -p tcp -m multiport --dports 21:23,80,139,445,3306 -m state --state NEW -j ACCEPT

[root@lib ~]# iptables -R INPUT 1 -d 192.168.0.103 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@lib ~]#

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 14 1008 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
4 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 182 34934 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

ftp access succeeds
[root@lamp ~]# ftp 192.168.0.103
Connected to 192.168.0.103 (192.168.0.103).
220 (vsFTPd 3.0.2)
Name (192.168.0.103:root): tom
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,103,146,162).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp>

[root@lamp ~]# yum install telnet-server --downloadonly --downloaddir=/tmp/
[root@lamp ~]# scp -p /tmp/telnet-server-0.17-64.el7.x86_64.rpm 192.168.0.103:/tmp/
root@192.168.0.103's password:
telnet-server-0.17-64.el7.x86_64.rpm 100% 41KB 40.8KB/s 00:00
[root@lamp ~]#

[root@lib vsftpd]# yum install /tmp/telnet-server-0.17-64.el7.x86_64.rpm

Start the telnet service

[root@lib vsftpd]# systemctl start telnet.socket
[root@lib vsftpd]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Sun 2019-08-04 23:59:04 CST; 5s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0

Aug 04 23:59:04 lib systemd[1]: Listening on Telnet Server Activation Socket.
Aug 04 23:59:04 lib systemd[1]: Starting Telnet Server Activation Socket.
[root@lib vsftpd]#

Add a logging rule for telnet

[root@lib vsftpd]# iptables -I INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 26 2000 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 191 37230 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

[root@lamp ~]# telnet 192.168.0.103
Trying 192.168.0.103...
Connected to 192.168.0.103.
Escape character is '^]'.

Kernel 3.10.0-514.el7.x86_64 on an x86_64
lib login: test12
Password:
Last login: Mon Aug 5 00:04:03 from lib
[test12@lib ~]$

[root@lib log]# tail -f messages
Aug 5 00:04:01 lib systemd: Started Session 1106 of user root.
Aug 5 00:04:01 lib systemd: Starting Session 1106 of user root.
Aug 5 00:04:03 lib systemd: Created slice user-1050.slice.
Aug 5 00:04:03 lib systemd: Starting user-1050.slice.
Aug 5 00:04:03 lib systemd-logind: New session 1107 of user test12.
Aug 5 00:04:03 lib systemd: Started Session 1107 of user test12.
Aug 5 00:04:03 lib systemd: Starting Session 1107 of user test12.
Aug 5 00:04:17 lib systemd-logind: Removed session 1107.
Aug 5 00:04:17 lib systemd: Removed slice user-1050.slice.
Aug 5 00:04:17 lib systemd: Stopping user-1050.slice.
Aug 5 00:04:31 lib kernel: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43583 DF PROTO=TCP SPT=51302 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 5 00:04:31 lib systemd: Started Telnet Server (192.168.0.102:51302).
Aug 5 00:04:31 lib systemd: Starting Telnet Server (192.168.0.102:51302)...
Aug 5 00:04:36 lib systemd: Created slice user-1050.slice.
Aug 5 00:04:36 lib systemd: Starting user-1050.slice.
Aug 5 00:04:36 lib systemd-logind: New session 1108 of user test12.
Aug 5 00:04:36 lib systemd: Started Session 1108 of user test12.
Aug 5 00:04:36 lib systemd: Starting Session 1108 of user test12.

[root@lib log]# iptables -R INPUT 3 -d 192.168.0.103 -p tcp --dport 23 -m state --state NEW -j LOG --log-prefix "access telnet"
[root@lib log]#

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37 2872 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 199 39934 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 8 688 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable
[root@lib ~]#

The log entries now carry the prefix

[root@lib log]# tail -f messages
Aug 5 00:09:10 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14262 DF PROTO=TCP SPT=60250 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 5 00:09:10 lib systemd: Started Telnet Server (192.168.0.101:60250).
Aug 5 00:09:10 lib systemd: Starting Telnet Server (192.168.0.101:60250)...
Aug 5 00:09:13 lib systemd: Created slice user-1050.slice.
Aug 5 00:09:13 lib systemd: Starting user-1050.slice.
Aug 5 00:09:13 lib systemd-logind: New session 1112 of user test12.
Aug 5 00:09:13 lib systemd: Started Session 1112 of user test12.
Aug 5 00:09:13 lib systemd: Starting Session 1112 of user test12.
Aug 5 00:10:01 lib systemd: Started Session 1113 of user root.
Aug 5 00:10:01 lib systemd: Starting Session 1113 of user root.
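An added example (not from the original post) that parses kernel LOG-target lines like the ones above so they can be counted per source; the sample lines are constructed in that format, and the second one has the prefix "access telnet" set without a trailing space, which is why it runs straight into "IN=". Function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages: two LOG lines (one without a
# prefix, two with the fused "access telnetIN=" prefix) and one unrelated line.
SAMPLE_LOG='Aug 5 00:04:31 lib kernel: IN=ens33 OUT= MAC=00:0c:29:b7:65:02:00:0c:29:20:7b:a8:08:00 SRC=192.168.0.102 DST=192.168.0.103 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=43583 DF PROTO=TCP SPT=51302 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 5 00:09:10 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14262 DF PROTO=TCP SPT=60250 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 5 00:09:12 lib kernel: access telnetIN=ens33 OUT= MAC=00:0c:29:b7:65:02:58:fb:84:0c:97:07:08:00 SRC=192.168.0.101 DST=192.168.0.103 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=14263 DF PROTO=TCP SPT=60251 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 5 00:10:01 lib systemd: Started Session 1113 of user root.'

# The --log-prefix text: everything between "kernel: " and "IN=".
# Empty when the rule had no prefix.
log_prefix() {
    # $1: one log line
    printf '%s\n' "$1" | sed -n 's/.*kernel: \([^=]*\)IN=.*/\1/p'
}

# Value of one KEY=value field. The key must be preceded by a space, so
# "IN" is not found on the fused-prefix line: set the prefix with a
# trailing space ("access telnet ") to keep the fields separated.
log_field() {
    # $1: one log line, $2: key such as SRC, DST, SPT, DPT, PROTO
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Count LOG lines per source address for a given destination port.
log_count_by_dport() {
    # $1: log text, $2: destination port
    printf '%s\n' "$1" | awk -v port="$2" '
        /kernel: / && / PROTO=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == port) n[src]++
        }
        END { for (s in n) print s, n[s] }
    ' | LC_ALL=C sort
}

# Demonstration on the constructed sample.
log_count_by_dport "$SAMPLE_LOG" 23
```

On the host itself the same functions work on `grep 'kernel: ' /var/log/messages`.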

Actions (jump targets): -j targetname [per-target-options]
Simple targets: ACCEPT, DROP
Extended targets:
REJECT
This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal.
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, or icmp-admin-prohibited (*), which return the appropriate ICMP error message (icmp-port-unreachable is the default).
LOG
Turn on kernel logging of matching packets.
--log-level
--log-prefix
By default the log entries go to /var/log/messages
RETURN: return to the calling chain;
A custom chain as target:

[root@lib ~]# iptables -N in_ping_rules
[root@lib ~]# iptables -A in_ping_rules -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I in_ping_rules -d 192.168.0.103 -s 192.168.0.101 -p icmp -j REJECT

[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 69 5272 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 222 45494 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 96 8256 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable

Chain in_ping_rules (0 references)    <- not in effect yet: the chain has to be called from a built-in chain
num pkts bytes target prot opt in out source destination
1 0 0 REJECT icmp -- 192.168.0.101 192.168.0.103 reject-with icmp-port-unreachable
2 0 0 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
[root@lib ~]#

[root@lib ~]# iptables -I INPUT 5 -d 192.168.0.103 -p icmp -j in_ping_rules
[root@lib ~]# iptables --line-numbers -vnL
Chain INPUT (policy ACCEPT 1 packets, 143 bytes)
num pkts bytes target prot opt in out source destination
1 84 6368 ACCEPT all -- 0.0.0.0/0 192.168.0.103 state RELATED,ESTABLISHED
2 0 0 ACCEPT udp -- 0.0.0.0/0 192.168.0.103 udp dpts:137:138 state NEW
3 0 0 LOG tcp -- 0.0.0.0/0 192.168.0.103 tcp dpt:23 state NEW LOG flags 0 level 4 prefix "access telnet"
4 0 0 ACCEPT tcp -- 0.0.0.0/0 192.168.0.103 multiport dports 21:23,80,139,445,3306 state NEW
5 0 0 in_ping_rules icmp -- 0.0.0.0/0 192.168.0.103
6 0 0 REJECT all -- 0.0.0.0/0 192.168.0.103 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 232 48662 ACCEPT all -- 192.168.0.103 0.0.0.0/0 state ESTABLISHED    (the catch-all rule: whatever was allowed in can go back out)
2 0 0 ACCEPT udp -- 192.168.0.103 0.0.0.0/0 multiport dports 123,323 state NEW
3 96 8256 REJECT all -- 192.168.0.103 0.0.0.0/0 reject-with icmp-port-unreachable

Chain in_ping_rules (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT icmp -- 192.168.0.101 192.168.0.103 reject-with icmp-port-unreachable
2 0 0 ACCEPT icmp -- 0.0.0.0/0 192.168.0.103 icmptype 8
[root@lib ~]#

Ping from the other host now succeeds:
[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.604 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.834 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.604/0.719/0.834/0.115 ms
[root@lamp ~]#

[root@lib ~]# iptables -X in_ping_rules    (this chain is still referenced by a rule, so it cannot be deleted)
iptables: Too many links.
[root@lib ~]#

Saving and loading rules:
    Save: iptables-save > /PATH/TO/SOME_RULE_FILE
    Reload: iptables-restore < /PATH/FROM/SOME_RULE_FILE
        -n, --noflush: do not flush the existing rules before loading
        -t, --test: only parse and build the rule set, do not commit it
CentOS 6:
    Save rules: service iptables save
        Writes the rules to /etc/sysconfig/iptables, overwriting the file;
    Reload rules: service iptables restart
        Loads the rules from /etc/sysconfig/iptables by default
    Configuration file: /etc/sysconfig/iptables-config
CentOS 7:
    (1) a custom unit file that runs iptables-restore;
    (2) the firewalld service;
    (3) a custom script;
Rule optimization ideas: use user-defined chains to hold the rules of a particular application, so that rules are managed as modules;
    (1) Accept packets in state ESTABLISHED, in both directions, before anything else;
    (2) Among rules serving different functions, put the ones most likely to match a packet first;
    (3) Among rules serving the same function, put the ones with the stricter match conditions first;
    (4) Set a default policy, i.e. a whitelist mechanism:
        (a) iptables -P: not recommended;
        (b) recommended: define a final rule at the end of the chain to act as the default policy;
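The ordering advice above, and the "0 references" point made earlier about the in_ping_rules chain, can both be checked mechanically against an iptables-save dump. The following is an added example (not code from the original post): a small linter that parses iptables-save output, flags user-defined chains no rule jumps to, flags built-in chains where a NEW-state accept precedes the ESTABLISHED accept, and flags chains whose last rule is not an explicit REJECT/DROP. The sample dump is constructed; its INPUT chain is deliberately mis-ordered and its custom chain is deliberately unreferenced.

```python
"""Lint an iptables-save dump against the rule-ordering advice in the text."""
import re
from collections import OrderedDict

# Constructed sample (not a dump from the original post): the filter table
# with a mis-ordered INPUT chain and an unreferenced user-defined chain.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:in_ping_rules - [0:0]
-A INPUT -p tcp -m multiport --dports 21:23,80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A in_ping_rules -s 192.168.0.101/32 -p icmp -j REJECT --reject-with icmp-port-unreachable
-A in_ping_rules -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def parse_dump(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save formatted text."""
    tables = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter": start of a table
            table = line[1:]
            tables[table] = OrderedDict()
        elif line.startswith(":"):               # ":INPUT ACCEPT [0:0]": chain declaration
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):             # "-A CHAIN ...": a rule appended to CHAIN
            tables[table].setdefault(line.split()[1], []).append(line)
        # COMMIT and anything else is ignored
    return tables


def lint(tables):
    """Return a list of human-readable findings; an empty list means no problems."""
    findings = []
    for table, chains in tables.items():
        # Every target any rule in this table jumps to (ACCEPT, DROP, user chains, ...)
        referenced = set()
        for rules in chains.values():
            for r in rules:
                m = re.search(r"-j (\S+)", r)
                if m:
                    referenced.add(m.group(1))
        for chain, rules in chains.items():
            if chain not in BUILTIN:
                if chain not in referenced:
                    findings.append(f"{table}/{chain}: user-defined chain has 0 references, so it never sees traffic")
                continue
            if not rules:
                continue
            # (1) the ESTABLISHED accept should come before any per-service NEW accept
            est = next((i for i, r in enumerate(rules)
                        if re.search(r"--(ct)?state \S*ESTABLISHED", r) and "-j ACCEPT" in r), None)
            new = next((i for i, r in enumerate(rules)
                        if re.search(r"--(ct)?state \S*NEW", r) and "-j ACCEPT" in r), None)
            if est is not None and new is not None and new < est:
                findings.append(f"{table}/{chain}: ESTABLISHED accept at rule {est + 1} comes after a NEW accept at rule {new + 1}")
            # (4b) whitelist: the final rule should be an explicit default-deny
            if not re.search(r"-j (REJECT|DROP)\b", rules[-1]):
                findings.append(f"{table}/{chain}: last rule is not a REJECT/DROP default policy")
    return findings


if __name__ == "__main__":
    for f in lint(parse_dump(SAMPLE_DUMP)):
        print(f)
```

Run it against a live system with `iptables-save | python3 lint.py` after changing the `__main__` block to read `sys.stdin`; on the constructed sample it reports exactly the two problems planted in it.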

Block the server's port-80 service from initiating outbound connections: outbound packets must not be in state NEW, only ESTABLISHED, to prevent ***


iptables/netfilter:
netfilter tables: raw (connection tracking), mangle (packet modification), nat (address translation), filter (packet filtering)
PREROUTING --> INPUT
PREROUTING --> FORWARD --> POSTROUTING
OUTPUT --> POSTROUTING
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING

iptables: [-t table] COMMAND [chain] rule-specification
    rule-specification: -m matchname [per-match-options] -j targetname [per-target-options] [options]
Match conditions:
    Basic matches: -s, -d, -p, -m, -i, -o
    Extended matches:
        Implicit extensions:
            -p tcp: --dport, --sport, --tcp-flags, --syn
            -p udp: --dport, --sport
            -p icmp: --icmp-type
        Explicit extensions:
            multiport: --sports, --dports
            iprange: --src-range, --dst-range
            time: --timestart, --timestop, --weekdays, --monthdays, --datestart, --datestop
            string: --algo {bm|kmp}, --string
            connlimit: --connlimit-upto, --connlimit-above
            limit: --limit, --limit-burst
            state: --state NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
Targets: -j
    ACCEPT / DROP
    REJECT: --reject-with
    LOG: --log-level, --log-prefix
    user-defined chain
    RETURN
iptables-save / iptables-restore

iptables(3)
iptables/netfilter as a network firewall:
(1) runs on the gateway;
(2) uses the FORWARD chain of the filter table;

    Points to note: (1) both the request and the response packets pass through the FORWARD chain, so mind the direction of each rule; (2) if the conntrack mechanism is enabled, accept packets in state ESTABLISHED in both directions directly;

Hiding internal IP addresses: when an internal host accesses an external server, the source IP is rewritten to the IP of the external-facing gateway.

    NAT: Network Address Translation
        Request packets: the translation is defined by the administrator;
        Response packets: translated back automatically by the conntrack mechanism of NAT;
        Request packets:
            change the source address: SNAT, MASQUERADE
            change the destination address: DNAT
    iptables/netfilter: NAT is defined in the nat table; chains PREROUTING, INPUT, OUTPUT, POSTROUTING
        SNAT: POSTROUTING, changes the source IP
        DNAT: PREROUTING, changes the destination IP
        PAT: changes the source port
        On a cloud server with a public IP, keep an eye on the number of tracked connections
    target:
        SNAT: This target is only valid in the nat table, in the POSTROUTING and INPUT chains, and user-defined chains which are only called from those chains.
            --to-source [ipaddr[-ipaddr]]
        DNAT: This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
            --to-destination [ipaddr[-ipaddr]][:port[-port]]
        MASQUERADE: This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.
            Used in place of SNAT on the POSTROUTING chain for source address translation when the external address is not fixed;
        REDIRECT: This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
            --to-ports port[-port]
    layer7
    Host A: 192.168.10.2       Server C: 172.16.0.67

Host B acts as the router: NIC1: 192.168.10.254, NIC2: 172.16.0.6; enable IPv4 forwarding
Add a route to the internal network via host B:
#route add -net 192.168.10.0/24 gw 172.16.0.6

Add the default-deny firewall rule:
#iptables -A FORWARD -j REJECT

Outbound request packets:
#iptables -I FORWARD -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT

Inbound response packets (the original line had the typo --sdport; the option is --sport):
#iptables -I FORWARD -d 192.168.10.0/24 -p tcp --sport 80 -j ACCEPT

####################
Using connection state: internal hosts may access any network service outside, while the outside cannot reach the internal network

#iptables -D FORWARD 1
#iptables -D FORWARD 1

#iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT

#iptables -I FORWARD 2 -s 192.168.10.0/24 -m state --state NEW -j ACCEPT

####################
Expose one internal service to the outside:
#iptables -I FORWARD 3 -d 192.168.10.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT

Expose several services to the outside (replacing rule 3 with a multiport rule):

#iptables -R FORWARD 3 -d 192.168.10.2 -p tcp -m multiport --dports 21:23,80,139,445 -m state --state NEW -j ACCEPT

#iptables -I FORWARD 4 -d 192.168.10.2 -p udp --dport 137:138 -m state --state NEW -j ACCEPT

Load the FTP connection-tracking helper:
#modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]#
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       18638  0
nf_conntrack          111302  1 nf_conntrack_ftp
[root@lib ~]#

The module is lost after a reboot.

To load it permanently, list it in IPTABLES_MODULES in /etc/sysconfig/iptables-config:
[root@lib ~]# diff /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config.bk.20190806
6c6
< IPTABLES_MODULES="nf_conntrack_ftp"
---
> IPTABLES_MODULES=""
[root@lib ~]#

Allow FTP access (with the helper loaded, FTP data connections are matched as RELATED):
#iptables -I FORWARD 5 -d 192.168.10.2 -p tcp -m state --state RELATED -j ACCEPT

# Implementing NAT

#iptables -F FORWARD

Internal hosts access external services with their internal IPs hidden, implemented with SNAT:

#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.0.6

DNAT implementation:
External hosts access an internal service

#iptables -t nat -F

#iptables -t nat -A PREROUTING -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2

PAT implementation (also done with DNAT):
The outside accesses port 80 of the internal service, which is actually port 8080
#iptables -t nat -R PREROUTING 1 -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080

#iptables -A FORWARD -s 172.16.0.200 -p tcp --dport 8080 -d 192.168.10.2 -j REJECT

Local port redirection:

#iptables -A PREROUTING -t nat -d 192.168.10.2 -p tcp --dport 80 -j REDIRECT --to-ports 8080
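The NAT description above says the administrator only writes the request-direction rewrite, and conntrack undoes it for the reply. The following is an added example (not code from the original post) that models exactly that: SNAT on POSTROUTING for the outbound request from host A to server C, DNAT with a changed port (the PAT case) on PREROUTING for an inbound request, and a conntrack table that rewrites each reply and labels an unsolicited packet NEW. The addresses are the lab values from the text; the ports and the external client 172.16.0.200 are constructed for the example.

```python
"""Model netfilter NAT plus conntrack for the lab topology in the text:
host A 192.168.10.2 behind gateway B (external address 172.16.0.6), server C 172.16.0.67."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL_NET = "192.168.10."      # 192.168.10.0/24 behind host B
GATEWAY_EXT = "172.16.0.6"        # host B's external-facing address


class NatGateway:
    """Stand-in for the nat table (admin-defined rules) plus the conntrack table."""

    def __init__(self):
        # key: the 4-tuple of the reply as it will arrive from the far end
        # value: the request as the initiator originally sent it
        self.conntrack = {}

    def _remember(self, translated, original):
        self.conntrack[(translated.dst, translated.dport, translated.src, translated.sport)] = original

    def postrouting_snat(self, pkt):
        """Models: iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.0.6"""
        if not pkt.src.startswith(INTERNAL_NET):
            return pkt
        translated = replace(pkt, src=GATEWAY_EXT)
        self._remember(translated, pkt)
        return translated

    def prerouting_dnat(self, pkt, dnat_map):
        """Models: iptables -t nat -A PREROUTING -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080
        dnat_map is {(public_ip, public_port): (internal_ip, internal_port)};
        a differing internal port is the PAT case from the text."""
        target = dnat_map.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        translated = replace(pkt, dst=target[0], dport=target[1])
        self._remember(translated, pkt)
        return translated

    def reply(self, pkt):
        """Reply as emitted by the responder. Returns (rewritten packet, state):
        ESTABLISHED when conntrack knows the flow and reverses the translation,
        NEW when there is no entry (the filter chains then see an unsolicited packet)."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return pkt, "NEW"
        return Packet(src=original.dst, sport=original.dport,
                      dst=original.src, dport=original.sport), "ESTABLISHED"


def run_demo():
    gw = NatGateway()
    # SNAT: host A opens a connection to server C on port 80
    req = Packet("192.168.10.2", 40000, "172.16.0.67", 80)
    on_wire = gw.postrouting_snat(req)
    c_reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)   # C answers the gateway address
    back_to_a, st1 = gw.reply(c_reply)
    # DNAT + PAT: constructed external client reaches 172.16.0.6:80, which is really A:8080
    dnat_map = {(GATEWAY_EXT, 80): ("192.168.10.2", 8080)}
    inbound = Packet("172.16.0.200", 50000, GATEWAY_EXT, 80)
    to_a = gw.prerouting_dnat(inbound, dnat_map)
    a_reply = Packet(to_a.dst, to_a.dport, to_a.src, to_a.sport)
    back_to_client, st2 = gw.reply(a_reply)
    # A packet from outside that matches no tracked flow
    _, st3 = gw.reply(Packet("172.16.0.67", 80, GATEWAY_EXT, 40001))
    return {"snat_on_wire": on_wire, "snat_reply": back_to_a, "snat_state": st1,
            "dnat_to_internal": to_a, "dnat_reply": back_to_client, "dnat_state": st2,
            "stray_state": st3}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The client in the DNAT case sees its reply come from 172.16.0.6:80 even though the service answered from 192.168.10.2:8080, which is why only the PREROUTING rule has to be written by hand. The stray packet is the case the FORWARD rules above handle with the ESTABLISHED-first ordering: with no conntrack entry it is NEW and falls through to the service-specific rules or the final REJECT.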

tcp_wrapper:

Library: libwrap.so, the TCP wrapper library.
How to tell whether a service program can be access-controlled by tcp_wrapper:
    (1) it is dynamically linked against libwrap.so:
        ldd /PATH/TO/PROGRAM  (look for libwrap.so in the output)
    (2) libwrap.so is statically compiled into the program:
        strings /PATH/TO/PROGRAM  (look for hosts_access in the output)
Configuration files: /etc/hosts.allow, /etc/hosts.deny
    See 'man 5 hosts_options' and 'man 5 hosts_access' for information on rule syntax.
Configuration file syntax:
    daemon_list : client_list [ : option : option ... ]
    daemon_list: list of program file names
        (1) a single program file name;
        (2) a comma-separated list of program file names;
        (3) ALL: every program under tcp_wrapper control;
    client_list:
        (1) a single IP address or host name;
        (2) a network address: n.n.n.n/m.m.m.m or n.n.n.;
        (3) built-in ACLs: ALL: all client hosts; LOCAL: matches any host whose name does not contain a dot character; UNKNOWN; KNOWN; PARANOID
        OPERATORS: EXCEPT
            list1 EXCEPT list2 EXCEPT list3
            sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
    [ : option : option ... ]
        deny: deny access; mainly used in hosts.allow to define "deny" rules;
        allow: allow access; mainly used in hosts.deny to define "allow" rules;
        spawn: trigger execution of an arbitrary command given by the user; usually used here to write a log record;
            vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
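To see how hosts.allow and hosts.deny combine, the following added example (not code from the original post, and not libwrap itself) evaluates a (daemon, client IP) pair the way hosts_access(5) describes: hosts.allow is consulted first and a match grants access, then hosts.deny and a match denies, otherwise access is granted; the deny/allow options invert a rule's verdict, and EXCEPT nests to the right, so "a EXCEPT b EXCEPT c" reads as a EXCEPT (b EXCEPT c). The two sample files are constructed around the sshd and vsftpd lines from the text; hostname-based patterns (LOCAL, KNOWN, UNKNOWN, PARANOID) are not modelled because they need DNS.

```python
"""Evaluate tcp_wrappers access decisions from hosts.allow / hosts.deny text."""
import ipaddress

# Constructed sample files (the sshd and vsftpd lines follow the text's examples).
HOSTS_ALLOW = """\
sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
"""
HOSTS_DENY = """\
ALL: ALL
"""


def _parse(text):
    """Yield (daemon_names, client_list_expression, options) per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append(([d.strip() for d in fields[0].split(",")], fields[1], fields[2:]))
    return rules


def _match_pattern(pattern, client_ip):
    """One client pattern: ALL, n.n.n. prefix, n.n.n.n/m.m.m.m network, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                          # "172.16." prefix form
        return client_ip.startswith(pattern)
    if "/" in pattern:                                  # "n.n.n.n/m.m.m.m" form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern


def _match_client_list(expr, client_ip):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c), per hosts_access(5)."""
    head, sep, rest = expr.partition(" EXCEPT ")
    head_hit = any(_match_pattern(p, client_ip) for p in head.replace(",", " ").split())
    if not sep:
        return head_hit
    return head_hit and not _match_client_list(rest, client_ip)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (granted, spawn_command_or_None) for the first matching rule."""
    for default_verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in _parse(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if not _match_client_list(clients, client_ip):
                continue
            verdict, spawn = default_verdict, None
            for opt in options:
                if opt == "deny":
                    verdict = False
                elif opt == "allow":
                    verdict = True
                elif opt.startswith("spawn "):
                    spawn = opt[len("spawn "):]     # recorded, not executed, in this model
            return verdict, spawn
    return True, None                                  # no rule matched: access granted


if __name__ == "__main__":
    for ip in ("172.16.5.5", "172.16.100.5", "172.16.100.68", "10.0.0.1"):
        print("sshd from", ip, "->", hosts_access("sshd", ip))
```

The nested EXCEPT gives the result the text's sshd line intends: 172.16.100.68 is let in although the rest of 172.16.100.0/24 is kept out, and everything else in 172.16.0.0/16 is allowed. Any daemon or client the allow file does not mention falls through to the ALL: ALL line in hosts.deny.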