
20151208 Linux System Day-to-Day Administration (Part 2: packet capture tools tcpdump, wireshark; firewall tools: selinux, iptables)

2015-12-08 15:29
1. Packet capture tool: tcpdump (all of these must be run as root)

tcpdump, the packet capture tool that ships with the system:
tcpdump -nn -i eth0 tcp and host 192.168.0.1 and port 80
tcpdump -nn -s0 tcp and port not 22 -c 100 -w 1.cap

[root@niejicai-linux ~]# tcpdump

Show IP addresses and ports as plain numbers (-nn):

[root@niejicai-linux ~]# tcpdump -nn

You can also specify the interface, the IP address and the packet type (this captures the flow of packets; in day-to-day work the packet flow is mostly what we look at!)

[root@niejicai-linux ~]# tcpdump -nn -i eth0 tcp and port 22 and host 192.168.1.218 (the host address matches either the packet's source IP or its destination IP).
Capture the packet contents themselves (write them to a file):

[root@niejicai-linux ~]# tcpdump -nn -i eth0 tcp and port 22 and host 192.168.1.217 -w /tmp/1.txt
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C9 packets captured
9 packets received by filter
0 packets dropped by kernel
[root@niejicai-linux ~]# du -h /tmp/1.txt
4.0K /tmp/1.txt
View the contents (strings):

[root@niejicai-linux tmp]# strings /tmp/1.txt
FEeV9u
%}>&[@
r]'l
k%-GJ
'.qV
GEeVT
d.80
%}>&[@
r]'l
k%-GJ
'.qV
GEeV
4r @
SPEeV
xr!@
PEeV
TEeV'
xr$@
)l5\
Ima;*
TEeV|
gEeV
hrA@
gEeV
[root@niejicai-linux tmp]#
You can also limit the number of packets with -c:

[root@niejicai-linux ~]# tcpdump -nn -i eth0 tcp port 22 and host 192.168.1.217 -c 10 -w /tmp/1.txt
This means the capture stops automatically after 10 packets.

[root@niejicai-linux ~]# tcpdump -nn -s0 -i eth0 tcp and port 22 and host 192.168.1.217 -w /tmp/1.txt
-s0 captures every packet in full, so that nothing is missed!
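The file written with -w above is not text: it is a binary pcap capture (a 24-byte global header followed by a 16-byte record header plus raw bytes for each packet), which is why strings prints only stray printable runs. The following is an added example, not part of the original post, that reads such a file with od and wc alone: it checks the magic number, reports the snaplen (the "capture size 65535 bytes" in the output above) and the link type, counts the packet records, and counts packets whose stored length is shorter than their on-the-wire length, which is exactly what -s0 prevents. The two-packet capture it builds is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a "tcpdump -w" file
# with od/wc only. pcap layout: 24-byte global header, then per packet a
# 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) and incl_len
# bytes of raw frame. Only the little-endian microsecond pcap magic is
# handled; big-endian, nanosecond and pcapng files are rejected for brevity.

# Read a 32-bit little-endian unsigned integer at byte offset $2 of file $1.
le32() {
    # od prints the four bytes as hex; reverse them to build the number.
    set -- $(od -An -tx1 -j "$2" -N 4 "$1")
    echo $(( 0x$4$3$2$1 ))
}

# Print "snaplen=... linktype=... packets=... truncated=..." for a pcap file.
# Returns 1 if the magic number is not pcap's.
pcap_info() {
    file=$1
    magic=$(od -An -tx1 -N 4 "$file" | tr -d ' \n')
    case $magic in
        d4c3b2a1) ;;   # little-endian pcap with microsecond timestamps
        *) echo "not a little-endian pcap file (magic $magic)"; return 1 ;;
    esac
    snaplen=$(le32 "$file" 16)     # bytes 16-19 of the global header
    linktype=$(le32 "$file" 20)    # bytes 20-23; 1 = Ethernet (EN10MB)
    size=$(wc -c < "$file")
    count=0; truncated=0; off=24
    # Walk the records: incl_len says how many frame bytes follow the header,
    # orig_len is the frame's length on the wire (larger when snaplen cut it).
    while [ "$off" -lt "$size" ]; do
        incl=$(le32 "$file" $((off + 8)))
        orig=$(le32 "$file" $((off + 12)))
        [ "$incl" -lt "$orig" ] && truncated=$((truncated + 1))
        off=$((off + 16 + incl))
        count=$((count + 1))
    done
    echo "snaplen=$snaplen linktype=$linktype packets=$count truncated=$truncated"
}

# Write a constructed two-packet capture to $1 (octal escapes, so POSIX printf works).
make_sample_pcap() {
    out=$1
    # Global header: magic d4c3b2a1, version 2.4, thiszone 0, sigfigs 0,
    # snaplen 65535, linktype 1 (Ethernet).
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$out"
    # Record 1: ts_sec=1, ts_usec=0, incl_len=14, orig_len=14, then a 14-byte
    # Ethernet header (broadcast dst, constructed src MAC, ethertype 0x0806 ARP).
    printf '\001\000\000\000\000\000\000\000\016\000\000\000\016\000\000\000' >> "$out"
    printf '\377\377\377\377\377\377\200\356\163\152\033\317\010\006' >> "$out"
    # Record 2: ts_sec=2, incl_len=20 but orig_len=60: a frame cut short by a small snaplen.
    printf '\002\000\000\000\000\000\000\000\024\000\000\000\074\000\000\000' >> "$out"
    printf '\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024' >> "$out"
}

# Demo: build the constructed capture and inspect it.
sample=$(mktemp)
make_sample_pcap "$sample"
pcap_info "$sample"
rm -f "$sample"
```

To read the capture properly, replay it with tcpdump -nn -r /tmp/1.txt (the same filter syntax applies to a saved file as to a live capture) or open it in Wireshark.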

-----------------------------------------------------------------------------------------------------------------------------------------------------

2. wireshark (all of these must be run as root)
It can be installed on Linux too: yum install -y wireshark
Capture and analyze HTTP requests: tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"

Pick the interface (-i) according to your server's network card:

[root@niejicai-linux ~]# tshark -i eth0 -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Dec 7, 2015 17:14:06.608116092 [FF02::C]:1900 M-SEARCH *
Dec 7, 2015 17:14:10.609516230 [FF02::C]:1900 M-SEARCH *
Dec 7, 2015 17:14:13.610506890 [FF02::C]:1900 M-SEARCH

...
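The lines in that output are SSDP M-SEARCH messages sent to IPv6 multicast, not web traffic: SSDP is HTTP-formatted over UDP, so the http.request filter matches it and the ip.src field comes out empty. Below is an added example, not part of the original post, that post-processes the tab-separated -T fields output of the command above: it separates that SSDP noise from real requests, counts requests per client and per host/method pair, and names the busiest client. The sample lines are constructed to follow the field order of that tshark command.

```shell
#!/bin/sh
# Added example (not from the original post): summarize tshark output produced
# with -T fields -e frame.time -e ip.src -e http.host -e http.request.method
# -e http.request.uri (tab-separated, one request per line). All functions
# read that format on stdin.

# Constructed sample in the same five-column layout. The third line is an
# IPv6 SSDP M-SEARCH: the http.request filter matches it and ip.src is empty.
sample_requests() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        'Dec  8, 2015 10:01:02.000000000' '192.168.1.66' 'www.example.com' 'GET'      '/index.html' \
        'Dec  8, 2015 10:01:03.000000000' '192.168.1.66' 'www.example.com' 'POST'     '/login' \
        'Dec  8, 2015 10:01:04.000000000' ''             '[FF02::C]:1900'  'M-SEARCH' '*' \
        'Dec  8, 2015 10:01:05.000000000' '192.168.1.91' 'www.example.com' 'GET'      '/index.html' \
        'Dec  8, 2015 10:01:06.000000000' '192.168.1.91' 'api.example.com' 'GET'      '/status' \
        'Dec  8, 2015 10:01:07.000000000' '192.168.1.66' 'www.example.com' 'GET'      '/about.html'
}

# Number of SSDP lines (M-SEARCH/NOTIFY are SSDP methods, never real web requests).
count_ssdp() {
    awk -F'\t' '$4 == "M-SEARCH" || $4 == "NOTIFY" { n++ } END { print n + 0 }'
}

# "count client" per source IP, busiest first; lines without ip.src are skipped.
requests_by_client() {
    awk -F'\t' '$2 != "" { c[$2]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# "count<TAB>host<TAB>method", most frequent first, again skipping SSDP noise.
methods_by_host() {
    awk -F'\t' '$2 != "" { c[$3 "\t" $4]++ } END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# The single client that issued the most requests.
top_client() {
    requests_by_client | head -n 1
}

# Demo on the constructed sample.
echo "SSDP lines matched by http.request: $(sample_requests | count_ssdp)"
echo "Requests per client:"; sample_requests | requests_by_client
echo "Host/method pairs:";   sample_requests | methods_by_host
```

Feed real output in with tshark ... | requests_by_client. To keep SSDP out at capture time, tighten the read filter to -R "http.request and tcp".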

[root@niejicai-linux ~]# tshark
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000000 183.60.56.21 -> 192.168.1.217 OICQ 121 OICQ Protocol
0.378487961 192.168.1.66 -> 234.123.12.1 UDP 258 Source port: 20141 Destination port: 20141
0.409665645 192.168.1.218 -> 192.168.1.217 SSH 182 Encrypted response packet len=128
0.414243255 192.168.1.218 -> 192.168.1.217 SSH 198 Encrypted response packet len=144
0.414538447 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > ssh [ACK] Seq=1 Ack=273 Win=16273 Len=0
0.454146057 192.168.1.224 -> 234.123.12.1 UDP 266 Source port: 20141 Destination port: 20141
0.672030179 183.224.34.146 -> 192.168.1.217 TCP 60 http > 56209 [FIN, ACK] Seq=1 Ack=1 Win=123 Len=0
0.672046022 192.168.1.217 -> 183.224.34.146 TCP 60 56209 > http [ACK] Seq=1 Ack=2 Win=32510 Len=0
0.673281662 Micro-St_f8:43:4a -> Broadcast ARP 60 Who has 192.168.1.222? Tell 192.168.1.66
0.673932572 ByzoroNe_00:07:21 -> Broadcast ARP 60 Who has 192.168.1.217? Tell 192.168.1.91
0.673946824 Shuttle_6a:1b:cf -> ByzoroNe_00:07:21 ARP 60 192.168.1.217 is at 80:ee:73:6a:1b:cf
0.847288661 fe80::658d:e19b:ff8b:8001 -> ff02::c SSDP 208 M-SEARCH * HTTP/1.1
1.108472513 192.168.1.218 -> 192.168.1.217 SSH 470 Encrypted response packet len=416
1.115710972 192.168.1.218 -> 192.168.1.217 SSH 310 Encrypted response packet len=256
1.116066757 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > ssh [ACK] Seq=1 Ack=945 Win=16105 Len=0
1.173705529 192.168.1.218 -> 192.168.1.217 SSH 406 Encrypted response packet len=352
1.178867119 192.168.1.218 -> 192.168.1.217 SSH 198 Encrypted response packet len=144
1.179171245 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > ssh [ACK] Seq=1 Ack=1441 Win=16425 Len=0
1.684094885 192.168.1.218 -> 192.168.1.217 SSH 662 Encrypted response packet len=608
1.884003591 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > ssh [ACK] Seq=1 Ack=2049 Win=16273 Len=0
2.002482433 65280.1 -> 0.255 ZIP 60 GetNetInfo request
2.255821935 192.168.1.218 -> 192.168.1.217 SSH 358 Encrypted response packet len=304
2.371689700 192.168.1.66 -> 234.123.12.1 UDP 258 Source port: 20141 Destination port: 20141
2.455938954 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > ssh [ACK] Seq=1 Ack=2353 Win=16197 Len=0
2.466058925 192.168.1.224 -> 234.123.12.1 UDP 266 Source port: 20141 Destination port: 20141
2.891141884 fe80::658d:e19b:ff8b:8001 -> ff02::1:2 DHCPv6 157 Solicit XID: 0x1db6d0 CID: 000100011dad1a1d80ee736a1bcf
...

[root@niejicai-linux ~]# tshark -nn
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000000 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.145? Tell 192.168.1.66
0.144388210 192.168.1.66 -> 234.123.12.1 UDP 258 Source port: 20141 Destination port: 20141
0.254781606 00:22:aa:6e:ce:ae -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.216? Tell 192.168.1.254
0.255653395 192.168.1.218 -> 192.168.1.217 SSH 406 Encrypted response packet len=352
0.455867534 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > 22 [ACK] Seq=1 Ack=353 Win=16425 Len=0
0.462066861 183.60.56.21 -> 192.168.1.217 OICQ 121 OICQ Protocol
0.774112995 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.106? Tell 192.168.1.66
0.776764418 192.168.1.218 -> 192.168.1.217 SSH 470 Encrypted response packet len=416
0.976832138 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > 22 [ACK] Seq=1 Ack=769 Win=16321 Len=0
1.166878086 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.145? Tell 192.168.1.66
1.245341637 00:22:aa:6e:ce:ae -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.216? Tell 192.168.1.254
1.431430536 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.8? Tell 192.168.1.66
^C1.432436572 192.168.1.218 -> 192.168.1.217 SSH 598 Encrypted response packet len=544
1.433230542 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.109? Tell 192.168.1.66
1.435366473 6c:62:6d:f8:43:4a -> ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.1.101? Tell 192.168.1.66
1.632994138 192.168.1.217 -> 192.168.1.218 TCP 60 49864 > 22 [ACK] Seq=1 Ack=1313 Win=16185 Len=0
1.658449744 192.168.1.224 -> 234.123.12.1 UDP 266 Source port: 20141 Destination port: 20141
1.721804390 192.168.1.217 -> 192.168.1.218 SSH 118 Encrypted request packet len=64
18 packets captured
-----------------------------------------------------------------------------------------------------------------------------------------------------

3. selinux (firewall tool)
Check the SELinux status:

[root@niejicai-linux ~]# getenforce
Disabled

[root@niejicai-linux ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

-----------------------------------------------------------------------------------------------------------------------------------------------------

4. iptables (firewall tool)

iptables rule basics:
iptables -F (does not reset the default policy)
Clear rules: iptables -F (the filter table is assumed by default).
List rules: iptables -t nat -nvL (-t selects the table)
Clear rules: iptables -t nat -F
Add/delete a rule: iptables -A/-D INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP
Insert a rule: iptables -I INPUT -s 1.1.1.1 -j DROP/ACCEPT/REJECT
(drop / accept / reject)
iptables -nvL --line-numbers   list rules with their rule numbers
iptables -D INPUT 1   delete a rule by its rule number
iptables -P INPUT DROP   sets the default policy (the default is ACCEPT). Once it is set to DROP, only iptables -P INPUT ACCEPT restores the original state; -F does not reset it.

Backing up and restoring rules:
service iptables save   saves the rules to /etc/sysconfig/iptables
iptables-save > ipt.rule   saves the firewall rules to a file of your choice
iptables-restore < ipt.rule   restores the rules from that file

Block ping and unblock ping:
iptables -I INPUT -p icmp -j DROP
iptables -D INPUT -p icmp -j DROP

Testing:
The real firewall is netfilter (the kernel's network filter); iptables is the command that configures it.

[root@niejicai-linux ~]# iptables -nvL (the filter table is the default)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

[root@niejicai-linux ~]# iptables -nvL -t filter (explicitly naming the default filter table)
Chain INPUT (policy ACCEPT 270 packets, 22833 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 101 packets, 11576 bytes)
pkts bytes target prot opt in out source destination

[root@niejicai-linux ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

[root@niejicai-linux ~]# iptables -F   flush the table's rules

[root@niejicai-linux ~]# iptables -Z   zero the packet and byte counters

[root@niejicai-linux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 80 packets, 6685 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 2055 bytes)
pkts bytes target prot opt in out source destination

[root@niejicai-linux ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@niejicai-linux ~]# service iptables save
(after writing rules or flushing the iptables table, always remember to save)
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@niejicai-linux ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Dec 8 10:04:39 2015
*nat
:PREROUTING ACCEPT [48:7262]
:POSTROUTING ACCEPT [1:584]
:OUTPUT ACCEPT [1:584]
COMMIT
# Completed on Tue Dec 8 10:04:39 2015
# Generated by iptables-save v1.4.7 on Tue Dec 8 10:04:39 2015
*filter
:INPUT ACCEPT [199:16487]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:11456]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Dec 8 10:04:39 2015

[root@niejicai-linux ~]# service iptables stop (stops the firewall for now)
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]

[root@niejicai-linux ~]# service iptables start (starts iptables again)
If you still need the earlier rules, be sure to save them before stopping!
iptables: Applying firewall rules: [ OK ]

[root@niejicai-linux ~]# iptables -A/-I INPUT -s 1.1.1.1 -p tcp --sport 123 -d 192.168.1.218 --dport 80 -j ACCEPT/DROP/REJECT
-A/-I, source IP, destination IP, and one of three verdicts (accept, drop, reject)

(-A appends after the existing rules;
-I inserts before them)

Deleting a rule
First:

[root@niejicai-linux ~]# iptables -nvL --line-number   show the rule numbers
Chain INPUT (policy ACCEPT 131 packets, 11222 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 63 packets, 8760 bytes)
num pkts bytes target prot opt in out source destination
[root@niejicai-linux ~]#
Then the rule can be deleted:

[root@niejicai-linux ~]# iptables -D INPUT 2   deletes the second rule; below, only one rule is left! (When you have many rules and delete number 2, the rules after it shift up to fill the gap, so to confirm whether a deletion worked, look at the rule itself, not at its number!)
[root@niejicai-linux ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 6 packets, 432 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3 packets, 392 bytes)
num pkts bytes target prot opt in out source destination

Example:
For the filter table, set the INPUT chain's default policy to DROP and the other two chains to ACCEPT, then open port 22 to 192.168.0.0/24, port 80 to all networks, and port 21 to all networks. The script:
#! /bin/bash
ipt="/sbin/iptables"
$ipt -F; $ipt -P INPUT DROP;
$ipt -P OUTPUT ACCEPT; $ipt -P FORWARD ACCEPT;
$ipt -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
A common use of ICMP rules: this host can ping the outside, but the outside cannot ping this host: iptables -I INPUT -p icmp --icmp-type 8 -j DROP

nat table application:
A router works on the same NAT principle that iptables implements.
Suppose your machine has two NICs, eth0 and eth1, where eth0 has the IP 192.168.10.11 and eth1 has 172.16.10.11. eth0 is connected to the internet but eth1 is not. Another machine (172.16.10.12) can reach eth1. How do you set things up so that the machine on eth1 can also reach the internet?
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE
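The example script above and the NAT scenario here share one hazard: an INPUT policy of DROP with no rule accepting replies to the host's own connections (and nothing accepting loopback) cuts the SSH session the script is typed over and breaks local services, and MASQUERADE does nothing while ip_forward is 0. Below is an added example, not part of the original post, that expresses both passages as a single iptables-restore ruleset and lints the text for those mistakes before it is applied. The post's own script is included in ruleset form so the lint can be seen rejecting it; the interface and address assumptions (eth0 toward the internet, 172.16.10.0/24 behind eth1) are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): the post's policy as an
# iptables-restore ruleset plus a lint for lock-out mistakes. Pure text
# processing, so it runs anywhere; on the firewall host you would apply it
# with "iptables-restore < rules.v4".

# The post's example script, rewritten in iptables-restore form (the "before").
build_original_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Hardened ruleset: same policy, plus the loopback and RELATED,ESTABLISHED
# accepts an INPUT DROP policy needs, the post's ICMP echo-request drop
# (redundant under a DROP policy, kept to make the intent explicit), and the
# nat table for the two-NIC scenario (172.16.10.0/24 masqueraded out of eth0).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Lint a ruleset read from stdin. $1 is the value of net.ipv4.ip_forward on
# the target host (passed explicitly so the check is reproducible offline).
# Prints one line per problem; returns 1 if any problem was found.
lint_ruleset() {
    awk -v ipfwd="${1:-0}" '
        /^\*/      { table = substr($0, 2); tables[table] = 1; next }
        /^COMMIT/  { committed[table] = 1; next }
        table == "filter" && /^:INPUT DROP/ { input_drop = 1 }
        table == "filter" && /^-A INPUT / {
            if ($0 ~ /-i lo .*-j ACCEPT/)        lo_ok = 1
            if ($0 ~ /ESTABLISHED.*-j ACCEPT/)   est_ok = 1
        }
        table == "nat" && /-j MASQUERADE/ { masq = 1 }
        END {
            n = 0
            for (t in tables) if (!committed[t]) { print "table " t " has no COMMIT"; n++ }
            if (input_drop && !est_ok) { print "INPUT policy DROP but no RELATED,ESTABLISHED accept: replies to outbound connections from this host would be dropped"; n++ }
            if (input_drop && !lo_ok)  { print "INPUT policy DROP but no accept on lo: local services talking over loopback would break"; n++ }
            if (masq && ipfwd != 1)    { print "MASQUERADE present but net.ipv4.ip_forward=" ipfwd ": forwarding is off, NAT cannot work"; n++ }
            exit (n > 0)
        }'
}

# Demo: the post's script fails the lint, the hardened ruleset passes.
echo "== post's script =="; build_original_ruleset | lint_ruleset 1 || echo "(problems found, as expected)"
echo "== hardened, ip_forward=0 =="; build_ruleset | lint_ruleset 0 || echo "(forwarding still off)"
echo "== hardened, ip_forward=1 =="; build_ruleset | lint_ruleset 1 && echo OK
```

iptables-restore loads the policy and all rules of a table together, so there is no moment where INPUT is DROP and nothing yet accepts the session you are working from, which is what happens between the -P and -A lines of the shell script version. Note also that echo "1" > /proc/sys/net/ipv4/ip_forward does not survive a reboot; to make it persistent put net.ipv4.ip_forward = 1 in /etc/sysctl.conf.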