差異處

這裏顯示兩個版本的差異處。

連向這個比對檢視

兩邊的前次修訂版 前次修改
下次修改		 前次修改
tech:centos7_network [2018/07/07 10:33] Jonathan Tsaitech:centos7_network [2021/09/11 14:57] (目前版本) – [FirewallD (取代 iptables)] jonathan
行 1: 行 1:
 +====== CentOS7 網路相關整理 ======
 +可先透過 https://wiki.centos.org/zh-tw/FAQ/CentOS7 來了解 CentOS7 和之前版本的一些差異
 +
 +===== 沒有 ifconfig 命令問題 =====
 +<code sh>
 +yum install net-tools
 +</code>
 +++++ 安裝紀錄|<file>
 +[root@centos7-tmp ~]# yum install net-tools
 +Loaded plugins: fastestmirror
 +base                                                     | 3.6 kB     00:00
 +extras                                                   | 3.4 kB     00:00
 +updates                                                  | 3.4 kB     00:00
 +(1/4): base/7/x86_64/group_gz                              | 155 kB   00:00
 +(2/4): extras/7/x86_64/primary_db                          | 166 kB   00:00
 +(3/4): updates/7/x86_64/primary_db                         | 9.1 MB   00:01
 +(4/4): base/7/x86_64/primary_db                            | 5.3 MB   00:02
 +Determining fastest mirrors
 + * base: ftp.yzu.edu.tw
 + * extras: ftp.yzu.edu.tw
 + * updates: ftp.yzu.edu.tw
 +Resolving Dependencies
 +--> Running transaction check
 +---> Package net-tools.x86_64 0:2.0-0.17.20131004git.el7 will be installed
 +--> Finished Dependency Resolution
 +
 +Dependencies Resolved
 +
 +================================================================================
 + Package         Arch         Version                          Repository  Size
 +================================================================================
 +Installing:
 + net-tools       x86_64       2.0-0.17.20131004git.el7         base       304 k
 +
 +Transaction Summary
 +================================================================================
 +Install  1 Package
 +
 +Total download size: 304 k
 +Installed size: 917 k
 +Is this ok [y/d/N]: y
 +Downloading packages:
 +警告:/var/cache/yum/x86_64/7/base/packages/net-tools-2.0-0.17.20131004git.el7.x86_64.rpm: 表頭 V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
 +Public key for net-tools-2.0-0.17.20131004git.el7.x86_64.rpm is not installed
 +net-tools-2.0-0.17.20131004git.el7.x86_64.rpm              | 304 kB   00:00
 +Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 +Importing GPG key 0xF4A80EB5:
 + Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <[email protected]>"
 + Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 + Package    : centos-release-7-2.1511.el7.centos.2.10.x86_64 (@anaconda)
 + From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 +Is this ok [y/N]: y
 +Running transaction check
 +Running transaction test
 +Transaction test succeeded
 +Running transaction
 +  Installing : net-tools-2.0-0.17.20131004git.el7.x86_64                    1/1
 +  Verifying  : net-tools-2.0-0.17.20131004git.el7.x86_64                    1/1
 +
 +Installed:
 +  net-tools.x86_64 0:2.0-0.17.20131004git.el7
 +
 +Complete!
 +</file>++++
 +++++ 執行紀錄 |<file>
 +[root@centos7-tmp ~]# ifconfig
 +ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 +        inet 192.168.0.104  netmask 255.255.255.0  broadcast 192.168.0.255
 +        inet6 fe80::5054:ff:fe70:9a7d  prefixlen 64  scopeid 0x20<link>
 +        ether 52:54:00:70:9a:7d  txqueuelen 1000  (Ethernet)
 +        RX packets 12252  bytes 16348084 (15.5 MiB)
 +        RX errors 0  dropped 0  overruns 0  frame 0
 +        TX packets 7298  bytes 570168 (556.8 KiB)
 +        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
 +        ether 52:54:00:fb:86:e8  txqueuelen 1000  (Ethernet)
 +        RX packets 49  bytes 3016 (2.9 KiB)
 +        RX errors 0  dropped 0  overruns 0  frame 0
 +        TX packets 0  bytes 0 (0.0 B)
 +        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
 +        inet 127.0.0.1  netmask 255.0.0.0
 +        inet6 ::1  prefixlen 128  scopeid 0x10<host>
 +        loop  txqueuelen 0  (Local Loopback)
 +        RX packets 0  bytes 0 (0.0 B)
 +        RX errors 0  dropped 0  overruns 0  frame 0
 +        TX packets 0  bytes 0 (0.0 B)
 +        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +</file>++++
 +  * 參考網址 - http://www.centoscn.com/CentosBug/osbug/2014/0916/3750.html
 +  * https://wiki.centos.org/zh-tw/FAQ/CentOS7
 +
 +===== FirewallD (取代 iptables) =====
 +  * 取得 zome <code sh>firewall-cmd --get-default-zone</code>
 +  * 查看目前開放的服務 <code sh>firewall-cmd --zone=iredmail --list-services</code>
 +  * 新增臨時開放的服務 <code sh>firewall-cmd --zone=iredmail --add-service=mysql</code>
 +  * 查看永久開放的服務 <code sh>firewall-cmd --zone=iredmail --permanent --list-services</code>
 +  * 新增永久開放的服務 <code sh>firewall-cmd --zone=iredmail --permanent --add-service=snmp</code>
 +<note>
 +  * 如果是直接修改 /etc/firewalld/services/ 或 /etc/firewalld/zones/ 裡面的設定檔 
 +    * Exp. /etc/firewalld/services/smtps.xml 與 /etc/firewalld/zones/iredmail.xml
 +  * 更改後可以透過 <code sh>
 +firewall-cmd --complete-reload
 +</code>讓設定生效
 +</note>
 +
 +  * 啟用與關閉 firewalld <cli>
 +[root@jonathan-vm1 ~]# firewall-cmd --get-default-zone
 +FirewallD is not running
 +[root@jonathan-vm1 ~]# systemctl start firewalld
 +[root@jonathan-vm1 ~]# systemctl enable firewalld
 +Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
 +Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
 +[root@jonathan-vm1 ~]# firewall-cmd --get-default-zone
 +public
 +[root@jonathan-vm1 ~]# firewall-cmd --list-services
 +cockpit dhcpv6-client ssh
 +[root@jonathan-vm1 ~]# systemctl stop firewalld
 +[root@jonathan-vm1 ~]# systemctl disable firewalld
 +Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
 +Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
 +[root@jonathan-vm1 ~]# systemctl list-unit-files | grep firewalld
 +firewalld.service                                                disabled
 +</cli>
 +
 +===== netstat 的替代語法 ss =====
 +  * 看 listen port :<code sh>ss -l -n</code>Exp. 看 SMTP 25 port<cli>
 +# ss -l -n | grep 25
 +tcp    LISTEN          100       *:25                    *:*
 +tcp    LISTEN          100      :::25                   :::*
 +</cli>
 +  * 看 TCP 連線 :<code sh>ss -t -n</code> Exp. 看 IMAP port 143 連線<cli>
 +# ss -t -n | grep 143
 +ESTAB      0      0      192.168.0.236:143                60.248.245.172:56450
 +ESTAB      0      0      192.168.0.236:143                192.168.0.2:51137
 +ESTAB      0      0      192.168.0.236:143                192.168.0.254:14983
 +ESTAB      0      0      192.168.0.236:143                192.168.0.254:14902
 +:
 +ESTAB      0      0      192.168.0.236:143                60.248.245.172:62832
 +</cli>
 +
 +===== 修改 IP 設定 =====
 +  * Exp 修改 eth0 IP 為 192.168.1.28
 +    - <code h vi /etc/sysconfig/network-scripts/ifcfg-eth0 >
 +:
 +BOOTPROTO=static
 +IPADDR=192.168.1.28
 +NETMASK=255.255.255.0
 +GATEWAY=192.168.1.254
 +:
 +DNS1=192.168.1.254
 +DNS2=101.101.101.101
 +</code>
 +    - <code sh>systemctl restart network.service</code>
 +
 +===== 查看現在的 IP 與 route =====
 +  * <code sh>
 +ip a
 +ip route list
 +</code>
 +
 +===== 修改 DNS 設定 =====
 +  * 直接改 /etc/resolv.conf 一段時間就會被 NetworkManager 更改消失, 必須改使用 nmcli 來設定
 +  * Exp. 要設定網卡 eth0 的 DNS 為 192.168.11.242 與 168.95.192.1 <code sh>
 +nmcli con mod eth0 ipv4.dns "192.168.11.242 168.95.192.1"
 +nmcli con up eth0
 +</code>
 +
 +===== 關閉 IPv6 的方式 =====
 +  * 因為很多服務會認來源 IP (Exp. Mail Server), 因此避免來源 IP 變成 IPv6 造成問題, 因此有需要關閉
 +  * 在  /etc/sysctl.conf 內增加以下兩行<file>
 +:
 +net.ipv6.conf.all.disable_ipv6 = 1
 +net.ipv6.conf.default.disable_ipv6 = 1
 +</file>
 +  * 下命令生效 <code sh>
 +sysctl -p
 +</code>
 +  * 最好重開機
 +
 +===== 參考網址 =====
 +  * [[https://www.phpini.com/linux/rhel-centos-7-setup-static-ip|RHEL / CentOS 7 設定網路固定 IP]]
 +  * [[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]]
 +  * https://www.phpini.com/linux/rhel-centos-7-change-dns-server
 +  * [[https://shazi.info/%E5%9C%A8-centos-7-%E4%B8%AD%E6%89%80%E4%B8%8D%E8%A6%8B%E7%9A%84%E5%91%BD%E4%BB%A4-round-1%EF%BC%9A-ifconfig%E3%80%81route%E3%80%81netstat%E3%80%81traceroute/|在-centos-7-中所不見的命令-round-1:-ifconfig、route、netstat、traceroute/]]
 +  * https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-ipv6/
 +
 +{{tag>centos7 network}}