Http on IT 运维小秋 /tags/http.html Recent content in Http on IT 运维小秋 Hugo -- gohugo.io zh-cn chenwx716@139.com chenwx716@139.com Fri, 10 Feb 2023 10:00:00 +0800 firewalld /p/tools-network-firewalld.html Fri, 10 Feb 2023 10:00:00 +0800 chenwx716@139.com /p/tools-network-firewalld.html <h2 id="基础">基础</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">systemctl stop firewalld </span></span><span class="line"><span class="cl">systemctl disable firewalld </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --reload <span class="c1"># 如果是 --permanent 持久化规则, 则还需要reload一次</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="show">show</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">firewall-cmd --state <span class="c1"># 查询运行状态</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --get-zone-of-interface<span class="o">=</span>eth0 <span class="c1"># 查看接口所属区域</span> </span></span><span class="line"><span class="cl">firewall-cmd --get-default-zone <span class="c1"># 获取默认区域</span> </span></span><span class="line"><span class="cl">firewall-cmd --get-active-zones <span class="c1"># 获取活动的区域</span> </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>public --get-target <span class="c1"># 获取此区域的默认动作</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --list-all <span class="c1"># 获取全部规则</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="管理">管理</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --add-port<span class="o">=</span>80/tcp --permanent </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --add-port<span class="o">=</span>100-500/tcp <span class="c1"># 临时添加端口范围</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>work --add-source<span class="o">=</span>10.2.1.200 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 更换网卡所匹配的区域</span> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>drop --change-interface<span class="o">=</span>eth0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --set-default-zone<span class="o">=</span>drop </span></span></code></pre></td></tr></table> </div> </div><h2 id="高级规则">高级规则</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 列出高级规则</span> </span></span><span class="line"><span class="cl">firewall-cmd --list-rich-rules </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 添加细化的规则</span> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --permanent --add-rich-rule <span class="s1">&#39;rule family=&#34;ipv4&#34; source address=10.27.10.181 port port=26379 protocol=tcp accept&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --permanent --remove-rich-rule<span class="o">=</span><span class="s1">&#39;rule family=&#34;ipv4&#34; source address=&#34;10.27.10.0/24&#34; port port=&#34;22&#34; protocol=&#34;tcp&#34; accept&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 添加某个网段的访问策略</span> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>drop --permanent --add-rich-rule <span class="s1">&#39;rule family=&#34;ipv4&#34; source address=10.27.10.0/24 port port=9001 protocol=tcp accept&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="示例-一般初始化">示例-一般初始化</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --remove-service<span class="o">=</span>ssh </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --remove-service<span class="o">=</span>ssh --permanent </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --remove-service<span class="o">=</span>dhcpv6-client --permanent </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --remove-service<span class="o">=</span>cockpit --permanent </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --add-icmp-block<span class="o">=</span>echo-request </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>public --add-icmp-block<span class="o">=</span>echo-reply </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --add-source<span class="o">=</span>10.2.2.0/24 </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --add-source<span class="o">=</span>10.3.0.1/32 </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --add-source<span class="o">=</span>192.168.0.175/32 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --remove-source<span class="o">=</span>192.168.0.175/24 </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --remove-source<span class="o">=</span>10.2.1.5/32 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --permanent --zone<span class="o">=</span>trusted --remove-source<span class="o">=</span>192.168.0.175/32 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">firewall-cmd --zone<span class="o">=</span>trusted --list-all </span></span></code></pre></td></tr></table> </div> </div> http-curl /p/tools-http-curl.html Fri, 10 Feb 2023 10:00:00 +0800 chenwx716@139.com /p/tools-http-curl.html <h2 id="跨域">跨域</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 跨域测试</span> </span></span><span class="line"><span class="cl">curl -i -X OPTIONS https://api.xxx.xyz/admin/captcha <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Origin: https://xxxxx1.xxx.xyz&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -i -X POST https://api.xxx.xyz/admin/captcha <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Origin: https://xxxxx1.xxx.xyz&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{&#34;a&#34;:&#34;1&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="提交和上传">提交和上传</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># POST</span> </span></span><span class="line"><span class="cl">curl -d <span class="s2">&#34;name=abc&#34;</span> http://127.0.0.1:2000/echoback </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 表单提交</span> </span></span><span class="line"><span class="cl">curl -d <span class="s2">&#34;user=nickwolfe&amp;password=12345&#34;</span> http://10.248.13.7:18001/registerNameajax.htm </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># json</span> </span></span><span class="line"><span class="cl">curl -i -X POST -H <span class="s1">&#39;Content-type&#39;</span>:<span class="s1">&#39;application/json&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s2">&#34;userName=user1&amp;password=zz123456&#34;</span> http://192.168.183.100:8050/nature/login </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -i -X POST -H <span class="s1">&#39;Content-type&#39;</span>:<span class="s1">&#39;multipart/form-data&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s2">&#34;userName=user1&amp;password=zz123456&#34;</span> http://192.168.183.100:8050/nature/login </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -i -X POST -H <span class="s1">&#39;Content-type&#39;</span>:<span class="s1">&#39;application/x-www-form-urlencoded&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s2">&#34;userName=user1&amp;password=zz123456&#34;</span> http://192.168.183.100:8050/nature/login </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -X POST http://localhost:8080/api -H <span class="s2">&#34;Content-Type: application/json&#34;</span> -d <span class="s1">&#39;{&#34;a&#34;:&#34;b&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># json - file</span> </span></span><span class="line"><span class="cl">curl -X POST http://localhost:8080/api -H <span class="s2">&#34;Content-Type: application/json&#34;</span> -d @sendfile.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="综合">综合</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># 添加 host 头</span> </span></span><span class="line"><span class="cl">curl -H <span class="s2">&#34;Host: minio.services.wait&#34;</span> http://10.2.1.75:80/static/css/style.css </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 修改 agent 和 xff</span> </span></span><span class="line"><span class="cl">curl -i --user-agent myagent <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;X-Forwarded-For: 1.1.1.1, 2.2.2.2&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Host: www.baidu.com&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> http://10.1.2.1:18001/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 请求 ipv6 服务</span> </span></span><span class="line"><span class="cl">curl -6 -g http://<span class="o">[</span>2409:8081:1120:6010:7002::12c<span class="o">]</span>:17101 </span></span><span class="line"><span class="cl">curl -6 -g -k https://<span class="o">[</span>2409:8081:1120:6010:7002::20<span class="o">]</span>:443/services/LoginForWap?wsdl </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># socket5</span> </span></span><span class="line"><span class="cl">curl --socks5 127.0.0.1:15733 http://myip.ipip.net </span></span><span class="line"><span class="cl">curl --socks5-h 192.168.5.9:20323 http://10.10.55.4:8000/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># http 获取返回码</span> </span></span><span class="line"><span class="cl">curl -sL -w <span class="s2">&#34;%{http_code}\\n&#34;</span> www.baidu.com -o /dev/null </span></span><span class="line"><span class="cl">curl -i -s -o /dev/null -w <span class="s2">&#34;%{http_code}\n&#34;</span> http://blog.services.wait </span></span><span class="line"><span class="cl">curl -s --connect-timeout <span class="m">5</span> -o /dev/null -w <span class="s2">&#34;%{http_code}&#34;</span> <span class="s2">&#34;https://www.baidu.com&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># GET 请求多条参数的情况下对中文进行 urlencode 转码</span> </span></span><span class="line"><span class="cl">curl -G --data-urlencode <span class="s1">&#39;phone=1111111,222222&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --data-urlencode <span class="s1">&#39;body= 【服务器故障】 10.26.2.20 故障, 请及时检查处理 &#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s1">&#39;http://10.1.2.1:9002/api/v1/sms/send&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="curl-其它参数">curl 其它参数</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">curk -k # 跳过 https 证书 </span></span><span class="line"><span class="cl">-e referer </span></span><span class="line"><span class="cl"> -e http://shop.10086.cn </span></span><span class="line"><span class="cl">--interface eth0 </span></span><span class="line"><span class="cl"> 使用指定网卡 </span></span></code></pre></td></tr></table> </div> </div><h2 id="执行网络脚本">执行网络脚本</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># 执行网络脚本, 不需要下载</span> </span></span><span class="line"><span class="cl">curl http://xxx.com/xx/xx.sh <span class="p">|</span> bash </span></span><span class="line"><span class="cl"><span class="c1"># 传递参数方式</span> </span></span><span class="line"><span class="cl">curl -s http://xxx.com/xx/xx.sh <span class="p">|</span> bash -s arg1 arg2 </span></span><span class="line"><span class="cl">bash &lt;<span class="o">(</span>curl -s http://xxx.com/xx/xx.sh<span class="o">)</span> arg1 arg2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 具名参 - 区分是 bash 的参数, 还是 脚本的参数, 使用 -- 作为区分</span> </span></span><span class="line"><span class="cl"><span class="c1"># -- 前面的比如 -s 属于 bash, 后面的 -x abc -y xyz 属于远程脚本的参数</span> </span></span><span class="line"><span class="cl">curl -L http://xxx.com/xx/xx.sh <span class="p">|</span> bash -s -- -x abc -y xyz </span></span></code></pre></td></tr></table> </div> </div><h2 id="小技巧">小技巧</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># 压缩请求</span> </span></span><span class="line"><span class="cl">curl -i -H <span class="s2">&#34;Accept-Encoding: gzip&#34;</span> http://xxxxx.xxx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 跟踪 url 重定向后的链接</span> </span></span><span class="line"><span class="cl">curl -i -L http://10.35.18.166:8050/naturalMan/userQuit </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 超时控制, tcp 2s 超时, 数据包 20s 超时</span> </span></span><span class="line"><span class="cl">curl -i --connect-timeout <span class="m">2</span> -m <span class="m">20</span> http://10.230.88.61:11003/services </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查询耗时情况</span> </span></span><span class="line"><span class="cl">-w <span class="s1">&#39;time_connect %{time_connect}\ntime_starttransfer %{time_starttransfer}\ntime_total %{time_total}\n&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 不输出正文</span> </span></span><span class="line"><span class="cl">-o /dev/null </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 设置 cookie</span> </span></span><span class="line"><span class="cl">curl -b <span class="s2">&#34;sign=UnbvXIf06L3wtSwHMw3C&#34;</span> http://127.0.0.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 循环测试某接口</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> i in <span class="k">$(</span>seq 2000<span class="k">)</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">do</span> </span></span><span class="line"><span class="cl"> curl -sL -w <span class="s2">&#34;%{http_code}\\n&#34;</span> --connect-timeout <span class="m">3</span> http://10.1.170.1:9086/uac -o /dev/null &gt;&gt; ~/a.log </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="nv">$i</span> </span></span><span class="line"><span class="cl"> sleep <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 测试 tcp 端口的开放</span> </span></span><span class="line"><span class="cl">curl -v telnet://192.168.5.9:22 </span></span></code></pre></td></tr></table> </div> </div> iptables /p/tools-network-iptables.html Fri, 10 Feb 2023 10:00:00 +0800 chenwx716@139.com /p/tools-network-iptables.html <h2 id="base">base</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables-save &gt; conf <span class="c1"># 持久化配置</span> </span></span><span class="line"><span class="cl">iptables-restore &lt; conf <span class="c1"># 恢复配置</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="show">show</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables -L -n --line-number <span class="c1"># 查看规则</span> </span></span><span class="line"><span class="cl">iptables -L -n <span class="c1"># 查看规则</span> </span></span><span class="line"><span class="cl">iptables -t nat -nL <span class="c1"># 查看转发表规则</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="管理">管理</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">iptables -D INPUT <span class="m">6</span> <span class="c1"># 删除规则</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables -I INPUT -p tcp --dport <span class="m">17105</span> -j DROP <span class="c1"># 拒绝</span> </span></span><span class="line"><span class="cl">iptables -I INPUT -p tcp --dport <span class="m">8080</span> -j ACCEPT <span class="c1"># 允许</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 多端口</span> </span></span><span class="line"><span class="cl">iptables -I INPUT -p tcp -m multiport --destination-ports 2022,20022 -s 10.1.136.43 -j ACCEPT -m comment --comment <span class="s1">&#39;local network&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 允许单个IP</span> </span></span><span class="line"><span class="cl">iptables -I INPUT -p tcp --dport <span class="m">9092</span> -s 10.24.10.100 -j ACCEPT -m comment --comment <span class="s1">&#39;log app&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># IP范围</span> </span></span><span class="line"><span class="cl">iptables -A INPUT -p tcp --dport <span class="m">22</span> -m iprange --src-range 10.255.246.53-10.255.246.57 -j ACCEPT -m comment --comment <span class="s1">&#39;ssh manager&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 允许网段</span> </span></span><span class="line"><span class="cl">iptables -I INPUT -p tcp --dport <span class="m">9092</span> -s 10.24.10.0/24 -j ACCEPT -m comment --comment <span class="s1">&#39;log app&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 记录日志</span> </span></span><span class="line"><span class="cl">iptables -I cali-tw-cali03efd0d9a4d -s 10.20.4.241 -j LOG --log-prefix <span class="s2">&#34;test-2&#34;</span> </span></span><span class="line"><span class="cl">iptables -D cali-tw-cali03efd0d9a4d -s 10.20.4.241 -j LOG --log-prefix <span class="s2">&#34;test-2&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="docker-network">docker network</h2> <p>因为没有直接走 filter 表, 所以需要在 manager 或 raw 表上进行限制</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># 拒绝某IP</span> </span></span><span class="line"><span class="cl">iptables -t mangle -I PREROUTING -s 114.254.171.148 -j DROP </span></span><span class="line"><span class="cl">iptables -t raw -I PREROUTING -p tcp -m tcp --dport <span class="m">80</span> -j DROP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables -t mangle -I PREROUTING -D <span class="m">1</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="ip_conntrack">ip_conntrack</h2> <h3 id="el5">el5</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">cat /etc/sysconfig/iptables </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -a <span class="p">|</span> grep ip_conntrack_max </span></span><span class="line"><span class="cl">cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">wc -l /proc/net/ip_conntrack </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">awk <span class="s1">&#39;{print $3}&#39;</span> /proc/net/ip_conntrack <span class="p">|</span> sort -n <span class="p">|</span> head </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;net.ipv4.ip_conntrack_max = 1024000&#39;</span> &gt;&gt; /etc/sysctl.conf </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;net.ipv4.netfilter.ip_conntrack_max = 1024000&#39;</span> &gt;&gt; /etc/sysctl.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -p </span></span></code></pre></td></tr></table> </div> </div><h3 id="el6">el6</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">cat /etc/sysconfig/iptables </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -a <span class="p">|</span> grep net.nf_conntrack_max </span></span><span class="line"><span class="cl">wc -l /proc/net/nf_conntrack </span></span><span class="line"><span class="cl">cat /proc/sys/net/netfilter/nf_conntrack_count </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;net.nf_conntrack_max = 1024000&#39;</span> &gt;&gt; /etc/sysctl.conf </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s1">&#39;net.netfilter.nf_conntrack_max = 1024000&#39;</span> &gt;&gt; /etc/sysctl.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -p </span></span></code></pre></td></tr></table> </div> </div><h2 id="端口转发">端口转发</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"><span class="c1"># 80 端口转 8080</span> </span></span><span class="line"><span class="cl">iptables -t nat -A PREROUTING -p tcp --dport <span class="m">80</span> -j REDIRECT --to-port <span class="m">8080</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">iptables -t nat -A PREROUTING -p tcp --dport <span class="m">80</span> -j DNAT --to:8088 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sysctl -w net.ipv4.ip_forward<span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 清空nat表</span> </span></span><span class="line"><span class="cl">iptables -F -t nat </span></span></code></pre></td></tr></table> </div> </div> ipv6 /p/ipv6.html Fri, 10 Feb 2023 10:00:00 +0800 chenwx716@139.com /p/ipv6.html <h2 id="检测">检测</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">ping -4 </span></span><span class="line"><span class="cl">ping -6 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ping6 -I eth1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看路由</span> </span></span><span class="line"><span class="cl">/sbin/ip -6 route show dev br0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">route -A inet6 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">telnet 2408:400a:6c:3cff:d219:5fcd:9528:535 <span class="m">80</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="http">http</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -6 http://<span class="o">[</span>2409:8089:1111:6010:7001::0021<span class="o">]</span>:10002/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">curl -6 -g -i -L <span class="s1">&#39;http://[2409:8089:1111:6010:7001::0021]:443&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># LocalLink:</span> </span></span><span class="line"><span class="cl">curl -g -6 http://<span class="o">[</span>fe80::5054:ff:feab:185%eth0<span class="o">]</span>:8080/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># curl v7.61.0+ 无论本地是否启用 ipv6, 都会先尝试 ipv6 连接, 不需要显式使用 -6 参数</span> </span></span><span class="line"><span class="cl">curl -i http://<span class="o">[</span>2408:400a:6c:1111:d219:5fcd:9528:535<span class="o">]</span> </span></span><span class="line"><span class="cl">curl -i -6 http://<span class="o">[</span>2408:400a:6c:1111:d219:5fcd:9528:535<span class="o">]</span> </span></span><span class="line"><span class="cl">curl -i -6 https://<span class="o">[</span>2408:400a:6c:1111:d219:5fcd:9528:535<span class="o">]</span>:443/ </span></span></code></pre></td></tr></table> </div> </div><h2 id="nginx">nginx</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">listen 80; </span></span><span class="line"><span class="cl">listen [::]:80; </span></span></code></pre></td></tr></table> </div> </div> 抓包 /p/tools-tcpdump.html Fri, 10 Feb 2023 10:00:00 +0800 chenwx716@139.com /p/tools-tcpdump.html <h2 id="抓包">抓包</h2> <h3 id="tcpdump">tcpdump</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">tcpdump -i bond0 port <span class="m">8716</span> </span></span><span class="line"><span class="cl">tcpdump -i bond0 host 10.248.13.11 and port <span class="m">18009</span> -w 20150804.pcap </span></span><span class="line"><span class="cl">tcpdump -i bond0 host 10.27.10.140 or 10.27.10.141 or 10.27.10.142 -w new_memc.pcap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 解析报文 - 只能简单解析</span> </span></span><span class="line"><span class="cl">tcpdump -i bond0 port <span class="m">8716</span> -A </span></span></code></pre></td></tr></table> </div> </div><h3 id="wireshark">wireshark</h3> <p><strong>常用规则</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">http.response.code==500 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http.request.method==&#34;GET&#34; # 请求方法类型 </span></span><span class="line"><span class="cl">http.request.method==POST </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http.request.uri matches &#34;V4=..1&#34; # 正则 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http.request # 过滤所有的http请求 </span></span><span class="line"><span class="cl">http.request==1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">http.request.uri==&#34;/online/setpoint&#34; </span></span><span class="line"><span class="cl">http.request.uri contains &#34;/dll/test.htm?&#34; </span></span><span class="line"><span class="cl">http.request.full_uri==&#34;http://task.xxxx.xxxx.cn/online/setpoint&#34; </span></span></code></pre></td></tr></table> </div> </div>