
第 04 章:网络配置

配置和管理 Alpine Linux 的网络功能,包括基础网络、防火墙、无线网络和 VPN。

4.1 基础网络配置

网络接口管理

Alpine 使用 ifupdown 包管理网络接口,配置文件位于 /etc/network/interfaces

# Show interfaces (link state) and their addresses
ip link show
ip addr show

# Show the routing table
ip route show

# Interface configuration file read by ifupdown
vi /etc/network/interfaces

静态 IP 配置

# /etc/network/interfaces
# The loopback stanza must always be present
auto lo
iface lo inet loopback

# Static address on eth0; "auto" brings it up when networking starts
auto eth0
iface eth0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    hostname web-server

# VLAN 100 tagged on top of eth0
# NOTE(review): 802.1Q tagging needs the 8021q kernel module — confirm it is loaded
auto eth0.100
iface eth0.100 inet static
    address 10.0.100.10/24
    vlan-raw-device eth0

DHCP 配置

# /etc/network/interfaces
auto lo
iface lo inet loopback

# eth0 via DHCP; "hostname" is the name sent in the DHCP request
auto eth0
iface eth0 inet dhcp
    hostname alpine-dhcp

# Optional: use dhcpcd (a more modern DHCP client) instead of the default one
# NOTE(review): running dhcpcd as a service next to "iface eth0 inet dhcp" may start
# two DHCP clients on eth0 — confirm which one is meant to own the interface
apk add dhcpcd
rc-update add dhcpcd

多网卡绑定(Bonding)

# Install bonding support (ifenslave) for ifupdown
apk add ifenslave

# /etc/network/interfaces
auto bond0
iface bond0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bond-slaves eth0 eth1
    bond-mode 802.3ad
    bond-miimon 100
    bond-xmit-hash-policy layer3+4

# bond-mode options:
# 0 - balance-rr    (round-robin)
# 1 - active-backup (active/backup)
# 2 - balance-xor   (XOR)
# 3 - broadcast     (broadcast)
# 4 - 802.3ad       (LACP)
# 5 - balance-tlb   (adaptive transmit load balancing)
# 6 - balance-alb   (adaptive load balancing)
# Mode 4 (802.3ad) only works when the switch ports are configured for LACP;
# bond-miimon 100 polls link state every 100 ms.

网桥配置

# Install bridge utilities
apk add bridge

# /etc/network/interfaces
# The address lives on the bridge; eth0/eth1 become ports without addresses
auto br0
iface br0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bridge-ports eth0 eth1
    bridge-stp on
    bridge-fd 0
# NOTE(review): bridge-fd 0 (no forward delay) is normally paired with STP off;
# with STP on the kernel enforces a minimum forward delay — confirm the intended combination

# Temporary (non-persistent) bridge setup with ip(8); lost on reboot
ip link add name br0 type bridge
ip link set eth0 master br0
ip link set eth1 master br0
# The address goes on the bridge, not on the enslaved ports
ip addr add 192.168.1.100/24 dev br0
ip link set br0 up

网络服务管理

# Restart the whole networking service (all "auto" interfaces)
rc-service networking restart

# Restart a single interface; ifup only runs if ifdown succeeded
ifdown eth0 && ifup eth0

# Service status overview
rc-status

# Start networking in the boot runlevel
rc-update add networking boot

4.2 DNS 配置

# /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 223.5.5.5      # Alibaba DNS
search example.com

# Public DNS services in mainland China
# Alibaba DNS:  223.5.5.5 / 223.6.6.6
# Tencent DNS:  119.29.29.29
# Baidu DNS:    180.76.76.76
# 114 DNS:      114.114.114.114

# Using systemd-resolved instead (not recommended on Alpine)
# Alpine relies on a plain resolv.conf
# NOTE(review): on interfaces configured via DHCP the DHCP client may rewrite this file — confirm

# Local hosts file; ">>" appends, so running this twice leaves duplicate entries
cat >> /etc/hosts << 'EOF'
192.168.1.100 web-server
192.168.1.101 db-server
192.168.1.102 cache-server
EOF

# DNS tools (dig, nslookup, host)
apk add bind-tools

# DNS queries
dig example.com
# ask a specific server for MX records
dig @8.8.8.8 example.com MX
nslookup example.com
host example.com

4.3 防火墙配置(iptables / nftables)

iptables 基础

# Install IPv4 and IPv6 iptables
apk add iptables ip6tables

# Enable both services at boot (they restore the saved rule set)
rc-update add iptables
rc-update add ip6tables

# List rules (numeric, with counters; --line-numbers for use with -D/-I)
iptables -L -n -v
iptables -L -n -v --line-numbers

# Save the running rules (written to the path configured for the service —
# see /etc/conf.d/iptables)
/etc/init.d/iptables save

# Reload the saved rules
/etc/init.d/iptables restart

常用 iptables 规则

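# Baseline firewall script (IPv4 and IPv6)
cat > /etc/iptables/rules.sh << 'SCRIPT'
#!/bin/sh
# Default-deny INPUT/FORWARD with a small allow-list.
# Rule order matters: the SSH rate-limit rules must come BEFORE the SSH ACCEPT,
# otherwise the ACCEPT matches first and the limit never fires.

# Flush existing rules in the filter and nat tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies: deny inbound and forwarded, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop what the connection tracker cannot classify, then allow replies to our own traffic
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# SSH: at most 4 new connections per source per 60 s, then accept
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ICMP echo (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# NAT forwarding (gateway use only; uncomment when this host routes for others)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# IPv6: without these the ip6tables policies stay ACCEPT and every port is open over v6.
# ICMPv6 must stay open — neighbour discovery and router advertisements depend on it.
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

echo "Firewall rules applied."
SCRIPT
chmod +x /etc/iptables/rules.sh

# Apply the rules (keep a console or out-of-band session open in case SSH gets locked out)
sh /etc/iptables/rules.sh

# Persist both rule sets so the iptables/ip6tables services restore them at boot
/etc/init.d/iptables save
/etc/init.d/ip6tables save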

iptables 端口转发

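# Port forwarding: external 8080 → internal 192.168.1.101:80
# With the default FORWARD policy set to DROP (see the script above) both
# directions need a rule: the DNAT'd inbound flow and the replies coming back.
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.101:80
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 80 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Enable IPv4 forwarding now and persist it; the grep guard keeps repeated
# runs from appending duplicate lines to /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
grep -qs '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p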

nftables(现代替代)

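# nftables is the successor to iptables (same kernel netfilter backend)
apk add nftables

# Ruleset: default-deny input/forward, allow output
cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback
        iif lo accept

        # drop what conntrack cannot classify, allow replies to our own traffic
        ct state invalid drop
        ct state established,related accept

        # ICMP / ICMPv6 (ICMPv6 is required for neighbour discovery and PMTU)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH
        tcp dport 22 accept

        # HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # log the rest, rate-limited so a flood cannot fill the log;
        # whatever exceeds the limit is still dropped by the chain policy
        limit rate 5/minute log prefix "nft-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF

# Syntax-check before enabling, so a typo cannot leave the host without a firewall at boot
nft -c -f /etc/nftables.conf

# Enable and start the service
# NOTE(review): Alpine's nftables service is believed to load /etc/nftables.nft by
# default rather than /etc/nftables.conf — confirm the path in /etc/conf.d/nftables
rc-update add nftables
rc-service nftables start

# Show the active ruleset
nft list ruleset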

4.4 无线网络配置

# Wireless tools: wpa_supplicant for WPA, iw/wireless-tools for interface control
apk add wpa_supplicant wireless-tools iw

# List wireless interfaces
iw dev

# Scan and show only the SSID lines (the interface usually needs to be up first)
iw dev wlan0 scan | grep SSID

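# WPA/WPA2 configuration
# The file holds the network secret: create it readable by root only
# (umask applies to the rest of this shell session).
umask 077
cat > /etc/wpa_supplicant/wpa_supplicant.conf << 'EOF'
ctrl_interface=/var/run/wpa_supplicant
update_config=1
country=CN
EOF

# Append the network block with a derived PSK instead of the plaintext passphrase.
# wpa_passphrase also echoes the passphrase as a "#psk=" comment line; strip it so
# the clear text never lands on disk. The passphrase is still visible in shell
# history and in the process list while the command runs.
# NOTE(review): wpa_supplicant's defaults (WPA-PSK, RSN/WPA, CCMP/TKIP) are assumed
# to match the explicit key_mgmt/proto/pairwise settings this block replaced — confirm
wpa_passphrase "MyWiFi" "password123" | sed '/^[[:space:]]*#psk=/d' >> /etc/wpa_supplicant/wpa_supplicant.conf
chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf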

# /etc/network/interfaces wireless stanza
auto wlan0
iface wlan0 inet dhcp
    wireless-essid MyWiFi
    wireless-mode managed
# NOTE(review): wireless-* options drive the wireless-tools (iwconfig) path; with
# wpa_supplicant managing the link the association is done by its own config
# file — confirm the two are not competing for wlan0

# Enable both services in the boot runlevel
rc-update add wpa_supplicant boot
rc-update add networking boot

# Manual connection: bring the link up, start wpa_supplicant in the background (-B),
# then request a lease with the busybox DHCP client
ifconfig wlan0 up
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf
udhcpc -i wlan0

4.5 WireGuard VPN

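# Install the WireGuard userspace tools
apk add wireguard-tools

# ---- Server side ----

# Keys are secrets: restrict the umask so the files are created mode 600 from the
# start instead of being world-readable until the chmod runs
umask 077
mkdir -p /etc/wireguard

# Server key pair
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key

# Client key pair (ideally generated on the client so its private key never leaves it;
# done here for a single-host walkthrough)
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key
chmod 600 /etc/wireguard/client_private.key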

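# Server config. This is wg-quick(8) format: Address, PostUp and PostDown are
# wg-quick keys that "wg setconf" does not understand (it rejects the file), so
# bring the interface up with "wg-quick up wg0".
# Created under umask 077 so the embedded private key is never world-readable.
umask 077
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/server_private.key)
Address = 10.0.0.1/24
ListenPort = 51820
# Forwarding + NAT for peers: needs IPv4 forwarding on and iptables installed (see 4.3)
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = $(cat /etc/wireguard/client_public.key)
AllowedIPs = 10.0.0.2/32
EOF
chmod 600 /etc/wireguard/wg0.conf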

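# Start WireGuard. wg-quick reads the wg-quick-format config (Address/PostUp/PostDown),
# creates wg0, assigns the address and runs the PostUp hooks in one step; a plain
# "wg setconf" sequence fails on those keys.
# NOTE(review): wg-quick ships with wireguard-tools on Alpine — confirm with "command -v wg-quick"
chmod 600 /etc/wireguard/wg0.conf
wg-quick up wg0

# Verify the interface and peer state
wg show wg0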

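# Start at boot via the "local" service
rc-update add local default
cat > /etc/local.d/wireguard.start << 'EOF'
#!/bin/sh
# Idempotent: skip if wg0 already exists (e.g. the local service was restarted),
# otherwise link creation would fail. wg-quick handles the address, hooks and the
# wg-quick-only keys in wg0.conf that "wg setconf" cannot parse.
ip link show wg0 >/dev/null 2>&1 || wg-quick up wg0
EOF
chmod +x /etc/local.d/wireguard.start
# NOTE(review): Alpine's wireguard-tools may also ship an OpenRC service for wg-quick
# that could replace this local.d script — confirm before relying on it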

WireGuard 客户端配置

# Client wg0.conf (wg-quick format: Address and DNS are wg-quick keys)
[Interface]
# contents of client_private.key generated in the server section
PrivateKey = <客户端私钥>
Address = 10.0.0.2/24
# resolver applied by wg-quick while the tunnel is up
DNS = 8.8.8.8

[Peer]
# contents of server_public.key
PublicKey = <服务端公钥>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 = full tunnel: all IPv4 traffic is routed through the VPN
AllowedIPs = 0.0.0.0/0
# keepalive interval (seconds) so NAT mappings stay open for a client behind NAT
PersistentKeepalive = 25

4.6 OpenVPN

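# Install OpenVPN and EasyRSA
apk add openvpn easy-rsa

# Initialise the CA. The EasyRSA command is "easyrsa" (easy-rsa is the package name).
# NOTE(review): Alpine is believed to install it under /usr/share/easy-rsa — confirm
# with "command -v easyrsa" and add that directory to PATH if needed.
# "cd || exit" stops here if /etc/openvpn is missing so the PKI is not created elsewhere.
cd /etc/openvpn || exit 1
easyrsa init-pki
easyrsa build-ca

# Server certificate and DH parameters
easyrsa build-server-full server nopass
easyrsa gen-dh

# Client certificate
easyrsa build-client-full client1 nopass

# TLS auth key (shared secret for tls-auth/tls-crypt); keep it root-only
openvpn --genkey secret /etc/openvpn/ta.key
chmod 600 /etc/openvpn/ta.key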

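# Server config
cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/pki/dh.pem
# HMAC on the control channel; tls-crypt (same key, also encrypts the handshake)
# is the stronger option if every client can be updated to match
tls-auth /etc/openvpn/ta.key 0
# Refuse TLS 1.0/1.1 on the control channel
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# AEAD data-channel ciphers negotiated with OpenVPN 2.5+ clients; "cipher" stays as fallback
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
# Drop privileges after start; persist-key/persist-tun let the daemon restart
# without needing to re-read the keys or re-open the tun device as root
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF

# NOTE(review): Alpine's openvpn OpenRC script is believed to read
# /etc/openvpn/openvpn.conf for the bare "openvpn" service; to run server.conf as
# its own instance, symlink the init script as openvpn.server and enable that
# name instead — confirm in /etc/init.d/openvpn
rc-update add openvpn
rc-service openvpn start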

4.7 网络诊断工具

| 工具 | 安装命令 | 用途 |
| --- | --- | --- |
| ping | 内置 | 测试连通性 |
| traceroute | apk add traceroute | 路由追踪 |
| mtr | apk add mtr | 综合路由诊断 |
| nmap | apk add nmap | 端口扫描 |
| tcpdump | apk add tcpdump | 抓包分析 |
| iperf3 | apk add iperf3 | 带宽测试 |
| dig | apk add bind-tools | DNS 诊断 |
| curl | apk add curl | HTTP 测试 |
| nethogs | apk add nethogs | 进程流量监控 |
| iftop | apk add iftop | 接口流量监控 |
# Bandwidth test
apk add iperf3
# server side
iperf3 -s
# client side (points at the server above)
iperf3 -c 192.168.1.100

# Packet capture
# port 80 on eth0, no name/port resolution (-nn)
tcpdump -i eth0 -nn port 80
# all interfaces, one host, written to a pcap file in the current directory
tcpdump -i any -nn host 192.168.1.100 -w capture.pcap

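# Connectivity diagnostic script
cat > /usr/local/bin/netcheck << 'SCRIPT'
#!/bin/sh
# Print interface addresses, default route, resolver config and a reachability
# check against two public addresses. ping output is silenced so the OK/FAIL
# line is the only thing printed per target, and if/else replaces the
# "a && b || c" form, which is not a true if/else.

# check_host LABEL ADDR — two echo requests, 2 s timeout each
check_host() {
  if ping -c 2 -W 2 "$2" >/dev/null 2>&1; then
    echo "$1 OK"
  else
    echo "$1 FAIL"
  fi
}

echo "=== 网络诊断 ==="
echo "--- 接口 ---"
ip -4 addr show | grep inet
echo "--- 路由 ---"
ip route show default
echo "--- DNS ---"
cat /etc/resolv.conf
echo "--- 连通性测试 ---"
check_host "Internet:" 8.8.8.8
check_host "AliDNS:  " 223.5.5.5
SCRIPT
chmod +x /usr/local/bin/netcheck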

4.8 注意事项

⚠️ 安全提示

  • 生产环境防火墙默认策略应为 DROP(拒绝所有)
  • WireGuard 私钥权限必须为 600
  • VPN 服务应配置自动重连
  • 定期检查防火墙规则和开放端口

💡 性能优化

  • 对于高并发场景,调整内核参数:
# Append tuning keys to /etc/sysctl.conf (re-running appends duplicates) and apply them
cat >> /etc/sysctl.conf << 'EOF'
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65535
EOF
sysctl -p

扩展阅读

