

第 04 章:网络配置

配置和管理 Alpine Linux 的网络功能,包括基础网络、防火墙、无线网络和 VPN。

4.1 基础网络配置

网络接口管理

Alpine 使用 ifupdown 包管理网络接口,配置文件位于 /etc/network/interfaces

# Show interfaces (link state) and the addresses assigned to them
ip link show
ip addr show

# Show the routing table
ip route show

# Edit the persistent interface configuration read by ifupdown
vi /etc/network/interfaces

静态 IP 配置

# /etc/network/interfaces
# Static IPv4 on eth0; the /24 suffix carries the netmask
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    hostname web-server

# Tagged VLAN 100 as a sub-interface on top of eth0
auto eth0.100
iface eth0.100 inet static
    address 10.0.100.10/24
    vlan-raw-device eth0

DHCP 配置

# /etc/network/interfaces
# eth0 takes its address from DHCP; "hostname" is the name announced to the DHCP server
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
    hostname alpine-dhcp

# Optional: dhcpcd as a standalone DHCP client service.
# NOTE(review): the "inet dhcp" stanza above already runs a DHCP client through
# ifupdown; enabling dhcpcd as a service too means two clients on the same
# interface — pick one.
apk add dhcpcd
rc-update add dhcpcd

多网卡绑定(Bonding)

# Install the bonding helper package used by the bond-* options below
apk add ifenslave

# /etc/network/interfaces
# bond0 aggregates eth0 and eth1 in mode 802.3ad (LACP); the switch side must
# also be configured for LACP or the bond will not negotiate.
# bond-miimon 100: link-monitoring interval in milliseconds
auto bond0
iface bond0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bond-slaves eth0 eth1
    bond-mode 802.3ad
    bond-miimon 100
    bond-xmit-hash-policy layer3+4

# bond-mode options:
# 0 - balance-rr    (round-robin)
# 1 - active-backup (active/backup)
# 2 - balance-xor   (XOR)
# 3 - broadcast     (broadcast)
# 4 - 802.3ad       (LACP)
# 5 - balance-tlb   (adaptive transmit load balancing)
# 6 - balance-alb   (adaptive load balancing)

网桥配置

# Install the bridge utilities used by the bridge-* options below
apk add bridge

# /etc/network/interfaces
# br0 bridges eth0 and eth1 and carries the host address; the member ports
# themselves get no address.
# bridge-stp on: spanning tree, guards against loops if both ports reach the same switch
# bridge-fd 0:   forwarding delay in seconds
auto br0
iface br0 inet static
    address 192.168.1.100/24
    gateway 192.168.1.1
    bridge-ports eth0 eth1
    bridge-stp on
    bridge-fd 0

# Temporary bridge via the ip command: not persisted, gone after a reboot or
# a networking restart. If eth0 previously carried the host address, it has
# to move to br0 (as done here) or the host loses connectivity.
ip link add name br0 type bridge
ip link set eth0 master br0
ip link set eth1 master br0
ip addr add 192.168.1.100/24 dev br0
ip link set br0 up

网络服务管理

# Restart the networking service (re-runs the "auto" interfaces)
rc-service networking restart

# Restart a single interface. If eth0 carries your SSH session the session
# drops with it — keep both commands on one line so ifup still runs after ifdown.
ifdown eth0 && ifup eth0

# Show OpenRC service status
rc-status

# Start networking in the boot runlevel
rc-update add networking boot

4.2 DNS 配置

# /etc/resolv.conf
# NOTE(review): DHCP clients (udhcpc/dhcpcd) usually rewrite this file when a
# lease is obtained — confirm before relying on manual edits.
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 223.5.5.5      # 阿里 DNS
search example.com

# Public DNS resolvers in China
# AliDNS:       223.5.5.5 / 223.6.6.6
# Tencent DNS:  119.29.29.29
# Baidu DNS:    180.76.76.76
# 114 DNS:      114.114.114.114

# systemd-resolved is not a fit for Alpine (no systemd);
# Alpine uses the plain resolv.conf approach

# Local hosts file: static name -> address mappings, normally consulted before DNS.
# ">>" appends, so running this block again adds duplicate lines.
cat >> /etc/hosts << 'EOF'
192.168.1.100 web-server
192.168.1.101 db-server
192.168.1.102 cache-server
EOF

# DNS tools (dig, nslookup, host)
apk add bind-tools

# DNS queries
dig example.com
dig @8.8.8.8 example.com MX     # MX records, asking 8.8.8.8 directly
nslookup example.com
host example.com

4.3 防火墙配置(iptables / nftables)

iptables 基础

# iptables (IPv4) and ip6tables (IPv6) are separate rule sets
apk add iptables ip6tables

# Restore saved rules at boot. Enable both: an ip6tables with no rules has
# policy ACCEPT, so IPv6 would bypass the IPv4 rules entirely.
rc-update add iptables
rc-update add ip6tables

# List rules with packet counters; --line-numbers gives the positions used by -I/-D
iptables -L -n -v
iptables -L -n -v --line-numbers

# Persist the running rules to the file the init script restores
/etc/init.d/iptables save

# Reload the persisted rules
/etc/init.d/iptables restart

常用 iptables 规则

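# Basic firewall script
cat > /etc/iptables/rules.sh << 'SCRIPT'
#!/bin/sh
# Default-deny inbound policy for IPv4 and IPv6.
# iptables evaluates rules top-down and stops at the first match, so the
# order of the SSH rules below is significant.
set -e

# Flush existing rules and user-defined chains (filter and nat tables)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies: drop unsolicited inbound and transit traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections we initiated; drop packets conntrack cannot classify
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# SSH rate limit. These two rules must come BEFORE the SSH accept rule:
# placed after it, the accept matches first and the limit never fires.
# More than 3 new connections in 60 s from one source are dropped.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ICMP echo (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# NAT forwarding (gateway use only; also needs net.ipv4.ip_forward=1)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# IPv6: ip6tables was installed next to iptables, but with no rules its INPUT
# policy is ACCEPT, which would leave every port reachable over v6.
# Mirror the default-deny policy; ICMPv6 must stay open for neighbour discovery.
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

echo "Firewall rules applied."
SCRIPT
chmod +x /etc/iptables/rules.sh

# Apply the rules
sh /etc/iptables/rules.sh

# Persist both rule sets so the init scripts restore them at boot
/etc/init.d/iptables save
/etc/init.d/ip6tables save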

iptables 端口转发

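# Port forwarding: external 8080 -> internal 192.168.1.101:80
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.101:80
# With FORWARD policy DROP (rules.sh above) both directions need a rule: the
# DNATed request towards the server, and the reply packets back to the client.
# The original single rule only covered the request, so replies were dropped.
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 80 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Note: re-running rules.sh flushes these rules; add them there to keep them.

# Enable IP forwarding now, and persist it without appending a duplicate on every run
sysctl -w net.ipv4.ip_forward=1
grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf 2>/dev/null \
  || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p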

nftables(现代替代)

# nftables is the successor to iptables.
# NOTE(review): do not enable both the iptables and nftables services at boot;
# each can flush the other's rules (the config below starts with "flush ruleset").
apk add nftables

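# /etc/nftables.conf
cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback
        iif lo accept

        # replies to connections we initiated; drop what conntrack cannot classify
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 (ICMPv6 is required for neighbour discovery)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH
        tcp dport 22 accept

        # HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # log what reaches the end of the chain, rate-limited so that a port
        # scan cannot fill the log, then drop (the chain policy drops anyway)
        limit rate 5/minute burst 10 packets log prefix "nft-drop: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF

# Enable at boot and load the ruleset now
rc-update add nftables
rc-service nftables start

# Show the active ruleset
nft list ruleset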

4.4 无线网络配置

# Wireless tools: wpa_supplicant (WPA/WPA2 association), wireless-tools (iwconfig), iw
apk add wpa_supplicant wireless-tools iw

# List wireless interfaces
iw dev

# Scan for networks (the interface generally has to be up first)
iw dev wlan0 scan | grep SSID

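# WPA2 configuration. The file holds the network secret, so it is created
# root-only from the start (umask applies to the rest of this shell session),
# and the passphrase is stored only as its derived 256-bit PSK.
umask 077
mkdir -p /etc/wpa_supplicant
cat > /etc/wpa_supplicant/wpa_supplicant.conf << 'EOF'
ctrl_interface=/var/run/wpa_supplicant
update_config=1
country=CN
EOF

# Derive the PSK. The passphrase is read from stdin (prompted), not passed as
# an argument, so it does not show up in `ps` output or shell history.
# wpa_passphrase also prints the passphrase back as a "#psk=" comment; only
# the hashed "psk=" line is taken.
printf 'Passphrase for MyWiFi: ' >&2
psk=$(wpa_passphrase "MyWiFi" | sed -n 's/^[[:space:]]*psk=//p')

# WPA2 only: the original "proto=RSN WPA" / "CCMP TKIP" also allowed WPA1/TKIP,
# which is deprecated; re-add them only for an access point that needs it.
cat >> /etc/wpa_supplicant/wpa_supplicant.conf << EOF
network={
    ssid="MyWiFi"
    psk=$psk
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
}
EOF
chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf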

# /etc/network/interfaces — wireless stanza
# NOTE(review): wireless-essid / wireless-mode are wireless-tools (iwconfig)
# hooks; association to a WPA network is done by wpa_supplicant, so confirm
# these two lines are still needed alongside it.
auto wlan0
iface wlan0 inet dhcp
    wireless-essid MyWiFi
    wireless-mode managed

# Start at boot (both in the boot runlevel)
rc-update add wpa_supplicant boot
rc-update add networking boot

# Manual connection (the same steps without OpenRC)
ifconfig wlan0 up
wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf   # -B: daemonize
udhcpc -i wlan0   # busybox DHCP client

4.5 WireGuard VPN

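# Install the WireGuard userspace tools (wg, wg-quick)
apk add wireguard-tools

# ---- Server configuration ----

# Keys and the config are secrets: create them owner-only from the start
# instead of chmod-ing after they have been written world-readable.
# (umask stays in effect for the rest of this shell session.)
umask 077
mkdir -p /etc/wireguard

# Server key pair
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

# Client key pair. Generated here for convenience; better practice is for the
# client to generate its own pair and hand over only the public key.
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

# Server config. Address, PostUp and PostDown are wg-quick(8) keys that
# `wg setconf` rejects, so this file is loaded with wg-quick below.
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/server_private.key)
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = $(cat /etc/wireguard/client_public.key)
AllowedIPs = 10.0.0.2/32
EOF

# Forwarding between wg0 and eth0 (the MASQUERADE rule above) needs ip_forward
sysctl -w net.ipv4.ip_forward=1

# Bring the tunnel up: creates wg0, applies key/address/port and runs PostUp
wg-quick up wg0

# Start at boot via the local service
rc-update add local default
cat > /etc/local.d/wireguard.start << 'EOF'
#!/bin/sh
sysctl -w net.ipv4.ip_forward=1
wg-quick up wg0
EOF
chmod +x /etc/local.d/wireguard.start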

WireGuard 客户端配置

# Client wg0.conf (wg-quick format; DNS is a wg-quick key)
[Interface]
PrivateKey = <客户端私钥>
Address = 10.0.0.2/24
# resolver used while the tunnel is up
DNS = 8.8.8.8

[Peer]
PublicKey = <服务端公钥>
Endpoint = vpn.example.com:51820
# 0.0.0.0/0 routes all IPv4 through the tunnel. It does not cover IPv6: a
# dual-stack client still reaches v6 destinations outside the VPN unless ::/0 is added.
AllowedIPs = 0.0.0.0/0
# periodic keepalive so NAT/firewall state for a client behind NAT does not expire
PersistentKeepalive = 25

4.6 OpenVPN

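# Install OpenVPN and EasyRSA (PKI helper)
apk add openvpn easy-rsa

# Initialise the CA. EasyRSA 3's executable is named `easyrsa` (easy-rsa is
# the package name); if it is not on PATH, run it from its install directory
# under /usr/share. build-ca prompts for a CA passphrase: keep it, the CA key
# signs every server and client certificate.
cd /etc/openvpn || exit 1
easyrsa init-pki
easyrsa build-ca

# Server certificate and DH parameters
easyrsa build-server-full server nopass
easyrsa gen-dh

# Client certificate (one per client so each can be revoked individually)
easyrsa build-client-full client1 nopass

# Shared TLS key protecting the control channel; keep it root-only
openvpn --genkey secret /etc/openvpn/ta.key
chmod 600 /etc/openvpn/ta.key

# Server config
cat > /etc/openvpn/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key
dh /etc/openvpn/pki/dh.pem
# tls-crypt encrypts the control channel as well as authenticating it
# (tls-auth only authenticates). Same ta.key, no key-direction argument;
# clients must use tls-crypt too.
tls-crypt /etc/openvpn/ta.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-GCM
# drop privileges after start-up; persist-* keep tun and keys across restarts
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF

# NOTE(review): confirm which config file the openvpn OpenRC service reads by
# default; if it is not server.conf, rename the file or create a per-config
# service symlink.
rc-update add openvpn
rc-service openvpn start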

4.7 网络诊断工具

工具 安装命令 用途
ping 内置 测试连通性
traceroute apk add traceroute 路由追踪
mtr apk add mtr 综合路由诊断
nmap apk add nmap 端口扫描
tcpdump apk add tcpdump 抓包分析
iperf3 apk add iperf3 带宽测试
dig apk add bind-tools DNS 诊断
curl apk add curl HTTP 测试
nethogs apk add nethogs 进程流量监控
iftop apk add iftop 接口流量监控
# Bandwidth test
apk add iperf3
# server side (listens for clients)
iperf3 -s
# client side, pointed at the server
iperf3 -c 192.168.1.100

# Packet capture. A .pcap holds raw packets, including any cleartext
# credentials on the wire — treat the file as sensitive.
tcpdump -i eth0 -nn port 80
tcpdump -i any -nn host 192.168.1.100 -w capture.pcap

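# Connectivity check script
cat > /usr/local/bin/netcheck << 'SCRIPT'
#!/bin/sh
# Print interface, route and DNS state, then probe two well-known hosts.
# Exit status is 1 if any probe failed, so the script can be used from cron
# or another script. (`a && b || c` is not if/else — c also runs when b fails.)
rc=0
echo "=== 网络诊断 ==="
echo "--- 接口 ---"
ip -4 addr show | grep inet
echo "--- 路由 ---"
ip route show default
echo "--- DNS ---"
cat /etc/resolv.conf
echo "--- 连通性测试 ---"
if ping -c 2 -W 2 8.8.8.8; then
  echo "Internet: OK"
else
  echo "Internet: FAIL"
  rc=1
fi
if ping -c 2 -W 2 223.5.5.5; then
  echo "AliDNS:   OK"
else
  echo "AliDNS:   FAIL"
  rc=1
fi
exit "$rc"
SCRIPT
chmod +x /usr/local/bin/netcheck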

4.8 注意事项

⚠️ 安全提示

  • 生产环境防火墙默认策略应为 DROP(拒绝所有)
  • WireGuard 私钥权限必须为 600
  • VPN 服务应配置自动重连
  • 定期检查防火墙规则和开放端口

💡 性能优化

  • 对于高并发场景,调整内核参数:
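# Persist the tunables once (appending on every run duplicates the entries),
# then load them. ip_local_port_range starting at 1024 overlaps ports that
# services may listen on (e.g. the 8080 used earlier); raise the lower bound
# if that collides with local services.
grep -q '^net.core.somaxconn' /etc/sysctl.conf 2>/dev/null || cat >> /etc/sysctl.conf << 'EOF'
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65535
EOF
sysctl -p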

扩展阅读

