iproute2 is the set of user-space tools Linux provides for managing network configuration: links, addresses, routes, policy rules, neighbours and tunnels.
ip [link|addr|route|rule] help
man ip [link|addr|route|rule]
ip
ip link
ip link # Show information for all interfaces
ip link show dev em1 # Display information only for device em1
ip -d link show dev em1 # show interface details (-d is a global option and must come before the object)
ip -s link # Display interface statistics
ip link set em1 up # Bring em1 online
ip link set em1 down # Bring em1 offline
ip link set em1 mtu 1492 # Set the MTU on em1 to 1492
ip link set em1 promisc on # Enable promiscuous mode for em1 (receive every frame on the segment; this is what packet sniffers turn on)
ip addr
ip addr #Show information for all addresses
ip addr show dev em1
ip addr add 192.168.1.1/24 dev em1
ip addr del 192.168.1.1/24 dev em1
ip rule
ip rule # show all policy-routing rules (the routing policy database)
ip rule add from 192.168.1.0/24 table main prio 10
ip rule add fwmark 0x1/0x1 table 4 prio 4 # match fwmark bit(s) mark/mask
# All selectors that can be used:
# [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ] [ iif STRING ] [ oif STRING ] [ pref NUMBER ] [ l3mdev ]
Default ip rule entries on a Linux system:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ip route
PS. "route" can be abbreviated to "r"
ip route show table main # == ip route
ip route add default via 192.168.1.1 dev em1 # Add a default route (for all addresses) via the local gateway 192.168.1.1 that can be reached on device em1
ip route add 192.168.1.0/24 via 192.168.1.1 #Add a route to 192.168.1.0/24 via the gateway at 192.168.1.1
ip route add 192.168.1.0/24 dev em1 #Add a route to 192.168.1.0/24 that can be reached on device em1
ip route add default via 192.168.1.1 [dev em1] [src 192.168.1.3] [table main]
ip route delete 192.168.1.0/24 via 192.168.1.1
ip route replace 192.168.1.0/24 dev em1 # Replace the defined route for 192.168.1.0/24 to use device em1
ip route get 192.168.1.5 # Display the actual route taken for IP 192.168.1.5
More
# Display the actual route for a dst ip and fwmark
ip route get 1.2.3.4 mark 0x2
Default routing tables (the number is the priority of the ip rule that consults the table, not the table ID):
- local (rule 0, table ID 255): maintained by the kernel; holds the routes for every interface's local and broadcast addresses. It is consulted first, so nothing in main can override it.
- main (rule 32766, table ID 254): the main routing table used by default; also the table that traditional tools such as route operate on.
- default (rule 32767, table ID 253): empty by default.
Once a common Linux distribution has configured an interface through the networking service or NetworkManager, the local and main table entries are generated automatically. For example, with eth0 configured with static IP 192.168.130.40/24 and gateway 192.168.130.1, the generated routes are:
main 路由表条目:
default via 192.168.130.1 dev eth0 proto static metric 100
192.168.130.0/24 dev eth0 proto kernel scope link src 192.168.130.40 metric 100
local 路由表条目:
broadcast 192.168.130.0 dev eth0 proto kernel scope link src 192.168.130.40
local 192.168.130.40 dev eth0 proto kernel scope host src 192.168.130.40
broadcast 192.168.130.255 dev eth0 proto kernel scope link src 192.168.130.40
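To make the rule/table interaction above concrete, here is an added example (not part of the original page) that simulates the lookup `ip route get` performs: walk the `ip rule` entries in priority order, search the matching rule's table by longest prefix, and fall through to the next rule when that table has no route for the destination. The `ip rule` and `ip route show table X` text it parses is constructed sample output; the interface names (eth0, eth1, eth2, gre1) and tables 4, 100 and 200 are assumptions, with table 200 left deliberately incomplete to show the fall-through.

```python
"""Simulate the lookup behind `ip route get DST [mark M] [iif I] [from S]`.
Added example, not code from the original page; the `ip rule` and
`ip route show table X` text below is constructed sample output."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

@dataclass
class Rule:
    pref: int
    table: str = "main"
    src: IPNet | None = None   # from PREFIX (None == from all)
    dst: IPNet | None = None   # to PREFIX
    fwmark: int = 0            # fwmark VALUE[/MASK]; fwmask 0 == no selector
    fwmask: int = 0
    iif: str | None = None     # iif NAME

    def matches(self, dst, mark, iif, src) -> bool:
        return ((self.src is None or (src is not None and src in self.src))
                and (self.dst is None or dst in self.dst)
                and (self.fwmask == 0 or (mark & self.fwmask) == (self.fwmark & self.fwmask))
                and (self.iif is None or iif == self.iif))

@dataclass
class Route:
    net: IPNet
    rtype: str = "unicast"     # local / broadcast / blackhole / ...
    via: str | None = None
    dev: str | None = None

def parse_rule(line: str) -> Rule:
    """'4: from all fwmark 0x1/0x1 lookup 4' -> Rule ('not' is not modelled)."""
    tok = line.split()
    rule = Rule(pref=int(tok[0].rstrip(":")))
    for key, val in zip(tok[1::2], tok[2::2]):
        if key in ("from", "to"):
            setattr(rule, "src" if key == "from" else "dst",
                    None if val == "all" else IPNet(val, strict=False))
        elif key == "fwmark":  # no explicit mask => every bit must match
            mark, _, mask = val.partition("/")
            rule.fwmark, rule.fwmask = int(mark, 0), int(mask, 0) if mask else 0xFFFFFFFF
        elif key == "iif":
            rule.iif = val
        elif key in ("lookup", "table"):
            rule.table = val
    return rule

def parse_route(line: str) -> Route:
    """One line of `ip route show table X`; a bare address becomes a /32."""
    tok = line.split()
    rtype = "unicast"
    if tok[0] in ("local", "broadcast", "unreachable", "blackhole", "prohibit"):
        rtype, tok = tok[0], tok[1:]
    opts = dict(zip(tok[1:], tok[2:]))     # picks up the "via X" and "dev Y" pairs
    return Route(IPNet("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False),
                 rtype, opts.get("via"), opts.get("dev"))

def parse_table(text: str) -> list[Route]:
    return [parse_route(l) for l in text.splitlines() if l.strip()]

def route_get(rules, tables, dst, mark=0, iif=None, src=None):
    """(table name, Route) the way `ip route get` reports it, or (None, None)."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.pref):   # lowest preference first
        if not rule.matches(dst, mark, iif, src):
            continue
        hits = [r for r in tables.get(rule.table, []) if dst in r.net]
        if not hits:
            continue                 # table empty or no match: try the next rule
        # longest prefix wins (metric tie-breaking not modelled);
        # a blackhole/unreachable route would end the walk here too
        return rule.table, max(hits, key=lambda r: r.net.prefixlen)
    return None, None

# Constructed sample state (assumed names): eth0 = WAN, eth1 = LAN, gre1 = tunnel.
RULES = [parse_rule(l) for l in """
0:      from all lookup local
4:      from all fwmark 0x1/0x1 lookup 4
20:     from all to 172.16.0.0/12 lookup 200
100:    from all iif eth1 lookup 100
32766:  from all lookup main
""".splitlines() if l.strip()]
TABLES = {
    "local": parse_table("local 192.168.130.40 dev eth0 proto kernel scope host src 192.168.130.40"),
    "main": parse_table("default via 192.168.130.1 dev eth0 proto static metric 100\n"
                        "192.168.130.0/24 dev eth0 proto kernel scope link src 192.168.130.40 metric 100"),
    "4": parse_table("default dev gre1 scope link"),
    "100": parse_table("default dev gre1 scope link"),
    "200": parse_table("172.16.5.0/24 dev eth2 scope link"),   # deliberately incomplete
}

if __name__ == "__main__":
    for dst, flow in (("1.2.3.4", {}), ("1.2.3.4", {"mark": 0x3}), ("172.16.9.9", {}), ("8.8.8.8", {"iif": "eth1"})):
        table, r = route_get(RULES, TABLES, dst, **flow)
        print(f"{dst} {flow} -> table {table}: {r.rtype} via {r.via} dev {r.dev}")
```

Two things the simulation makes visible that the command list does not: `fwmark 0x1/0x1` tests one bit, so `mark 0x2` does not select table 4 while `mark 0x3` does; and a rule that points at a table with no matching route is silently skipped, so 172.16.9.9 ends up on the main default route even though rule 20 matched it.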
ip neigh
ip neigh # Display neighbour objects
ip neigh show dev em1 # Show the ARP cache for device em1
ip neigh add 192.168.1.1 lladdr 1:2:3:4:5:6 dev em1 nud permanent # Add a static entry: PERMANENT entries are never rewritten by incoming ARP replies, which is how you pin a gateway's MAC against ARP spoofing
ip neigh add 192.168.1.1 lladdr 1:2:3:4:5:6 dev em1 # Add address 192.168.1.1 with MAC 1:2:3:4:5:6 to em1
ip neigh del 192.168.1.1 dev em1 # Invalidate the entry for 192.168.1.1 on em1
ip neigh replace 192.168.1.1 lladdr 1:2:3:4:5:6 dev em1 # Replace the entry for address 192.168.1.1 to use MAC 1:2:3:4:5:6 on em1
ip maddr
ip maddr # Display multicast information for all devices
ip maddr show dev em1 # Display multicast information for device em1
ip maddr add 33:33:00:00:00:01 dev em1 # Add multicast address 33:33:00:00:00:01 to em1
ip maddr del 33:33:00:00:00:01 dev em1 # Delete address 33:33:00:00:00:01 from em1
ip tunnel
ip tunnel add tunnelName mode gre remote 2.3.4.5
ip addr add dev tunnelName 192.168.20.1/24
ip link set dev tunnelName up
gre can be swapped for ipip. ipip mode has less overhead (no GRE header) and better throughput, and tends to pass intermediate network nodes and firewalls more easily, while some networks' QoS policies treat gre traffic more favourably. Neither mode encrypts or authenticates anything: the kernel accepts any packet whose outer source address is the configured remote, so anyone who can spoof that address can inject traffic into the tunnel, and anyone on the path can read it. If you need confidentiality you have to layer IPsec or similar on top, which is cumbersome.
Both tunnel endpoints need addresses in the same subnet on the tunnel interface. The firewall must allow the inbound ipip / gre protocol packets; accept them only from the peer rather than from any source:
iptables -A INPUT -p ipip -s 2.3.4.5 -j ACCEPT # use -p gre for mode gre
Internet traffic can be routed through the tunnel:
ip route add default dev tunnelName table 100
# send only selected traffic through the tunnel (policy routing)
ip rule add iif tun0 table 100 prio 100 # iif is the interface the traffic arrives on (for LAN clients, the LAN-facing interface); never the tunnel interface itself, or packets arriving from the tunnel are routed straight back into it
The Internet-facing interface at the tunnel exit usually needs MASQUERADE. Depending on the network, the tunnel interface at the entry side may need MASQUERADE as well (the deciding question is whether the private subnets behind the two ends can reach each other directly at the IP layer).
On OpenWrt, install kmod-iptunnel plus kmod-gre or kmod-ipip.
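Added example (not from the original page) that pulls together three security-relevant facts from the sections above: the promiscuous flag that `ip link` shows, the PERMANENT neighbour state that `ip neigh ... nud permanent` sets, and the fact that gre/ipip tunnels carry traffic unencrypted and unauthenticated. It audits the text that `ip -d link show`, `ip neigh show` and `ip route show` print. The sample output is constructed, with assumed interface names and addresses; the `promiscuity` counter and the `gre remote ... local ...` line only appear in `ip -d` (detailed) output.

```python
"""Audit `ip` output for sniffing, ARP-spoofing and plaintext-tunnel indicators.
Added example, not from the original page: it parses text in the format of
`ip -d link show`, `ip neigh show` and `ip route show` (constructed samples with
assumed names and addresses) and reports promiscuous interfaces, gre/ipip tunnels
(unencrypted and unauthenticated), a default gateway whose neighbour entry is not
PERMANENT, and one MAC address answering for several IPs."""
from __future__ import annotations

import re
from collections import defaultdict

IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 192.168.130.40 peer 198.51.100.7 promiscuity 0 minmtu 0 maxmtu 0
    gre remote 198.51.100.7 local 192.168.130.40 ttl inherit
"""
IP_NEIGH = """\
192.168.130.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.130.22 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
192.168.130.5 dev eth0 lladdr 52:54:00:cc:dd:05 PERMANENT
192.168.130.9 dev eth0 FAILED
"""
IP_ROUTE = """\
default via 192.168.130.1 dev eth0 proto static metric 100
192.168.130.0/24 dev eth0 proto kernel scope link src 192.168.130.40 metric 100
"""
LINK_HDR = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <([^>]*)>")

def parse_links(text: str) -> dict:
    """name -> {flags, type, promiscuity, remote}; promiscuity/remote need `ip -d`."""
    links, cur = {}, None
    for line in text.splitlines():
        m = LINK_HDR.match(line)
        if m:
            cur = links[m.group(2)] = {"flags": set(m.group(3).split(",")),
                                        "type": None, "promiscuity": 0, "remote": None}
        elif cur is not None:
            for key, pat in (("type", r"link/(\S+)"), ("promiscuity", r"promiscuity (\d+)"),
                             ("remote", r"\bremote (\S+)")):
                m = re.search(pat, line)
                if m:
                    cur[key] = int(m.group(1)) if key == "promiscuity" else m.group(1)
    return links

def parse_neigh(text: str) -> list[dict]:
    """Entries from `ip neigh show`; lladdr is None for FAILED/INCOMPLETE lines."""
    out = []
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        e = {"ip": tok[0], "dev": tok[tok.index("dev") + 1], "lladdr": None, "state": tok[-1]}
        if "lladdr" in tok:
            e["lladdr"] = tok[tok.index("lladdr") + 1].lower()
        out.append(e)
    return out

def default_gateway(route_text: str) -> str | None:
    m = re.search(r"^default via (\S+)", route_text, re.M)
    return m.group(1) if m else None

def audit(link_text: str, neigh_text: str, route_text: str) -> list[str]:
    findings = []
    for name, l in parse_links(link_text).items():
        if "PROMISC" in l["flags"] or l["promiscuity"] > 0:   # a sniffer is attached
            findings.append(f"promisc:{name}")
        if l["type"] in ("gre", "ipip"):                       # plaintext, unauthenticated
            findings.append(f"plaintext-tunnel:{name}->{l['remote']}")
    neigh, gw = parse_neigh(neigh_text), default_gateway(route_text)
    if any(n["ip"] == gw and n["state"] != "PERMANENT" for n in neigh):
        findings.append(f"gateway-not-pinned:{gw}")           # ARP replies can still rewrite it
    by_mac = defaultdict(set)
    for n in neigh:
        if n["lladdr"]:
            by_mac[(n["dev"], n["lladdr"])].add(n["ip"])
    for (dev, mac), ips in by_mac.items():
        if len(ips) > 1:                                       # classic ARP-poisoning sign
            findings.append(f"shared-mac:{mac}@{dev}=" + ",".join(sorted(ips)))
    return findings

def pin_command(neigh_text: str, route_text: str) -> str | None:
    """`ip neigh replace ... nud permanent` for the gateway. Verify the MAC out of
    band first: if the cache is already poisoned you would pin the attacker."""
    gw = default_gateway(route_text)
    for n in parse_neigh(neigh_text):
        if n["ip"] == gw and n["lladdr"]:
            return f"ip neigh replace {gw} lladdr {n['lladdr']} dev {n['dev']} nud permanent"
    return None

if __name__ == "__main__":
    for f in audit(IP_LINK, IP_NEIGH, IP_ROUTE):
        print(f)
    print(pin_command(IP_NEIGH, IP_ROUTE))
```

On a real host replace the constants with `subprocess` captures of the three commands. The shared-MAC check is the one to watch: in the sample the gateway and 192.168.130.22 answer with the same MAC, which is what a poisoned cache looks like, and pinning the gateway with the MAC currently in the cache would freeze the attacker in place.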
Other tools
arping
arping -I eth0 192.168.1.1 # Send ARP request to 192.168.1.1 via interface eth0
arping -D -I eth0 192.168.1.1 # Duplicate address detection: check whether 192.168.1.1 is already in use on eth0 (another MAC answering for it)
ethtool
ethtool -g eth0 # Display ring buffer for eth0
ethtool -i eth0 # Display driver information for eth0
ethtool -p eth0 # Identify eth0 by sight, typically by causing LEDs to blink on the network port
ethtool -S eth0 # Display network and driver statistics for eth0
ss
Display socket statistics. The options below can be combined
ss -a # Show all sockets (Without this flag, will only show non-listening sockets)
ss -e # Show detailed socket information
ss -o # Show timer information
ss -n # Do not resolve addresses
ss -p # Show process using the socket
ss -neopa # all of the above combined
Compare NET-TOOLS vs. IPROUTE commands
| NET-TOOLS | IPROUTE |
|---|---|
| arp -a | ip neigh |
| arp -v | ip -s neigh |
| arp -s 192.168.1.1 1:2:3:4:5:6 | ip neigh add 192.168.1.1 lladdr 1:2:3:4:5:6 dev eth1 |
| arp -i eth1 -d 192.168.1.1 | ip neigh del 192.168.1.1 dev eth1 |
| ifconfig -a | ip addr |
| ifconfig eth0 down | ip link set eth0 down |
| ifconfig eth0 up | ip link set eth0 up |
| ifconfig eth0 192.168.1.1 | ip addr add 192.168.1.1/24 dev eth0 |
| ifconfig eth0 netmask 255.255.255.0 | ip addr add 192.168.1.1/24 dev eth0 |
| ifconfig eth0 mtu 9000 | ip link set eth0 mtu 9000 |
| ifconfig eth0:0 192.168.1.2 | ip addr add 192.168.1.2/24 dev eth0 label eth0:0 |
| netstat | ss |
| netstat -neopa | ss -neopa |
| netstat -g | ip maddr |
| route | ip route |
| route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0 | ip route add 192.168.1.0/24 dev eth0 |
| route add default gw 192.168.1.1 | ip route add default via 192.168.1.1 |