Four ways to configure host-only networking for a Linux virtual machine, and details of using iptables

Virtual machine network modes

VMware provides three network working modes: Bridged (bridge mode), NAT (network address translation mode) and Host-Only (host-only mode).

Open VMware and, under Edit in the menu bar, open the Virtual Network Editor. There you can see VMnet0 (bridged mode), VMnet1 (host-only mode) and VMnet8 (NAT mode). What do these represent? VMnet0 is the virtual switch used in bridged mode, VMnet1 the virtual switch used in host-only mode, and VMnet8 the virtual switch used in NAT mode.
At the same time the host has two corresponding virtual network cards, VMware Network Adapter VMnet1 and VMware Network Adapter VMnet8, which serve host-only mode and NAT mode respectively. Both appear in the host's Network Connections. If you have uninstalled them, click Restore Default Settings in the Virtual Network Editor under Edit in VMware and the virtual network cards are recreated. This time select host-only mode and set the network segment of the IP address to 11 (that is, 192.168.11.0/24), ready for the tests below.

Now to the actual operation: how to set up host-only mode.
First, after installing the system and before powering it on, click Edit Virtual Machine Settings to set the network card mode.
Click Network Adapter, select Host-only mode, then OK.
Before entering the system, first confirm the host's IP address, gateway, DNS and other information.

1. Configuration file method

Then enter the system and edit the network card configuration file. The command is vim /etc/sysconfig/network-scripts/ifcfg-eno16777736; enter the configuration (a static IP address in the 192.168.11.0/24 segment, plus the gateway and DNS noted from the host).
Run systemctl restart network to reload the network card.
Testing from the external host succeeds.
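To show what the configuration-file method actually puts on disk, here is an added example (not code from the original post) that generates an ifcfg-style static configuration for the host-only adapter, checks the address really sits in the 192.168.11.0/24 host-only segment before writing, and reads values back. The gateway and DNS values are assumptions (the post only says to note them from the host); the device name eno16777736 and the target path come from the post. The demo writes to a temporary file, not to /etc/sysconfig.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and verifies an
# ifcfg-style static configuration for a host-only (VMnet1) adapter.
# Gateway and DNS values below are assumptions for the demo.

HOST_ONLY_NET=192.168.11.0/24   # the host-only segment chosen in the post

# valid_ipv4 ADDR: four dotted-decimal octets, each 0-255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# in_segment_24 ADDR NETWORK/24: succeeds when ADDR shares the first three octets.
in_segment_24() {
  [ "${1%.*}" = "${2%.*/24}" ]
}

# write_ifcfg PATH DEVICE IPADDR GATEWAY DNS1
# Returns 1 on a malformed address, 2 when IPADDR is outside HOST_ONLY_NET
# (an address on the wrong segment is the usual reason the host-only test fails).
write_ifcfg() {
  path=$1 dev=$2 ip=$3 gw=$4 dns=$5
  valid_ipv4 "$ip" && valid_ipv4 "$gw" && valid_ipv4 "$dns" || return 1
  in_segment_24 "$ip" "$HOST_ONLY_NET" || return 2
  cat >"$path" <<EOF
TYPE=Ethernet
BOOTPROTO=static
NAME=$dev
DEVICE=$dev
ONBOOT=yes
IPADDR=$ip
PREFIX=24
GATEWAY=$gw
DNS1=$dns
EOF
}

# ifcfg_get PATH KEY: prints the value stored for KEY.
ifcfg_get() {
  sed -n "s/^$2=//p" "$1"
}

# Stand-alone demo: on the real VM the path would be
# /etc/sysconfig/network-scripts/ifcfg-eno16777736, followed by
# "systemctl restart network". Here a temporary file is used instead.
demo_file=$(mktemp)
write_ifcfg "$demo_file" eno16777736 192.168.11.45 192.168.11.1 192.168.11.1
echo "--- generated $demo_file ---"
cat "$demo_file"
rm -f "$demo_file"
```

The segment check is the useful part: all four methods in the post fail the same way if the address is typed on the wrong network, and the host-side ping gives no hint why.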

2. Use the nmtui command

This time use the address 192.168.11.45, so it can be told apart from the first test.
Testing from the host to the .45 address succeeds.

3. Use the nm-connection-editor command to modify the IP address

This time use the address 192.168.11.84. Click Edit to add the address, then test from the external host; the test succeeds.

4. Use the desktop's network settings; this time use 192.168.11.56

Choose Network Settings, then click Settings to change the address and try again.
Modify 192.168.11.84 to 192.168.11.65; the experimental results are as follows:

The test was successful.

Firewall management tools

Firewall policy can be customized based on the source address, destination address, port number, protocol, application and other attributes of the traffic; the firewall then checks incoming and outgoing traffic against these pre-defined policy rules. If traffic matches a rule, the corresponding action is taken; otherwise it is discarded. This ensures that only legitimate traffic flows between the corporate intranet and the external public network.

In RHEL 7, the firewalld service replaces iptables as the default firewall management service. Neither iptables nor firewalld is itself a firewall; they are firewall management tools used to define firewall policy, or in other words, they are just services. The iptables service passes the configured policy to the kernel-level netfilter packet filter for processing, and the firewalld service passes the configured policy to the kernel-level nftables packet filtering framework. So Linux actually has several firewall management tools, which exist to make it easier for operations staff to manage firewall policy; configuring one of them properly is enough.

iptables

Early Linux systems used the iptables firewall management service by default. Although the newer firewalld management service has been in use for many years, many enterprises continue to use iptables in production for various reasons.

The configuration ideas behind each firewall management tool are the same, so mastering iptables is also a useful reference when learning other firewall management tools later.

Policies and rule chains

The firewall reads the configured policy rules in order from top to bottom. As soon as a match is found it stops matching and executes the action defined in that rule (pass or block). If no rule matches after all the policy rules have been read, the default policy is executed. Generally speaking there are two kinds of firewall policy rule: pass (allow) and block (deny). When the firewall's default policy is deny (blocking), you must add an allow rule (pass), otherwise nothing can get in; when the default policy is allow, you must add a deny rule, otherwise anyone can get in and the firewall no longer protects anything.

The iptables service calls the policy entries used to process or filter traffic "rules". Multiple rules form a rule chain, and rule chains are classified according to the point at which they process packets, as follows:

Process packets before routing (PREROUTING);
Process incoming packets (INPUT);      * external network --> internal network
Process outgoing packets (OUTPUT);     * external network <-- internal network
Process forwarded packets (FORWARD);   * passing through a third party
Process packets after routing (POSTROUTING).

Actions taken when a policy rule matches:

ACCEPT (allow): let the traffic through
LOG (log): let the traffic through, but record it in the log
REJECT (reject): refuse the traffic and send an explicit rejection response (in the exam be sure to use REJECT, so the system knows explicitly that the traffic was rejected)
DROP (drop): refuse the traffic without responding

Basic command parameters

iptables is a command-line firewall policy management tool with a large number of parameters.

The iptables command matches traffic by its source address, destination address, transport protocol, service type and other attributes. Once a match succeeds, iptables processes the traffic according to the action preset in the policy rule. Remember once again that policy rules are matched from top to bottom, so the stricter, higher-priority rules must be placed first to avoid mistakes.

Commonly used iptables parameters and their functions:

iptables -L                                                         # view the existing firewall rule chains
iptables -F                                                         # flush the existing firewall rule chains
iptables -L                                                         # view the rule chains again; the rules that existed before are all gone
iptables -P INPUT DROP                                              # set the default policy of the INPUT chain to deny; a chain's default deny action can only be DROP, not REJECT
iptables -L                                                         # view the rule chains; shows Chain INPUT (policy DROP)
iptables -I INPUT -p icmp -j ACCEPT                                 # insert a rule at the head of the INPUT chain allowing ICMP traffic in
ping -c 4 192.168.10.10                                             # ping now works, but ssh and everything else does not
iptables -D INPUT 1                                                 # delete rule 1 of the INPUT chain (the ICMP allow rule just added)
iptables -P INPUT ACCEPT                                            # set the default policy of the INPUT chain to allow
iptables -L                                                         # view the rule chains; shows Chain INPUT (policy ACCEPT); ping, ssh and so on are all allowed
iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT    # allow only hosts in the given segment to reach port 22 on this machine (the protocol must be given before the port)
iptables -A INPUT -p tcp --dport 22 -j REJECT                       # append a rule to the tail of the INPUT chain rejecting port 22 from all hosts (together with the previous rule: only the given segment may reach port 22, everyone else is rejected)
iptables -L                                                         # view the existing rules; there should now be 2, one allow and one reject
iptables -I INPUT -p tcp --dport 12345 -j REJECT                    # add rules to the INPUT chain rejecting everyone from port 12345 on this machine (tcp and udp)
iptables -I INPUT -p udp --dport 12345 -j REJECT
iptables -L
iptables -I INPUT -p tcp -s 192.168.10.5 --dport 80 -j REJECT       # add a rule to the INPUT chain rejecting host 192.168.10.5 from port 80 (the web service) on this machine
iptables -L
iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT                # add rules to the INPUT chain rejecting all hosts from ports 1000 to 1024 on this machine
iptables -A INPUT -p udp --dport 1000:1024 -j REJECT
iptables -L
service iptables save                                               # make the configured firewall policy permanent (by default the rules are lost at the next reboot)

Problem description:

[root@lizhiqiang Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
[root@lizhiqiang Desktop]# iptables -F
[root@lizhiqiang Desktop]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
[root@lizhiqiang Desktop]# iptables -P INPUT DROP
[root@lizhiqiang Desktop]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
[root@lizhiqiang Desktop]# iptables -I INPUT -p icmp -j ACCEPT
[root@lizhiqiang Desktop]# iptables -D INPUT 1
[root@lizhiqiang Desktop]# iptables -P INPUT ACCEPT
[root@lizhiqiang Desktop]# iptables -I INPUT -s 192.168.11.1/24 -p tcp --dport 22 -j ACCEPT
[root@lizhiqiang Desktop]# iptables -I INPUT -s 192.168.11.1/24 -p tcp --dport 22 -j ACCEPT

The simulated test from the virtual machine succeeds.

service iptables save writes the rules so they are loaded again at startup.

Origin blog.csdn.net/SYH885/article/details/109290188