System security protection, configuring user environment, configuring advanced connections, firewall policy management

【System Security Protection】

"SELinux security mechanism"
Security-Enhanced Linux
-- Developed by the US National Security Agency (NSA): a mandatory access control (MAC) system that hardens Linux beyond the ordinary owner/group/other permissions
-- Built into the Linux kernel (2.6 and later)
-- RHEL7 ships preset SELinux protection policies for users, processes, directories and files, together with management tools

SELinux operating modes
enforcing     enforced: policy violations are blocked and logged
permissive    permissive: violations are only logged, not blocked
disabled      completely disabled (no policy loaded)

Temporarily switch modes (lost at the next reboot)
setenforce 1    switch to enforcing
setenforce 0    switch to permissive
getenforce      show the current mode
Note: setenforce only toggles between enforcing and permissive; entering or leaving disabled requires the config file and a reboot.

Permanent configuration (takes effect after reboot)
/etc/selinux/config
--->
SELINUX=enforcing    sets enforcing mode
--->
reboot               reboot for the change to take effect
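Because setenforce changes are temporary, the runtime mode (getenforce) and the persistent setting (/etc/selinux/config) can disagree, which is worth detecting on a fleet. The following is an added example, not part of the original notes: it parses a constructed copy of /etc/selinux/config, compares it with a runtime mode string (as getenforce would print it), and rewrites the SELINUX= line the way a hand edit would. The sample config text and the function names are assumptions.

```python
import re

# Constructed sample of /etc/selinux/config (not copied from a real host)
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
"""

VALID_MODES = ("enforcing", "permissive", "disabled")
# Only an uncommented SELINUX= line counts; the commented examples above it must be ignored
_MODE_LINE = re.compile(r"^[ \t]*SELINUX[ \t]*=[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def persistent_mode(config_text: str) -> str:
    """Return the SELINUX= value from the config text (the mode applied at boot)."""
    matches = _MODE_LINE.findall(config_text)
    if not matches:
        raise ValueError("no SELINUX= line found")
    mode = matches[-1].lower()  # the last assignment wins, as the boot code reads it
    if mode not in VALID_MODES:
        raise ValueError(f"invalid SELINUX value: {mode}")
    return mode


def check_drift(config_text: str, runtime_mode: str) -> str:
    """Compare the persistent setting with what `getenforce` reports (runtime_mode)."""
    want = persistent_mode(config_text)
    have = runtime_mode.strip().lower()
    if have == want:
        return f"ok: SELinux is {have} at runtime and in /etc/selinux/config"
    if "disabled" in (want, have):
        # setenforce cannot cross the disabled boundary; only a reboot can
        return f"reboot pending: config says {want}, runtime is {have}"
    # enforcing vs permissive mismatch: someone ran setenforce, or the kernel
    # was booted with an override; setenforce 1 restores enforcing until reboot
    return f"drift: config says {want} but runtime is {have}"


def set_persistent_mode(config_text: str, mode: str) -> str:
    """Rewrite the SELINUX= line, the equivalent of editing /etc/selinux/config."""
    if mode not in VALID_MODES:
        raise ValueError(f"invalid mode: {mode}")
    new_text, count = _MODE_LINE.subn(f"SELINUX={mode}", config_text)
    if count == 0:
        raise ValueError("no SELINUX= line to rewrite")
    return new_text


if __name__ == "__main__":
    print(persistent_mode(SAMPLE_CONFIG))            # enforcing
    print(check_drift(SAMPLE_CONFIG, "Enforcing"))   # ok: ...
    print(check_drift(SAMPLE_CONFIG, "Permissive"))  # drift: ...
    print(set_persistent_mode(SAMPLE_CONFIG, "permissive"))
```

On a real host you would read the file from /etc/selinux/config and feed `getenforce` output into check_drift; any "drift" result is a sign that enforcement was relaxed without a persistent change and deserves a look at the audit log.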
【Configure the user environment】

"Custom commands"
Define an alias
alias name='command line to run'    (no spaces around the =)
Cancel an alias
unalias name
View aliases
alias [name]

"User initialization files"
Per-user configuration
~/.bashrc    e.g. ~student/.bashrc applies only to student
Affects the specified user; takes effect every time that user opens a bash terminal.
Global configuration
/etc/bashrc
Affects all users; takes effect every time a bash terminal is opened.

【Configure advanced connections】

"Configure an IPv6 address"
IPv4 address representation
-- 32 bits, written as four dot-separated decimal numbers
-- 172.25.0.11, 127.0.0.1
IPv6 address representation
-- 128 bits, written as eight colon-separated hexadecimal groups
-- leading zeros in each group may be omitted, and one run of consecutive all-zero groups may be collapsed to ::
2003:ac18:0000:0000:0000:0000:0000:0305
---> 2003:ac18::305/64    (the /64 is the prefix length, not part of the address)
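The two shortening rules above are easy to misapply by hand (collapsing two runs, or collapsing a single zero group). The following is an added example, not from the original notes: it implements the rules explicitly, checks the result against Python's ipaddress module, and shows that the /64 prefix is separate from the address. It goes slightly beyond the notes by handling the tie-breaking case where two zero runs have the same length (the first one is collapsed).

```python
import ipaddress


def compress_ipv6(addr: str) -> str:
    """Apply the two shortening rules to a full 8-group IPv6 address by hand."""
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected the uncompressed form with 8 colon-separated groups")
    # Rule 1: drop leading zeros in each group, but keep at least one digit
    groups = [g.lower().lstrip("0") or "0" for g in groups]
    # Rule 2: find the longest run of all-zero groups; on a tie the first run wins
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    # A single zero group is never collapsed, and :: may appear only once (RFC 5952)
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(addr: str) -> str:
    """Undo the shortening using the standard library as the reference."""
    return ipaddress.IPv6Address(addr).exploded


def same_address(a: str, b: str) -> bool:
    """Two textual forms denote the same address iff their 128-bit values match."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def split_prefix(cidr: str):
    """'2003:ac18::305/64' -> (address, prefix length)."""
    iface = ipaddress.IPv6Interface(cidr)
    return str(iface.ip), iface.network.prefixlen


if __name__ == "__main__":
    full = "2003:ac18:0000:0000:0000:0000:0000:0305"
    short = compress_ipv6(full)
    print(full, "->", short)                   # 2003:ac18::305
    print(short, "->", expand_ipv6(short))     # back to the 8-group form
    print(same_address(full, short))           # True
    print(split_prefix("2003:ac18::305/64"))   # ('2003:ac18::305', 64)
    assert short == ipaddress.IPv6Address(full).compressed
```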

Basic configuration method
1. Modify the connection parameters
nmcli con show    to get the connection name
--->
NAME           DEVICE
System eth0    eth0
connection name    network card name
nmcli connection modify "System eth0" ipv6.method manual ipv6.addresses "2003:ac18::305/64"

2. Activate the connection (bring it down and then up if necessary)
nmcli connection up "System eth0"
View the IPv6 address
ifconfig eth0 | grep inet6
"Configure an aggregation connection"

Advantages of link aggregation
team, aggregation connection (also called link aggregation)
-- A virtual network card formed from several physical network cards (team-slave), i.e. "teaming"
-- Function 1: roundrobin, traffic load balancing
-- Function 2: activebackup, connection redundancy
Conditions for link aggregation
-- 2 or more physical network cards
-- Query the network cards: ifconfig -a | grep ^eth
Configure the aggregation connection

[Diagram: two physical cards eth1 and eth2 joined into the aggregate connection team0 (192.168.1.1), analogous to HSRP's active router and backup router behind one virtual router]

1. Create the aggregate connection
--- type, connection name, runner
nmcli con add con-name team0 type team ifname team0 config '{ "runner":{ "name":"activebackup" } }'
Tip ---> man teamd.conf, press G to jump to the end, look up EXAMPLES, and copy "runner": {"name": "activebackup"}
2. Configure the IPv4 address
--- connection name, IP address
nmcli con mod team0 ipv4.method manual ipv4.addresses '172.16.3.20/24' connection.autoconnect yes
3. Create the aggregate member connections
--- type, connection name, master connection
nmcli con add con-name team0-p1 type team-slave ifname eth1 master team0
nmcli con add con-name team0-p2 type team-slave ifname eth2 master team0
4. Activate the aggregate connection
1) activate the aggregate connection
nmcli connection up team0
2) activate the aggregate member connections
nmcli connection up team0-p1
nmcli connection up team0-p2
5. Confirm the aggregate connection status
1) view the aggregate connection address
ifconfig team0
2) view the aggregate connection running status
teamdctl team0 state    ---> runner shown as activebackup, with the currently active port

【Firewall policy management】
"Firewall configuration"
-- system service: firewalld
-- management tools: firewall-cmd (command line), firewall-config (graphical)

View lists
firewall-cmd --list-all [--zone=zone name]
firewall-cmd --list-all-zones
firewall-cmd --get-zones
firewall-cmd --get-services
View status
firewall-cmd --get-default-zone
Set status
firewall-cmd --set-default-zone=?
public     allows only selected services (ssh and a few others)
trusted    allows all traffic
block      rejects all traffic (the sender is told the connection was refused)
drop       silently discards all traffic
Specify the default security zone
firewall-cmd --set-default-zone=zone name
The default is public, which is strictly restricted
For an open environment it is recommended to change the default zone to trusted and then block unwanted IP segments:
Block an IP network segment
firewall-cmd --permanent --zone=block --add-source=network segment
Open the http service
firewall-cmd --permanent --zone=public --add-service=http
Open the ftp service
firewall-cmd --permanent --zone=public --add-service=ftp
Reload the configuration (required before --permanent changes take effect)
firewall-cmd --reload
Deleting a rule: replace add with remove in the same statement
add ---> remove

Port mapping configuration
1. Enable the firewall service
systemctl restart firewalld
systemctl enable firewalld
2. Set the default zone to trusted
firewall-cmd --set-default-zone=trusted
3. Block a network segment
firewall-cmd --permanent --zone=block --add-source=172.35.0.0/24
firewall-cmd --reload
4. Configure port forwarding ---> 5423 ---> 80
1) prepare the test website on the server
package:    yum -y install httpd
web page:   vim /var/www/html/index.html
service:    systemctl restart httpd
2) access test from the client
package:    yum -y install elinks
access:     elinks -dump http://server0.example.com/
3) configure port forwarding
firewall-cmd --permanent --zone=trusted --add-forward-port=port=5423:proto=tcp:toport=80
firewall-cmd --reload
5. Verify the port forwarding policy
elinks -dump http://server0.example.com:5423/
elinks -dump http://server0.example.com/
firefox http://server0.example.com/

FTP sharing service
vsftpd, default FTP share path: /var/ftp

Rules for firewall matching (first match wins)
1. Look at the source IP address of the client request first: if any zone has a source policy covering that address, the request enters that zone (firewalld also checks interface bindings before falling back)
2. Otherwise the request enters the default zone
Typical application methods:
Strict, method 1: keep the default zone as block, and add source policies to the trusted zone for the access that should be let through
Loose, method 2: keep the default zone as trusted, and add source policies to the block zone for the access that should be blocked
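To make the matching rules and the port-mapping procedure above concrete, here is an added example that is not part of the original notes: a small model of firewalld's zone selection (source binding first, then the default zone) and of each zone's verdict (target, forward-port, service or port list). The Zone class, the service-to-port table and both policy builders are constructed for this illustration; the loose policy mirrors the port mapping steps (default trusted, 172.35.0.0/24 in block, 5423 forwarded to 80 in trusted), the strict policy mirrors method 1. Real firewalld also evaluates interface bindings and rich rules, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified service-to-port table (constructed; firewalld reads service XML definitions)
SERVICE_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "ftp": ("tcp", 21)}


@dataclass
class Zone:
    name: str
    target: str = "default"  # "default": allow only listed services/ports; or ACCEPT / REJECT / DROP
    sources: list = field(default_factory=list)        # CIDRs bound with --add-source
    services: set = field(default_factory=set)         # names added with --add-service
    ports: set = field(default_factory=set)            # (proto, port) added with --add-port
    forward_ports: dict = field(default_factory=dict)  # (proto, port) -> toport (--add-forward-port)


def select_zone(src_ip: str, zones: dict, default_zone: str) -> Zone:
    """Rule 1: a zone with a matching source binding wins; rule 2: otherwise the default zone."""
    ip = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        for cidr in zone.sources:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return zone
    return zones[default_zone]


def decide(src_ip: str, proto: str, port: int, zones: dict, default_zone: str) -> tuple:
    """Return (zone name, verdict) for one inbound packet."""
    zone = select_zone(src_ip, zones, default_zone)
    if zone.target in ("REJECT", "DROP"):
        return zone.name, zone.target
    if (proto, port) in zone.forward_ports:
        return zone.name, f"FORWARD to port {zone.forward_ports[(proto, port)]}"
    if zone.target == "ACCEPT":
        return zone.name, "ACCEPT"
    allowed = {SERVICE_PORTS[s] for s in zone.services if s in SERVICE_PORTS} | zone.ports
    return zone.name, "ACCEPT" if (proto, port) in allowed else "REJECT"


def loose_policy() -> dict:
    """Method 2: default trusted, one segment blocked, 5423 -> 80 forwarded in trusted."""
    return {
        "public": Zone("public", services={"ssh"}),
        "trusted": Zone("trusted", target="ACCEPT", forward_ports={("tcp", 5423): 80}),
        "block": Zone("block", target="REJECT", sources=["172.35.0.0/24"]),
        "drop": Zone("drop", target="DROP"),
    }


def strict_policy() -> dict:
    """Method 1: default block, only a trusted segment is let through."""
    return {
        "public": Zone("public", services={"ssh"}),
        "trusted": Zone("trusted", target="ACCEPT", sources=["172.25.0.0/24"]),
        "block": Zone("block", target="REJECT"),
        "drop": Zone("drop", target="DROP"),
    }


if __name__ == "__main__":
    zones = loose_policy()
    for src, port in [("172.35.0.9", 80), ("172.25.0.11", 5423), ("172.25.0.11", 21)]:
        print("loose ", src, port, decide(src, "tcp", port, zones, "trusted"))
    zones = strict_policy()
    for src in ["172.25.0.11", "10.0.0.1"]:
        print("strict", src, 22, decide(src, "tcp", 22, zones, "block"))
```

The model makes the trade-off of the two methods visible: with the loose policy every address that is not explicitly blocked reaches every port, so the block zone list has to be complete; with the strict policy an address that is not explicitly trusted gets nothing, so an omission fails closed.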

Origin http://43.154.161.224:23101/article/api/json?id=324888685&siteId=291194637