10.12 firewalld and netfilter

1. selinux command

selinux is a security mechanism unique to Redhat/CentOS systems. However, because it imposes many restrictions and is cumbersome to configure, almost nobody uses it in practice, so after installing the system we generally turn selinux off to avoid unnecessary trouble. To turn off selinux, set "SELINUX=disabled" in its configuration file; the default is enforcing.
Enter the command vi /etc/selinux/config and press Enter; see the figure below.

After saving the configuration file, restart the machine for the change to take effect. You can use the getenforce command to check the current selinux status.

getenforce: view the selinux status

setenforce 0: temporarily disable selinux
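The two commands above act on different things: setenforce 0 changes the running mode until the next reboot, while the SELINUX= line in /etc/selinux/config decides the mode after a reboot, so the two can disagree. The shell script below is an added example, not code from the original post; it reads and rewrites the SELINUX= key in a config file of that format and compares it with what getenforce reports. The sample file contents in demo() are constructed, and every function takes an optional path so it can be tried on a scratch copy before touching the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the original post): read and change the SELINUX= key in an
# /etc/selinux/config-style file and compare it with the running mode from getenforce.
# Every function takes an optional path so it can be tried on a scratch copy; the
# default is the real /etc/selinux/config.

# Print the configured mode (enforcing, permissive or disabled). Only the SELINUX=
# key is read; SELINUXTYPE= and comment lines do not match the pattern.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1
}

# Rewrite the SELINUX= line to MODE; the rest of the file is untouched. The new
# content goes through a temp file so a failed sed cannot truncate the original.
set_selinux_config_mode() {
    mode="$1"
    cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
    esac
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Running mode as getenforce reports it (lower-cased), or "unknown" where
# getenforce is not installed.
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo unknown
    fi
}

# Compare configured and running mode. They differ after "setenforce 0" (which lasts
# only until reboot) or after editing the file without rebooting.
selinux_report() {
    cfg="${1:-/etc/selinux/config}"
    want=$(selinux_config_mode "$cfg")
    have=$(selinux_runtime_mode)
    echo "configured=$want running=$have"
    if [ "$have" != unknown ] && [ "$have" != "$want" ]; then
        echo "mismatch: the running mode is temporary or a reboot is pending"
        return 2
    fi
}

# Dry run on a constructed copy of the config (not taken from any real host).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$tmp"
    echo "before: $(selinux_config_mode "$tmp")"    # enforcing
    set_selinux_config_mode disabled "$tmp"
    echo "after:  $(selinux_config_mode "$tmp")"    # disabled
    rm -f "$tmp"
}
demo
```

On a real host, `selinux_report` with no argument reads /etc/selinux/config and exits with status 2 when the file and getenforce disagree, which is exactly the state the post leaves the machine in between running setenforce 0 and rebooting.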

2. netfilter firewall

Both centos6 and centos7 have iptables, where iptables is a tool, that is, a command. The firewall is called netfilter in centos6 and firewalld in centos7; both are based on iptables underneath.

The systemctl disable firewalld command disables the firewalld service; run it first.

The systemctl stop firewalld command then stops (closes) the firewalld service.

Then enable the netfilter firewall. Before enabling it, you need to install a package with the command yum install -y iptables-services

After the installation completes, you can enable the iptables service, that is, turn on the netfilter firewall service:

systemctl enable iptables: enable the firewall service

systemctl start iptables: start the firewall service

iptables -nvL: view the default rules of iptables
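What a practitioner actually wants from iptables -nvL is the default policy of each built-in chain and whether unmatched traffic is accepted. The script below is an added example, not from the original post: it parses the listing format that iptables -nvL prints and reports each chain's policy, its rule count, and the chains whose policy is ACCEPT without a final catch-all DROP or REJECT rule. SAMPLE_NVL is a constructed listing modelled on the stock iptables-services rules; on a real host the functions read the live listing from stdin.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of "iptables -nvL"
# and report each built-in chain's default policy, its rule count, and any chain
# whose default policy is ACCEPT without a final catch-all DROP/REJECT rule.
# The functions read the listing from stdin, so on a real host you would run:
#   iptables -nvL | chain_policies
# SAMPLE_NVL is a constructed listing modelled on the stock iptables-services rules.

SAMPLE_NVL=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 40 packets, 3200 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Shared parser; MODE selects what to print: policies, counts, or open.
_parse_nvl() {
    awk -v mode="$1" '
    /^Chain / {
        c = $2; n++; order[n] = c; rules[c] = 0; last_t[c] = ""; last_p[c] = ""
        pol[c] = ($3 == "(policy") ? $4 : "-"   # user-defined chains have no policy
        next
    }
    # Rule lines start with the pkts and bytes counters (optionally with K/M/G suffix).
    /^ *[0-9]+[KMG]? +[0-9]+[KMG]? / && c != "" {
        rules[c]++; last_t[c] = $3; last_p[c] = $4
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (mode == "policies") print c, pol[c]
            else if (mode == "counts") print c, rules[c]
            else if (mode == "open" && pol[c] == "ACCEPT" &&
                     !((last_t[c] == "DROP" || last_t[c] == "REJECT") && last_p[c] == "all"))
                print c
        }
    }'
}

chain_policies() { _parse_nvl policies; }   # "<chain> <policy>" per line
chain_rule_counts() { _parse_nvl counts; }  # "<chain> <rule count>" per line
open_chains() { _parse_nvl open; }          # chains where unmatched traffic is accepted

# Demo on the constructed sample: only OUTPUT is reported as open.
printf '%s\n' "$SAMPLE_NVL" | chain_policies
printf '%s\n' "$SAMPLE_NVL" | open_chains
```

In the sample, INPUT and FORWARD end in a REJECT-all rule, so their ACCEPT policy never applies; OUTPUT has no rules at all, so everything the host sends is allowed, which is the default the post's iptables-services setup leaves in place.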

10.12 Introduction to the 5 tables and 5 chains of netfilter

The above are the 5 tables of the netfilter firewall: filter, nat, mangle, raw and security (the security table did not exist before Centos7).
filter table: used to filter packets; the most commonly used table. It has three chains: INPUT, FORWARD and OUTPUT.
nat table: used for network address translation. It has three chains: PREROUTING, OUTPUT and POSTROUTING.
mangle table: used to mark packets and then act on them according to the mark; almost never used.
raw table: can be used to exempt certain packets from connection tracking; almost never used.
security table: not available in centos6; holds network rules for mandatory access control (MAC); almost never used.

Five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
PREROUTING: acts on a packet when it has just reached the firewall, changing its destination address if necessary.
INPUT: acts on packets entering the machine.
FORWARD: acts on packets that are not addressed to the machine itself (packets passing through).
OUTPUT: acts on packets sent by the machine, and changes the destination address of locally generated packets if necessary.
POSTROUTING: changes the source address of a packet before it leaves the firewall.

Introduction to iptables
Netfilter/iptables (abbreviated as iptables) is the packet filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall solutions for packet filtering, packet redirection and network address translation (NAT).
Basic concepts of iptables
Rules are conditions predefined by the network administrator. A rule is generally of the form "if the packet header meets these conditions, process the packet in this way". Rules are stored in the packet filtering tables in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables processes it in the way the rule defines, such as accept, reject or drop. The main work of configuring a firewall is adding, modifying and deleting these rules.
The relationship between iptables and netfilter:
This needs to be said first, because the relationship between iptables and netfilter confuses many people: many know iptables but not netfilter. In fact, iptables is only the management tool of the Linux firewall, located at /sbin/iptables. What actually implements the firewall function is netfilter, the structure inside the Linux kernel that performs packet filtering.
How iptables passes data packets
① When a packet enters the network card, it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.
② If the packet is destined for this machine, it moves down the figure to the INPUT chain. Once it has passed the INPUT chain, a local process receives it. Programs running on this machine can also send packets; these pass through the OUTPUT chain and then reach the POSTROUTING chain before being output.
③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right in the figure, passes through the FORWARD chain, and then reaches the POSTROUTING chain before being output.
selinux, firewalld, netfilter and their 5 tables and 5 chains

The following material describes 4 tables and 5 chains. There are now 5 tables and 5 chains, but the extra table is hardly used.
The rule tables and chains of iptables:
Tables provide specific functions. iptables has 4 built-in tables, namely the filter table, nat table, mangle table and raw table, which are used for packet filtering, network address translation, packet modification (mangling) and connection tracking handling respectively.
Chains are the paths that packets travel. Each chain is in fact a checklist of rules, and a chain can contain one or several rules. When a packet arrives at a chain, iptables checks from the first rule of the chain whether the packet meets the rule's conditions. If it does, the system processes the packet in the way the rule defines; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables processes it according to the chain's predefined default policy.
iptables uses a hierarchical structure of "tables" and "chains"; see the figure below.
selinux, firewalld, netfilter and their 5 tables and 5 chains
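The chain-walking description above (first matching rule decides, otherwise the chain's default policy applies) is the core of how every filter rule behaves. The script below is an added example, not from the original post: a tiny first-match evaluator in awk that walks a constructed ruleset for a given packet. The rule format (protocol, source CIDR, destination port, action) is a simplified one invented for the example, not real iptables syntax, and the addresses in the tests are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a tiny first-match rule evaluator
# showing how a chain is walked. Rules are checked top to bottom, the first rule
# whose conditions match decides the verdict, and a packet matching no rule
# gets the chain's default policy. The rule format here is a simplified
# constructed one (protocol, source CIDR, destination port, action), not real
# iptables syntax.

# Constructed sample ruleset: one rule per line, "-" means any port.
SAMPLE_RULES='
# proto  source          dport  action
tcp      0.0.0.0/0       22     ACCEPT
tcp      192.168.1.0/24  80     ACCEPT
udp      0.0.0.0/0       53     ACCEPT
icmp     0.0.0.0/0       -      ACCEPT
tcp      10.0.0.0/8      3306   REJECT
'

# evaluate_rules POLICY PROTO SRC_IP DPORT  (rules on stdin)
# Prints "<verdict> (rule N)" or "<policy> (default policy)".
evaluate_rules() {
    awk -v policy="$1" -v proto="$2" -v src="$3" -v dport="$4" '
    function ip2n(ip,  a) {           # dotted quad -> 32-bit integer
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function in_cidr(ip, cidr,  p, bits, div) {   # prefix comparison without bit ops
        split(cidr, p, "/")
        bits = (p[2] == "") ? 32 : p[2] + 0
        div = 2 ^ (32 - bits)
        return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    NF == 4 && $1 !~ /^#/ {
        n++                            # rule number, as iptables -L --line-numbers would show
        if (($1 == "all" || $1 == proto) && in_cidr(src, $2) && ($3 == "-" || $3 == dport)) {
            print $4 " (rule " n ")"
            matched = 1
            exit                       # first match wins; later rules are never consulted
        }
    }
    END { if (!matched) print policy " (default policy)" }'
}

# check_packet PROTO SRC_IP DPORT: evaluate against the sample ruleset, default policy DROP.
check_packet() {
    printf '%s\n' "$SAMPLE_RULES" | evaluate_rules DROP "$1" "$2" "$3"
}

check_packet tcp 203.0.113.5 22      # ACCEPT (rule 1)
check_packet tcp 203.0.113.5 80      # DROP (default policy)
check_packet tcp 10.2.3.4 3306       # REJECT (rule 5)
```

The second call shows the point the paragraph makes: port 80 from an address outside 192.168.1.0/24 matches no rule, so the verdict comes from the default policy, not from any rule. Changing the policy argument to ACCEPT would let that packet through, which is why the default policy of a chain matters as much as its rules.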

Rule tables:
1. filter table - three chains: INPUT, FORWARD, OUTPUT
Function: filter packets. Kernel module: iptable_filter
2. nat table - three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP, port). Kernel module: iptable_nat
3. mangle table - five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modify the service type and TTL of packets, and configure routing to implement QoS. Kernel module: iptable_mangle (don't be put off by how complicated this table looks; we almost never touch it when setting policies)
4. raw table - two chains: OUTPUT, PREROUTING
Function: decide whether a packet is handled by the connection tracking mechanism. Kernel module: iptable_raw

Rule chains:
1. INPUT - incoming packets are subject to the rules in this chain
2. OUTPUT - outgoing packets are subject to the rules in this chain
3. FORWARD - packets being forwarded are subject to the rules in this chain
4. PREROUTING - the rules in this chain are applied before the packets are routed
(remember: all incoming packets are processed by this chain first)
5. POSTROUTING - the rules in this chain are applied after the packets are routed
(all outgoing packets are processed by this chain on their way out)
Priority order between the rule tables:
raw > mangle > nat > filter
Priority order of the rule chains (three cases):
Case 1: inbound data flow
Packets reaching the firewall from the outside are first processed by the PREROUTING chain (whether to modify the packet address, etc.), and then routing is performed (deciding where the packet should be sent). If the destination host of the packet is the firewall itself (for example, an Internet user accessing the web server on the firewall host), the kernel passes it to the INPUT chain (which decides whether to allow it through, etc.); once allowed, it is handed to the upper-layer application on the system (such as the Apache server) to respond.
Case 2: forwarded data flow
Packets from the outside that reach the firewall are first processed by the PREROUTING chain, and then routing is performed. If the packet is destined for another host rather than the firewall itself, the kernel passes it to the FORWARD chain (which decides whether to forward or intercept it), and then to the POSTROUTING chain (whether to modify the packet address, etc.).
Case 3: outbound data flow
Packets sent by the firewall itself to an external address (for example, when testing a public DNS server from the firewall host) are first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to modify the packet address, etc.).

For the above content, see  http://www.cnblogs.com/metoy/p/4320813.html

Summary:
getenforce: view the current selinux status; Enforcing means on, Permissive means off.
setenforce 0: temporarily turn off selinux
vi /etc/selinux/config: edit the selinux configuration file and set SELINUX=disabled to turn off selinux permanently
systemctl disable firewalld: disable the firewalld service (do this first)
systemctl stop firewalld: stop the firewalld service
5 tables: filter, nat, mangle, raw, security
5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Local machine: PREROUTING → INPUT → OUTPUT → POSTROUTING
Not the local machine (forwarded): PREROUTING → FORWARD → POSTROUTING