ifconfig, selinux, netfilter, iptables, netfilter 5 tables and 5 chains
2022-04-28 00:14:12
10.11 Linux networking
- ifconfig shows the network card IP (needs net-tools: yum install net-tools)
- ip add (short for ip addr) shows the same addresses and does not need net-tools
- ifconfig -a shows all network cards, including those that are down
- ifup ens33 / ifdown ens33 bring the card up or down
- ifdown ens33 && ifup ens33 takes the card down and brings it straight back up (a restart); chain the two with && because an ifdown alone over an SSH session on that card cuts the session before you can type ifup
- Add a virtual network card (an IP alias):
  - cd /etc/sysconfig/network-scripts
  - cp ifcfg-ens33 ifcfg-ens33:0
  - vi !$ (!$ is the last argument of the previous command, i.e. ifcfg-ens33:0)
  - change NAME=ens33:0
  - change DEVICE=ens33:0
  - change the IP (IPADDR)
- mii-tool ens33 checks whether a network cable is plugged into the card; look for "link ok"
- ethtool ens33 does the same check; the last line should read "Link detected: yes"
- hostnamectl set-hostname aminglinux-001 changes the hostname
- cat /etc/hostname shows the hostname configuration file
- The DNS configuration file is /etc/resolv.conf
- Both Linux and Windows have a hosts file; on Linux /etc/hosts is consulted when a custom domain name is accessed.
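The "add virtual network card" steps above as one function, an added example that is not part of the original notes: it copies ifcfg-ens33 to ifcfg-ens33:0 and rewrites NAME, DEVICE and IPADDR non-interactively instead of opening vi. The directory is a parameter so the function can be tried on a scratch copy before it is pointed at /etc/sysconfig/network-scripts; the function name and the UUID handling are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the "add virtual network
# card" steps as a single function. It copies ifcfg-ens33 to ifcfg-ens33:0
# and rewrites NAME, DEVICE and IPADDR non-interactively (instead of
# "vi !$"). The directory is a parameter so the function can be exercised
# on a scratch copy rather than on /etc/sysconfig/network-scripts.
# The function name is hypothetical.

# add_alias_ifcfg DIR PARENT IDX NEWIP
#   DIR     directory holding the ifcfg-* files
#   PARENT  physical interface, e.g. ens33
#   IDX     alias index, e.g. 0 (creates ifcfg-ens33:0)
#   NEWIP   IPv4 address for the alias
# Prints the path of the new file; returns 1 and changes nothing on error.
add_alias_ifcfg() {
    dir=$1; parent=$2; idx=$3; newip=$4
    src="$dir/ifcfg-$parent"
    dst="$dir/ifcfg-$parent:$idx"

    [ -f "$src" ] || { echo "no template $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "$dst already exists, not overwriting" >&2; return 1; }
    # crude sanity check: four dot-separated numbers and nothing else
    echo "$newip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad IPv4 address: $newip" >&2; return 1; }

    cp "$src" "$dst"
    # the same three edits the notes make in the vi session
    sed -i \
        -e "s/^NAME=.*/NAME=$parent:$idx/" \
        -e "s/^DEVICE=.*/DEVICE=$parent:$idx/" \
        -e "s/^IPADDR=.*/IPADDR=$newip/" "$dst"
    # the copied UUID would make the alias look like the same connection as
    # the parent, so drop it (assumption: nothing else relies on that UUID)
    sed -i -e '/^UUID=/d' "$dst"
    echo "$dst"
}

# Usage on a real system (as root), then bring the alias up:
#   add_alias_ifcfg /etc/sysconfig/network-scripts ens33 0 192.168.188.150 && ifup ens33:0
```

The function refuses to overwrite an existing alias file and rejects a malformed address before touching anything, so a typo leaves the network-scripts directory as it was.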
10.12 firewalld and netfilter
- setenforce 0 turns SELinux off temporarily (permissive mode until the next reboot)
- Turning it off permanently requires editing the configuration file: vim /etc/selinux/config and set SELINUX=disabled (takes effect after a reboot)
- getenforce shows the current SELinux status
- After it is temporarily turned off, an access that SELinux would have blocked is not really blocked but let through (it is only logged)
- The firewall before CentOS 7 is called netfilter; the firewall of CentOS 7 is called firewalld; both support the iptables command
- To switch CentOS 7 back to the pre-CentOS 7 firewall, netfilter (the iptables service):
  - systemctl disable firewalld
  - systemctl stop firewalld
  - yum install -y iptables-services
  - systemctl enable iptables
  - systemctl start iptables
  - iptables -nvL shows the rules now in force
- The firewall itself is netfilter (in the kernel); iptables is just the tool used to manage it.
10.13 netfilter 5 tables and 5 chains introduction
- netfilter has five tables; CentOS 6 has only the first four (no security table):
  1. filter table: used to filter packets; the most commonly used table. It has three chains: INPUT, FORWARD and OUTPUT.
     - INPUT: packets whose destination is the local machine; here the source IP can be checked and a suspicious IP banned
     - FORWARD: decides whether the destination address is the local machine; if not, the packet goes through the FORWARD chain to be forwarded
     - OUTPUT: packets generated locally and sent out go through the OUTPUT chain
  2. nat table: used for network address translation. It has three chains: PREROUTING, OUTPUT and POSTROUTING.
  3. mangle table: used to mark packets; rarely used.
  4. raw table: used to exempt certain packets from connection tracking; A Ming never uses it.
  5. security table: used for mandatory access control (MAC) network rules; A Ming never used it.
- Reference article: http://www.cnblogs.com/metoy/p/4320813.html
10.14 iptables syntax
- Linux firewall: netfilter
- Packet flow through the five netfilter chains
  - PREROUTING: before the packet reaches the routing table (routing decision)
  - INPUT: after the routing decision, when the destination is this machine
  - FORWARD: after the routing decision, when the destination is not this machine
  - OUTPUT: packets generated by this machine, on their way out
  - POSTROUTING: just before the packet is handed to the network card
- iptables related commands and usage
- iptables -nvL shows the currently loaded (default) rules
- The restart command is:
# service iptables restart
# cat /etc/sysconfig/iptables
This file holds the saved default rules.
# iptables -F
Temporarily clears the loaded rules; the rules in the file are untouched. To save the currently loaded rules to the configuration file, execute:
# service iptables save
If you do not save, the rules from the file are loaded again after a restart and the unsaved changes are gone.
# iptables -t filter -nvL
Equivalent to # iptables -nvL: without -t, the filter table is shown by default.
# iptables -t nat -nvL
Shows the nat table rules.
# iptables -Z
Resets the packet and byte counters to zero. Example use: a monitoring script blocks an IP and zeroes the counters; if the counter for that IP does not exceed a certain amount within a period of time, the script unblocks the IP again.
- Adding rules:
# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
Without -t, the filter table is used by default. -A appends a rule to a chain (here INPUT); -s the source IP; -p the protocol (tcp, udp, ...); --sport the source port; -d the destination IP; --dport the destination port; -j the action. DROP discards the packet silently, without answering; REJECT also discards it but sends an error reply back, so the sender learns the connection was refused.
- Inserting rules:
# iptables -I INPUT -p tcp --dport 80 -j DROP
- -I inserts the rule at the top of the chain; -A appends it at the bottom.
- Packets are matched against the rules from the first one down, so a rule at the top is evaluated first and takes precedence over later ones.
- Deleting rules:
# iptables -D INPUT -p tcp --dport 80 -j DROP
-D deletes a rule; the match and the target must be given exactly as when the rule was added.
- If you still remember the command used to add the rule, you can delete it directly with -D. If you have forgotten it, delete it by line number instead: first run
# iptables -nvL --line-numbers
to print the number of each rule, and then execute
# iptables -D INPUT <line number>
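Two small helpers, added here as an example rather than taken from the notes, that parse the text of iptables -nvL --line-numbers: one finds the number of a rule so it can be removed with -D when the original command is forgotten, the other lists blocked addresses whose counter stayed at zero after iptables -Z (the unblocking script mentioned earlier). The listing is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse the text of
# "iptables -nvL --line-numbers" so that a rule can be deleted by its number
# when the original command is forgotten, and so that a blocked address
# whose counter stayed at zero after "iptables -Z" can be unblocked.
# Function names are hypothetical; the listing below is constructed.

# Constructed sample of "iptables -nvL --line-numbers" output for the
# filter table (same column layout as iptables prints).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 1234 packets, 100K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2220 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
2        0     0 DROP       all  --  *      *       10.0.0.99            0.0.0.0/0
3      512 40960 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 900 packets, 80K bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# rule_number LISTING CHAIN TARGET SOURCE
# Prints the number of the first rule in CHAIN with that target and source
# (columns 4 and 9 of the listing); prints nothing if there is no match.
rule_number() {
    printf '%s\n' "$1" | awk -v want="$2" -v tgt="$3" -v src="$4" '
        /^Chain / { chain = $2; next }            # header line names the chain
        $1 ~ /^[0-9]+$/ && chain == want && $4 == tgt && $9 == src { print $1; exit }
    '
}

# delete_rule_cmd LISTING CHAIN TARGET SOURCE
# Builds the "iptables -D CHAIN <number>" command for the matched rule and
# prints it instead of running it, so it can be reviewed first.
delete_rule_cmd() {
    n=$(rule_number "$1" "$2" "$3" "$4")
    [ -n "$n" ] || { echo "no such rule in $2" >&2; return 1; }
    echo "iptables -D $2 $n"
}

# idle_drop_sources LISTING CHAIN
# Prints the source of every DROP rule in CHAIN whose packet counter is 0.
# Intended flow: iptables -Z, wait the observation period, capture the
# listing; every address printed here sent nothing in that window.
# (Add -x to iptables if you compare against a non-zero threshold: without
# it large counters are abbreviated as 12K, 3M and so on.)
idle_drop_sources() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && chain == want && $4 == "DROP" && $2 == "0" { print $9 }
    '
}

# On a live system the listing comes from the command itself, for example:
#   listing=$(iptables -nvL --line-numbers)
#   delete_rule_cmd "$listing" INPUT DROP 10.0.0.99
```

Capture the listing once and pass it around rather than re-running iptables per lookup: rule numbers shift as soon as one rule is deleted, so a number is only valid for the listing it was read from.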
# iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
Rules can also match on the network card (-i is the incoming interface).
# iptables -P OUTPUT DROP
-P changes the default policy of a chain. Use DROP on the OUTPUT chain with great care: once the OUTPUT policy is DROP the server can no longer send any data, the xshell session receives nothing and is disconnected immediately.
10.15 Small case study of the iptables filter table
Further reading (SELinux, for understanding)
- SELinux tutorial http://os.51cto.com/art/201209/355490.htm
- SELinux PDF e-book http://pan.baidu.com/s/1jGGdExK