Linux network related
ifconfig: view the IP addresses of the network cards (install with yum install net-tools)
ip add: view the network cards (ip add is short for ip addr)
ip add is equivalent to ifconfig
ifconfig only shows network cards that are up; it does not show cards that are down.
ifconfig -a shows both the network cards currently in use and those that are down.
ifdown eth0 shuts down the eth0 network card
ifup eth0 starts the eth0 network card
If ifdown eth0 is run on its own over a remote session, the connection is dropped before ifup can be typed. To restart a network card remotely, run the two commands together on one line:
ifdown eth0 && ifup eth0
Add a virtual network card eth0:0
That is, assign an IP address to a virtual network card:
[root@centos7 ~]# cd /etc/sysconfig/network-scripts/
[root@centos7 network-scripts]# cp ifcfg-eth0 ifcfg-eth0:\0
The backslash in ifcfg-eth0:\0 escapes the colon.
Modify the network card configuration file:
vim ifcfg-eth0:0
The modifications are as follows:
Edit the name
NAME=eth0:0
Modify the IP address
IPADDR=10.211.55.17
Modify the device name
DEVICE=eth0:0
Keep the subnet mask; the gateway and DNS1 entries can be removed
NETMASK=255.255.0.0
:wq to save
[root@pantinglinux]# ifdown eth0 && ifup eth0
Successfully disconnected device 'eth0'.
Connection successfully activated (D-Bus Active Path: /org/freedesktop/NetworkManager/ActiveConnection/151)
Added a new IP address: 10.211.55.17
The new network card eth0:0 now shows up in ifconfig
eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.211.55.17 netmask 255.255.0.0 broadcast 10.211.255.255
ether 00:1c:42:8c:25:09 txqueuelen 1000 (Ethernet)
You can also log in over ssh using the IP address of the virtual network card (10.211.55.17)
mii-tool eth0 checks whether the network card has a link
If it reports "not supported",
use ethtool eth0
[root@pantinglinux]# ethtool eth0
Settings for eth0:
Link detected: yes
Change the hostname: hostnamectl set-hostname centos7
[root@pantinglinux]# hostnamectl set-hostname Centos7
[root@pantinglinux]# bash
[root@centos7 network-scripts]# cat /etc/hostname
centos7
[root@centos7 network-scripts]# exit
exit
DNS configuration file /etc/resolv.conf
[root@pantinglinux]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
DNS is configured in the network card file /etc/sysconfig/network-scripts/ifcfg-eth0; you can add a DNS2 entry for Google's DNS
[root@pantinglinux]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS2=8.8.8.8
Restart the network card:
ifdown eth0 && ifup eth0
Then check /etc/resolv.conf:
[root@pantinglinux]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29
nameserver 8.8.8.8
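The two edits above (deriving ifcfg-eth0:0 from ifcfg-eth0 with NAME, DEVICE and IPADDR changed and GATEWAY/DNS1 dropped, and adding DNS2 to ifcfg-eth0) are done by hand in the notes. The script below is an added example, not part of the original notes, that does the same edits with sed and checks the result before you would run ifdown/ifup. It works on a constructed copy of ifcfg-eth0 in a temporary directory (the parent address 10.211.55.16 and the other values are assumed), never on /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example: edit ifcfg-* key/value files the way the notes do by hand.
# Everything happens in a temp dir; no real network-scripts file is touched.
set -eu

# Print the value of KEY from an ifcfg file (empty if absent).
ifcfg_get() {  # usage: ifcfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Set KEY=VALUE: replace an existing line, or append one if the key is new.
ifcfg_set() {  # usage: ifcfg_set FILE KEY VALUE
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Remove KEY from an ifcfg file if present.
ifcfg_del() {  # usage: ifcfg_del FILE KEY
    sed -i "/^$2=/d" "$1"
}

# Derive the alias config (ifcfg-eth0:0) from the parent (ifcfg-eth0):
# copy it, change NAME/DEVICE/IPADDR, drop GATEWAY and DNS1 (kept on the parent).
make_alias_cfg() {  # usage: make_alias_cfg SRC DST ALIAS_NAME IPADDR
    cp "$1" "$2"
    ifcfg_set "$2" NAME "$3"
    ifcfg_set "$2" DEVICE "$3"
    ifcfg_set "$2" IPADDR "$4"
    ifcfg_del "$2" GATEWAY
    ifcfg_del "$2" DNS1
}

# Sanity check before ifdown/ifup: NAME and DEVICE must agree, the alias must
# not reuse the parent's address, and a NETMASK must still be present.
check_alias_cfg() {  # usage: check_alias_cfg PARENT_FILE ALIAS_FILE  (0 = ok)
    [ "$(ifcfg_get "$2" NAME)" = "$(ifcfg_get "$2" DEVICE)" ] || return 1
    [ "$(ifcfg_get "$2" IPADDR)" != "$(ifcfg_get "$1" IPADDR)" ] || return 1
    [ -n "$(ifcfg_get "$2" NETMASK)" ] || return 1
}

# Constructed sample ifcfg-eth0 (the parent address 10.211.55.16 is assumed;
# the mask and DNS1 match the notes).
WORK=$(mktemp -d)
cat > "$WORK/ifcfg-eth0" <<'EOF'
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.211.55.16
NETMASK=255.255.0.0
GATEWAY=10.211.55.1
DNS1=119.29.29.29
EOF

make_alias_cfg "$WORK/ifcfg-eth0" "$WORK/ifcfg-eth0:0" eth0:0 10.211.55.17
ifcfg_set "$WORK/ifcfg-eth0" DNS2 8.8.8.8     # the DNS2 addition from the notes
check_alias_cfg "$WORK/ifcfg-eth0" "$WORK/ifcfg-eth0:0" && echo "alias config ok"
cat "$WORK/ifcfg-eth0:0"
```

On a real host you would point the functions at /etc/sysconfig/network-scripts/ifcfg-eth0 and only then run ifdown eth0 && ifup eth0; the check catches the common slip of editing NAME but forgetting DEVICE, which leaves NetworkManager with a file it will not activate.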
/etc/hosts is a file that exists on both Windows and Linux. It is used to map custom domain names to IP addresses.
cat /etc/hosts
Pinging baidu.com normally resolves to Baidu's IP address, but I can also edit /etc/hosts so that it pings the local IP 10.211.55.17 instead.
vim /etc/hosts
Add the line:
10.211.55.17 www.baidu.com
One IP address on a line can be followed by multiple domain names.
If the same domain name appears on several lines with different IP addresses, the entry with the last IP address takes effect.
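A hosts file that maps one name to several addresses is also what a tampered /etc/hosts looks like (a name silently redirected to another host), so it is worth checking for. The script below is an added example, not part of the original notes: it lists every name in a hosts-format file that has more than one address, and looks up all addresses of a name in file order. It runs on a constructed sample file, not on the real /etc/hosts (pass that path to the functions to check a live system).

```shell
#!/bin/sh
# Added example: spot names with conflicting addresses in a hosts-format file.
set -eu

# Print every name that maps to more than one address, as "name ip1 ip2 ...".
# Comments (# ...) and blank lines are ignored; a (name, address) pair that is
# repeated verbatim counts only once.
hosts_conflicts() {  # usage: hosts_conflicts FILE
    awk '
        { sub(/#.*/, "") }                    # strip trailing comments
        NF < 2 { next }                       # need an address and a name
        {
            for (i = 2; i <= NF; i++) {
                key = $i SUBSEP $1
                if (!(key in seen)) {
                    seen[key] = 1
                    addrs[$i] = addrs[$i] " " $1
                    n[$i]++
                }
            }
        }
        END { for (name in n) if (n[name] > 1) print name addrs[name] }
    ' "$1" | sort
}

# Print every address given for NAME, in file order (one per line).
hosts_lookup() {  # usage: hosts_lookup FILE NAME
    awk -v want="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == want) print $1 }
    ' "$1"
}

# Constructed sample hosts file: the notes' override line plus a second,
# conflicting address for the same name (192.168.1.50 is made up).
HOSTS=$(mktemp)
cat > "$HOSTS" <<'EOF'
127.0.0.1     localhost localhost.localdomain
10.211.55.17  www.baidu.com baidu.com     # several names on one line
10.211.55.17  test.local
192.168.1.50  www.baidu.com               # second address for www.baidu.com
EOF

echo "names with more than one address:"
hosts_conflicts "$HOSTS"
echo "addresses listed for www.baidu.com, in file order:"
hosts_lookup "$HOSTS" www.baidu.com
```

Names that legitimately appear twice (an IPv4 and an IPv6 line for localhost, for example) will also be listed, so read the output rather than treating every hit as tampering.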
firewalld and netfilter
Firewall 1: SELinux
Temporarily disable SELinux: setenforce 0
Permanently disable SELinux: vi /etc/selinux/config
and change the setting to
SELINUX=disabled
Check whether SELinux is disabled:
getenforce
SELinux is usually disabled, either temporarily or permanently.
Firewall 2: netfilter
Firewall: both netfilter and firewalld are configured through iptables
Before CentOS 7, the netfilter firewall was used
Disable firewalld:
systemctl disable firewalld (the .service suffix is optional)
systemctl stop firewalld
How to enable netfilter
(iptables is the user-space tool for netfilter)
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables
Firewall: netfilter and firewalld are both iptables underneath, so configuring the firewall means configuring iptables
Introduction to the 5 tables and 5 chains of netfilter
The 5 tables of netfilter: filter, nat, mangle, raw and security
iptables manual:
For more detail see man iptables, which describes the 5 tables (filter, nat, mangle, raw, security)
How iptables passes a packet through the chains
http://www.cnblogs.com/metoy/p/4320813.html
① When a packet enters the network card, it first reaches the PREROUTING chain, where the kernel decides from the packet's destination IP whether it needs to be forwarded.
② If the packet is destined for this machine, it moves down the diagram to the INPUT chain. Once the packet reaches the INPUT chain, any process can receive it. Programs running on this machine can also send packets, which pass through the OUTPUT chain and then the POSTROUTING chain before leaving.
③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right in the diagram, passes through the FORWARD chain, and then reaches the POSTROUTING chain before leaving.
filter table (built-in table)
Used to filter packets; the most commonly used table. It has three chains: INPUT, FORWARD and OUTPUT
INPUT chain (packets coming in to this machine)
FORWARD chain (packets passing through this machine; judging whether the target address is local, or modifying the target address)
OUTPUT chain (packets generated by this machine; operations done before they go out)
nat table (like the port mapping in a router's nat table)
For network address translation; it has three chains: PREROUTING, OUTPUT and POSTROUTING
PREROUTING: changes made to incoming packets
OUTPUT: changes made to locally generated packets before they go out
POSTROUTING: changes made to outgoing packets
The following 3 tables are rarely used:
mangle table
Used to mark packets; almost never used
raw table
Can set up different connection tracking for certain packets (never used)
security table
Not present in CentOS 6; used for mandatory access control
iptables syntax
View the iptables rules:
iptables -nvL
Rules are stored in /etc/sysconfig/iptables
[root@pantinglinux]# cat /etc/sysconfig/iptables
iptables -F clears the currently loaded rules
service iptables save saves the rules
service iptables restart restarts iptables and reloads the rules from the configuration file /etc/sysconfig/iptables
iptables -t nat // -t specifies the table
iptables -t filter -nvL views the rules in the filter table (without -t, the filter table is used by default)
iptables -t nat -nvL views the rules in the nat table
iptables -Z clears the packet and byte counters
Add a rule (-A):
(without -t, the filter table is used by default)
iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
-A: append the rule to the chain
-s: source address
-p: protocol (tcp/udp)
--sport: source port
-d: destination IP address
--dport: destination port
-j: target (jump), the action taken when the rule matches
DROP silently discards the packet; REJECT discards it and sends an error back to the sender
Insert a rule (-I):
iptables -I INPUT -p tcp --dport 80 -j DROP
Delete a rule (-D):
iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
iptables -D INPUT -p tcp --dport 80 -j DROP
If you don't remember the exact rule, you can delete it by its rule number instead:
iptables -nvL --line-numbers
iptables -D INPUT 1
-A appends the rule at the end of the chain; -I (insert) inserts the rule at the front; -D (delete) deletes a rule
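Deleting by number goes wrong when several rules are removed in one go, because every deletion renumbers the rules below it. The script below is an added example, not part of the original notes: it reads the output of iptables -nvL --line-numbers from a file, finds the rule numbers matching a chain/target/source/destination, and emits the iptables -D commands highest number first so the numbers stay valid. The sample output is constructed to reflect the notes' own -I and -A commands (the column layout is that of iptables 1.4 on CentOS 7, where the prot column reads tcp/all); it is not captured from a real host, and nothing is executed.

```shell
#!/bin/sh
# Added example: map rules in "iptables -nvL --line-numbers" output to numbers.
set -eu

# Print the number of every rule in CHAIN whose target, source and destination
# columns match. Use "-" for SOURCE or DEST to match any value.
# Columns: num pkts bytes target prot opt in out source destination [extras]
rule_numbers() {  # usage: rule_numbers FILE CHAIN TARGET SOURCE DEST
    awk -v chain="$2" -v target="$3" -v src="$4" -v dst="$5" '
        /^Chain / { cur = $2; next }          # "Chain INPUT (policy ...)"
        /^num /   { next }                    # column header
        NF < 10   { next }                    # blank or truncated line
        cur == chain && $4 == target &&
        (src == "-" || $9 == src) && (dst == "-" || $10 == dst) { print $1 }
    ' "$1"
}

# Emit delete commands for all matches, highest number first, because removing
# rule 1 renumbers the rest. They are printed, not run, so this works anywhere.
delete_commands() {  # usage: delete_commands FILE CHAIN TARGET SOURCE DEST
    rule_numbers "$@" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$2" "$n"
    done
}

# Constructed sample: the notes' "-I ... --dport 80 -j DROP" landed at the
# front (rule 1), the "-A ... 192.168.188.1 ..." rule and the
# "-A ... 192.168.1.0/24 -i eth0 -j ACCEPT" rule were appended after it.
WORK=$(mktemp -d)
RULES=$WORK/iptables-nvL.txt
cat > "$RULES" <<'EOF'
Chain INPUT (policy ACCEPT 120 packets, 9000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
3       40  2400 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 80 packets, 6000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF

echo "number of the 192.168.188.1 DROP rule:"
rule_numbers "$RULES" INPUT DROP 192.168.188.1 192.168.188.128
echo "commands to remove every DROP in INPUT, safe order:"
delete_commands "$RULES" INPUT DROP - -
```

On a live system you would feed it the real output (iptables -nvL --line-numbers > "$RULES") and review the printed commands before running them.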
-i specifies the network interface
iptables -I/-A/-D INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-P sets the default policy of a chain, i.e. what happens to packets that no rule matches; the default policy is ACCEPT
DROP discards all incoming packets that no rule matches
iptables -P INPUT DROP
ACCEPT accepts all packets
iptables -P INPUT ACCEPT
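Setting the INPUT policy to DROP over an SSH session locks you out unless ACCEPT rules for the existing connection and for new SSH connections are already in place. The script below is an added example, not part of the original notes: it writes the notes' rules as an /etc/sysconfig/iptables file (the iptables-save format that service iptables save produces) in a lockout-safe order, and checks a ruleset file for the hazard before it would be loaded. The admin network 192.168.1.0/24, interface eth0 and the two DROP rules come from the notes; the loopback and ESTABLISHED rules and SSH on port 22 are assumptions. It writes only to a temporary file and never calls iptables.

```shell
#!/bin/sh
# Added example: build a DROP-policy ruleset that keeps remote access alive,
# and check a ruleset file for the lockout hazard before loading it.
set -eu

# Write a filter-table ruleset to FILE with INPUT policy POLICY (ACCEPT/DROP).
# The ACCEPT rules come first so they match before the policy applies.
write_ruleset() {  # usage: write_ruleset FILE POLICY
    cat > "$1" <<EOF
*filter
:INPUT $2 [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
-A INPUT -p tcp --dport 80 -j DROP
COMMIT
EOF
}

# Return 0 if FILE can be loaded from a remote SSH session without locking the
# operator out: INPUT policy ACCEPT, or policy DROP together with ACCEPT rules
# for established connections and for new SSH connections. Prints the reason
# when it fails.
lockout_safe() {  # usage: lockout_safe FILE
    policy=$(sed -n 's/^:INPUT \([A-Z]*\).*/\1/p' "$1")
    [ -n "$policy" ] || { echo "no INPUT policy line in $1"; return 1; }
    [ "$policy" = "DROP" ] || return 0
    grep -q -- '-A INPUT .*--state .*ESTABLISHED.* -j ACCEPT' "$1" \
        || { echo "INPUT policy DROP without an ESTABLISHED accept rule"; return 1; }
    grep -q -- '-A INPUT .*--dport 22 .*-j ACCEPT' "$1" \
        || { echo "INPUT policy DROP without an SSH accept rule"; return 1; }
}

WORK=$(mktemp -d)
write_ruleset "$WORK/iptables" DROP
lockout_safe "$WORK/iptables" && echo "ruleset ok; load with: iptables-restore < $WORK/iptables"
cat "$WORK/iptables"
```

The same check applied to a file that only contains ":INPUT DROP" and the two DROP rules fails with a printed reason, which is the situation the interactive sequence "iptables -P INPUT DROP" before any ACCEPT rule creates.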