10.11 Linux network related; 10.12 firewalld and netfilter; 10.13 netfilter 5 tables and 5 chains introduction; 10.14 iptables syntax

Linux network related

ifconfig: view the network card's IP address (install with yum install net-tools)

ip addr: view the network cards

ip addr is equivalent to ifconfig

 

ifconfig does not show network cards that are down, only those that are up.

ifconfig -a shows both the network cards in use and those that are down

 

ifdown eth0 shuts down the eth0 network card

ifup eth0 brings up the eth0 network card

 

If ifdown eth0 is run on its own over a remote connection, that connection is cut off before ifup can be typed. To restart a network card remotely, run the two commands together on one line:

ifdown eth0 && ifup eth0

 

Add a virtual network card eth0:0

That is, assign an IP address to the virtual network card:

 

[root@centos7 ~]# cd /etc/sysconfig/network-scripts/

[root@centos7 network-scripts]# cp ifcfg-eth0 ifcfg-eth0:\0

 

In ifcfg-eth0:\0 the backslash is an escape character; the file created is named ifcfg-eth0:0

 

Edit the network card configuration file

vim ifcfg-eth0:0

 

Make the following modifications:

Change NAME

NAME=eth0:0

Change the IP address

IPADDR=10.211.55.17

Change the device name

DEVICE=eth0:0

Keep only the subnet mask; the gateway and DNS1 lines can be removed

NETMASK=255.255.0.0

 

:wq to save

[root@pantinglinux]# ifdown eth0 && ifup eth0

Successfully disconnected device 'eth0'.

Connection successfully activated (D-Bus Active Path: /org/freedesktop/NetworkManager/ActiveConnection/151)

 

A new IP address has been added: 10.211.55.17

ifconfig now shows the new network card eth0:0

 

eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 10.211.55.17  netmask 255.255.0.0  broadcast 10.211.255.255

        ether 00:1c:42:8c:25:09  txqueuelen 1000  (Ethernet)

 

You can also log in over ssh using the IP address of the virtual network card.
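As an added example (not from the original notes), a small shell script that performs the ifcfg-eth0:0 edits above on a copy in a scratch directory; the ifcfg-eth0 contents it starts from are constructed, and the output directory is a parameter so nothing under /etc is touched:

```shell
#!/bin/sh
# Added example, not part of the original notes: generate the alias config
# ifcfg-eth0:0 from an existing ifcfg-eth0, applying the edits listed above
# (NAME, DEVICE and IPADDR changed; GATEWAY and DNS lines dropped; NETMASK
# and the other keys kept). Assumptions: KEY=VALUE ifcfg syntax; the output
# directory is a parameter so this can be tried in a scratch directory before
# touching /etc/sysconfig/network-scripts.
set -eu

# make_alias_cfg <source-ifcfg> <alias-name> <alias-ip> <output-dir>
# Writes <output-dir>/ifcfg-<alias-name> and prints its path.
make_alias_cfg() {
    src=$1; name=$2; ip=$3; outdir=$4
    out="$outdir/ifcfg-$name"   # e.g. ifcfg-eth0:0; no escaping needed here
    grep -v -E '^(GATEWAY|DNS[0-9]*)=' "$src" \
        | sed -e "s/^NAME=.*/NAME=$name/" \
              -e "s/^DEVICE=.*/DEVICE=$name/" \
              -e "s/^IPADDR=.*/IPADDR=$ip/" > "$out"
    # A DHCP-style source has no IPADDR line at all; add one in that case.
    grep -q '^IPADDR=' "$out" || echo "IPADDR=$ip" >> "$out"
    echo "$out"
}

# Constructed sample standing in for a real ifcfg-eth0.
workdir=$(mktemp -d)
cat > "$workdir/ifcfg-eth0" <<'EOF'
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.211.55.16
NETMASK=255.255.0.0
GATEWAY=10.211.55.1
DNS1=119.29.29.29
EOF

alias_file=$(make_alias_cfg "$workdir/ifcfg-eth0" eth0:0 10.211.55.17 "$workdir")
cat "$alias_file"
# Apply it with "ifdown eth0 && ifup eth0" on one line (see the note above
# about losing a remote session when ifdown is run by itself).
```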

 

 

 

mii-tool eth0 checks whether the network card has a link

If it reports "not supported", use ethtool eth0 instead

[root@pantinglinux]# ethtool eth0

Settings for eth0:

Link detected: yes

 

Change the hostname: hostnamectl set-hostname centos7

[root@pantinglinux]# hostnamectl set-hostname Centos7

[root@pantinglinux]# bash

[root@centos7 network-scripts]# cat /etc/hostname 

centos7

[root@centos7 network-scripts]# exit

exit

 

 

 

DNS configuration file /etc/resolv.conf

[root@pantinglinux]# cat /etc/resolv.conf 

# Generated by NetworkManager

nameserver 119.29.29.29

 

DNS is configured in /etc/sysconfig/network-scripts/ifcfg-eth0; you can add a DNS2 entry for Google's DNS

[root@pantinglinux]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

DNS2=8.8.8.8

Restart the network card

ifdown eth0 && ifup eth0

Then check /etc/resolv.conf

[root@pantinglinux]# cat /etc/resolv.conf 

# Generated by NetworkManager

nameserver 119.29.29.29

nameserver 8.8.8.8

 

 

 

/etc/hosts exists on both Windows and Linux. It maps domain names to IP addresses locally, so a domain name can be pointed at a custom address.

 

cat /etc/hosts

 

Pinging baidu.com normally resolves to Baidu's IP address, but it can be changed to resolve to the local IP 10.211.55.17 instead

 

vim /etc/hosts

Add the line

10.211.55.17 www.baidu.com

 

 

One line can map an IP address to multiple domain names.

If the same domain name appears on several lines with different IP addresses, the last IP address listed takes effect.

 

firewalld and netfilter

Firewall 1: selinux

Disable selinux temporarily: setenforce 0

Disable selinux permanently: vi /etc/selinux/config

and change the line to

SELINUX=disabled

Check whether selinux is disabled:

getenforce

 

selinux is usually disabled, either temporarily or permanently.

 

Firewall 2: netfilter

 

Firewall: netfilter and firewalld both work by configuring iptables

 

 

Before CentOS 7, the netfilter firewall was used

Stop and disable firewalld

systemctl disable firewalld (the .service suffix is optional)

systemctl stop firewalld (the .service suffix is optional)

 

How to enable netfilter

(iptables is the tool used to manage netfilter)

yum install -y iptables-services

systemctl enable iptables

systemctl start iptables

 

 

Firewall: both netfilter and firewalld use iptables underneath; configuring either means configuring iptables

 

 

netfilter 5 tables and 5 chains introduction

The 5 tables of netfilter (filter table, nat table, mangle table, raw table, security table)

 

iptables manual:

See man iptables for more on the 5 tables (filter table, nat table, mangle table, raw table, security table)

How iptables passes packets through the chains

http://www.cnblogs.com/metoy/p/4320813.html

① When a packet enters the network card it first goes to the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.

② If the packet is for this machine, it moves down the figure to the INPUT chain. Once it has passed the INPUT chain, any local process can receive it. Programs running on this machine can also send packets; these go through the OUTPUT chain and then the POSTROUTING chain before leaving.

③ If the packet is to be forwarded and the kernel allows forwarding, it moves to the right in the figure, passes through the FORWARD chain, and then the POSTROUTING chain before leaving.

 

filter table (built-in table)

Used to filter packets; the most commonly used table. It has three chains: INPUT, FORWARD, OUTPUT

INPUT chain (incoming packets)

FORWARD chain (judging whether the target address is local, or modifying the target address)

OUTPUT chain (packets generated by this machine, processed before they go out)

 

nat table (network address translation, as used for port mapping on a router)

Used for network address translation; it has three chains: PREROUTING, OUTPUT, and POSTROUTING

PREROUTING: changes made to incoming packets (before routing)

OUTPUT: changes made to locally generated packets before they go out

POSTROUTING: changes made to outgoing packets (after routing)

 

 

The following 3 tables are rarely used:

mangle table

Used to mark packets; almost never used

 

raw table

Can apply different connection tracking to certain packets (almost never used)

 

security table

Not present in CentOS 6; used for mandatory access control

 

 

iptables syntax

View the iptables rules

iptables -nvL

Rules are saved in /etc/sysconfig/iptables

[root@pantinglinux]# cat /etc/sysconfig/iptables

iptables -F clears the rules

 

service iptables save saves the current rules

 

service iptables restart restarts iptables and loads the rules from the configuration file /etc/sysconfig/iptables

 

iptables -t nat    // -t specifies the table

iptables -t filter -nvL views the rules in the filter table (without -t, the filter table is used by default)

iptables -t nat -nvL views the rules in the nat table

 

iptables -Z clears the packet and byte counters

 

 

Add a rule: (-A)

(without -t, the filter table is used by default)

iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

-A append: add the rule to the end of the chain

-s source: source IP

-p protocol: tcp / udp

--sport: source port

-d destination: destination IP

--dport: destination port

-j jump: the action to take on a match (ACCEPT, DROP, REJECT)

DROP silently discards the packet; REJECT discards it and sends an error back to the sender

 

 

Insert a rule: (-I)

iptables -I INPUT -p tcp --dport 80 -j DROP

Delete a rule: (-D)

iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

iptables -D  INPUT -p tcp --dport 80 -j DROP

 

If you do not remember the exact rule, you can delete it by rule number instead. First list the rules with their numbers:

iptables -nvL --line-numbers

 

iptables -D INPUT 1

 

 

-A appends the rule to the end of the chain; -I (insert) inserts the rule at the front; -D (delete) deletes a rule

 

 

-i specifies the network interface

iptables -I/-A/-D INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

 

iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

 

Set the default policy (-P) for a chain; the default policy is ACCEPT

DROP rejects all incoming packets that no rule accepts (on a remote machine, first add ACCEPT rules for your own ssh session, otherwise the session is cut off)

iptables -P INPUT DROP

ACCEPT receives all packets

iptables -P INPUT ACCEPT
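As an added example (not from the original notes), a shell script for the delete-by-number method above: it finds the rule number(s) of a rule in "iptables -nvL --line-numbers" output and deletes them highest-number first. The listing it parses is constructed sample output, and IPTABLES is a hypothetical variable added here so the script can be dry-run without root:

```shell
#!/bin/sh
# Added example, not part of the original notes. Finds the number(s) of a rule
# in "iptables -nvL --line-numbers" output so it can be removed with
# "iptables -D <chain> <num>" when the exact original arguments are forgotten.
# Assumptions: the default -nvL column order (num pkts bytes target prot opt in
# out source destination ...); the listing is read from stdin so saved output
# can be used; IPTABLES is a hypothetical override that allows a dry run.
set -eu

# rule_numbers <chain> <target> <proto> <source> <destination>   (listing on stdin)
# Prints the matching rule numbers in <chain>, highest first, one per line.
rule_numbers() {
    awk -v chain="$1" -v target="$2" -v proto="$3" -v src="$4" -v dst="$5" '
        /^Chain / { cur = $2; next }   # "Chain INPUT (policy ACCEPT ...)"
        /^num /   { next }             # column header line
        cur == chain && NF >= 10 &&
        $4 == target && $5 == proto && $9 == src && $10 == dst { print $1 }
    ' | sort -rn
}

# delete_rules <chain> <target> <proto> <source> <destination>   (listing on stdin)
# Deletes every matching rule, highest number first, because deleting rule N
# renumbers every rule after it. Prints what was deleted.
delete_rules() {
    chain=$1
    for n in $(rule_numbers "$@"); do
        ${IPTABLES:-iptables} -D "$chain" "$n"
        echo "deleted $chain rule $n"
    done
}

# Constructed sample standing in for real "iptables -nvL --line-numbers" output.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3       12  1044 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
4        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'

# Dry run: IPTABLES=echo prints the "-D INPUT 4" / "-D INPUT 2" commands instead
# of running them. Unset it (and run as root) to delete for real.
IPTABLES=echo
printf '%s' "$SAMPLE" | delete_rules INPUT DROP tcp 0.0.0.0/0 0.0.0.0/0
```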

 
