Task for 25 October
10.11 Linux network-related commands
10.12 firewalld and netfilter
10.13 Introduction to netfilter's 5 tables and 5 chains
10.14 iptables syntax
Linux network-related commands
View network card information: ifconfig
Installation (ifconfig belongs to net-tools, which CentOS 7 does not install by default; the iproute2 equivalent `ip addr` is always present): yum install -y net-tools
```
[root@centos7 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.130  netmask 255.255.255.0  broadcast 192.168.65.255
        ...
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        ...
```
Bring a specific network card up or down by hand
ifup ens33 / ifdown ens33 (running ifdown on the interface that carries your SSH session disconnects you)
Setting up a virtual network card (IP alias)
- Copy the network card file to a new file
```
[root@centos7 network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:1
```
(The backslash before the colon is harmless but unnecessary: a colon is not special to the shell.)
- Edit the new file. Only three lines need to change: DEVICE=ens33:1, NAME=ens33:1 and IPADDR=<new address in the same subnet>. Delete the UUID line (the UUID must be unique per connection); the DNS and GATEWAY lines may also be deleted, since they belong to the parent interface (optional).
```
[root@centos7 network-scripts]# vim ifcfg-ens33:1
```
- Restart ens33; the new alias comes up together with it.
```
[root@centos7 network-scripts]# ifdown ens33 && ifup ens33
Device 'ens33' successfully disconnected.
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
```
- Verify with ifconfig
```
[root@centos7 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.133  netmask 255.255.255.0  broadcast 192.168.65.255
        ...
ens33:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.65.143  netmask 255.255.255.0  broadcast 192.168.65.255
        ether 00:0c:29:94:84:1f  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        ...
```
A ping from the physical (host) machine confirms that the alias is reachable:
```
C:\Users\18367>ping 192.168.65.143

Pinging 192.168.65.143 with 32 bytes of data:
Reply from 192.168.65.143: bytes=32 time<1ms TTL=64
Reply from 192.168.65.143: bytes=32 time<1ms TTL=64
Reply from 192.168.65.143: bytes=32 time<1ms TTL=64
Reply from 192.168.65.143: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.65.143:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
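The manual copy-and-edit steps above, done by a script so that the UUID/DNS/GATEWAY lines cannot be forgotten and the result is checked before it is installed. This is an added example, not part of the original notes; the sample ifcfg-ens33 content is constructed here, and the function takes explicit input and output paths so it can be tried on copies instead of directly in /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example: build an ifcfg alias file from an existing ifcfg-<dev> file.
# Assumptions: ifcfg files are KEY=VALUE lines (the CentOS 7 format shown
# above); paths are parameters, nothing under /etc is touched by default.
set -eu

# make_alias_cfg BASE_FILE ALIAS_NAME NEW_IP OUT_FILE
#   BASE_FILE  the existing ifcfg-ens33
#   ALIAS_NAME e.g. ens33:1
#   NEW_IP     address for the alias (same subnet as the parent interface)
#   OUT_FILE   where to write ifcfg-<ALIAS_NAME>
make_alias_cfg() {
    base=$1 alias=$2 ip=$3 out=$4
    [ -r "$base" ] || { echo "cannot read $base" >&2; return 1; }
    # Lines that must not be copied: UUID has to be unique per connection,
    # GATEWAY and DNSn belong to the parent interface only.
    # Then rewrite DEVICE, NAME and IPADDR for the alias.
    grep -Ev '^(UUID|GATEWAY|DNS[0-9]*)=' "$base" \
      | sed -e "s|^DEVICE=.*|DEVICE=$alias|" \
            -e "s|^NAME=.*|NAME=$alias|" \
            -e "s|^IPADDR=.*|IPADDR=$ip|" > "$out"
    # Refuse a silently broken file: each of the three keys must appear exactly once.
    for key in DEVICE NAME IPADDR; do
        n=$(grep -c "^$key=" "$out" || true)
        [ "$n" -eq 1 ] || { echo "$out: expected one $key= line, found $n" >&2; return 1; }
    done
}

# Constructed sample input standing in for /etc/sysconfig/network-scripts/ifcfg-ens33
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ifcfg-ens33" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
UUID=2e1f0e5a-0000-4c9a-8d2e-000000000000
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.65.133
NETMASK=255.255.255.0
GATEWAY=192.168.65.2
DNS1=192.168.65.2
EOF
    make_alias_cfg "$tmp/ifcfg-ens33" ens33:1 192.168.65.143 "$tmp/ifcfg-ens33:1"
    cat "$tmp/ifcfg-ens33:1"
    rm -rf "$tmp"
}
```

To use it for real, run `make_alias_cfg /etc/sysconfig/network-scripts/ifcfg-ens33 ens33:1 192.168.65.143 /etc/sysconfig/network-scripts/ifcfg-ens33:1` as root and then `ifdown ens33 && ifup ens33` as in the steps above; `demo` only writes to a temporary directory.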
Check whether the network card has link
mii-tool | ethtool
```
# 1. Using mii-tool
[root@centos7 network-scripts]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok
# 2. Using ethtool
[root@centos7 network-scripts]# ethtool ens33 | tail -n 1
Link detected: yes
```
Changing the host name
The following command is for CentOS 7.x (systemd); on 6.x the name is set with HOSTNAME= in /etc/sysconfig/network instead.
hostnamectl set-hostname HOST
The new name takes effect immediately for the system (check with `hostname`), but the prompt of a shell that is already open keeps the old name until you log in again. A reboot is not needed.
hostnamectl writes the name to /etc/hostname, which is where you can view it.
The hosts file is /etc/hosts. Changes to it affect name lookups on this machine only (the resolver consults it before DNS, according to the `hosts:` line in /etc/nsswitch.conf).
Do not rely on which line wins when the same name is listed with several IPs: the resolver library, not the file, decides which address an application receives, so the behaviour in the test below (the later line being used) should not be counted on. Check what applications actually get with `getent hosts NAME`, and keep one line per name.
Conversely, one IP may map to several names, written on a single line:
192.168.1.110 www.123.com www.qq.com www.baidu.com
Edit /etc/hosts and point two IPs at the same name:
```
[root@centos7 network-scripts]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.25 www.baidu.com
192.168.1.35 www.baidu.com
```
In the author's test the later entry, 192.168.1.35, was the one used:
```
[root@centos7 network-scripts]# ping www.baidu.com
PING www.a.shifen.com (192.168.1.35) 56(84) bytes of data.
64 bytes from 192.168.1.35 (192.168.1.35): icmp_seq=1 ttl=128 time=29.6 ms
....
```
/etc/resolv.conf holds the system's DNS servers. On CentOS 7 it is generated from the DNS1/DNS2 lines of the network card's ifcfg file (by NetworkManager when the interface comes up), so edits made directly to resolv.conf are overwritten: set the servers in the ifcfg file instead, or set PEERDNS=no there to keep manual edits.
netfilter/iptables (6.x) / firewalld (7.x)
Turning off SELinux
The course turns SELinux off before configuring the firewall. This is not actually required: netfilter does not depend on SELinux, and iptables rules work with SELinux enforcing. Disabling it removes a security layer, so if something is being blocked, read the audit log (`ausearch -m avc -ts recent`) instead. If it has to be relaxed, permissive mode (log but do not block) is preferable to disabled.
- Temporary (until reboot): setenforce 0
- Permanent: edit /etc/selinux/config and set SELINUX=disabled (or the milder SELINUX=permissive); takes effect at the next boot
- Check the current mode: getenforce
Using the iptables service instead of firewalld (7.x)
- Stop the default firewalld service and keep it from starting at boot. `disable` removes the boot-time symlinks, `stop` shuts down the running service. firewalld and the iptables service both program the same kernel rule set, so only one of them may run; `systemctl mask firewalld` additionally prevents it from being started by another unit.
```
[root@centos7 network-scripts]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@centos7 network-scripts]# systemctl stop firewalld
```
- Install the iptables service (the iptables command is already present; the package adds the systemd unit and /etc/sysconfig/iptables)
```
[root@centos7 network-scripts]# yum install -y iptables-services
```
- Enable iptables at boot and start it now
```
[root@centos7 network-scripts]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@centos7 network-scripts]# systemctl start iptables
```
- View the current rules (the package ships a default rule set: established traffic, ICMP, loopback and SSH are accepted, everything else is rejected by a final rule)
```
[root@centos7 network-scripts]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  1848 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
...
```
netfilter: 5 tables and 5 chains
! CentOS 6 has only four tables (no security table); 7.x has five. Each table contains only the chains listed under it:
- filter (packet filtering; the default table)
  - INPUT
  - FORWARD
  - OUTPUT
- nat (network address translation; consulted only for the first packet of each connection)
  - PREROUTING (DNAT, before the routing decision)
  - OUTPUT (DNAT for locally generated packets)
  - POSTROUTING (SNAT/MASQUERADE, after the routing decision)
  - INPUT (present on newer kernels, including the 3.10 kernel of CentOS 7; absent on CentOS 6)
- mangle (alters packet headers: TTL, TOS, packet marks; has all five chains)
- raw (marks packets that should skip connection tracking, target NOTRACK; PREROUTING and OUTPUT only)
- security (rules for Mandatory Access Control, i.e. SELinux labelling with SECMARK; "MAC" here is not a hardware address; INPUT, FORWARD and OUTPUT)

The five chains:
- PREROUTING
- INPUT
- OUTPUT
- FORWARD
- POSTROUTING

Which chains a packet traverses depends on whether it is addressed to this host:
- Forwarded through the host (transit traffic, not for a local process; requires net.ipv4.ip_forward=1): PREROUTING -> routing decision -> FORWARD -> POSTROUTING
- Delivered to a local process (and its replies): PREROUTING -> routing decision -> INPUT -> local process -> OUTPUT -> routing decision -> POSTROUTING
Within one chain the tables are consulted in priority order: raw first, then mangle, then nat for DNAT, then filter and security, with source NAT in POSTROUTING last.

filter and nat are the tables used in day-to-day work; mangle, raw and security are rarely touched.
Detailed iptables reference: http://www.cnblogs.com/metoy/p/4320813.html
iptables syntax
The rules loaded at boot come from /etc/sysconfig/iptables (iptables-save format; written by `service iptables save`).
- View rules: iptables -nvL (-L list, -n numeric addresses and ports, -v packet and byte counters; add -t nat for another table and --line-numbers to show rule numbers)
- Flush rules: iptables -F (clears the rules of the selected table only, filter by default; chain policies are left alone, so a chain whose policy is DROP keeps dropping after a flush)
- Flushing only changes the running rule set; /etc/sysconfig/iptables is untouched and its rules come back the next time the service starts. Run `service iptables save` to write the running rules to that file (or `iptables-save > /etc/sysconfig/iptables`).
- Select a table (filter if omitted): iptables -t nat ...
- Zero the per-rule packet and byte counters: iptables -Z

Command options
- -A chain: append rule(s) at the end of the chain
- -I chain [n]: insert at position n (default 1, i.e. before the first rule)
- -D chain rule-spec, or -D chain n: delete the first rule matching the specification, or rule number n
- -R chain n: replace rule number n
- -L [chain]: list the rules of the chain (all chains of the table if omitted)
- -S [chain]: print the rules as iptables commands (all chains if omitted)
- -F [chain]: flush the rules of the chain (all chains if omitted)
- -p tcp|udp|icmp: protocol
- -s address[/mask]: source address or network
- -d address[/mask]: destination address or network
- -j ACCEPT|DROP|REJECT: target, what to do with a matching packet (REJECT sends an error back, DROP discards silently)
- -i iface: interface the packet arrived on (INPUT, FORWARD and PREROUTING only); -o iface: interface it leaves by (FORWARD, OUTPUT and POSTROUTING only)
- --sport port / --dport port: source / destination port (valid only after -p tcp or -p udp)
Appending a rule at the end of the INPUT chain
```
[root@localhost network-scripts]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
```
If -d is omitted the rule matches every destination (0.0.0.0/0); the same holds for -s. Rules in a chain are tried top to bottom and the first match decides, so -I and -A give different results when an earlier rule already matches the packet.
```
# Insert at the top of the chain (position 1)
[root@localhost network-scripts]# iptables -I INPUT -s 1.1.1.1 -j DROP
# Append at the end of the chain
[root@localhost network-scripts]# iptables -A INPUT -s 1.1.1.1 -j DROP
# Delete by repeating the rule specification (removes the first exact match)
[root@localhost network-scripts]# iptables -D INPUT -s 1.1.1.1 -j DROP
```
Rules for a specific network card
```
# -i matches the interface the packet arrived on (INPUT, FORWARD and PREROUTING chains only)
[root@localhost network-scripts]# iptables -I INPUT -s 192.168.1.0/24 -i ens33 -j ACCEPT
```
Deleting a rule by number
```
[root@localhost network-scripts]# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      184 13824 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 141 packets, 10976 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# Delete rule 1 of INPUT (the remaining rules are renumbered, so list again before deleting another)
[root@localhost network-scripts]# iptables -D INPUT 1
```
Setting the default policy of a chain
```
# The default INPUT policy is ACCEPT; this switches it to DROP
[root@localhost network-scripts]# iptables -P INPUT DROP
```
The policy applies to every packet that no rule has matched. If the chain has no rules accepting your SSH session (loopback, RELATED,ESTABLISHED and port 22 from your address), switching INPUT to DROP cuts off remote access at once and only a console or physical login can undo it. Either leave the policy at ACCEPT and end the chain with a REJECT rule, as the default CentOS rule set does, or add the ACCEPT rules before changing the policy and keep a second console session open while testing.
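A complete rule set that puts the two previous sections together: the filter table with INPUT at policy DROP done safely (the loopback, established and admin-SSH ACCEPT rules are listed before anything that drops, so the lockout described above cannot happen), and a nat table that shows the chain traversal from the tables-and-chains section in practice (DNAT in PREROUTING before routing, the forwarded packet passing FORWARD, MASQUERADE in POSTROUTING on the way out). It is written in iptables-restore format, the same format as /etc/sysconfig/iptables. This is an added example, not code from the original notes; the admin network 192.168.65.0/24, the interfaces ens33 (outside) and ens34 (inside), the internal subnet 10.0.0.0/24 and the web server 10.0.0.10 are assumptions, as is the presence of the `at` daemon used for the rollback timer.

```shell
#!/bin/sh
# Added example: locked-down filter + nat rule set as an iptables-restore file,
# applied with a rollback timer so a mistake cannot lock you out of SSH.
# Assumptions (not from the page): values below; nat INPUT chain exists
# (CentOS 7 kernel); `at` is installed for the rollback job.
set -eu

ADMIN_NET=${ADMIN_NET:-192.168.65.0/24}   # where admins SSH from
SSH_PORT=${SSH_PORT:-22}
OUT_IF=${OUT_IF:-ens33}                   # outside interface
IN_IF=${IN_IF:-ens34}                     # inside interface
LAN=${LAN:-10.0.0.0/24}                   # internal subnet behind IN_IF
WEB=${WEB:-10.0.0.10}                     # internal web server published on port 80

# build_ruleset -> prints the iptables-restore file on stdout.
# Rules are ordered the way they are matched: first match wins, so the ACCEPT
# rules for loopback, established traffic and admin SSH come before the
# catch-all REJECT; the ":INPUT DROP" policy only sees what no rule handled.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic for this host: PREROUTING -> INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# forwarded traffic: PREROUTING -> FORWARD -> POSTROUTING (needs net.ipv4.ip_forward=1)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $IN_IF -o $OUT_IF -s $LAN -j ACCEPT
-A FORWARD -i $OUT_IF -o $IN_IF -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING, before the routing decision sends the packet to FORWARD
-A PREROUTING -i $OUT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80
# source NAT in POSTROUTING, after routing, as the packet leaves
-A POSTROUTING -o $OUT_IF -s $LAN -j MASQUERADE
COMMIT
EOF
}

# rule_position RULESET_TEXT PATTERN -> line number of the first rule matching PATTERN
# (lets a script assert that the SSH ACCEPT precedes the catch-all REJECT)
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# apply_ruleset: atomic load with a rollback timer. If the new rules cut off
# the session, nobody cancels the at job and the previous rules come back.
apply_ruleset() {
    backup=$(mktemp)
    iptables-save > "$backup"
    build_ruleset | iptables-restore --test           # parse only, commit nothing
    echo "iptables-restore < $backup" | at now + 3 minutes
    build_ruleset | iptables-restore
    echo "rules loaded; within 3 minutes run 'atq' and 'atrm <job>' to keep them, then: service iptables save"
}
```

`build_ruleset > /etc/sysconfig/iptables` after a successful `apply_ruleset` is the equivalent of `service iptables save`; the forwarding half of the rule set only does anything once `sysctl -w net.ipv4.ip_forward=1` is set.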