Linux network-related, iptables syntax

Source: Internet
Author: User

Linux network basics: ifconfig shows each network card with its IP address, subnet mask, gateway and MAC address.

ifconfig is part of the net-tools package, which CentOS 7 does not install by default: yum install net-tools

Restart a specific NIC: ifdown <NIC name> && ifup <NIC name>. To add a virtual network card, copy the NIC's ifcfg file to ifcfg-<NIC>:0 and edit the copy:

  [root@localhost ~]# cd /etc/sysconfig/network-scripts/
  [root@localhost network-scripts]# ls
  ifcfg-ens33  ifdown-ib    ifdown-ppp       ifdown-tunnel  ifup-ib      ifup-plusb   ifup-team      network-functions
  ifcfg-lo     ifdown-ippp  ifdown-routes    ifup           ifup-ippp    ifup-post    ifup-teamport  network-functions-ipv6
  ifdown       ifdown-ipv6  ifdown-sit       ifup-aliases   ifup-ipv6    ifup-ppp     ifup-tunnel
  ifdown-bnep  ifdown-isdn  ifdown-team      ifup-bnep      ifup-isdn    ifup-routes  ifup-wireless
  ifdown-eth   ifdown-post  ifdown-teamport  ifup-eth       ifup-plip    ifup-sit     init.ipv6-global
  [root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:0
  [root@localhost network-scripts]# vi !$
  vi ifcfg-ens33\:0

In the copy, DEVICE becomes the alias name (ens33:0) and IPADDR the alias address; the rest is inherited from ens33:

  TYPE=Ethernet
  BOOTPROTO=static
  DEFROUTE=yes
  PEERDNS=yes
  PEERROUTES=yes
  IPV4_FAILURE_FATAL=no
  IPV6INIT=yes
  IPV6_AUTOCONF=yes
  IPV6_DEFROUTE=yes
  IPV6_PEERDNS=yes
  IPV6_PEERROUTES=yes
  IPV6_FAILURE_FATAL=no
  IPV6_ADDR_GEN_MODE=stable-privacy
  NAME=ens33
  UUID=c6ff01b6-78d5-462c-b288-7acfafa4f5b5
  DEVICE=ens33:0
  ONBOOT=yes
  IPADDR=192.168.245.130
  NETMASK=255.255.255.0

After restarting the NIC, ifconfig lists ens33:0 next to ens33:

  ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>
          inet 192.168.245.128  netmask 255.255.255.0  broadcast 192.168.245.255
          inet6 fe80::dbd:48aa:6994:bf39  scopeid 0x20<link>
          ether 00:0c:29:d6:6f:fa  (Ethernet)
          RX packets 4396  bytes 330121 (322.3 KiB)
          RX errors 0  dropped 0  overruns 0  frame 0
          TX packets 1291  bytes 122535 (119.6 KiB)
          TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

  ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>
          inet 192.168.245.130  netmask 255.255.255.0  broadcast 192.168.245.255
          ether 00:0c:29:d6:6f:fa  (Ethernet)

  lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
          inet 127.0.0.1  netmask 255.0.0.0
          inet6 ::1  scopeid 0x10

The virtual network card's address (192.168.245.130) can now be pinged.
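The cp + vi step above, as an added example that is not from the original page: a small POSIX shell script that copies the parent ifcfg file, sets DEVICE, IPADDR and NETMASK for the alias, drops the parent's UUID, and refuses a malformed address before anything is written. make_alias and valid_ipv4 are names chosen for this example; the file paths, device name and addresses are parameters, and nothing is hard-coded to this machine.

```shell
#!/bin/sh
# Added example (not from the page): generate ifcfg-<NIC>:0 from ifcfg-<NIC>.

# valid_ipv4 A.B.C.D -> 0 if the string is four octets in 0..255, else 1
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# make_alias PARENT_CFG ALIAS_CFG ALIAS_DEVICE IPADDR NETMASK
# Writes ALIAS_CFG from PARENT_CFG:
#   - DEVICE is set to the alias name (e.g. ens33:0), which ifup-aliases keys on
#   - IPADDR/NETMASK are replaced; a PREFIX= line from the parent is dropped
#     so it cannot contradict the new NETMASK
#   - UUID is dropped: it identifies the parent connection and should not be
#     claimed by a second file
#   - BOOTPROTO=static and ONBOOT=yes are forced, as in the page's file
make_alias() {
    parent=$1; alias_cfg=$2; dev=$3; ip=$4; mask=$5
    [ -r "$parent" ]   || { echo "parent config $parent not readable" >&2; return 1; }
    valid_ipv4 "$ip"   || { echo "bad IPADDR: $ip" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "bad NETMASK: $mask" >&2; return 1; }
    grep -Ev '^(DEVICE|IPADDR|NETMASK|PREFIX|UUID|BOOTPROTO|ONBOOT)=' "$parent" \
        > "$alias_cfg" || :
    printf 'DEVICE=%s\nBOOTPROTO=static\nONBOOT=yes\nIPADDR=%s\nNETMASK=%s\n' \
        "$dev" "$ip" "$mask" >> "$alias_cfg"
}
```

Usage, on the page's box: make_alias /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-ens33:0 ens33:0 192.168.245.130 255.255.255.0, followed by ifdown ens33 && ifup ens33 as described above. Validating the address before writing matters because a bad IPADDR only shows up later, when ifup fails.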

    • Check whether a network cable is connected: mii-tool ens33

"link ok" means connected; "no link" means not connected.

Alternatively, use ethtool ens33.

    • Change the computer name: hostnamectl set-hostname <name>
    • View DNS: cat /etc/resolv.conf
Linux firewall: netfilter

Temporarily disable SELinux: setenforce 0

Permanently disable SELinux: vi /etc/selinux/config and set SELINUX=disabled (takes effect after a reboot).

Before CentOS 7 the firewall was netfilter, managed with iptables; from CentOS 7 on, firewalld is used instead.

Disable firewalld: systemctl disable firewalld (and systemctl stop firewalld to stop the running service).

Enable netfilter (iptables):

yum install -y iptables-services
  [root@localhost network-scripts]# systemctl enable iptables
  Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
  [root@localhost network-scripts]# systemctl start iptables
  [root@localhost network-scripts]# iptables -nvL
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      8   576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
      6   468 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain OUTPUT (policy ACCEPT 8 packets, 928 bytes)
   pkts bytes target     prot opt in     out     source               destination
  [root@localhost network-scripts]#
netfilter: 5 tables and 5 chains
    • Five tables

      filter: mainly used to filter packets. It is the system's default table and has 3 built-in chains: INPUT, OUTPUT and FORWARD. INPUT acts on packets entering this machine, OUTPUT on packets sent out by this machine, and FORWARD on packets that pass through and are not addressed to this machine.

nat: mainly used for network address translation; it also has three chains. PREROUTING changes a packet's destination address (when needed) as soon as it reaches the firewall, OUTPUT changes the destination address of locally generated packets, and POSTROUTING changes the source address just before a packet leaves the firewall.

mangle: mainly used to mark packets and then handle them according to those marks. It is rarely used unless you are an advanced network engineer.

raw: exempts selected packets from connection tracking. By default every packet is tracked, and tracking costs resources, so the raw table can be used to mark packets for certain ports as not tracked.

security: not present in CentOS 6; used to enforce mandatory access control (MAC) network rules.

    • The 5 chains of netfilter

      PREROUTING: before the packet goes through the routing table.

INPUT: after routing, when the destination is this host.

FORWARD: after routing, when the destination is not this host.

OUTPUT: packets generated by this host and sent outward.

POSTROUTING: just before the packet is handed to the NIC.

iptables syntax

Where iptables rules are stored: /etc/sysconfig/iptables (the file that service iptables save writes).

Flush all iptables rules: iptables -F. Flushing does not touch the rules stored in the file, so they are still configured there. -t can be followed by a table name; without -t, the filter table is shown.

  [root@localhost ~]# iptables -F
  [root@localhost ~]# ^C
  [root@localhost ~]# iptables -nvL
  Chain INPUT (policy ACCEPT packets, 948 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain OUTPUT (policy ACCEPT packets, 1208 bytes)
   pkts bytes target     prot opt in     out     source               destination
  [root@localhost ~]#

iptables -nvL --line-numbers shows the rule numbers.

Reset the packet and byte counters to 0: iptables -Z.

Save the rules: service iptables save

-A/-D: add (append) / delete a rule

-I: insert a rule; like -A it adds a rule, but -I puts it at the top of the chain (or at a given position) while -A appends it at the end

-p: the protocol, which can be tcp, udp or icmp

--dport: used with -p to specify the destination port.

--sport: used with -p to specify the source port.

-s: the source IP (can also be a network range, e.g. 192.168.188.0/24).

-d: the destination IP.

-j: followed by the action: ACCEPT lets the packet through, DROP silently discards it, and REJECT discards it and sends a rejection back to the sender.

-i: the inbound network card (not commonly used, but occasionally useful).
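To see these options working together, here is an added shell script (not from the original page) that rebuilds the default INPUT chain shown in the iptables -nvL listing earlier, blocks one source with -I rather than -A, and exempts a port from connection tracking in the raw table with -t. IPT, apply_baseline, block_source and notrack_port are names chosen for this example; set IPT="echo iptables" to print the commands instead of applying them (a dry run needs no root and no iptables binary).

```shell
#!/bin/sh
# Added example (not from the page). IPT is an assumed variable: the command
# used to apply rules; "echo iptables" turns every call into a dry run.
IPT=${IPT:-iptables}

# apply_baseline: flush, then allow established traffic, ICMP, loopback and
# new SSH connections, and reject everything else. Same shape as the listing
# produced by systemctl start iptables on CentOS 7.
apply_baseline() {
    $IPT -F
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# block_source SRC_IP DST_IP DPORT: drop TCP from SRC_IP to DST_IP:DPORT.
# Uses -I, not -A: once the catch-all REJECT sits at the end of INPUT, an
# appended rule is never reached, because rules are matched top to bottom
# and the REJECT fires first.
block_source() {
    src=$1; dst=$2; dport=$3
    $IPT -I INPUT -s "$src" -d "$dst" -p tcp --dport "$dport" -j DROP
}

# notrack_port PORT: exempt incoming TCP on PORT from connection tracking.
# This is the raw table's job, and PREROUTING is where it runs.
notrack_port() {
    $IPT -t raw -A PREROUTING -p tcp --dport "$1" -j NOTRACK
}
```

After a real run, service iptables save writes the result to /etc/sysconfig/iptables so it survives a restart; without it, the next systemctl restart iptables reloads whatever the file held before.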

  [root@localhost ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
  [root@localhost ~]# iptables -nvL
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
        36272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
         1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
         7269 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
      0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain OUTPUT (policy ACCEPT packets, 1288 bytes)
   pkts bytes target     prot opt in     out     source               destination
  [root@localhost ~]#
Delete a rule by its number:

  [root@localhost ~]# iptables -nvL --line-numbers
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  1      531 42528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  3           1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  5           7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
  6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain OUTPUT (policy ACCEPT packets, 7276 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  [root@localhost ~]# iptables -D INPUT 6
  [root@localhost ~]# iptables -nvL --line-numbers
  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  1      585 46272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  3           1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  5           7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

  Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  [root@localhost ~]#
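Counting rule numbers by eye is error-prone, and every -D renumbers the rules below it, so deleting several rules by number in ascending order removes the wrong ones. Added example (not from the original page): a shell helper that reads iptables -nvL --line-numbers output, finds the rules in one chain matching a pattern, and deletes them highest number first so the remaining numbers stay valid. rule_numbers, delete_matching, sample_listing and IPT are names chosen for this example; the listing inside sample_listing is constructed to mirror the one above, with counters filled in where the page's copy lost them.

```shell
#!/bin/sh
# Added example (not from the page). IPT is an assumed variable; set it to
# "echo iptables" for a dry run that only prints the -D commands.
IPT=${IPT:-iptables}

# rule_numbers CHAIN PATTERN: read an "iptables -nvL --line-numbers" listing
# on stdin and print the numbers of the rules in CHAIN whose line matches
# PATTERN (an awk regex), one per line, highest first.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { cur = $2; next }      # "Chain INPUT (policy ...)" starts a chain
        /^num /   { next }                # column header line
        cur == chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { nums[n++] = $1 }
        END { for (i = n - 1; i >= 0; i--) print nums[i] }'
}

# delete_matching CHAIN PATTERN: delete every rule in CHAIN matching PATTERN,
# reading the listing from stdin. Descending order keeps the lower numbers
# valid while the higher ones are removed.
delete_matching() {
    for n in $(rule_numbers "$1" "$2"); do
        $IPT -D "$1" "$n"
    done
}

# sample_listing: constructed listing in the shape of the page's output,
# used for dry runs; on a live box use "$IPT -nvL --line-numbers" instead.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      531 42528 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3       12  1472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5       88  7737 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}
```

On a live system the page's DROP rule goes away with iptables -nvL --line-numbers | delete_matching INPUT '192\.168\.188\.1 .*dpt:80'; run it first with IPT="echo iptables" to see which numbers would be deleted.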
