Linux Learning Summary (24) System Management 3

Source: Internet
Author: User
Tags iptables nameserver

1. ifconfig, virtual network cards and DNS

ifconfig shows every network card's IP address, subnet mask, MAC address and so on.
ifconfig ens33 shows a single network card on its own.
(ifconfig comes from the net-tools package, which a minimal CentOS 7 install does not include; ip addr shows the same information and is the supported replacement.)
After changing the network configuration the network service has to be restarted; run
service network restart
On CentOS 7 you can also use systemctl restart network
What if we only need to restart one network card?
Use ifdown ens33 && ifup ens33
Either restart briefly takes the interface down; if you are logged in over SSH on that interface and the new configuration is wrong, the session does not come back, so check the file before restarting.
Configuring a virtual network card (an interface alias)
1. ifconfig ens33:1 192.168.226.131 up
configures an alias temporarily; it is gone after a reboot or a network restart.
2. To make it permanent you have to edit the configuration file:

cd /etc/sysconfig/network-scripts/
cp ifcfg-ens33 ifcfg-ens33:1
vim ifcfg-ens33:1

Change DEVICE to ens33:1 and IPADDR to the new address. The alias only needs its own address settings; it should not carry a copy of the parent card's hardware address or UUID.
Restart the NIC and ifconfig shows an additional ens33:1.
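The cp + vim step scripted, as an added example (it is not code from the original post): the function derives the alias file from the parent NIC's ifcfg with sed, rewriting only DEVICE, NAME, IPADDR and BOOTPROTO and dropping the HWADDR and UUID lines that belong to the physical card. The directory and the sample ifcfg-ens33 contents are a constructed sandbox; on a real CentOS 7 host NETDIR would be /etc/sysconfig/network-scripts and the script would run as root.

```shell
#!/bin/sh
# Added example (not from the original post): build ifcfg-PARENT:INDEX from
# ifcfg-PARENT the way the cp + vim step does, but with every edit explicit.
# Sandbox paths and file contents below are constructed for the demonstration.

# make_alias NETDIR PARENT INDEX IPADDR -> writes NETDIR/ifcfg-PARENT:INDEX, prints its path
make_alias() {
    netdir=$1; parent=$2; idx=$3; ip=$4
    src="$netdir/ifcfg-$parent"
    dst="$netdir/ifcfg-$parent:$idx"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    # DEVICE/NAME become the alias name, IPADDR the new address, BOOTPROTO static;
    # HWADDR and UUID identify the physical NIC and must not be duplicated.
    sed -e "s/^DEVICE=.*/DEVICE=$parent:$idx/" \
        -e "s/^NAME=.*/NAME=$parent:$idx/" \
        -e "s/^IPADDR=.*/IPADDR=$ip/" \
        -e 's/^BOOTPROTO=.*/BOOTPROTO=static/' \
        -e '/^HWADDR=/d' -e '/^UUID=/d' \
        "$src" > "$dst"
    # a parent on DHCP has no IPADDR line to rewrite; the alias still needs one
    grep -q '^IPADDR=' "$dst" || printf 'IPADDR=%s\n' "$ip" >> "$dst"
    echo "$dst"
}

# ifcfg_get FILE KEY -> value of the first KEY= line (empty if absent)
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Constructed sample parent configuration (not copied from a real host)
sandbox=$(mktemp -d)
cat > "$sandbox/ifcfg-ens33" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
DEVICE=ens33
NAME=ens33
UUID=11111111-2222-3333-4444-555555555555
HWADDR=00:0C:29:12:34:56
ONBOOT=yes
IPADDR=192.168.226.130
NETMASK=255.255.255.0
GATEWAY=192.168.226.2
EOF

alias_file=$(make_alias "$sandbox" ens33 1 192.168.226.131)
cat "$alias_file"
# on the real host follow with: ifdown ens33 && ifup ens33, then ifconfig shows ens33:1
```

Run it as a normal user to see the generated file; with a DHCP parent the function still emits a static IPADDR line, because an alias without an address is useless.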
mii-tool ens33 shows the link state of a network card: "link ok" means the cable and switch port are up,
"no link" means the NIC is not connected properly or is faulty. For drivers mii-tool cannot query, ethtool ens33 reports the same thing in its "Link detected" line.
hostname shows the host name
hostname NAME changes it for the running system only
To make the change permanent, edit the configuration file /etc/sysconfig/network
and add the following content:

NETWORKING=yes
HOSTNAME=lvlinux

On CentOS 7 the permanent host name lives in /etc/hostname instead, and hostnamectl set-hostname lvlinux writes it for you.

Setting up DNS
To specify a DNS server, edit the configuration file /etc/resolv.conf and add the server. Several can be listed, one per line; the resolver uses the first by default and only tries the next after a query to the previous one has timed out, so the second entry is a fallback, not a load balancer.
Format: nameserver DNS-address (nameserver is a fixed keyword)
On CentOS 7 the network scripts and NetworkManager regenerate /etc/resolv.conf from the DNS1=/DNS2= lines of the ifcfg file, so put the servers there or the hand edit is overwritten at the next restart.
A name can also be pinned locally, bypassing DNS entirely: edit /etc/hosts and add a line in the format
IP domain1 domain2
Because /etc/hosts is consulted before DNS (hosts: files dns in /etc/nsswitch.conf), an entry there silently overrides the real answer for every program on the host; keep it writable by root only and check it first when a host resolves a name unexpectedly.
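How the two files interact, as an added example (not code from the original post): the functions emulate the "files" then "dns" lookup order of the libc resolver over a hosts file and a resolv.conf, and flag hosts entries that point somewhere other than loopback, which is what a local DNS hijack looks like. The hosts and resolv.conf contents are constructed samples in a temp dir; point the functions at /etc/hosts and /etc/resolv.conf to audit a live box.

```shell
#!/bin/sh
# Added example (not from the original post): emulate "hosts: files dns" so the
# precedence of /etc/hosts over /etc/resolv.conf is visible. All inputs below
# are constructed samples.

# hosts_lookup HOSTSFILE NAME -> address of the first line listing NAME, or nothing
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }      # strip comments
        NF < 2 { next }         # skip blank lines
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# nameservers RESOLVFILE -> servers in the order the resolver tries them
# (glibc honours at most three; the next is used only after the previous times out)
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | head -n 3
}

# resolve_via HOSTSFILE RESOLVFILE NAME -> "files ADDR" or "dns FIRST-NAMESERVER"
resolve_via() {
    ip=$(hosts_lookup "$1" "$3")
    if [ -n "$ip" ]; then
        echo "files $ip"
    else
        ns=$(nameservers "$2" | head -n 1)
        echo "dns ${ns:-none}"
    fi
}

# suspicious_hosts HOSTSFILE -> entries that map a name to a non-loopback address;
# each one overrides DNS for the whole host and deserves a look
suspicious_hosts() {
    awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 !~ /^127\./ && $1 != "::1" { print }
    ' "$1"
}

# Constructed sample files (not taken from a real host)
sandbox=$(mktemp -d)
cat > "$sandbox/hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
# constructed entry: a name pinned locally, bypassing DNS
192.168.226.200  repo.example.test mirror.example.test
EOF
cat > "$sandbox/resolv.conf" <<'EOF'
search example.test
nameserver 192.168.226.2
nameserver 192.168.226.3
EOF

resolve_via "$sandbox/hosts" "$sandbox/resolv.conf" mirror.example.test   # files 192.168.226.200
resolve_via "$sandbox/hosts" "$sandbox/resolv.conf" www.example.test      # dns 192.168.226.2
suspicious_hosts "$sandbox/hosts"
```

The emulation covers exact-name matches only, as the files backend does; it does not apply the search list, so compare it with getent hosts NAME on a live system when the name is unqualified.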

2. SELinux

SELinux is the mandatory access control system that Red Hat family systems (RHEL, CentOS, Fedora) ship enabled by default. Because it is troublesome to configure and very restrictive, it is usually switched off in practice.
Be aware of what that costs: SELinux is the layer that confines network-facing services, so once it is off a compromised httpd or sshd can read anything its Unix user can. When a service misbehaves, permissive mode keeps that layer's logging and is the better troubleshooting setting.
SELinux has three states: enforcing, permissive and disabled.
getenforce shows the current state.
Enforcing means the policy is applied and restricts some applications; it corresponds to setenforce 1.
Permissive is the tolerant mode: restrictions are lifted, but every violation is still logged to the audit log (/var/log/audit/audit.log); it corresponds to setenforce 0.
From the enforcing state, setenforce 0 switches to permissive temporarily (until reboot); SELinux cannot be disabled at runtime.
To disable SELinux permanently, edit the configuration file
/etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled, and reboot. To turn it back on later, set the value back and run touch /.autorelabel before rebooting, because files created while it was disabled carry no security context and enforcing mode would deny access to them.
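The permanent change done without hand-editing, as an added example (not code from the original post): one function reads the effective SELINUX= value from a config file in the /etc/selinux/config format, the other rewrites it, rejects anything other than the three valid modes, and warns when the change leaves disabled mode, since that is the case that needs a relabel. It works on a constructed copy in a temp dir; on a real host you would pass /etc/selinux/config as root.

```shell
#!/bin/sh
# Added example (not from the original post): read and rewrite the SELINUX=
# line of an /etc/selinux/config-style file safely. The file below is a
# constructed copy, not a real host's configuration.

# selinux_config_mode FILE -> value of the last uncommented SELINUX= line
# (SELINUXTYPE= lines and comments are ignored)
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_set_mode FILE MODE -> rewrites SELINUX= in place, prints the new mode
# returns 2 for an invalid MODE, 1 when FILE has no SELINUX= line
selinux_set_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2 (use enforcing|permissive|disabled)" >&2; return 2 ;;
    esac
    grep -q '^[[:space:]]*SELINUX=' "$1" || return 1
    old=$(selinux_config_mode "$1")
    tmp=$(mktemp)
    # write through a temp file, then copy back so the target keeps its inode,
    # owner and mode (and its own security context)
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    # leaving disabled mode: files created meanwhile have no label, so the
    # next boot must relabel the filesystem or enforcing mode breaks things
    if [ "$old" = disabled ] && [ "$2" != disabled ]; then
        echo "note: run 'touch /.autorelabel' before rebooting" >&2
    fi
    echo "$2"
}

# Constructed sample in the layout of /etc/selinux/config
sandbox=$(mktemp -d)
cat > "$sandbox/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

selinux_config_mode "$sandbox/config"             # enforcing
selinux_set_mode "$sandbox/config" permissive     # permissive: denials logged, not blocked
selinux_config_mode "$sandbox/config"             # permissive
```

The rewrite only takes effect at the next boot; for the running system pair it with setenforce 0 or setenforce 1 as described above.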

3. iptables and netfilter

If SELinux is too harsh and complex, netfilter (driven through iptables) and firewalld are more practical.
Both exist on CentOS 7; they are two front-ends to the same kernel packet filter, netfilter. We learn iptables first.
I learned how netfilter works from the following article, which I think explains it well:
http://www.zsythink.net/archives/1199
Below I have distilled the most important points; if they are still unfamiliar, keep reading the article above to deepen your understanding.
For packet processing, iptables groups rules by function into 5 tables: raw, filter,
nat, mangle and security.
By the path a packet takes through the kernel it defines 5 chains: PREROUTING, FORWARD, POSTROUTING,
INPUT and OUTPUT.

The tables' functions:
filter: packet filtering, the firewall proper; has the INPUT, FORWARD and OUTPUT chains
nat: network address translation; has the PREROUTING, POSTROUTING, OUTPUT and INPUT chains
raw: connection-tracking control (mark packets so that conntrack ignores them)
mangle: packet modification (TTL, TOS, marks)
security: mandatory access control rules (SELinux); rarely touched by hand
Focus on the first two.
The chain traversal as summarized from the article:

Inbound to this host:  PREROUTING ----> INPUT ----> local process (kernel)
Outbound from this host:  local process (kernel) ----> OUTPUT ----> POSTROUTING
Forwarded through this host:  PREROUTING ----> FORWARD ----> POSTROUTING

Priority of the tables on a chain:
raw ---- mangle ---- nat ---- filter (the security table comes last, after filter)
Match criteria
source IP address and destination IP address
source port and destination port
Handling actions (targets)
ACCEPT: let the packet through
DROP: discard it silently; the sender only sees a timeout
REJECT: refuse it and send an error back (ICMP port unreachable by default, or a TCP RST with --reject-with tcp-reset)
SNAT: source address translation

Specific usage of iptables:
CentOS 7 uses the firewalld firewall by default; earlier versions drove netfilter directly through the iptables service.
So we turn firewalld off and enable the iptables service instead. Run only one of them: both write to the same kernel tables and will overwrite each other's rules.

systemctl stop firewalld
systemctl disable firewalld
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables

systemctl mask firewalld additionally prevents another unit from pulling firewalld back in later.

iptables -nvL shows all rules; the default is the filter table

iptables -t nat -nvL shows the rules of the nat table

service iptables save saves the current rules to /etc/sysconfig/iptables, which the iptables service loads at boot; rules changed only in memory are lost otherwise
iptables -F flushes (deletes) all rules of the table. It does not reset the chain policies, so flushing while INPUT has a DROP policy locks you out of an SSH session
iptables -Z zeroes the counters
The counters are the packets and bytes each rule has matched (accepted or rejected); "policy ACCEPT" in the chain header is the chain's default action for packets that no rule matched
-t specifies the table
-A appends the rule at the end, -I inserts it at the front; rules are evaluated top to bottom and the first match wins, so the two are not interchangeable
-D deletes a rule; the match specification must be given exactly as it was when the rule was added
It is easier to delete rules by number:
View the numbers
iptables -nvL --line-numbers
Delete a rule
iptables -D CHAIN NUMBER
Adding a rule by network card
iptables -I INPUT -s 192.168.10.9/24 -i eth0 -j ACCEPT
The meaning of each part:

1. insert a rule: iptables -I
2. the chain to operate on: INPUT
3. the source IP address: -s 192.168.10.9/24 (iptables masks this to the network 192.168.10.0/24; write the network address to avoid confusion)
4. the network card: -i eth0
5. the action: -j ACCEPT

-P changes the default policy of a chain
iptables -P OUTPUT DROP: the host can no longer send any packet, including the replies of your own SSH session, so the remote connection is cut off. Set a DROP policy only after ACCEPT rules for loopback and ESTABLISHED,RELATED traffic are already in place.
Adding a rule by port
iptables -A INPUT -s 192.168.10.9 -p tcp --sport 80 -d 192.168.11.9 --dport 80 -j REJECT
The meaning of each part:

1. append a rule: iptables -A
2. the chain to operate on: INPUT
3. the source IP address: -s 192.168.10.9
4. the protocol: -p tcp
5. the source port: --sport 80
6. the destination IP address: -d 192.168.11.9
7. the destination port: --dport 80
8. the action: -j REJECT

The simplest configuration to block a service, here port 80, is
iptables -I INPUT -p tcp --dport 80 -j DROP
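The rules of this section applied in an order that cannot lock you out, as an added example (not code from the original post): a generator for a ruleset in iptables-restore format, a check that the ESTABLISHED,RELATED accept precedes any DROP or REJECT in INPUT (the -I versus -A ordering problem), and a helper that computes the number iptables -nvL --line-numbers would show and iptables -D takes. The interface name eth0, the admin network 192.168.10.0/24 and the port-80 rule are assumptions for the demonstration. Nothing here needs root: the functions only produce and inspect text, and the real load step is shown as a comment.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check an
# iptables-restore ruleset for the filter table. eth0 and 192.168.10.0/24
# are assumed values for the demonstration.

# gen_ruleset IFACE ADMIN_NET [BLOCK_WEB] -> ruleset text on stdout
# ADMIN_NET may open SSH on IFACE; port 80 is open unless BLOCK_WEB=1
gen_ruleset() {
    iface=$1; admin=$2; block_web=${3:-0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback and established traffic first, so no later rule (and not the
#    DROP policy) can cut off the session that is loading these rules
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. management access only from the admin network, only on that interface
-A INPUT -i $iface -s $admin -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$block_web" = 1 ]; then
        echo "-A INPUT -p tcp --dport 80 -j DROP"
    else
        echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    fi
    cat <<'EOF'
# 3. log what the DROP policy is about to discard, rate limited
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-input-drop: " --log-level 4
COMMIT
EOF
}

# lockout_check < ruleset -> "ok" or "unsafe: ..." for the INPUT chain:
# the ESTABLISHED accept must come before the first DROP/REJECT rule
lockout_check() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            if (!est && /ESTABLISHED/ && /-j ACCEPT/) est = n
            if (!deny && (/-j DROP/ || /-j REJECT/)) deny = n
        }
        END {
            if (!est) print "unsafe: no ESTABLISHED accept"
            else if (deny && deny < est) print "unsafe: deny rule " deny " precedes ESTABLISHED accept " est
            else print "ok"
        }'
}

# rule_number CHAIN PATTERN < ruleset -> position of the first CHAIN rule
# matching PATTERN, i.e. the number "iptables -D CHAIN N" would take
rule_number() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ pat) { print n; exit } }'
}

rules=$(gen_ruleset eth0 192.168.10.0/24 1)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | lockout_check                   # ok
printf '%s\n' "$rules" | rule_number INPUT 'dport 80'    # 5, so iptables -D INPUT 5 removes the block
# On the real host, as root: dry-run the parse, then load and persist
#   printf '%s\n' "$rules" | iptables-restore --test && printf '%s\n' "$rules" | iptables-restore
#   service iptables save
```

The check deliberately looks only at INPUT, because that is the chain whose ordering decides whether your session survives; an OUTPUT DROP policy, as the text warns, cuts the session regardless of rule order and has no safe ordering short of an ESTABLISHED accept in OUTPUT too.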
