Iptables basic usage and Linux network related

Source: Internet
Author: User
Tags: symlink, iptables, aliyun

ifconfig command

ifconfig is installed by default on CentOS 6. CentOS 7 no longer ships it by default (the replacement is the ip command from iproute2); to get it back, install the net-tools package: yum install net-tools
Use ifdown and ifup to take a single network interface down and bring it back up:

    [root@localhost /]# ifdown enp0s3 && ifup enp0s3
    Device 'enp0s3' successfully disconnected.
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

To set up a virtual (alias) interface, copy the existing interface's configuration file, change the NAME and DEVICE entries in the copy to the alias name (and give it its own address; in the listing below the alias ends up as 192.168.1.233), then restart the interface. The resulting alias interface has a separate IP address that other hosts can reach, although it shares the physical interface's MAC address.

    [root@localhost network-scripts]# cp ifcfg-enp0s3 ifcfg-enp0s3\:0
    [root@localhost network-scripts]# vim ifcfg-enp0s3\:0
    TYPE=Ethernet
    BOOTPROTO=static
    DEFROUTE=yes
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=no
    NAME=enp0s3:0
    UUID=bf8adc16-a9c3-494a-b47e-f572fad38639
    DEVICE=enp0s3:0
    [root@localhost network-scripts]# ifdown enp0s3 && ifup enp0s3
    Device 'enp0s3' successfully disconnected.
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
    [root@localhost network-scripts]# ifconfig
    enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu
            inet 192.168.1.223  netmask 255.255.255.0  broadcast 192.168.1.255
            ether 08:00:27:a7:f9:c2  txqueuelen  (Ethernet)
            RX packets 20698  bytes 21236657 (20.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 9509  bytes 924400 (902.7 KiB)
            TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

    enp0s3:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu
            inet 192.168.1.233  netmask 255.255.255.0  broadcast 192.168.1.255
            ether 08:00:27:a7:f9:c2  txqueuelen  (Ethernet)

To change the hostname temporarily, run hostname <new-name>; the change is lost at reboot. The permanent name lives in /etc/hostname (vim /etc/hostname), and editing that file takes effect at the next boot. On CentOS 7, hostnamectl set-hostname <new-name> updates both the running kernel hostname and /etc/hostname in one step. Sourcing /etc/profile only reloads shell environment variables and does not apply a hostname change.
DNS configuration file: /etc/resolv.conf. It has lower priority than the DNS servers set in the interface configuration file: on CentOS 7, NetworkManager regenerates resolv.conf from the DNS1/DNS2 entries in the ifcfg file whenever the interface is restarted, so a manual edit of resolv.conf is overwritten. Put the DNS servers in the ifcfg file if they are meant to persist.
Simple local name resolution: /etc/hosts. Entries in this file affect only the local machine and, by the default /etc/nsswitch.conf order, are consulted before DNS. One line holds one IP address followed by any number of names that resolve to it. Because it silently overrides public names (below, www.bilibili.com resolves to the alias address 192.168.1.233), /etc/hosts is also a classic place to look for tampering during an incident investigation.

    [root@localhost network-scripts]# vim /etc/hosts
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.1.233 www.bilibili.com www.abc.com www.123.com
    [root@localhost network-scripts]# ping www.bilibili.com
    PING www.bilibili.com (192.168.1.233) 56(84) bytes of data.
    64 bytes from www.bilibili.com (192.168.1.233): icmp_seq=1 ttl=64 time=0.219 ms
firewalld and netfilter tools

SELinux is enabled by default, and some services do not start cleanly under the default policy, so the approach taken here is to turn it off. setenforce 0 switches SELinux to permissive mode until the next boot: policy violations are logged in /var/log/audit/audit.log but no longer blocked, and getenforce then reports Permissive. getenforce reports Disabled only when SELinux was already switched off in /etc/selinux/config at boot, in which case setenforce has nothing to change. Permissive mode is the better troubleshooting choice: the logged denials show which boolean or policy module actually needs adjusting, and the policy stays loaded so it can be re-enforced without a reboot.

    [root@localhost network-scripts]# setenforce 0
    [root@localhost network-scripts]# getenforce
    Disabled

To disable SELinux permanently, set SELINUX=disabled in /etc/selinux/config and reboot (SELINUX=permissive keeps the policy loaded and only logs denials, which is the safer setting if the goal is to diagnose a misbehaving service):

    [root@localhost ~]# vim /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

To manage netfilter with iptables instead of firewalld, disable and stop firewalld, then install the iptables-services package, which provides the iptables systemd unit and the /etc/sysconfig/iptables rules file:

    [root@localhost network-scripts]# systemctl disable firewalld
    Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
    [root@localhost network-scripts]# systemctl stop firewalld
    [root@localhost network-scripts]# yum install -y iptables-services
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirrors.aliyun.com
     * epel: mirrors.ustc.edu.cn
     * extras: mirrors.aliyun.com
     * updates: mirrors.sohu.com
    Resolving Dependencies
    --> Running transaction check
    ---> Package iptables-services.x86_64 0:1.4.21-24.1.el7_5 will be installed
    --> Processing Dependency: iptables = 1.4.21-24.1.el7_5 for package: iptables-services-1.4.21-24.1.el7_5.x86_64
    --> Running transaction check
    ---> Package iptables.x86_64 0:1.4.21-17.el7 will be updated
    ---> Package iptables.x86_64 0:1.4.21-24.1.el7_5 will be an update
    --> Finished Dependency Resolution
    Installed:
      iptables-services.x86_64 0:1.4.21-24.1.el7_5
    Dependency Updated:
      iptables.x86_64 0:1.4.21-24.1.el7_5
    Complete!
    [root@localhost network-scripts]# systemctl enable iptables
    Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
    [root@localhost network-scripts]# systemctl start iptables
    [root@localhost network-scripts]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     3496       ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        8   699 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 29 packets, 2876 bytes)
     pkts bytes target     prot opt in     out     source               destination

The default ruleset shipped with iptables-services is a sane baseline: established and related traffic, ICMP, loopback and new SSH connections are accepted, everything else inbound is rejected, and nothing is forwarded.

iptables is only the user-space tool for configuring netfilter, the packet-filtering framework inside the Linux kernel. Because iptables is the command we actually type, the whole mechanism is commonly referred to as iptables.

netfilter: the 5 tables and 5 chains

filter table: the default table, containing the INPUT, OUTPUT and FORWARD chains
INPUT: traffic addressed to this host; this is where you filter on destination port or source IP
FORWARD: traffic that is routed through this host, neither originating from it nor destined for it; such packets only reach this chain when IP forwarding is enabled (net.ipv4.ip_forward=1)
OUTPUT: traffic generated by this host; for example, block packets to a given IP

nat table: address translation, i.e. rewriting packet addresses and ports
PREROUTING: rewrites the destination address/port as a packet arrives, before the routing decision (DNAT)
POSTROUTING: rewrites the source address/port as a packet leaves, after the routing decision (SNAT, MASQUERADE)
Exposing an intranet server to the public network requires port mapping on the egress device: a DNAT rule in PREROUTING sends the public port to the internal host, and an SNAT/MASQUERADE rule in POSTROUTING hides internal addresses behind the gateway on the way out. The nat table is only consulted for the first packet of a connection; conntrack applies the same translation to the rest of the flow.

mangle table: marks or alters packet headers (TOS, TTL, firewall marks) for routing or QoS decisions
raw table: exempts selected packets from connection tracking (NOTRACK), e.g. for high-volume flows that never need state
security table: Mandatory Access Control (MAC) network rules, used with SELinux labeling
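As an added example that is not part of the original page, the script below builds the port-mapping ruleset the nat paragraph describes, on a hypothetical gateway: eth0 is the public-facing interface with address 203.0.113.10, eth1 the internal one, and 192.168.1.233 (the alias address configured earlier on this page) is the internal web server on TCP 80. The function names, the DRY_RUN switch and the /24 assumption for the internal subnet are mine. With DRY_RUN=1, the default, the iptables commands are printed instead of applied, so the script can be read and tested on any host without root; set DRY_RUN=0 on the gateway to apply it.

```shell
#!/bin/sh
# Added example, not from the original page. Hypothetical topology:
#   eth0 = public-facing (WAN) interface, public address 203.0.113.10
#   eth1 = internal (LAN) interface, web server 192.168.1.233 on TCP 80
# DRY_RUN=1 (default) prints the commands instead of applying them.
DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit the complete port-mapping ruleset for one TCP service.
# $1 WAN interface  $2 public IP  $3 public port
# $4 LAN interface  $5 server IP  $6 server port
publish_port() {
    wan_if=$1; pub_ip=$2; pub_port=$3
    lan_if=$4; srv_ip=$5; srv_port=$6

    # Routed packets never reach the FORWARD chain unless forwarding is on.
    run sysctl -w net.ipv4.ip_forward=1

    # nat/PREROUTING: rewrite the DESTINATION before routing (DNAT),
    # so the public port lands on the internal server.
    run "$IPT" -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$pub_ip" \
        --dport "$pub_port" -j DNAT --to-destination "$srv_ip:$srv_port"

    # filter/FORWARD: permit only the mapped flow and its replies. Inserted at
    # the top so the distribution's trailing catch-all REJECT cannot shadow them.
    # The reply still carries the server's real address here; the reverse NAT
    # is applied later, in POSTROUTING, by conntrack.
    run "$IPT" -I FORWARD 1 -i "$wan_if" -o "$lan_if" -p tcp -d "$srv_ip" \
        --dport "$srv_port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run "$IPT" -I FORWARD 2 -i "$lan_if" -o "$wan_if" -p tcp -s "$srv_ip" \
        --sport "$srv_port" -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # nat/POSTROUTING: rewrite the SOURCE after routing (SNAT), so the internal
    # subnet (assumed to be a /24) leaves through the gateway's public address.
    run "$IPT" -t nat -A POSTROUTING -o "$wan_if" -s "${srv_ip%.*}.0/24" \
        -j SNAT --to-source "$pub_ip"
}

# Number of nat-table rules the ruleset contains (used as a sanity check).
count_nat_rules() {
    publish_port "$@" | grep -c -- '-t nat'
}

publish_port eth0 203.0.113.10 80 eth1 192.168.1.233 80
```

The two FORWARD rules are deliberately narrow: a gateway that forwards everything between its interfaces turns the port mapping into a full bridge into the LAN. Check the result on the gateway with iptables -t nat -nvL and iptables -nvL FORWARD.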

iptables syntax
iptables -nvL lists the rules of the default filter table: -L lists, -n prints addresses and ports numerically instead of resolving them, -v adds the interface columns and the per-rule packet/byte counters.

    [root@localhost network-scripts]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      984 83612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
     3211  287K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

iptables -F flushes (deletes) all rules in the table, the filter table unless -t names another. It does not change chain policies: flushing while a chain's policy is DROP leaves nothing accepted, so set the policy back to ACCEPT first when working over SSH.
iptables -t nat -nvL lists the rules of a specific table, here nat:

    [root@localhost network-scripts]# iptables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

iptables -Z resets the packet and byte counters to zero.
Each rule accumulates the number of packets and bytes that matched it, so the counters show how much traffic a rule has seen and, just as usefully, whether it has seen any at all: a rule whose counters stay at 0 is either unused or placed where an earlier rule catches everything first. If traffic volume itself must be capped, the quota match (-m quota --quota <bytes>) enforces a byte limit rather than merely counting.

iptables -A INPUT -s 192.168.1.112 -p tcp --sport 1234 -d 192.168.1.223 --dport 80 -j DROP (or -j REJECT): forbid 192.168.1.112 from sending data from port 1234 to port 80 on 192.168.1.223. DROP discards the packet silently; REJECT answers with an ICMP error (or a TCP reset with --reject-with tcp-reset), which is friendlier to legitimate clients but confirms to a scanner that the host is up.

    [root@localhost network-scripts]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1142 95952 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
     4450  397K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
        0     0 DROP       tcp  --  *      *       192.168.1.112        192.168.1.223        tcp spt:1234 dpt:80

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 17 packets, 1676 bytes)
     pkts bytes target     prot opt in     out     source               destination

Note where the new rule landed: -A appended it as rule 6, behind the catch-all REJECT in position 5. Every packet from 192.168.1.112 is already rejected before it reaches the DROP rule, which is why that rule's counters will stay at 0 for good. To make it effective it has to be inserted ahead of the REJECT rule with -I.

-A appends a new rule after the existing rules in the chain
-I inserts a rule at the front of the chain (or at a given position: iptables -I INPUT 3 ...)
The difference between -I and -A: rules are evaluated from the top, and the first rule that matches with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate; later rules are not consulted. A rule appended behind a catch-all REJECT or DROP therefore never sees a packet, while a rule inserted at the top takes precedence over everything below it.
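As an added example that is not part of the original page, the shell function below reads the output of iptables -nvL --line-numbers and reports every rule that sits behind an unconditional ACCEPT, DROP or REJECT in the same chain, which is exactly the position the appended DROP rule ended up in above; it ties together the counter and the ordering points, since a shadowed rule is one whose counters can never move. The listing it runs on is constructed here, modelled on the page's own output, and the function name shadowed_rules is mine.

```shell
#!/bin/sh
# Added example, not from the original page: find rules that can never match
# because an earlier catch-all terminating rule in the same chain wins first.
# Input format is that of: iptables -nvL --line-numbers
# Field positions: 1 num, 2 pkts, 3 bytes, 4 target, 5 prot, 6 opt,
#                  7 in, 8 out, 9 source, 10 destination, 11.. match options

# Print "<chain> <num> <target>" for every rule positioned after a catch-all
# ACCEPT/DROP/REJECT (any protocol, any interface, any address, no extra match;
# a reject-with option is a target option, not a match, so it still counts).
shadowed_rules() {
    awk '
    /^Chain /         { chain = $2; blocked = 0; next }
    /^num / || NF == 0 { next }
    {
        if (blocked) { print chain, $1, $4; next }
        extra = ""
        for (i = 11; i <= NF; i++) extra = extra (extra == "" ? "" : " ") $i
        terminal = ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")
        catchall = ($5 == "all" && $7 == "*" && $8 == "*" &&
                    $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" &&
                    (extra == "" || extra ~ /^reject-with /))
        if (terminal && catchall) blocked = 1
    }'
}

# Constructed sample listing (not captured from a real host), shaped like the
# page output after the DROP rule was appended behind the catch-all REJECT.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1142 95952 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5     4450  397K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.1.112        192.168.1.223        tcp spt:1234 dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 17 packets, 1676 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)

# Run the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE" | shadowed_rules
}

check_sample
```

On a real host, pipe the live listing through it: iptables -nvL --line-numbers | shadowed_rules. Rule 3 (interface lo) and rule 4 (tcp only) are correctly not treated as catch-alls; only the REJECT on all traffic blocks what follows.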

Deleting an iptables rule
iptables -D INPUT <rule number> deletes a rule by its position in the chain; iptables -nvL --line-numbers shows the numbers. Alternatively, repeat the exact rule specification with -D instead of -A. Here rule 6, the DROP rule appended above, is removed:

    [root@localhost network-scripts]# iptables -D INPUT 6
    [root@localhost network-scripts]# iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1200  100K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
     4606  409K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 4 packets, 512 bytes)
     pkts bytes target     prot opt in     out     source               destination

Changing a chain's default policy. The policy applies to every packet that no rule matched, so before setting it to DROP, add rules that accept the traffic you still need, or you will cut off your own access (port 22 of the SSH service, for instance):
iptables -P INPUT DROP

    [root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    [root@localhost ~]# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
    [root@localhost ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    [root@localhost ~]# iptables -A INPUT -p tcp --sport 22 -j ACCEPT
    [root@localhost ~]# iptables -P INPUT DROP
    [root@localhost ~]# iptables -nvL
    Chain INPUT (policy DROP 0 packets, 0 bytes)

Two caveats on this ruleset. The INPUT rule with --sport 22 accepts any inbound TCP packet whose source port happens to be 22, and a client chooses its own source port, so an attacker can use it to reach every listening service; the replies to our own SSH sessions are already covered by the RELATED,ESTABLISHED rule, so that rule should be removed. The two OUTPUT rules are harmless but redundant as long as the OUTPUT policy remains ACCEPT. Finally, rules written with iptables live only in kernel memory: with iptables-services they have to be saved to /etc/sysconfig/iptables (service iptables save, or iptables-save > /etc/sysconfig/iptables) or they are gone at the next restart of the service or the host.
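As an added example that is not part of the original page, the script below performs the same lock-down of INPUT to a DROP policy in an order that is safe to run over an SSH session, and without the source-port-22 hole discussed above. The admin subnet 192.168.1.0/24, the function names and the DRY_RUN switch are mine; with DRY_RUN=1, the default, the commands are printed rather than applied, so it can be reviewed and tested without root before being run for real with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original page: set INPUT to default DROP without
# locking yourself out. The admin network is an assumption; adjust it.
# DRY_RUN=1 (default) prints the commands instead of applying them.
DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit the ruleset in an order that never leaves the chain empty under DROP.
lock_input() {
    # Keep the policy at ACCEPT while rebuilding: -F alone under a DROP
    # policy would drop everything, including the SSH session running this.
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to anything this host initiated, including our SSH session's
    # packets, are accepted by connection state, not by guessable port numbers.
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # New SSH connections only from the admin network; no --sport 22 rule,
    # since the source port is chosen by the remote side and proves nothing.
    run "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Only now flip the policy: everything not matched above is dropped.
    run "$IPT" -P INPUT DROP
}

# Ordering check for the emitted ruleset: the policy change must come last,
# after every allow rule. Returns 0 when that holds.
policy_is_last() {
    lock_input | tail -n 1 | grep -q -- '-P INPUT DROP'
}

lock_input
```

When applying this remotely, a common safeguard is to schedule a restore of the previous ruleset a few minutes ahead (iptables-save to a file first, then an at or sleep-based iptables-restore that you cancel once the new rules are confirmed to work), and to save the confirmed ruleset with service iptables save so it survives a restart.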
