Linux Network Related | Firewall | netfilter: 5 tables, 5 chains


10.11 Linux Network related

ifconfig: if the ifconfig command is not present, install the net-tools package

    # yum install net-tools

To display all network cards, including those that are down or have no IP address, use the -a option

    # ifconfig -a

Sometimes you change a single network card (for example the gateway, or an added DNS server) and do not want to restart all network cards, only the one you changed. To avoid bringing the card down and then failing to bring it back up, run the two commands together:

    # ifdown ens33 && ifup ens33
    成功断开设备 ‘ens33‘。
    成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/1)

Set up a virtual network card (IP alias)

1. Switch to the network card configuration directory
    # cd /etc/sysconfig/network-scripts
2. Copy the NIC configuration file
    # cp ifcfg-ens33 ifcfg-ens33\:0
3. Edit the configuration file

    # vi !$
    TYPE=Ethernet
    BOOTPROTO=dhcp
    DEFROUTE=yes
    PEERDNS=yes
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=ens33:0
    UUID=584a55df-e887-4d4e-a11a-2ea0b5f6f5ed
    DEVICE=ens33:0
    ONBOOT=YES
    IPADDR=192.168.187.150
    NETMASK=255.255.255.0

Description: compared with the parent file, NAME, DEVICE and IPADDR were changed, and the DNS and GATEWAY lines were removed because they are already set on the parent interface.

4. Restart the network card

    # ifdown ens33 && ifup ens33
    成功断开设备 ‘ens33‘。
    成功激活的连接(D-Bus 激活路径:/org/freedesktop/NetworkManager/ActiveConnection/2)
5. View network card information

    # ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.187.130  netmask 255.255.255.0  broadcast 192.168.187.255
            inet6 fe80::9b87:5d89:4bd9:8e53  prefixlen  scopeid 0x20<link>
            ether 00:0c:29:02:6a:c4  txqueuelen  (Ethernet)
            RX packets 3124  bytes 244651 (238.9 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 689  bytes 85729 (83.7 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.187.150  netmask 255.255.255.0  broadcast 192.168.187.255
            ether 00:0c:29:02:6a:c4  txqueuelen  (Ethernet)

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen  scopeid 0x10
6. Check whether the virtual NIC's IP can be reached, for example with ping from the Windows cmd prompt.

Viewing the NIC link status

Method 1: mii-tool [NIC name]

    # mii-tool ens33
    ens33: negotiated 1000baseT-FD flow-control, link ok

Check: "link ok" means the NIC link is up.
Method 2: ethtool [NIC name]

    # ethtool ens33
    Settings for ens33:
            Supported ports: [ TP ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
            ……
            Wake-on: d
            Current message level: 0x00000007 (7)
                                   drv probe link
            Link detected: yes

Check: "Link detected: yes" means the NIC link is up.
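As an added example (not part of the original tutorial), the following script performs steps 2 and 3 of the alias procedure above without hand editing: it derives the alias file from the parent ifcfg file, rewrites NAME, DEVICE, IPADDR and NETMASK, and strips the GATEWAY, DNSn and UUID lines (the gateway and DNS are already set on the parent; the alias should not share the parent's UUID). The function name and the sample ifcfg contents are constructed, and everything is written to a temporary directory rather than /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Build ifcfg-<nic>:<idx> from ifcfg-<nic>, the way the tutorial does with cp + vi.
# Usage: make_alias_ifcfg <network-scripts dir> <parent nic> <alias index> <ip> <netmask>
# Prints the path of the new file; refuses to overwrite an existing alias file.
make_alias_ifcfg() {
  dir=$1 nic=$2 idx=$3 ip=$4 mask=$5
  src="$dir/ifcfg-$nic"
  dst="$dir/ifcfg-$nic:$idx"
  [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
  [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
  # Copy every line except the ones rewritten below (NAME/DEVICE/IPADDR/NETMASK),
  # PREFIX (would conflict with NETMASK), GATEWAY/DNSn (already on the parent)
  # and UUID (must be unique per connection).
  grep -Ev '^(NAME|DEVICE|IPADDR|NETMASK|PREFIX|GATEWAY|DNS[0-9]*|UUID)=' "$src" > "$dst" || return 1
  {
    echo "NAME=$nic:$idx"
    echo "DEVICE=$nic:$idx"
    echo "IPADDR=$ip"
    echo "NETMASK=$mask"
  } >> "$dst"
  echo "$dst"
}

# Constructed sample parent configuration in a temporary directory, so the
# example runs anywhere without touching the real network-scripts directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ifcfg-ens33" <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
UUID=00000000-0000-0000-0000-000000000000
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.187.130
NETMASK=255.255.255.0
GATEWAY=192.168.187.2
DNS1=192.168.187.2
EOF

# Same values as the tutorial: alias ens33:0 with 192.168.187.150/24.
make_alias_ifcfg "$demo_dir" ens33 0 192.168.187.150 255.255.255.0 && cat "$demo_dir/ifcfg-ens33:0"
```

After copying the generated file into /etc/sysconfig/network-scripts, the tutorial's `ifdown ens33 && ifup ens33` step activates the alias.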
Change the host name

Change it:
    # hostnamectl set-hostname aminglinux-001
View the host name:
    # hostname
    aminglinux-001
To have the new host name take effect in the current session without rebooting, start a new shell (and exit it afterwards):
    # bash
    # exit
    exit
DNS Configuration

DNS configuration file: /etc/resolv.conf

    # cat /etc/resolv.conf
    # Generated by NetworkManager
    search localdomain
    nameserver 192.168.187.2

Note: to change the DNS configuration, edit the network card configuration file; the change takes effect after the network card is restarted (ifdown/ifup). You can also edit /etc/resolv.conf directly to change DNS temporarily, but with this method the DNS settings in the network card configuration file overwrite the file again when the NIC is restarted.

Local host name resolution file: /etc/hosts

    # cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Description: with vi you can add your own host name to IP mappings (one IP may map to several names, or one name to several IPs, separated by spaces; when one name maps to several IPs, the entry later in the file takes precedence). These mappings only take effect on the local machine.

10.12 firewalld and netfilter

Permanently shut down the firewall (SELinux)

    # vi /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of three two values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

Change SELINUX=enforcing to SELINUX=disabled, save, and reboot the system.

View the firewall (SELinux) status

    # getenforce
    Enforcing

Temporarily shut down the firewall (SELinux)

    # setenforce 0
    # getenforce
    Permissive

In CentOS 7 the firewall is called firewalld; before CentOS 7 it was called netfilter. The underlying tool, iptables, is the same (it can open or close ports).

Deactivate firewalld

Disable the firewall service:
    # systemctl disable firewalld
    Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Stop the service:
    # systemctl stop firewalld
Enable netfilter (the iptables service)

Install the iptables tool package first:
    # yum install -y iptables-services
Enable and start the iptables service:
    # systemctl enable iptables
    Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
    # systemctl start iptables

View iptables rules: iptables -nvL

    # iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
          2432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
          1450 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 21 packets, 2204 bytes)
     pkts bytes target     prot opt in     out     source               destination
10.13 netfilter: 5 tables and 5 chains

Table names

  • filter: packet filtering, used for firewall rules.
  • nat: network address translation, used on gateways and routers.
  • mangle: used to mark packets and then handle them according to the mark.
  • There are also two less commonly used tables, raw and security, which are not covered here.

Rule chain names

The filter table has three chains:

  • INPUT chain: acts on packets destined for the local machine.
  • OUTPUT chain: acts on packets generated by the local machine.
  • FORWARD chain: acts on packets that pass through the machine but are neither from nor to it.

The nat table has three chains:

  • PREROUTING chain: changes the destination address of a packet as soon as it arrives at the firewall, if necessary.
  • OUTPUT chain: changes the destination address of locally generated packets.
  • POSTROUTING chain: changes the source address of a packet just before it leaves the firewall.

NAT table application (for understanding)

Environment: suppose there are three machines, A, B and C. A has one NIC connected to the public network (IP1); B has two NICs, B1 and B2, connected to the public network (IP2) and the private network (IP3) respectively; C has one NIC connected to the private network (IP4). Clearly A and B can communicate, as can B and C, but A and C are not directly connected and can only reach each other through an intermediary. How should things be set up so that A and C can communicate?

Method:

First enable IP forwarding:
    # echo "1" > /proc/sys/net/ipv4/ip_forward
Then add the forwarding (masquerading) rule to the nat table:
    # iptables -t nat -A POSTROUTING -s IP2 -o ensA -j MASQUERADE
(IP2: any address in that subnet works here; ensA: the NIC name on machine A.)

Description: the -o option is followed by a device name and specifies the egress NIC. MASQUERADE means to disguise or impersonate: packets leave with the address of the egress NIC instead of their original source address.

10.14 iptables Syntax

iptables is the common firewall tool on Linux and is part of the netfilter project. It can be configured directly on the command line or through a number of front ends and graphical interfaces.

Syntax: iptables [options] [parameters]
Options:
-n: do not resolve IP addresses to host names
-v: show more detailed information
-t: specify the table (iptables defaults to the filter table)
-L: list the rules
-F: flush (clear) all rules
-A/-D: append/delete a rule
-I: insert a rule
-p: specify the protocol, which can be tcp, udp or icmp
--sport: used with -p, specify the source port
--dport: used with -p, specify the destination port
-s: specify the source IP (can be an IP range)
-d: specify the destination IP (can be an IP range)
-j: followed by the action (ACCEPT allows the packet; DROP silently discards it; REJECT rejects it)
-i: specify the NIC (the input interface; -o is the output interface)
-Z: zero the packet and byte counters
-P: set the default (preset) policy of a chain

  • iptables command option order:

    iptables -t <table> <-A/-I/-D/-R> <chain> [rule number] <-i/-o NIC> -p <protocol> <-s source IP/subnet> --sport <source port> <-d destination IP/subnet> --dport <destination port> -j <action>

  • View rules

    # iptables -nvL
    iptables rule configuration file: /etc/sysconfig/iptables

  • Purge rules

    # iptables -F
    Note: this command does not clear the rules in the configuration file. After changing rules, run 'service iptables save' to write them to the configuration file.

  • Add a rule (-A/-I)

    # iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
    Note: this adds a rule that applies an action to packets sent from IP 192.168.188.1, protocol TCP, source port 1234, to the machine with IP 192.168.188.128 on port 80: DROP (discard the packet). Note: -A can also be changed to -I; the difference is like queuing versus jumping the queue: -A appends the rule at the end of the chain, -I inserts it at the front, so the two give the rule a different priority.

  • Delete a rule (-D)

    Method 1: you know the contents of the rule

    # iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP
    Note: to delete a rule you must specify it exactly as it was inserted, that is, the two iptables commands are identical except for -A/-I versus -D.

    Method 2: you have forgotten the contents of the rule
    First, list the rules with their numbers:

    # iptables -nvL --line-numbers
    Then run the delete command:

    # iptables -D INPUT [rule number]
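Added example (not from the original tutorial) for Method 2: a shell/awk helper that reads the output of `iptables -nvL --line-numbers`, returns the numbers of the rules in a chain that match a given target, source and destination (optionally a port match such as `dpt:80`), and emits the corresponding `iptables -D` commands highest number first, because rule numbers shift down after every deletion. The listing is constructed to mirror the tutorial's rule set; the function names are my own.

```shell
#!/bin/sh
# With -v and --line-numbers the columns are:
#   num pkts bytes target prot opt in out source destination [match details]
# Usage: find_rule_numbers <chain> <target> <source> <destination> [extra pattern]
# Reads the listing on stdin and prints one matching rule number per line.
find_rule_numbers() {
  awk -v chain="$1" -v target="$2" -v src="$3" -v dst="$4" -v extra="${5:-}" '
    /^Chain / { cur = $2; next }          # remember which chain the rows belong to
    $1 == "num" || NF == 0 { next }       # skip header rows and blank lines
    cur == chain && $4 == target && $9 == src && $10 == dst {
      rest = ""
      for (i = 11; i <= NF; i++) rest = rest " " $i   # match details (state, ports, ...)
      if (extra == "" || index(rest, extra) > 0) print $1
    }'
}

# Emit delete commands for every match, highest number first so that the
# remaining numbers stay valid. Prints rather than executes; pipe into sh to apply.
delete_commands() {
  chain=$1; shift
  find_rule_numbers "$chain" "$@" | sort -rn | while read -r n; do
    echo "iptables -D $chain $n"
  done
}

# Constructed sample listing (not captured from a real host), modelled on the tutorial's rules.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       32  2432 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:443
7        5  1450 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Only the port-80 DROP rule from the tutorial (prints 5):
printf '%s\n' "$SAMPLE_LISTING" | find_rule_numbers INPUT DROP 192.168.188.1 192.168.188.128 dpt:80
# Both DROP rules, as delete commands in safe order (6 before 5):
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP 192.168.188.1 192.168.188.128
```

On a live host replace the constructed listing with `iptables -nvL --line-numbers | find_rule_numbers ...`.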
  • Change the default policy (-P)

Execute the command:

    # iptables -P OUTPUT DROP

Note: avoid changing the default policy if at all possible, especially over a remote login: the session is disconnected as soon as the command runs. The policy can only be restored to its original state with 'iptables -P OUTPUT ACCEPT'; the -F option does not reset it.
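Added example (not from the original tutorial) for the lock-out caveat above: apply a default policy with an automatic rollback timer, so that an `iptables -P OUTPUT DROP` typed over SSH reverts on its own unless the operator, still connected, confirms within the window. The IPTABLES hook, the confirmation-file mechanism and the stand-in fake_iptables used for the demo are my own constructions; with the demo lines removed, IPTABLES defaults to the real binary.

```shell
#!/bin/sh
# Hook so the logic can be exercised with a stand-in command; defaults to the real iptables.
IPTABLES=${IPTABLES:-iptables}

# Usage: set_policy_with_rollback <chain> <new policy> <previous policy> <seconds> <confirm file>
# Applies the new policy, then restores the previous one after <seconds> unless
# <confirm file> exists by then. Sets ROLLBACK_PID so the caller can wait on or kill the timer.
set_policy_with_rollback() {
  chain=$1 newpol=$2 oldpol=$3 secs=$4 confirm=$5
  rm -f "$confirm"
  "$IPTABLES" -P "$chain" "$newpol" || return 1
  (
    sleep "$secs"
    # Operator still had a working session and confirmed: keep the new policy.
    [ -f "$confirm" ] || "$IPTABLES" -P "$chain" "$oldpol"
  ) &
  ROLLBACK_PID=$!
  echo "policy $chain=$newpol applied; reverts to $oldpol in ${secs}s unless $confirm exists" >&2
}

# Run this from the same session within the window to keep the new policy.
confirm_policy() { : > "$1"; }

# Stand-in for iptables used by the demo: records the calls instead of changing rules.
fake_iptables() { echo "iptables $*" >> "$FAKE_LOG"; }

# Demo with a constructed one-second window and no confirmation: the log shows the
# DROP being applied and then ACCEPT being restored. Remove these lines for real use.
FAKE_LOG=$(mktemp); IPTABLES=fake_iptables
set_policy_with_rollback OUTPUT DROP ACCEPT 1 "$FAKE_LOG.confirm"
wait "$ROLLBACK_PID" && cat "$FAKE_LOG"
```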
