The relationship between Iptables and NetFilter:
NetFilter the code in the kernel space completes the analysis and disposition of the packet according to the Rules in table. However, the specific firewall rules in these table must be written personally by the system administrator. The netfilter in the kernel simply provides a mechanism that does not know how to use this mechanism to write the appropriate rules to implement a network firewall.
So, how does the system administrator write rules that go into the NetFilter maintained table in kernel space? This task is done by the Iptables tool.
Plainly, NetFilter is located in the kernel, and iptables is a management tool located in the user space. With Iptables, the user space can communicate with the netfilter in the kernel, maintaining the firewall rules in the table.
[[email protected] ~]# Ifconfig-a when the NIC is down or no IP is displayed
Ifup Ens33 Open NIC
Ifdown Ens33 turn off the NIC
When you generally add DNS or gateways, you can use the Ifdown command.
[[email protected] ~]# ifdown ens33 && ifup Ens33 If it is necessary to operate on the remote terminal, you can put 2 commands together to execute.
To set up a virtual network card, you need to change the network card configuration file name to Ens33:0,ip address change one.
Added virtual network card IP also can be ping through the ↑
[[email protected] network-scripts]# Mii-tool ENS33 See if the network cable is connected
[[email protected] network-scripts]# Ethtool Ens33 can also see if the NIC is connected
[[email protected] network-scripts]# hostnamectl set-hostname abc-001 Modify host Name
Change DNS directly to modify the DNS configuration file, you can also temporarily edit this file/etc/resolv.conf
[Email protected] network-scripts]# cat/etc/hosts
This file is available in both Linux and Windows, and can be resolved at native change addresses, only for native.
The format is the IP on the left, the right is the domain name, can support an IP for multiple domain names, separated by a space.
If a domain name is modified to correspond to multiple IPs, the last line will prevail.
10.12 Firewalld and NetFilter
Setenforce 0 can temporarily close SELinux
If you want to permanently turn selinux off, you need to modify the configuration file Vi/etc/selinux/config and then restart the system.
You can use Getenforce to view the SELinux status, if enforcing is on, if permissive indicates a temporary shutdown.
NetFilter used before CentOS6, CentOS7 inside the default use of FIREWALLD, of course, can also be CentOS7 inside the FIREWALLD, and then open NetFilter, the same can be used CentOS6 firewall mechanism.
To close the Firewalld method:
# systemctl Disable FIREWALLD
# Systemctl Stop Firewalld
Then, before turning on netfilter, you need to install a package first.
# yum Install-y iptables-services
When the installation is complete, open it again
# Systemctl Enable Iptables
# Systemctl Start iptables
# IPTABLES-NVL View the default rules after Iptables service startup
10.13 NETFILTER5 Table 5 Chain Introduction
1.netfilter of 5 tables filter:input FORWARD outputnat:prerouting postrouting O Utput mangle:prerouting INPUT OUTPUT postroutingraw:prerouting outputsecurity : Secmark and Connsecmark INPUT OUTPUT FORWARD
There are only 4 tables in CentOS6, and you can view the 5 tables of netfilter with the Man command.
[email protected] ~]# man iptables
The relationship between Iptables and NetFilter:
This is the first place to say that the relationship between Iptables and NetFilter is a problem that is easily confusing. A lot of know iptables but don't know netfilter. In fact, Iptables is just a Linux firewall management tool, located in/sbin/iptables. The real firewall function is NetFilter, which is the internal structure of implementing packet filtering in the Linux kernel.
Iptables the process of transmitting packets
① when a packet enters the network card, it first enters the prerouting chain, and the kernel determines whether it needs to be forwarded based on the packet destination IP.
② if the packet is in the native, it will move down the graph to reach the input chain. After the packet has been sent to the input chain, any process will receive it. Programs running on this computer can send packets that go through the output chain and then reach the postrouting chain.
③ if the packet is to be forwarded out and the kernel allows forwarding, the packet will move to the right, through the forward chain, and then to the postrouting chain output.
Iptables rules tables and chains:
Table (tables) provides specific functionality, the Iptables contains 4 tables, the filter table, the NAT table, the Mangle table, and the raw table, respectively, to implement packet filtering, network address translation, packet refactoring (modification), and data tracking processing.
Chain (chains) is the path of packet propagation, each chain is actually a checklist in many rules, each chain can have one or several rules. When a packet arrives at a chain, the iptables starts checking from the first rule in the chain to see if the packet satisfies the conditions defined by the rule. If satisfied, the system processes the packet according to the method defined by the rule, otherwise iptables will continue to check the next rule, and if the packet does not conform to any of the rules in the chain, Iptables will process the packet based on the default policy defined by the chain.
Iptables uses a hierarchical structure of "table" and "chain". In REHL4 is three sheets of five chains. Now REHL5 into four table five chain, but the more out of the table with not too much, so basically still the same as before. Here is a list of these four tables and five chains. Note that the relationships and roles of these tables and chains must be understood.
3. Set up the virtual NIC 1. [[email protected] ~]# cd/etc/sysconfig/network-scripts/ &NB sp; #进入网卡配置的目录2. [[email protected] network-scripts]# cp ifcfg-ens33 ifcfg-ens33\:1 # Copy a profile of the NIC and rename it to Ens33:1 & nbsp The backslash indicates the de-righteousness 3. [[email protected] network-scripts]# VI ifcfg-ens33:1 #编辑配置文件 name=ens33:1 d evice=ens33:1 can delete gateways and dns reset IP in a network segment 4. [[email protected] network-scripts]# ifdown ens33:1 && ifup ens33:1 #重启网卡配置生效 4. mii-tool ethtool Both commands can see if the NIC is connected successfully, mii-tool can be used when it is not available ethtool[[email protected] Network-scripts]# mii-tool ens33siocgmiiphy on ' ens33 ' failed: Operation not supported #提示不支持  [[EMAIL PROtected] network-scripts]# ethtool ens33 #使用ethtool命令Settin GS for Ens33: current message level:0x00000007 (7) drv Probe link Link detected:yes &NBSP ; #Link detected yes indicates a successful connection and no is a bit connected 5. Edit /etc/hosts file, add IP and domain name, implement the domain name jump 1. [[email protected] network-scripts]# ping www.qq.com &N Bsp #ping www.qq.com can be normal p ing PING www.qq.com (14.17.42.40) bytes of data. bytes from 14.17.42.40 (14.17.42.40): Icmp_seq=1 ttl=128 time=11.0 ms ---www.qq.com ping statistics--- 3 packets transmitted, 3 received, 0% packet loss, time 11028ms &nbs P RTT Min/avg/max/mdev = 7.342/42.114/107.962/46.586 ms 2. [[email protected] network-scripts]# vim/etc/hosts #编辑配置文件, REDIRECT the domain name to 192.168.177.66 Add the following line: 192.168.177.66 www.qq.com 3 in the configuration file. [[email protected] network-scripts]# ping www.qq.com ping www.qq.com (192.168.177.66) (+) bytes of data. 64 bytes from www.qq.com (192.168.177.66): icmp_seq=1 ttl=64 time=0.049 ms & nbsp; #可以看到ping www.qq.com jump to 192.168.177.66 ---www.qq.com ping statistics--- 3 Packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 0.049/0.094/0.179/0.060 ms Ii. Firewalld and Netfilter1. Permanently shut down the selinux firewall [[email protected] ~]# vi/etc/selinux/config # Edit Profile Add selinux=Enforcing change to disabled2. getenforce and setenforce 01. [[email protected] ~]# getenforce #使用getenforce可以查看selinux的状态, enforcing is open meaning Enforcing2. [[email protected] ~]# setenforce 0 #使用setenforce 0 temporarily close selinux,3. [[email protected] ~]# getenforce Permissive # temporarily off SELinux, the status changes to permissive, to block, will not block, warning and record 3. netfilter and FIREWALLD are all Linux firewalls, using NetFilter before Centos7, followed by Firewalld. Today is netfilter, so you have to turn off the FIREWALLD and then turn on NetFilter. 1.[[email protected] ~]# systemctl disable FIREWALLD & nbsp # #暂停 firewalld services removed symlink/etc/systemd/system/ multi-user.target.wants/firewalld.service. removed Symlink/etc/sysTemd/system/dbus-org.fedoraproject.firewalld1.service.2. [[email protected] ~]# systemctl stop firewalld &N Bsp # #停止进程3. [[email protected] ~]# yum install-y iptables-services # # Install Iptables-services 4. [[email protected] ~]# systemctl enable iptables & nbsp # #启动服务 created symlink from/etc/systemd/system/basic.target.wants/iptables.service to/usr/ Lib/systemd/system/iptables.service.5. [[email protected] ~]# systemctl start iptables &N Bsp # #启动进程
10.14 iptables Syntax
# IPTABLES-NVL View Iptables rules
# Service Iptables Restart check the rules again after restarting
Rule save Path/etc/sysconfig/iptables
If you do not want the default rules, you can use iptables-f to clear them.
After the rule is emptied, the contents of the configuration file of the saved path will not be emptied, and if you want to save the new rule, you need to execute the command service Iptables save to store the new rule content to the configuration file.
# iptables-t FILTER-NVL not plus-T is the filter table
# Iptables-t NAT-NVL can also view NAT table
# iptables-z; IPTABLES-NVL can clear the counter
# iptables-a input-s 192.168.188.1-p tcp--sport 1234-d 192.168.188.128--dport 80-j DROP
-A represents and adds a rule to the chain that is input chain,-s specifies a source ip,-p specifies a protocol, source port 1234, destination IP and destination port-j
# iptables-i input-p TCP--dport 80-j DROP-The size letter I indicates that insert is inserted into the first row, and-A is added to the last line.
# iptables-d input-s 192.168.188.1-p tcp--sport 1234-d 192.168.188.128--dport 80-j drop delete rule for last row
# iptables-d input-p TCP--dport 80-j drop delete the rule of the first row
If you forget the previous rule, you can delete it by the following method, first showing the number of rows of the rule, and then deleting the rule for the specified row.
# IPTABLES-NVL--line-number shows the number of lines of the rule
# iptables-d INPUT 7 For example, delete rules for line 7th
# iptables-p OUTPUT DROP rule for Default policy, do not recommend action, keep it by default.
Linux network-related commands Firewalld and netfilter, iptables use (6/22)