One: Linux network-related
ifconfig command; if it is not present, install it with:
yum install -y net-tools
Disable a network card:
ifdown ens33
Enable the NIC:
ifup ens33
Restart the NIC:
ifdown ens33 && ifup ens33
Set up the virtual NIC ens33:0:
cd /etc/sysconfig/network-scripts/
cp ifcfg-ens33 ifcfg-ens33\:0
vi !$    (!$ expands to the last argument of the previous command, i.e. ifcfg-ens33:0)
Change NAME and DEVICE to ens33:0
Change IPADDR
View the NIC link status:
mii-tool ens33
ethtool ens33
Change the hostname:
hostnamectl set-hostname leewill
Takes effect immediately; log in again to see the new name in the prompt.
DNS configuration file:
cat /etc/resolv.conf
Hosts (domain name) configuration file:
cat /etc/hosts
If the same domain name is configured with different IPs, the last entry wins.
II: firewalld and netfilter
Ways to turn off SELinux:
Temporary: setenforce 0
Permanent: vim /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
Save and reboot.
Get the SELinux status: getenforce
firewalld and netfilter both use the iptables command to implement the firewall function.
CentOS 7 uses firewalld; CentOS 6 uses netfilter.
Turn off firewalld on CentOS 7 and turn on netfilter:
systemctl disable firewalld
systemctl stop firewalld
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables
Three: Introduction to the 5 tables and 5 chains of netfilter
man iptables
filter table
Mainly used to filter packets; it is the system's default table. It has three built-in chains: INPUT, OUTPUT and FORWARD.
INPUT acts on packets entering this machine, OUTPUT on packets sent by this machine, and FORWARD on packets that only pass through and are not addressed to this machine.
nat table
Mainly used for network address translation; it also has three chains. PREROUTING changes a packet's destination address as soon as it arrives at the firewall. OUTPUT changes the destination address of locally generated packets. POSTROUTING changes the source address just before a packet leaves the firewall.
mangle table
Mainly used to mark packets, so that they can then be handled according to the marks.
raw table
Can be used to exempt some packets from connection tracking.
security table
Not present in CentOS 6; used for Mandatory Access Control (MAC) network rules.
Four: iptables syntax
iptables basic syntax:
- View rules and clear rules
iptables -t nat -nvL
-t is followed by the table name; without it, the filter table is printed.
-nvL lists the rules of the table
-n means do not resolve IP addresses to hostnames
-L means list
-v lists the information in more detail
Clear all rules in the filter table: iptables -F
Zero the packet and byte counters: iptables -Z
- Add, delete a rule
Add: iptables -A INPUT -s 192.168.1.1 -p tcp --sport 1234 -d 192.168.1.2 --dport 80 -j DROP
-A appends a rule
-I inserts a rule
-D deletes a rule
INPUT is the chain name
-s is followed by the source IP (can be an IP range)
-p protocol (tcp, udp, icmp)
--sport/--dport are followed by the source/destination port (must be used together with -p, otherwise an error)
-d is followed by the destination IP (can be an IP range)
-i specifies the NIC
-j is followed by the action (DROP drops the packet, REJECT rejects the packet, ACCEPT allows the packet)
-Z zeroes the counters
-P sets the default policy, followed by the chain name; the policy is DROP or ACCEPT, default is ACCEPT. (Be careful doing this remotely: a DROP policy on INPUT cuts off your own session!)
Insert a rule: iptables -I INPUT -s 10.10.10.1 -j DROP
Drops all packets from 10.10.10.1.
Delete: iptables -D INPUT -s 10.10.10.1 -j DROP
Deletes the rule just inserted (when deleting, the rule must be written exactly as it was inserted, except that -I becomes -D).
The difference between -A and -I:
An appended rule goes to the end of the rule list; an inserted rule goes to the top of the rule list and takes precedence.
How to delete a rule simply and effectively when there are too many rules:
First view the rule numbers: iptables -nvL --line-numbers
Then delete by number: iptables -D INPUT <number>
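An added example (my own, not part of these notes) of the delete-by-number approach: a small shell helper that reads a constructed `iptables -nvL --line-numbers` listing, finds every rule in a chain with a given source and target, and prints the `iptables -D` commands in the order that is safe to run. The column positions ($4 target, $9 source) are assumptions based on the standard listing layout.

```shell
#!/bin/sh
# Added example (not from the original notes): find the numbers of the rules
# matching a given source and target in one chain, so they can be removed with
# "iptables -D CHAIN <num>" instead of retyping the whole rule.
# Assumes the column layout of "iptables -nvL --line-numbers" shown below.

# Constructed sample listing; on a real host use: iptables -nvL --line-numbers
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       10.10.10.1           0.0.0.0/0
2        0     0 ACCEPT     tcp  --  *      *       192.168.1.1          0.0.0.0/0            tcp dpt:22
3        0     0 DROP       all  --  *      *       10.10.10.1           0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.10.1'

# rule_numbers CHAIN SOURCE TARGET: reads the listing on stdin and prints the
# matching rule numbers in descending order. Descending matters: iptables
# renumbers a chain after every -D, so deleting the highest number first keeps
# the remaining numbers valid.
rule_numbers() {
    awk -v chain="$1" -v src="$2" -v tgt="$3" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $4 == tgt && $9 == src { print $1 }
    ' | sort -rn
}

# delete_cmds CHAIN SOURCE TARGET: prints the iptables -D commands to run
# (review them first, then execute as root).
delete_cmds() {
    rule_numbers "$1" "$2" "$3" | while read -r n; do
        printf 'iptables -D %s %s\n' "$1" "$n"
    done
}

# Prints: iptables -D INPUT 3  then  iptables -D INPUT 1
printf '%s\n' "$SAMPLE" | delete_cmds INPUT 10.10.10.1 DROP
```

Note that the OUTPUT chain rule with 10.10.10.1 as the destination is not matched: the source column is what is compared.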
Backup and restore rules:
Copy the /etc/sysconfig/iptables file,
or iptables-save > 1.ipt
iptables-restore < 1.ipt
Rules that have just been modified are only temporary; to make them permanent they must be saved:
service iptables save