Example Analysis of ip, ss, journalctl and firewall-cmd commands in Linux

2025-02-23 Update From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 06/01 Report

This article works through the ip, ss, journalctl and firewall-cmd commands on a CentOS 7 host, with example output for each, so that you can see what they show and how they are used.

1. ip

ip [OPTIONS] OBJECT COMMAND

ip is the network configuration tool of the iproute2 package. It replaces the legacy net-tools utilities such as ifconfig, route and arp, and exposes kernel features (policy routing, namespaces, tunnels) that those tools never covered.

OPTIONS modify the behaviour of ip or change its output format.

OBJECT is the kind of object to operate on, including:

address    protocol (IPv4 or IPv6) addresses on a device
link       network devices
monitor    watch netlink messages (link, address, route and neighbour changes)
neighbour  the ARP (IPv4) and NDISC (IPv6) neighbour cache
netns      network namespaces
route      routing table entries
tunnel     IP tunnels

The object name may be written in full or abbreviated to any unique prefix, e.g. address as addr or a.

COMMAND is the action to perform on the object; the available actions depend on the object type.

Address

For example, show the configuration of the interface ens33:

[root@centos7 ~]# ip addr show ens33
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a4:a9:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.254/24 brd 10.0.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea4:a916/64 scope link
       valid_lft forever preferred_lft forever

The option -s adds statistics (RX/TX counters) to the output. A rising errors or dropped column is often the first sign of a bad cable, a duplex mismatch or a host under packet pressure:

[root@centos7 ~]# ip -s addr show ens33
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a4:a9:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.254/24 brd 10.0.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea4:a916/64 scope link
       valid_lft forever preferred_lft forever
    RX: bytes  packets  errors  dropped overrun mcast
    133518854  1415841  0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    14033474   59479    0       0       0

Add a second address to ens33, then delete it again:

[root@centos7 ~]# ip addr add 192.168.0.193/24 dev ens33
[root@centos7 ~]# ip a sh ens33
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:a4:a9:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.254/24 brd 10.0.1.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 192.168.0.193/24 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea4:a916/64 scope link
       valid_lft forever preferred_lft forever
# delete
[root@centos7 ~]# ip addr del 192.168.0.193/24 dev ens33

Addresses set this way live only in the running kernel; they are gone after a reboot or a network restart unless they are also put in the interface configuration (the ifcfg-* file or the NetworkManager connection).

Neighbour

For example, list the ARP cache (neighbour can be abbreviated to neigh or n):

[root@centos7 ~]# ip neigh
172.20.71.253 dev ens32 lladdr 68:8f:84:03:71:e6 STALE
10.0.1.102 dev ens33 lladdr 00:50:56:a4:18:9a STALE
10.0.1.1 dev ens33 lladdr 68:8f:84:01:f1:ff STALE
10.0.1.103 dev ens33 lladdr 00:1c:7f:3b:da:b0 STALE
10.0.1.104 dev ens33 lladdr 00:50:56:a4:37:a7 DELAY
10.0.1.252 dev ens33 lladdr 00:50:56:a4:65:71 STALE

The COMMANDs available for neighbour include add, change, replace, delete and flush.

For example, add a permanent (static) ARP entry for 10.0.1.253 on ens33. A permanent entry is never overwritten by incoming ARP replies, which is the usual way to pin the MAC of a gateway or another critical host against ARP spoofing on the local segment:

[root@centos7 ~]# ip nei add 10.0.1.253 lladdr 78:A3:51:14:F7:98 dev ens33 nud permanent
[root@centos7 ~]# ip nei show dev ens33
10.0.1.103 lladdr 00:1c:7f:3b:da:b0 STALE
10.0.1.1 lladdr 68:8f:84:01:f1:ff STALE
10.0.1.104 lladdr 00:50:56:a4:37:a7 REACHABLE
10.0.1.102 lladdr 00:50:56:a4:18:9a STALE
10.0.1.253 lladdr 78:a3:51:14:f7:98 PERMANENT
10.0.1.252 lladdr 00:50:56:a4:65:71 STALE
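As an added example (not part of the original article), the following shell script turns an ip neigh listing into an ARP-spoofing check: it flags a MAC address that answers for more than one IP on the same device, and it compares the cache against a baseline of known-good ip/mac pairs recorded earlier. The neighbour lines and the baseline are constructed for the example; the poisoning they depict (the gateway 10.0.1.1 suddenly resolving to the MAC of 10.0.1.104) is invented, not something observed on the article's host.

```sh
#!/bin/sh
# Added example, not part of the original article: audit the output of
# `ip neigh show` for two ARP-cache anomalies. The sample lines below are
# constructed; on a real host pipe `ip neigh show` into the functions.

# Print "dev mac ip1,ip2,..." for every MAC that answers for more than one
# IP on the same device. Legitimate causes exist (VRRP/HSRP, some routers),
# but a MAC that suddenly also owns the gateway's IP is what ARP poisoning
# looks like from the victim's cache.
# Usage: ip neigh show | neigh_dup_macs
neigh_dup_macs() {
    awk '
        # fields: ip "dev" device "lladdr" mac state; FAILED/INCOMPLETE entries carry no lladdr
        $2 == "dev" && $4 == "lladdr" {
            key = $3 " " tolower($5)
            ips[key] = (key in n) ? (ips[key] "," $1) : $1
            n[key]++
        }
        END { for (k in n) if (n[k] > 1) print k, ips[k] }
    ' | sort
}

# Compare the current cache with a baseline file of "ip mac" pairs taken while
# the network was known-good; print every IP whose MAC has changed.
# Usage: ip neigh show | neigh_changed baseline.txt
neigh_changed() {
    awk -v base="$1" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, f, " "); old[f[1]] = tolower(f[2])
            }
            close(base)
        }
        $2 == "dev" && $4 == "lladdr" && ($1 in old) && old[$1] != tolower($5) {
            print $1, old[$1], "->", tolower($5)
        }
    ' | sort
}

# Constructed sample: same shape as the article's `ip neigh` output, but here
# 10.0.1.1 (the gateway) is now resolved to the MAC that belongs to 10.0.1.104.
SAMPLE_NEIGH='172.20.71.253 dev ens32 lladdr 68:8f:84:03:71:e6 STALE
10.0.1.102 dev ens33 lladdr 00:50:56:a4:18:9a STALE
10.0.1.1 dev ens33 lladdr 00:50:56:a4:37:a7 REACHABLE
10.0.1.103 dev ens33 lladdr 00:1c:7f:3b:da:b0 STALE
10.0.1.104 dev ens33 lladdr 00:50:56:a4:37:a7 DELAY
10.0.1.250 dev ens33  FAILED'

# Constructed baseline, as recorded earlier with:
#   ip neigh show | awk '$4 == "lladdr" { print $1, $5 }' > baseline.txt
SAMPLE_BASELINE='10.0.1.1 68:8f:84:01:f1:ff
10.0.1.104 00:50:56:a4:37:a7'

# Demo on the sample data (a real run would pipe `ip neigh show` instead).
printf '%s\n' "$SAMPLE_NEIGH" | neigh_dup_macs
baseline_file=$(mktemp)
printf '%s\n' "$SAMPLE_BASELINE" > "$baseline_file"
printf '%s\n' "$SAMPLE_NEIGH" | neigh_changed "$baseline_file"
rm -f "$baseline_file"
```

Both checks are cheap enough to run from cron on a server that has no access to the switch's port-security or DHCP-snooping counters. The remedy once a spoof is confirmed is the one the article just showed: pin the real MAC of the gateway with ip neigh add ... nud permanent until the offending host is found.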

Link

Change the MTU (maximum transmission unit) of ens33 to 1600:

[root@centos7 ~]# ip link set dev ens33 mtu 1600
[root@centos7 ~]# ip link show dev ens33
3: ens33: mtu 1600 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:50:56:a4:a9:16 brd ff:ff:ff:ff:ff:ff

Bring the device ens32 down:

[root@centos7 ~]# ip link set dev ens32 down
[root@centos7 ~]# ip li ls dev ens32
2: ens32: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT qlen 1000
    link/ether 00:50:56:a4:f6:f8 brd ff:ff:ff:ff:ff:ff

Create a bridge device br1:

[root@centos7 ~]# ip link add link ens32 name br1 type bridge
[root@centos7 ~]# ip link show dev br1
8: br1: mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 0e:00:3a:f2:fa:ee brd ff:ff:ff:ff:ff:ff
# enable
[root@centos7 ~]# ip link set dev br1 up
# disable
[root@centos7 ~]# ip link set dev br1 down
# delete
[root@centos7 ~]# ip link del dev br1

Note that the "link ens32" argument does not attach ens32 to the bridge; it is only meaningful for device types such as vlan or macvlan that sit on top of another device. To make ens32 a bridge port, enslave it explicitly with ip link set dev ens32 master br1.

Route

For example, show the routing table (column -t is only used here to align the output):

[root@centos7 ~]# ip route show | column -t
default          via  10.0.1.103  dev    ens33   proto  static  metric  100
10.0.1.0/24      dev  ens33       proto  kernel  scope  link    src     10.0.1.254     metric  100
172.20.71.0/24   dev  ens32       proto  kernel  scope  link    src     172.20.71.254  metric  100
192.168.78.0/24  via  10.0.1.104  dev    ens33

Add a route to 192.168.0.0/16 with next hop 10.0.1.101, then delete it:

[root@centos7 ~]# ip route add 192.168.0.0/16 via 10.0.1.101 dev ens33
[root@centos7 ~]# ip route show | column -t
default          via  10.0.1.103  dev    ens33   proto  static  metric  100
10.0.1.0/24      dev  ens33       proto  kernel  scope  link    src     10.0.1.254     metric  100
172.20.71.0/24   dev  ens32       proto  kernel  scope  link    src     172.20.71.254  metric  100
192.168.0.0/16   via  10.0.1.101  dev    ens33
192.168.78.0/24  via  10.0.1.104  dev    ens33
# delete
[root@centos7 ~]# ip route del 192.168.0.0/16 dev ens33

change and replace work the same way to modify or replace an existing entry.

To see which route the kernel would actually pick for one destination:

[root@centos7 ~]# ip rou get 10.0.1.0/24
broadcast 10.0.1.0 dev ens33 src 10.0.1.254
    cache

2. ss

ss [OPTIONS] [FILTER]

ss dumps socket statistics and shows much the same information as netstat, but with more detail on TCP state and far better performance. On a server with a very large number of sockets, netstat (and reading /proc/net/tcp directly) becomes slow because it walks and formats the whole /proc table. ss instead queries the kernel over the netlink sock_diag interface (the tcp_diag/inet_diag modules), which hands it the socket tables directly from the kernel; that is what makes it fast. For the same reason ss is the better tool when auditing a host for unexpected listeners: it is quick, and with -p it names the owning process.

Option -a shows all sockets (listening and non-listening)

Option -t shows TCP sockets

Option -u shows UDP sockets

Option -n does not resolve port numbers to service names

Option -p shows the process owning each socket (run as root, otherwise other users' processes are not shown)

[root@centos7 ~]# ss -antp | column -t
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     *:22                *:*                    users:(("sshd",pid=1355,fd=3))
LISTEN  0       100     127.0.0.1:25        *:*                    users:(("master",pid=2214,fd=13))
ESTAB   0       0       10.0.1.254:22       192.168.78.141:...     users:(("sshd",pid=18294,fd=3))
ESTAB   0       52      10.0.1.254:22       192.168.78.178:51667   users:(("sshd",pid=18433,fd=3))
LISTEN  0       128     :::5000             :::*                   users:(("exe",pid=5908,fd=7))
LISTEN  0       128     :::22               :::*                   users:(("sshd",pid=1355,fd=4))
LISTEN  0       100     ::1:25              :::*                   users:(("master",pid=2214,fd=14))

Two things are worth noticing in this listing. A process named "exe" listening on every IPv6 address on port 5000 is the kind of entry to check (ls -l /proc/5908/exe shows the binary behind it). The postfix master, on the other hand, listens only on loopback (127.0.0.1 and ::1), which is how a service that is not meant to be reachable from the network should look.

Option -l shows only listening sockets

[root@centos7 ~]# ss -lt | column -t
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     *:ssh               *:*
LISTEN  0       100     127.0.0.1:smtp      *:*
LISTEN  0       128     :::commplex-main    :::*
LISTEN  0       128     :::ssh              :::*
LISTEN  0       100     ::1:smtp            :::*

(commplex-main is the /etc/services name for port 5000; add -n to see port numbers instead.)

Option -s shows a summary

[root@centos7 ~]# ss -s
Total: 270 (kernel 575)
TCP:   8 (estab 1, closed 1, orphaned 0, synrecv 0, timewait 0/0), ports 0

Transport Total     IP        IPv6
*         575       -         -
RAW       2         0         2
UDP       0         0         0
TCP       7         3         4
INET      9         3         6
FRAG      0         0         0

Sockets can also be filtered with state STATE-FILTER [EXPRESSION].

For example, show established connections with source or destination port 8080:

ss state established '( dport = :8080 or sport = :8080 )'

Or show http/https connections in state fin-wait-1 to the network 193.233.7/24:

ss state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24

The parentheses must be quoted (or escaped) so that the shell does not interpret them.
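As an added example (not from the original article), here is how a practitioner typically post-processes the ss -antp listing shown above: one function lists every listener bound to a wildcard address together with its process and pid (the ports actually reachable from the network), the other counts established sessions per peer address. The sample listing is constructed to match the article's output; the peer ports 49152 and 51702 and the third ESTAB line are invented.

```sh
#!/bin/sh
# Added example, not part of the original article: two audits over the text
# printed by `ss -antp`. The sample below is constructed; on a real host pipe
# `ss -antp` (as root, so -p can see every process) into the functions.

# Print "port process pid" for every LISTEN socket bound to a wildcard address
# (*, 0.0.0.0, :: or [::], depending on the ss version). These are the ports
# reachable from the network; loopback-only listeners are skipped.
# Usage: ss -antp | ss_exposed_listeners
ss_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }
        {
            port = $4; sub(/.*:/, "", port)                       # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)   # everything before it
            if (addr != "*" && addr != "0.0.0.0" && addr != "::" && addr != "[::]") next
            proc = "-"; pid = "-"
            if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
                u = substr($0, RSTART, RLENGTH)
                proc = u; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
                pid = u;  sub(/.*pid=/, "", pid)
            }
            print port, proc, pid
        }
    ' | sort -n | uniq
}

# Count ESTAB connections per peer address (port stripped), busiest first.
# One address holding dozens of sessions to a single service deserves a look.
# Usage: ss -antp | ss_peers_by_count
ss_peers_by_count() {
    awk '$1 == "ESTAB" { p = $5; sub(/:[0-9]+$/, "", p); c[p]++ }
         END { for (p in c) print c[p], p }' | sort -rn
}

# Constructed sample in the shape of the article's `ss -antp` output.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*                  users:(("sshd",pid=1355,fd=3))
LISTEN 0      100    127.0.0.1:25       *:*                  users:(("master",pid=2214,fd=13))
ESTAB  0      0      10.0.1.254:22      192.168.78.141:49152 users:(("sshd",pid=18294,fd=3))
ESTAB  0      52     10.0.1.254:22      192.168.78.178:51667 users:(("sshd",pid=18433,fd=3))
ESTAB  0      0      10.0.1.254:22      192.168.78.178:51702 users:(("sshd",pid=18501,fd=3))
LISTEN 0      128    :::5000            :::*                 users:(("exe",pid=5908,fd=7))
LISTEN 0      128    :::22              :::*                 users:(("sshd",pid=1355,fd=4))
LISTEN 0      100    ::1:25             :::*                 users:(("master",pid=2214,fd=14))'

# Demo on the sample (a real run would pipe `ss -antp` instead).
printf '%s\n' "$SAMPLE_SS" | ss_exposed_listeners
printf '%s\n' "$SAMPLE_SS" | ss_peers_by_count
```

Run against the sample, the first function reports only ports 22 (sshd) and 5000 (exe); the smtp listener on 127.0.0.1 and ::1 is correctly left out. Save the output of ss_exposed_listeners from a freshly built host and diff it against later runs: a new line is either a deliberate change or a finding.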

3. journalctl

journalctl [OPTIONS...] [MATCHES...]

On systemd-based systems the journal (systemd-journald) takes over logging from the classic syslog service. Its advantages are not discussed here; let us go straight to how it is used.

The journal daemon is configured in /etc/systemd/journald.conf. With the default configuration the journal is kept in /run/log/journal, which is a tmpfs (in memory), so it does not survive a reboot. It can be flushed to the on-disk location /var/log/journal with journalctl --flush, but only if that directory exists: create it with mkdir -p /var/log/journal (then systemd-tmpfiles --create --prefix /var/log/journal to set the expected ownership), or set Storage=persistent in journald.conf. For any host whose logs may be needed in an incident investigation, persistent storage is the setting you want; a volatile journal is gone the moment an attacker, or an administrator, reboots the machine.

The journal service starts at boot and by default records kernel and application messages from boot until shutdown.

# check service status
[root@centos7 ~]# systemctl status -l systemd-journald
● systemd-journald.service - Journal Service
   Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2016-12-20 11:15:22 CST; 1 weeks 0 days ago
     Docs: man:systemd-journald.service(8)
           man:journald.conf(5)
 Main PID: 539 (systemd-journal)
   Status: "Processing requests..."
   CGroup: /system.slice/systemd-journald.service
           └─539 /usr/lib/systemd/systemd-journald

Dec 20 11:15:22 centos7 systemd-journal: Runtime journal is using 8.0M (max allowed 391.1M, trying to leave 586.7M free of 3.8G available → current limit 391.1M).
Dec 20 11:15:22 centos7 systemd-journal: Journal started
Dec 20 11:15:22 centos7 systemd-journal: Runtime journal is using 8.0M (max allowed 391.1M, trying to leave 586.7M free of 3.8G available → current limit 391.1M).

With no options, journalctl pages through all logs of the system (from this boot up to now).

Option -k shows only kernel messages

Option -u UNIT shows only the log of the service unit UNIT

# for example the ping252.timer and ping252.service units configured in the previous article
[root@centos7 ~]# journalctl -u ping252.timer
-- Logs begin at Tue 2016-12-20 11:15:19 CST, end at Tue 2016-12-27 20:39:54 CST. --
Dec 23 14:27:26 centos7 systemd[1]: Started ping 252 every 30s.
Dec 23 14:27:26 centos7 systemd[1]: Starting ping 252 every 30s.
Dec 23 14:36:57 centos7 systemd[1]: Stopped ping 252 every 30s.
....
[root@centos7 ~]# journalctl -u ping252
-- Logs begin at Tue 2016-12-20 11:15:19 CST, end at Tue 2016-12-27 20:41:34 CST. --
Dec 23 14:28:28 centos7 systemd[1]: Started ping 252.
Dec 23 14:28:28 centos7 systemd[1]: Starting ping 252.
Dec 23 14:28:28 centos7 systemd[11428]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error
Dec 23 14:28:28 centos7 systemd[1]: ping252.service: main process exited, code=exited, status=203/EXEC
Dec 23 14:28:28 centos7 systemd[1]: Unit ping252.service entered failed state.
Dec 23 14:28:28 centos7 systemd[1]: ping252.service failed.
Dec 23 14:29:03 centos7 systemd[1]: Started ping 252.
....

(status=203/EXEC together with "Exec format error" means systemd could not execute the script at all, typically because it lacks a #! interpreter line so execve() fails with ENOEXEC; it is not a failure inside the script's own logic.)

Option -r prints the log in reverse order (newest entries first)

Option -n N prints only the last N lines

[root@centos7 ~]# journalctl -n 5 -u ping252
-- Logs begin at Tue 2016-12-20 11:15:19 CST, end at Tue 2016-12-27 20:48:54 CST. --
Dec 23 17:27:12 centos7 systemd[1]: Starting 252.
Dec 23 17:29:12 centos7 systemd[1]: Started 252.
Dec 23 17:29:12 centos7 systemd[1]: Starting 252.
Dec 23 17:31:12 centos7 systemd[1]: Started 252.
Dec 23 17:31:12 centos7 systemd[1]: Starting 252.

Option -f prints the last 10 lines and then keeps waiting for new entries (like tail -f)

Option -p N filters by priority, showing entries at level N or more severe, where N can be:

0 emerg
1 alert
2 crit
3 err
4 warning
5 notice
6 info
7 debug

For example:

[root@centos7 ~]# journalctl -u ping252 -p 3
-- Logs begin at Tue 2016-12-20 11:15:19 CST, end at Tue 2016-12-27 21:13:34 CST. --
Dec 23 14:28:28 centos7 systemd[11428]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error
Dec 23 14:29:03 centos7 systemd[11442]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error
Dec 23 14:30:32 centos7 systemd[11452]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error

The options --since= and --until= select entries newer than (--since=) or older than (--until=) the given time; the time syntax is the one described for systemd.timer in the previous article (words such as "now" and "yesterday" are also accepted):

[root@centos7 ~]# journalctl -u ping252 --since "2016-12-20 11:15:19" --until "now" -p 3
-- Logs begin at Tue 2016-12-20 11:15:19 CST, end at Tue 2016-12-27 21:37:14 CST. --
Dec 23 14:28:28 centos7 systemd[11428]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error
Dec 23 14:29:03 centos7 systemd[11442]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error
Dec 23 14:30:32 centos7 systemd[11452]: Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error

Option --disk-usage shows how much disk the journal files take

[root@centos7 ~]# journalctl --disk-usage
Archived and active journals take up 104.8M on disk.

Option --vacuum-size= removes archived journal files until the total is below the given size (suffixes K, M, G, T).

Option --vacuum-time= removes archived journal files older than the given span (suffixes such as s, m, h, days, weeks, months, years).

[root@centos7 ~]# journalctl --vacuum-time="1 days"
Deleted archived journal /run/log/journal/9.2e.journal (48.0M).
Deleted archived journal /run/log/journal/9.a1.journal (48.8M).
Vacuuming done, freed 96.8M of archived journals on disk.

Both vacuum options only touch archived files, never the active journal, and they destroy evidence: on a host under investigation, copy the journal directory away (or save it with journalctl -o export > file) before vacuuming.

Option -o controls the output format and takes one of:

short            the default; one line per entry, similar to the traditional syslog format
short-iso        like short, but with an ISO 8601 timestamp
short-precise    like short, but the timestamp has microsecond precision
short-monotonic  like short, but the timestamp counts from kernel boot
short-unix       like short, but the timestamp is seconds since the UNIX epoch (1970-01-01 00:00:00 UTC), with microsecond precision
verbose          every field of every entry, in structured form
export           a binary (mostly text) serialisation suitable for backup and network transfer
json             one JSON object per line per entry
json-pretty      JSON with one field per line, easier for humans to read
json-sse         JSON wrapped for server-sent events
cat              only the message text, with no metadata (not even the timestamp)
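As an added example (not from the original article), the script below post-processes journalctl -o json output without jq, the situation you are in when a journal has been exported from a host for analysis: it applies the -p priority numbering listed above to count entries per unit at or above a severity, and prints the messages of one unit with their priority names. The journal lines are constructed for the example (the ping252 lines mirror the article's, the sshd and firewalld lines are invented).

```sh
#!/bin/sh
# Added example, not part of the original article: post-process `journalctl -o json`
# output without jq. Shows the -p priority numbering and the json output format
# described above. The journal lines below are constructed for this example.

# Map a numeric journal priority (the N of journalctl -p N) to its syslog name.
jprio_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;;  7) echo debug ;;
        *) echo unknown ;;
    esac
}

# Extract one plain string field from a single-line JSON journal entry read on stdin.
# Good enough for PRIORITY, _SYSTEMD_UNIT and ordinary MESSAGE values; it does not
# unescape \" inside values, and journalctl emits non-UTF-8 MESSAGEs as byte arrays,
# which this ignores (use jq or python-systemd when that matters).
jfield() {
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Count entries at priority THRESHOLD (default 3 = err) or more severe, per unit,
# most affected unit first. Equivalent to `journalctl -p THRESHOLD` over the input.
# Usage: journalctl -o json | journal_errors_by_unit 3
journal_errors_by_unit() {
    awk -v max="${1:-3}" '
        {
            if (!match($0, /"PRIORITY":"[0-7]"/)) next
            prio = substr($0, RSTART + 12, 1)                 # the digit after "PRIORITY":"
            if (prio + 0 > max + 0) next                      # lower number = more severe
            unit = "(none)"
            if (match($0, /"_SYSTEMD_UNIT":"[^"]*"/))
                unit = substr($0, RSTART + 17, RLENGTH - 18)  # value between the quotes
            cnt[unit]++
        }
        END { for (u in cnt) print cnt[u], u }
    ' | sort -rn
}

# Print "priority-name: MESSAGE" for every entry of one unit, in input order.
# Usage: journalctl -o json | journal_unit_messages ping252.service
journal_unit_messages() {
    grep "\"_SYSTEMD_UNIT\":\"$1\"" | while IFS= read -r line; do
        p=$(printf '%s\n' "$line" | jfield PRIORITY)
        m=$(printf '%s\n' "$line" | jfield MESSAGE)
        printf '%s: %s\n' "$(jprio_name "$p")" "$m"
    done
}

# Constructed sample in the shape of `journalctl -o json` (one object per line,
# only the fields used here; real entries carry many more).
SAMPLE_JOURNAL='{"__REALTIME_TIMESTAMP":"1482474508000000","PRIORITY":"6","_SYSTEMD_UNIT":"ping252.service","MESSAGE":"Started ping 252."}
{"__REALTIME_TIMESTAMP":"1482474508100000","PRIORITY":"3","_SYSTEMD_UNIT":"ping252.service","MESSAGE":"Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error"}
{"__REALTIME_TIMESTAMP":"1482474520000000","PRIORITY":"4","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"Failed password for invalid user admin from 10.0.1.104 port 40000 ssh2"}
{"__REALTIME_TIMESTAMP":"1482474543000000","PRIORITY":"3","_SYSTEMD_UNIT":"ping252.service","MESSAGE":"Failed at step EXEC spawning /root/temp/ping252.sh: Exec format error"}
{"__REALTIME_TIMESTAMP":"1482474600000000","PRIORITY":"2","_SYSTEMD_UNIT":"firewalld.service","MESSAGE":"ERROR: COMMAND_FAILED"}'

# Demo on the sample (a real run would pipe `journalctl -o json` instead).
printf '%s\n' "$SAMPLE_JOURNAL" | journal_errors_by_unit 3
printf '%s\n' "$SAMPLE_JOURNAL" | journal_unit_messages ping252.service
```

On the live host the same result comes straight from journalctl -u ping252.service -p 3; the value of the script is that it works on a file exported with journalctl -o json > journal.json and copied elsewhere, with no journal or jq present. Remember that the PRIORITY scale is inverted: -p 3 means "3 and lower", i.e. err, crit, alert and emerg.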

4. firewall-cmd

Like iptables, firewalld implements packet filtering on top of the kernel's netfilter. Its advantage over raw iptables is that rules can be changed individually at run time without reloading the whole rule set, and its interface is friendlier: most tasks can be done without knowing netfilter internals. It is still netfilter underneath (on CentOS 7 firewalld drives iptables; newer releases use nftables), so anything firewalld cannot express can be added through its direct interface, described below.

firewalld runs as a daemon; check the service status with:

[root@idc-v-71252 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-12-14 14:07:04 CST; 1 weeks 4 days ago
 Main PID: 898 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─898 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Dec 14 14:07:03 centos7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 14 14:07:04 centos7 systemd[1]: Started firewalld - dynamic firewall daemon.

or with firewall-cmd itself:

[root@centos7 ~]# firewall-cmd --state
running
[root@centos7 ~]#

firewalld's configuration files are XML (except the main configuration file firewalld.conf) and live in two places:

1. /etc/firewalld

2. /usr/lib/firewalld

When firewalld needs a file it looks in /etc/firewalld first and uses the file if it is there; otherwise it falls back to /usr/lib/firewalld. Do not edit the files under /usr/lib/firewalld (they belong to the package and are overwritten on update). Instead, copy the file from /usr/lib/firewalld to the corresponding directory under /etc/firewalld and edit the copy; restoring the defaults is then just a matter of deleting the file in /etc/firewalld.

firewalld introduces two concepts: service and zone.

Service-to-port mappings are defined in the service configuration files (under /usr/lib/firewalld/services), so rules can refer to a service name instead of a port number, much as DNS maps names to addresses.

By default firewalld ships nine zone files in /usr/lib/firewalld/zones:

[root@centos7 ~]# ls /usr/lib/firewalld/zones
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  public.xml  trusted.xml  work.xml

Each file defines a set of rules. firewalld decides which zone's rules apply to a packet by checking, in this order:

1. the source address of the packet (source bindings)

2. the interface the packet arrived on (interface bindings)

3. the default zone (DefaultZone in /etc/firewalld/firewalld.conf)

The three are tried in decreasing priority: if a source binding matches, interface bindings are not consulted, and the default zone is used only when neither of the first two matches.
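To make the precedence concrete, here is an added example (a model written for this article, not firewalld's own code) that resolves the zone for a packet from a given source address arriving on a given interface, using constructed source and interface bindings. One assumption the model makes beyond the text: when several source prefixes match, the most specific (longest) prefix wins.

```sh
#!/bin/sh
# Added example, not firewalld's own code: a small model of how firewalld chooses
# the zone for an incoming packet, in the order the article gives:
#   1. a zone with a matching source binding,
#   2. otherwise the zone the receiving interface is bound to,
#   3. otherwise the default zone (DefaultZone in firewalld.conf).
# Assumption made by this model: when several source prefixes match, the most
# specific (longest) prefix wins. Bindings and probe addresses are constructed.

DEFAULT_ZONE=public
# "zone cidr" per line, as you would collect from --list-sources per zone
SOURCES='trusted 10.0.1.0/24
drop 192.168.0.0/16
internal 192.168.10.0/24'
# "zone interface" per line, as you would collect from --list-interfaces per zone
INTERFACES='public ens33
internal ens32'

# resolve_zone IP INTERFACE -> prints the zone that would handle the packet
resolve_zone() {
    SOURCES="$SOURCES" INTERFACES="$INTERFACES" DEFAULT_ZONE="$DEFAULT_ZONE" \
    awk -v ip="$1" -v iface="$2" '
        function ip2int(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # prefix length of "net/bits" (a bare address counts as /32)
        function bits_of(cidr,   p) { return (split(cidr, p, "/") == 2) ? p[2] + 0 : 32 }
        function in_cidr(addr, cidr,   p, size, base) {
            split(cidr, p, "/")
            size = 2 ^ (32 - bits_of(cidr))               # addresses covered by the prefix
            base = ip2int(p[1]) - (ip2int(p[1]) % size)   # network address
            return addr >= base && addr < base + size
        }
        BEGIN {
            a = ip2int(ip); best = ""; bestbits = -1
            # 1. source bindings, longest matching prefix wins
            n = split(ENVIRON["SOURCES"], lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") != 2) continue
                if (in_cidr(a, f[2]) && bits_of(f[2]) > bestbits) { best = f[1]; bestbits = bits_of(f[2]) }
            }
            if (best != "") { print best; exit }
            # 2. interface bindings
            n = split(ENVIRON["INTERFACES"], lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2 && f[2] == iface) { print f[1]; exit }
            # 3. default zone
            print ENVIRON["DEFAULT_ZONE"]
        }'
}

# Demo: packets from a few constructed sources arriving on ens33, ens32 and an unbound ens34.
for probe in "10.0.1.104 ens33" "192.168.10.7 ens33" "192.168.77.7 ens33" "172.20.71.253 ens32" "8.8.8.8 ens34"; do
    set -- $probe
    printf '%-15s on %-5s -> %s\n' "$1" "$2" "$(resolve_zone "$1" "$2")"
done
```

The point the demo makes is that an interface binding does not protect a host from a source binding: 192.168.77.7 arriving on ens33 lands in drop even though ens33 is bound to public, and 192.168.10.7 lands in internal because the /24 is more specific than the /16. On a real host ask firewalld itself: firewall-cmd --get-zone-of-source=ADDR, --get-zone-of-interface=IFACE, --get-active-zones and --get-default-zone.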

Zone

Content of public.xml:

[root@centos7 ~]# cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  ...
</zone>
[root@centos7 ~]#

The items that can be configured in a zone file are:

zone          the root element, used only in zone files. It takes two attributes: version, and target, the zone's default action, one of default, ACCEPT, %%REJECT%% or DROP (unset means default). According to this article, if target is not default the items other than source and interface are ignored and packets go straight to the target; in current firewalld releases the target is the action taken for packets that match none of the zone's other rules, so check the firewalld.zone man page of your version.
short         a short name for the zone
description   a longer description
interface     binds a local interface to this zone
source        binds one or more source addresses (or ranges) to this zone
service       allows a service (a named set of ports)
port          allows a port or port range directly, without defining a service
icmp-block    blocks ICMP messages of the given type
masquerade    enables IP masquerading (source NAT) for traffic leaving through this zone
forward-port  a port-forwarding rule
rule          a rich rule (see below)

Of the default zones, trusted has target ACCEPT, block has %%REJECT%% and drop has DROP. To use one, copy the file you need to /etc/firewalld/zones and configure the required sources or interfaces in the copy.

Configure source.

The format of a source entry in the zone XML is:

<source address="address[/mask]"/>

Note that a given source can be bound to only one zone. Also, after editing the XML file directly you must run firewall-cmd --reload for the change to take effect.

The same can be done with firewall-cmd. --permanent writes to the configuration file instead of the running firewall and needs --reload afterwards; without it the change is immediate but lost at the next reload or restart. --zone selects the zone, the default zone if omitted:

# list the source addresses bound to a zone
firewall-cmd [--permanent] [--zone=zone] --list-sources
# query whether a source is bound to the zone
firewall-cmd [--permanent] [--zone=zone] --query-source=source[/mask]
# bind a source to the zone (only once; binding it to a second zone fails)
firewall-cmd [--permanent] [--zone=zone] --add-source=source[/mask]
# move a source to another zone
firewall-cmd [--zone=zone] --change-source=source[/mask]
# remove the binding
firewall-cmd [--permanent] [--zone=zone] --remove-source=source[/mask]

For example, add the source 192.168.0.0/16 to the default zone:

[root@centos7 zones]# firewall-cmd --add-source=192.168.0.0/16
success
[root@centos7 zones]# firewall-cmd --list-sources
192.168.0.0/16
[root@centos7 zones]# firewall-cmd --remove-source=192.168.0.0/16
success
[root@centos7 zones]#

A practical workflow is to test a change at run time first and then persist exactly what is running with firewall-cmd --runtime-to-permanent, rather than typing it a second time with --permanent.

Configure interface.

As with source, an interface can be bound to only one zone. The format of an interface entry in the zone XML is:

<interface name="interface"/>

The binding can also be set in the interface's ifcfg-* file, which puts the interface in the given zone when the network service brings it up:

ZONE=public

Corresponding commands:

# list the interfaces bound to a zone
firewall-cmd [--permanent] [--zone=zone] --list-interfaces
# bind an interface to a zone
firewall-cmd [--permanent] [--zone=zone] --add-interface=interface
# move an interface to another zone
firewall-cmd [--zone=zone] --change-interface=interface
# query whether the interface is bound to the zone
firewall-cmd [--permanent] [--zone=zone] --query-interface=interface
# remove the binding
firewall-cmd [--permanent] [--zone=zone] --remove-interface=interface

For example, remove ens32 from the default zone:

[root@centos7 zones]# firewall-cmd --list-interfaces
ens32 ens33
[root@centos7 zones]# firewall-cmd --remove-interface=ens32
success
[root@centos7 zones]# firewall-cmd --list-interfaces
ens33
[root@centos7 zones]#

An interface bound to no zone falls under the default zone, so removing it from a zone is not the same as blocking it.

Configure service

The same service can be allowed in several zones.

Corresponding commands:

firewall-cmd [--permanent] [--zone=zone] --list-services
# --timeout=seconds makes the rule expire automatically; it cannot be combined with --permanent
firewall-cmd [--permanent] [--zone=zone] --add-service=service [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-service=service
firewall-cmd [--permanent] [--zone=zone] --query-service=service
# list all available services
firewall-cmd --get-services

For example, allow http in the default zone:

[root@centos7 zones]# firewall-cmd --add-service=http
success
[root@centos7 zones]# firewall-cmd --remove-service=http
success
[root@centos7 zones]#

Configure port.

Both the protocol and the port number must be given; a range is written with a hyphen.

Commands:

firewall-cmd [--permanent] [--zone=zone] --list-ports
firewall-cmd [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
firewall-cmd [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol

For example, open port 80/tcp for 10 seconds only:

[root@centos7 zones]# firewall-cmd --add-port=80/tcp --timeout=10
success
[root@centos7 zones]#

--timeout is handy when opening a port on a remote host for a one-off test: if you get it wrong, or forget about it, the hole closes by itself.

Configure icmp-block.

ICMP types to block are given by name:

# list all ICMP types
firewall-cmd --get-icmptypes
firewall-cmd [--permanent] [--zone=zone] --list-icmp-blocks
firewall-cmd [--permanent] [--zone=zone] --add-icmp-block=icmptype [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-icmp-block=icmptype
firewall-cmd [--permanent] [--zone=zone] --query-icmp-block=icmptype

For example, refuse ping:

[root@centos7 zones]# firewall-cmd --add-icmp-block=echo-request
success
# ping from another machine:
[root@idc-v-71252 ~]# ping 10.0.1.254
PING 10.0.1.254 (10.0.1.254) 56(84) bytes of data.
From 10.0.1.254 icmp_seq=1 Destination Host Prohibited
From 10.0.1.254 icmp_seq=2 Destination Host Prohibited
From 10.0.1.254 icmp_seq=3 Destination Host Prohibited
^C
# undo
[root@centos7 zones]# firewall-cmd --remove-icmp-block=echo-request
success
[root@centos7 zones]#

Note that an icmp-block rejects rather than drops: the "Destination Host Prohibited" replies tell the sender that the host is up and filtering. Blocking echo-request also breaks legitimate monitoring, and blocking ICMP wholesale breaks path MTU discovery (which relies on the fragmentation-needed type), so block only the types you have a reason to block.

Configure masquerade.

Masquerading is source NAT: packets forwarded out through the zone's interface are given the address of that interface as their source, so hosts behind this machine can reach other networks. Commands:

firewall-cmd [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-masquerade
firewall-cmd [--permanent] [--zone=zone] --query-masquerade

Enabling masquerade also turns on IP forwarding in the kernel, so only do it on a host that is meant to route.

Configure forward-port.

Commands, where FORWARD is port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]:

firewall-cmd [--permanent] [--zone=zone] --list-forward-ports
firewall-cmd [--permanent] [--zone=zone] --add-forward-port=FORWARD [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-forward-port=FORWARD
firewall-cmd [--permanent] [--zone=zone] --query-forward-port=FORWARD

For example, forward requests arriving on port 80 to port 8080 on this machine (to send them to another host instead, add :toaddr=address, which additionally requires masquerade to be enabled in the zone):

[root@centos7 zones]# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
success
[root@centos7 zones]# firewall-cmd --list-forward-ports
port=80:proto=tcp:toport=8080:toaddr=
[root@centos7 zones]# firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=8080
success
[root@centos7 zones]#

Configure rule.

A rule (rich rule) expresses a more complex condition. In the zone file it has the form:

<rule [family="ipv4|ipv6"]>
  [<source address="address[/mask]" [invert="True"]/>]
  [<destination address="address[/mask]" [invert="True"]/>]
  [<service name="string"/> | <port port="portid[-portid]" protocol="tcp|udp"/> | <protocol value="protocol"/> | <icmp-block name="icmptype"/> | <masquerade/> | <forward-port port="portid[-portid]" protocol="tcp|udp" [to-port="portid[-portid]"] [to-addr="address"]/>]
  [<log [prefix="prefix text"] [level="log level"]> [<limit value="rate/duration"/>] </log>]
  [<audit> [<limit value="rate/duration"/>] </audit>]
  [<accept/> | <reject [type="reject type"]/> | <drop/>]
</rule>

A rich rule corresponds roughly to one iptables rule.

Commands:

firewall-cmd [--permanent] [--zone=zone] --list-rich-rules
firewall-cmd [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=seconds]
firewall-cmd [--permanent] [--zone=zone] --remove-rich-rule='rule'
firewall-cmd [--permanent] [--zone=zone] --query-rich-rule='rule'

For example, drop http connections from 192.168.10.0/24:

[root@centos7 zones]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="http" drop'
success
[root@centos7 zones]# firewall-cmd --query-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="http" drop'
yes
[root@centos7 zones]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="http" drop'
success
[root@centos7 zones]#

Within a zone, rich rules are ordered by action: log rules first, then drop and reject rules, then accept rules. A drop rule like this one therefore takes effect even if the zone also allows the http service.

Service

The format of a service file is:

<service>
  [<short>short description</short>]
  [<description>description</description>]
  <port port="portid[-portid]" protocol="tcp|udp"/>
  [<module name="nf_conntrack_*"/>]
  [<destination ipv4="address[/mask]" ipv6="address[/mask]"/>]
</service>

The most important item is port, which ties the port to the service: a packet arriving on that port is treated as a request for the service, and the firewall looks up the zone's rules to decide whether to let it through.

A service may contain several port entries, and a single entry may be a port or a port range, e.g. port="80-85" covers ports 80 to 85.

destination restricts the service to the given destination addresses (IPv4 or IPv6, with an optional mask).

module names a netfilter connection-tracking helper module to load for the service.

firewall-cmd offers --new-service and --delete-service (both only with --permanent) for creating and deleting services, but editing the XML file directly is usually the easier way.

Direct

The direct interface passes rules straight to netfilter. Its configuration file is /etc/firewalld/direct.xml (written by hand or generated by the commands below), with this structure:

<direct>
  [<chain ipv="ipv4|ipv6|eb" table="table" chain="chain"/>]
  [<rule ipv="ipv4|ipv6|eb" table="table" chain="chain" priority="priority">args</rule>]
  [<passthrough ipv="ipv4|ipv6|eb">args</passthrough>]
</direct>

iptables rules can be written directly in this file, where:

ipv        the IP family: ipv4, ipv6, or eb for ebtables
table      the iptables table
chain      the iptables chain, which may be a custom one
priority   the order of the rules within a chain, like rule order in iptables; lower numbers come first
args       the rule itself, as iptables arguments (it may jump to a custom chain)

For example, define a chain called blacklist, send all packets from 192.168.1.0/24 and 192.168.5.0/24 to it, and have that chain first log (rate-limited to once a minute) with the prefix "blacklisted: " and then drop:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="blacklist"/>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
</direct>

Related commands:

firewall-cmd [--permanent] --direct --get-all-chains
firewall-cmd [--permanent] --direct --get-chains {ipv4|ipv6|eb} table
firewall-cmd [--permanent] --direct --add-chain {ipv4|ipv6|eb} table chain
firewall-cmd [--permanent] --direct --remove-chain {ipv4|ipv6|eb} table chain
firewall-cmd [--permanent] --direct --query-chain {ipv4|ipv6|eb} table chain
firewall-cmd [--permanent] --direct --get-all-rules
firewall-cmd [--permanent] --direct --get-rules {ipv4|ipv6|eb} table chain
firewall-cmd [--permanent] --direct --add-rule {ipv4|ipv6|eb} table chain priority args
firewall-cmd [--permanent] --direct --remove-rule {ipv4|ipv6|eb} table chain priority args
firewall-cmd [--permanent] --direct --remove-rules {ipv4|ipv6|eb} table chain
firewall-cmd [--permanent] --direct --query-rule {ipv4|ipv6|eb} table chain priority args
firewall-cmd --direct --passthrough {ipv4|ipv6|eb} args
firewall-cmd --permanent --direct --get-all-passthroughs
firewall-cmd --permanent --direct --get-passthroughs {ipv4|ipv6|eb}
firewall-cmd --permanent --direct --add-passthrough {ipv4|ipv6|eb} args
firewall-cmd --permanent --direct --remove-passthrough {ipv4|ipv6|eb} args
firewall-cmd --permanent --direct --query-passthrough {ipv4|ipv6|eb} args

The same example as commands:

firewall-cmd --permanent --direct --add-chain ipv4 raw blacklist
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 -s 192.168.1.0/24 -j blacklist
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 1 -s 192.168.5.0/24 -j blacklist
firewall-cmd --permanent --direct --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted: "
firewall-cmd --permanent --direct --add-rule ipv4 raw blacklist 1 -j DROP
# reload to apply
firewall-cmd --reload

Direct rules bypass the zone logic and do not appear in --list-all or --list-all-zones; only --direct --get-all-rules shows them. Document them, or an audit of the zones alone will miss them.

In production, if only root is supposed to manage the firewall, it is reasonable to restrict the permissions of firewall-cmd (a Python script) to root:

[root@centos7 ~]# ls -l /usr/bin/firewall-cmd
-rwxr-xr-x. 1 root root 62012 Nov 20  2015 /usr/bin/firewall-cmd
[root@centos7 ~]# file /usr/bin/firewall-cmd
/usr/bin/firewall-cmd: Python script, ASCII text executable
[root@centos7 ~]# chmod 750 /usr/bin/firewall-cmd

Keep in mind what this does and does not achieve. firewall-cmd is only a D-Bus client; firewalld authorises every request through polkit, so an unprivileged user is refused by the daemon whether or not they can run the script (and they could just as well copy it, or talk to D-Bus directly). The mode change cuts casual use and noise; it is not what keeps non-root users from changing the rules. Note also that rpm -V firewalld will report the changed mode and a package update restores the original.

That is the whole of "Example Analysis of ip, ss, journalctl and firewall-cmd commands in Linux". Thank you for reading.
