Network related and firewall

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Linux network related

ifconfig: view the network card IP (install it with yum install net-tools)

Bring a network card up or down: ifup ens33 / ifdown ens33

Set up the virtual network card eth0:0

[root@mingming ~]# cd /etc/sysconfig/network-scripts/
[root@mingming network-scripts]# ls
ifcfg-eth0   ifdown-post   ifup-eth     ifup-routes
ifcfg-lo     ifdown-ppp    ifup-ippp    ifup-sit
ifdown       ifdown-routes ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-sit    ifup-isdn    ifup-wireless
ifdown-eth   ifdown-tunnel ifup-plip    init.ipv6-global
ifdown-ippp  ifup          ifup-plusb   net.hotplug
ifdown-ipv6  ifup-aliases  ifup-post    network-functions
ifdown-isdn  ifup-bnep     ifup-ppp     network-functions-ipv6
[root@mingming network-scripts]# cp ifcfg-eth0 ifcfg-eth0\:0
[root@mingming network-scripts]# vim ifcfg-eth0:0
DEVICE=eth0:0
HWADDR=00:0C:29:0F:AD:09
TYPE=Ethernet
UUID=aa6b2038-bad7-4480-87ee-e462f8c6db6b
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.23.133
NETMASK=255.255.255.0
GATEWAY=192.168.23.2

In the copied file, change these two lines (DEVICE=eth0:0 and IPADDR=192.168.23.133), then restart the network card: ifdown eth0 && ifup eth0

mii-tool ens33 checks whether the network card has a link.

ethtool ens33 can also check whether the network card has a link.

Change the hostname: hostnamectl set-hostname aminglinux

DNS configuration file: /etc/resolv.conf

/etc/hosts file

Firewalld and netfilter

Linux Firewall - netfilter

Temporarily turn off SELinux: setenforce 0

Permanently turn off SELinux: vi /etc/selinux/config

Before CentOS 7, the netfilter firewall (iptables) was used.

CentOS 7 starts using the firewalld firewall.

Turn off firewalld and enable the netfilter (iptables) method:

systemctl stop firewalld
systemctl disable firewalld
yum install -y iptables-services
systemctl enable iptables
systemctl start iptables

Linux Firewall - the 5 tables of netfilter

The filter table is used to filter packets. It is the most commonly used table and has three chains: INPUT, FORWARD and OUTPUT.

INPUT: the chain for packets coming in to the local machine

FORWARD: packets that arrive at the machine but are not destined for it (they do not go up into the local kernel stack) are forwarded out

OUTPUT: the chain for packets generated by the local machine going out

The nat table is used for network address translation and has three chains: PREROUTING, OUTPUT and POSTROUTING.

PREROUTING: change packets as they come in

POSTROUTING: change packets as they go out

Packet flow through the 5 chains of netfilter

PREROUTING: before the packet enters the routing table

INPUT: after the routing table, when the destination is the local machine

FORWARD: after the routing table, when the destination is not the local machine

OUTPUT: generated by this machine and sent out

POSTROUTING: before the packet is handed to the NIC interface

The mangle table is used to mark packets; it is almost never used.

The raw table exempts certain packets from connection tracking; A Ming never uses it.

The security table does not exist in CentOS 6. It is for network rules under mandatory access control (MAC) and has not been used by A Ming.

Reference article http://www.cnblogs.com/metoy/p/4320813.html

Linux Firewall - netfilter

The default rules file is /etc/sysconfig/iptables

View iptables rules: iptables -nvL

iptables -F  flush (clear) all rules

service iptables save  save the rules

iptables -t nat  // -t specifies the table

iptables -Z  zero the packet and byte counters

iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

-A append a rule (to the end of the chain)

INPUT: the INPUT chain

-s source IP

-p: specify the protocol

--sport: specify the source port

-d specify the destination IP

--dport destination port

-j the handling method (target): DROP discards the packet silently, REJECT rejects it with a reply, ACCEPT accepts it

iptables -I/-A/-D INPUT -s 1.1.1.1 -j DROP

-I insert a rule (at the top of the chain)

-D delete a rule

iptables -I INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT

-i specify the network interface (card)

iptables -nvL --line-numbers

Print the sequence number of each rule

iptables -D INPUT 1

Delete the rule with sequence number 1

iptables -P INPUT DROP

-P change the default policy, which applies when no rule matches

Linux Firewall - netfilter

Small iptables case

vi /usr/local/sbin/iptables.sh // add the following

#!/bin/bash
ipt="/usr/sbin/iptables"
# flush existing rules, then set the default policies
$ipt -F
$ipt -P INPUT DROP        # anything not matched by a rule below is discarded
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# keep reply traffic of existing connections (including the current ssh session)
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh only from the 192.168.133.0/24 network; web and ftp from anywhere
$ipt -A INPUT -s 192.168.133.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

icmp example

iptables -I INPUT -p icmp --icmp-type 8 -j DROP // drops incoming echo requests (type 8), so the machine no longer answers ping
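The order of the rules above decides the verdict: the icmp rule added with -I sits at the head of the INPUT chain, the -A rules of iptables.sh follow in script order, and the DROP policy catches whatever nothing matched. The following POSIX sh script is an added example, not part of the original notes and not something from the course: it re-encodes those rules as plain text and walks constructed packets through them with netfilter's first-match semantics, including CIDR matching for the 192.168.133.0/24 rule and the RELATED,ESTABLISHED state rule. The rule text format, the packet fields and the sample packets are assumptions made for this example; nothing here runs iptables or touches the kernel.

```shell
#!/bin/sh
# Added example (not from the original notes): simulate the INPUT chain built by
# iptables.sh above, plus the icmp rule inserted with -I, using netfilter's
# first-match semantics. Nothing here calls iptables or touches the kernel.
#
# Rule format (constructed for this example), one rule per line:
#   <proto> <source cidr|host|any> <dport|icmp-type|any> <state list|any> <target>
# Order matters: "-I" put the icmp rule at the head of the chain, "-A" appended
# the others in script order. Anything unmatched falls through to the chain policy.
RULES='icmp any 8 any DROP
any any any RELATED,ESTABLISHED ACCEPT
tcp 192.168.133.0/24 22 any ACCEPT
tcp any 80 any ACCEPT
tcp any 21 any ACCEPT'
POLICY=DROP   # -P INPUT DROP

# ip2int <dotted quad>: IPv4 address as a 32-bit integer (for CIDR arithmetic)
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# cidr_match <ip> <cidr|host|any>: succeed if ip lies inside the network
cidr_match() {
    [ "$2" = any ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32              # plain host address, no /prefix
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    a=$(ip2int "$1"); n=$(ip2int "$net")
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# state_match <packet state> <rule state list|any>: succeed if the rule covers it
state_match() {
    [ "$2" = any ] && return 0
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# evaluate <proto> <src ip> <dport or icmp type> <state>: print the verdict.
# Rules are tried top to bottom; the first match decides, else the policy applies.
evaluate() {
    p_proto=$1; p_src=$2; p_port=$3; p_state=$4
    verdict=$(printf '%s\n' "$RULES" | while read -r r_proto r_src r_port r_state r_target; do
        [ "$r_proto" = any ] || [ "$r_proto" = "$p_proto" ] || continue
        cidr_match "$p_src" "$r_src" || continue
        [ "$r_port" = any ] || [ "$r_port" = "$p_port" ] || continue
        state_match "$p_state" "$r_state" || continue
        echo "$r_target"        # first matching rule decides
        break
    done)
    if [ -n "$verdict" ]; then echo "$verdict"; else echo "$POLICY"; fi
}

# Walk a few constructed packets through the chain
for pkt in "tcp 192.168.133.5 22 NEW" "tcp 10.0.0.5 22 NEW" "tcp 10.0.0.5 80 NEW" \
           "tcp 10.0.0.5 3306 ESTABLISHED" "icmp 192.168.133.5 8 NEW" "udp 10.0.0.5 53 NEW"; do
    echo "$pkt -> $(evaluate $pkt)"
done
```

Two things the walk makes visible: ssh from outside 192.168.133.0/24 is dropped by the policy, not by any explicit rule, and the ping drop inserted with -I applies even to hosts on the trusted network because it sits above every ACCEPT rule.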

Linux Firewall - netfilter

Application of the nat table

Machine A has two network cards, eth0 (192.168.23.135) and eth2 (192.168.100.1). eth0 can reach the external network; eth2 is on the internal network only. Machine B has only eth2 (192.168.100.100), which can communicate with eth2 of machine A.

Adding the internal network: 1. add a network card; 2. set its IP: ifconfig eth2 192.168.100.1

Requirement 1: machine B can reach the external network

Enable route forwarding on machine A: echo "1" > /proc/sys/net/ipv4/ip_forward

On A, execute: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE

On B, set the gateway to 192.168.100.1: route add default gw 192.168.100.1

route -n to view the routing table

Requirement 2: machine C can only communicate with A; make it possible for C to connect directly to port 22 of machine B.

Enable route forwarding on A: echo "1" > /proc/sys/net/ipv4/ip_forward

On A, execute: iptables -t nat -A PREROUTING -d 192.168.23.135 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 (port 1122 on A is mapped to port 22 on B)

On A, execute: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.23.135

On B, set the gateway to 192.168.100.1

Save and back up iptables rules

service iptables save // saves the rules to /etc/sysconfig/iptables

Back up the iptables rules to the file my.ipt: iptables-save > my.ipt

Restore the rules just backed up: iptables-restore < my.ipt

Linux Firewall - firewalld

The 9 zones of firewalld

Enable firewalld:

systemctl disable iptables
systemctl stop iptables
systemctl enable firewalld
systemctl start firewalld

Firewalld has 9 zones by default:

drop (discard): any incoming packet is discarded with no reply; only outgoing network connections are allowed.

block (restricted): any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.

public (public): for use in public areas; you cannot trust the other computers on the network not to harm your computer, so only selected incoming connections are accepted.

external (external): for external networks with masquerading enabled, especially on routers; you cannot trust the other computers on the network not to harm your computer, so only selected incoming connections are accepted.

dmz (demilitarized zone): for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.

work (work): for work areas; you can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home (home): for home networks; you can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

internal (internal): for internal networks; you can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

trusted (trusted): all network connections are accepted.

The default zone is public

firewall-cmd --get-zones // view all zones

firewall-cmd --get-default-zone // view the default zone

Firewalld operations on zones

firewall-cmd --set-default-zone=work // set the default zone

firewall-cmd --get-zone-of-interface=ens33 // check the zone of the specified network card

firewall-cmd --zone=public --add-interface=lo // assign the specified network card to a zone

firewall-cmd --zone=dmz --change-interface=lo // change the zone of a network card

firewall-cmd --zone=dmz --remove-interface=lo // remove a network card from a zone

firewall-cmd --get-active-zones // view the zones of all network cards in the system

Firewalld operations on services

firewall-cmd --get-services // view all services

firewall-cmd --list-services // view which services are allowed in the current zone

firewall-cmd --zone=public --add-service=http // add http to the public zone

firewall-cmd --zone=public --remove-service=http // remove http from the public zone

ls /usr/lib/firewalld/zones/ // configuration file templates for the zones

firewall-cmd --zone=public --add-service=http --permanent // changes the configuration file, which is then generated under the /etc/firewalld/zones directory

Requirement: the ftp service uses the custom port 1121, and ftp needs to be allowed in the work zone

cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

vi /etc/firewalld/services/ftp.xml // change 21 to 1121

cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

vi /etc/firewalld/zones/work.xml // add a line

firewall-cmd --reload // reload

firewall-cmd --zone=work --list-services
