Software firewall iptables under Linux – defining and deleting rules – Linux operation and maintenance
The iptables firewall, and how to view and clear its rules, was introduced in a previous article. Today I demonstrate how to write firewall rules. Since everyday work mostly means rules for the filter table, the filter table is used for the demonstration.

Preparation: before writing rules, stop the firewalld service, start the iptables service, and clear the existing rules:

# systemctl stop firewalld
# systemctl start iptables
# iptables -F    (delete all rules in every chain)
# iptables -X    (delete user-defined chains)
# iptables -Z    (zero the packet and byte counters)

Adding rules to a chain: there are many options; the basic usage is:

iptables [-t table] -A|I chain [-i|o interface] [-m state] [--state packet-state] \
> [-p protocol] [-s source-address --sport port-range] [-d destination-address --dport port-range] \
> -j [ACCEPT|DROP|REJECT]

Options and parameters: -A|I chain: A appends the rule after the existing rules, I inserts it at the front. -i|o interface: i is the interface the packet arrives on and is only meaningful in the INPUT, FORWARD and PREROUTING chains; o indicates the…
Software firewall iptables under Linux – setting nat table rules – Linux operation and maintenance
Besides the filter table, which is used most, iptables occasionally needs the nat table. NAT is network address translation: rewriting the source IP address or the destination IP address of a packet. Consider the path, in terms of tables and chains, of a simple packet that passes through this host on its way to a back-end host:
1. The PREROUTING chain of the nat table
2. The routing decision: is the packet addressed to this machine? If not, continue with the next step
3. The FORWARD chain of the filter table
4. The POSTROUTING chain of the nat table, after which the packet is sent out
The first and the last step are the NAT steps, i.e. the PREROUTING and POSTROUTING chains. The PREROUTING chain rewrites the destination IP, called DNAT; the POSTROUTING chain rewrites the source IP, called SNAT. So which scenarios need DNAT, and what is SNAT commonly used for? The most common use of DNAT is to map a port of an internal-network host to the external network so that other users can reach it. In this way, the security of the internal network…
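The two NAT cases above as iptables rules, together with the filter FORWARD rules and the ip_forward setting that a packet following steps 1 to 4 also depends on. This is an added example, not code from the article: the interface eth0, the network 192.168.1.0/24, the host 192.168.1.10 and the port numbers are placeholders, and DRY_RUN=1 (the default) prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not part of the article): SNAT for an internal network going
# out, DNAT publishing an internal web server, and the FORWARD/ip_forward
# settings both depend on. Addresses and interface names are placeholders.
# DRY_RUN=1 (default) prints every command; run as root with DRY_RUN=0 to apply.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-eth0}                 # interface facing the outside world
LAN_NET=${LAN_NET:-192.168.1.0/24}     # internal network behind this box
WEB_HOST=${WEB_HOST:-192.168.1.10}     # internal host to publish

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# snat_masquerade: hosts in LAN_NET reach the outside through this box.
snat_masquerade() {
  # without this the kernel never routes a packet from one interface to another
  run sysctl -w net.ipv4.ip_forward=1
  # step 4, POSTROUTING: rewrite the source address to WAN_IF's address.
  # MASQUERADE looks the address up at run time; with a static WAN address
  # "-j SNAT --to-source A.B.C.D" does the same with less overhead.
  run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  # step 3, filter/FORWARD: let the outbound traffic and only the replies through
  run "$IPT" -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
  run "$IPT" -A FORWARD -d "$LAN_NET" -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# dnat_port_map EXT_PORT INT_PORT: publish WEB_HOST:INT_PORT as WAN_IF:EXT_PORT.
dnat_port_map() {
  ext=$1; int=$2
  # step 1, PREROUTING: rewrite the destination before the routing decision,
  # so that step 2 routes the packet to the internal host instead of to us
  run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" -j DNAT --to-destination "$WEB_HOST:$int"
  # step 3 sees the rewritten destination: open exactly this host and port,
  # nothing else on the internal network becomes reachable
  run "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_HOST" --dport "$int" -m state --state NEW,ESTABLISHED -j ACCEPT
}

router_rules() {
  # a box that forwards traffic should drop everything it was not told to forward
  run "$IPT" -P FORWARD DROP
  snat_masquerade
  dnat_port_map 8080 80
}

router_rules
```

The FORWARD rules are what makes DNAT safe: the nat table only rewrites addresses, so without a restrictive FORWARD policy every internal host, not just WEB_HOST, would be reachable once forwarding is enabled.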
Software firewall iptables under Linux – firewall design – Linux operation and maintenance
The previous articles introduced the tables and chains of iptables and how to add rules to a chain. Here I want to share a simple set of firewall rules, mainly for the INPUT chain of the filter table. This article is meant as a practical iptables rule set that helps consolidate what you have learned. The rules are as follows:

Clear existing rules: remove all of the original rules.
Default policy: set the INPUT chain of the filter table to DROP and the other chains to ACCEPT.
Trust this machine: the loopback interface lo must be trusted.
Reply packets: packets answering a connection this host initiated may enter (ESTABLISHED/RELATED).
Invalid packets: reject packets that belong to no known connection (INVALID).
Whitelist: trusted IP addresses or networks.
Blacklist: untrusted IP addresses or networks.
ICMP: let ICMP packets through.
Open ports: service ports that must be reachable from outside, such as 80, 443 and 22.

We are going to write 3 shell script files: iptables.rule, iptables.allow (whitelist), iptables.deny…
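The rule set described above as one script, using the -A/-i/-m state/--state/-p/--dport syntax from the rule-definition article earlier on this page. This is an added example, not the article's own iptables.rule: the file names iptables.allow and iptables.deny follow the article, while their one-address-per-line format, the DRY_RUN switch and the port list are assumptions made here.

```shell
#!/bin/sh
# Added example, not the article's iptables.rule: builds the INPUT-chain policy
# listed above. iptables.allow and iptables.deny are assumed to hold one IP
# address or CIDR block per line ('#' starts a comment). With DRY_RUN=1 (the
# default) the iptables commands are printed for review; run as root with
# DRY_RUN=0 to apply them.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}
ALLOW_FILE=${ALLOW_FILE:-./iptables.allow}
DENY_FILE=${DENY_FILE:-./iptables.deny}
OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-"22 80 443"}

ipt() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# read_list FILE: print the addresses in FILE, ignoring comments and blank lines
read_list() {
  [ -r "$1" ] || return 0
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

firewall_rules() {
  # 1. clear everything: rules, user-defined chains, counters
  ipt -F
  ipt -X
  ipt -Z
  # 2. default policies. Rules and policy are evaluated the same way whatever
  #    the order, so INPUT is set to DROP last (step 9): a fresh run that dies
  #    half way then leaves a chain that still accepts instead of one that
  #    locks out your own ssh session. (-F does not reset a policy, so on a
  #    re-run INPUT may already be DROP; step 4 restores your session quickly.)
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD ACCEPT
  # 3. trust the loopback interface
  ipt -A INPUT -i lo -j ACCEPT
  # 4. replies to connections this host opened
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 5. packets that belong to no tracked connection
  ipt -A INPUT -m state --state INVALID -j DROP
  # 6. whitelist, then blacklist, in the order the article lists them. The
  #    first matching rule wins, so an address present in both files is
  #    accepted; swap the two loops if deny should override allow.
  for addr in $(read_list "$ALLOW_FILE"); do
    ipt -A INPUT -s "$addr" -j ACCEPT
  done
  for addr in $(read_list "$DENY_FILE"); do
    ipt -A INPUT -s "$addr" -j DROP
  done
  # 7. icmp (ping, path MTU discovery)
  ipt -A INPUT -p icmp -j ACCEPT
  # 8. public service ports: only new connections need a rule, the replies
  #    are already covered by step 4
  for port in $OPEN_TCP_PORTS; do
    ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done
  # 9. everything else is dropped
  ipt -P INPUT DROP
}

firewall_rules
```

Review the printed rules (DRY_RUN=1) from a console session or with a scheduled rollback before applying them to a remote machine; a mistake in step 8 with port 22 missing is only recoverable from the console.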
Introduction to LVM under Linux – flexibly sizing file systems – Linux operation and maintenance
We often run into this situation: as the system runs, a partition is found to be running out of space and has to be enlarged. How? A common strategy is to add a new hard disk, partition and format it into a new usable partition, copy the contents of the old file system to the new partition, unmount the old partition (say the old file system is mounted at /www), mount the new partition at /www, and then copy the previous content into /www. Does the whole process feel troublesome? If the original file system is very large, tens or even hundreds of GB, it is a big job. On top of that, the old partition is left with no use for the time being, which is also a waste!

LVM introduction: LVM (logical volume management) exists to solve exactly this problem; it can scale the size of a file system very conveniently. For LVM, a few special terms need to be known: Physical Volume, PV for short: physical volume. Volume Group, referred…
Demonstration of building LVM under Linux – Linux operation and maintenance
The previous article introduced LVM, and today I demonstrate the process of building it. Building LVM takes the following steps: partition the disks; make PVs from the partitions; create a VG from the PVs; split an LV out of the VG; format the LV and mount it at a directory for use. Let's go through these steps.

Partitioning. First, look at the disk partitions:

# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0   40G  0 disk
├─sda1   8:1    0    2M  0 part
├─sda2   8:2    0    1G  0 part /boot
├─sda3   8:3    0    1G  0 part [SWAP]
├─sda4   8:4    0   10G  0 part /
└─sda5   8:5    0  100M  0 part
sdb      8:16   0    1G  0 disk
sdc      8:32   0    1G  0 disk
sdd      8:48   0    1G  0 disk
sde      8:64   0    1G  0 disk

As you can see, there are 5 disks on my host; apart from sda, the disks have not been partitioned yet, and sda still has free space. Now partition the other 4 disks as well, using fdisk or gdisk; the specific steps are omitted here. The information after partitioning is as follows: #…
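The steps above driven from the lsblk output instead of typed by hand, and the resize the previous entry motivates. This is an added example, not the article's own commands: empty_disks reads lsblk key="value" output and keeps only disks with no partition or other child device, no filesystem signature and no mountpoint, because pvcreate destroys whatever is on the device; lvm_plan emits the pvcreate/vgcreate/lvcreate/mkfs/mount sequence for them, and lvm_grow the lvextend that enlarges a mounted file system in place. Whole disks are used as PVs here (the article partitions them first), the sample lsblk output is constructed to mirror the listing above, and vg01, lv_www, 3G and /www are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: pick the disks that are safe to turn into
# physical volumes and emit the LVM commands for them. A disk is a candidate
# only if lsblk shows no child device (partition, LVM, RAID, crypt), no
# filesystem signature and no mountpoint, since pvcreate wipes the device.
# With LSBLK_SAMPLE set, or no lsblk installed, the constructed sample below
# (same layout as the lsblk listing above) is used, so the block runs offline.

SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" FSTYPE="" MOUNTPOINT=""
NAME="sda2" TYPE="part" PKNAME="sda" FSTYPE="xfs" MOUNTPOINT="/boot"
NAME="sda3" TYPE="part" PKNAME="sda" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sda4" TYPE="part" PKNAME="sda" FSTYPE="xfs" MOUNTPOINT="/"
NAME="sda5" TYPE="part" PKNAME="sda" FSTYPE="" MOUNTPOINT=""
NAME="sdb" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sdc" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sdd" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""
NAME="sde" TYPE="disk" PKNAME="" FSTYPE="" MOUNTPOINT=""'

# empty_disks: read `lsblk -P -o NAME,TYPE,PKNAME,FSTYPE,MOUNTPOINT` on stdin
# and print the names of disks with nothing on them, sorted, one per line.
empty_disks() {
  awk '
    {
      name = ""; type = ""; pk = ""; fs = ""; mp = ""
      for (i = 1; i <= NF; i++) {
        eq  = index($i, "=")
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 2, length($i) - eq - 2)   # value without quotes
        if (key == "NAME") name = val
        else if (key == "TYPE") type = val
        else if (key == "PKNAME") pk = val
        else if (key == "FSTYPE") fs = val
        else if (key == "MOUNTPOINT") mp = val
      }
      if (type == "disk") { disks[name] = 1; if (fs != "" || mp != "") used[name] = 1 }
      if (pk != "") used[pk] = 1      # any child device means the parent is in use
    }
    END { for (d in disks) if (!(d in used)) print d }
  ' | sort
}

# lvm_plan VG LV SIZE MOUNTPOINT DISK...: commands that create the volume group
# on the given disks, carve one logical volume out of it, format and mount it.
lvm_plan() {
  vg=$1; lv=$2; size=$3; mnt=$4; shift 4
  [ $# -gt 0 ] || { echo "lvm_plan: no free disks" >&2; return 1; }
  devs=""
  for d in "$@"; do devs="$devs /dev/$d"; done
  echo "pvcreate$devs"
  echo "vgcreate $vg$devs"
  echo "lvcreate -n $lv -L $size $vg"
  echo "mkfs.xfs /dev/$vg/$lv"
  echo "mkdir -p $mnt && mount /dev/$vg/$lv $mnt"
}

# lvm_grow VG LV EXTRA [DISK...]: the operation LVM exists for. Any extra disks
# are added to the VG first; -r makes lvextend run the matching filesystem
# resize (xfs_growfs or resize2fs) while the volume stays mounted.
lvm_grow() {
  vg=$1; lv=$2; extra=$3; shift 3
  for d in "$@"; do echo "vgextend $vg /dev/$d"; done
  echo "lvextend -r -L +$extra /dev/$vg/$lv"
}

if [ -n "$LSBLK_SAMPLE" ] || ! command -v lsblk >/dev/null 2>&1; then
  free=$(printf '%s\n' "$SAMPLE_LSBLK" | empty_disks)
else
  free=$(lsblk -P -o NAME,TYPE,PKNAME,FSTYPE,MOUNTPOINT 2>/dev/null | empty_disks)
fi
# $free is deliberately unquoted: one disk name per word
if [ -n "$free" ]; then
  lvm_plan vg01 lv_www 3G /www $free
else
  echo "no empty disks found" >&2
fi
```

The FSTYPE test is what the tree-style lsblk output above does not show: a disk that carries a filesystem or an LVM2_member signature but is not mounted looks "empty" in the listing yet holds data, and pvcreate would refuse or, with -f, overwrite it.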
What is ssh and how does it encrypt information – Linux operation and maintenance
In the early days, remote connections to servers used software that transmitted in plaintext, such as telnet and rsh; these were later replaced by the SSH protocol. The SSH service encrypts information before transmitting it, which greatly improves security. SSH has two main functions: connecting to remote hosts and managing their resources, and transferring files, similar to an FTP service.

SSH encryption: SSH relies on asymmetric (public-key) cryptography. Readers who want the background on symmetric versus asymmetric encryption can look it up. Asymmetric encryption works with a key pair: information encrypted with the public key can only be decrypted with the matching private key. Public key: used to encrypt information sent to the other party's host, so your host's public key can be given to any host that wants to communicate with you. Private key: when a remote host sends information encrypted with your public key, your host decrypts it with its own private key. In SSH the key pairs identify the server (its host key) and, optionally, the user, and protect the negotiation of a session key; the session traffic itself is then encrypted with that symmetric session key. Remember, your private key must not be known to other hosts. The…
What the ssh service can do: logging in to remote hosts, sftp, and off-site backup of files – Linux operation and maintenance
Today I introduce several applications of ssh. Common ones are connecting to a remote server with ssh, transferring files with sftp, and making remote backups over ssh.

Connecting to a remote host. This is the most common use: connect to a remote server and then manage it. If your client is Windows you need to install a terminal tool such as Xshell to connect to the remote server; on Linux, terminal programs such as Terminator or tmux can be used, or the ssh command directly. Common usage:
Connect to a remote host: ssh [account@]IP [-p port]
Run a single command on the remote server without an interactive login: ssh [account@]IP [-p port] command; with -f added, ssh goes to the background after authentication, so the command runs remotely while your terminal stays free.

Let's demonstrate connecting to a remote server:

# ssh 121.196.12.64
The authenticity of host '121.196.12.64 (121.196.12.64)' can't be established.
ECDSA key fingerprint is SHA256:wx0RHE8fcCoad6YKw0Ex4NE+QjwRiTYxC2s2g/DqPUU.
ECDSA key fingerprint is MD5:43:2c:7a:12:24:1d:86:3a:b0:a0:b7:95:c2:cf:7b:ab.
Are you sure you want to continue connecting (yes/no)?

On the first connection you are asked whether to continue; type yes here. Before doing so, compare the fingerprint shown with one obtained another way (for example, ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on the server's console), because answering yes stores this host key in ~/.ssh/known_hosts and every later connection trusts it. After entering yes, you will be…
How to configure the ssh service so you can connect to a remote host without entering an account and password – Linux operation and maintenance
We know the ssh protocol lets you connect to a remote server by entering an account name and password. Can you log in without entering them? Yes, and the need is common in daily work. For example, if you use scp for remote backups and want to put scp into crontab, nobody can type the password there, so you need a login without one.

ssh is an asymmetric-cryptography protocol with a public and a private key; the public key is the half that may be shared. Every host records the host keys of the servers it has connected to in the known_hosts file under the .ssh directory of the user's home; for logging in without a password, the key that matters is the user's own public key. Suppose a server SERVER and a client CLIENT, and CLIENT wants to log in to SERVER without a password. Then append the client user's public key to the end of ~/.ssh/authorized_keys of the target account on SERVER. The two cases below show how to log in without a password: the client is a Windows system; the client is a Linux system. The client is…
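The Linux-client case above as a script, plus the check a practitioner runs when the key is installed but ssh still asks for a password. This is an added example, not the article's procedure: SERVER is a placeholder, ed25519 is the key type chosen here, and audit_ssh_dir encodes the permission rules sshd applies with its default StrictModes yes (home, ~/.ssh and authorized_keys must not be writable by group or others) and the ssh client applies to private keys (no permissions for anyone but the owner).

```shell
#!/bin/sh
# Added example, not from the article: set up password-less login from a Linux
# client and check the file modes that most often break it. sshd (StrictModes
# yes, the default) ignores authorized_keys when the home directory, ~/.ssh or
# the file itself is group/world writable; the ssh client ignores a private
# key that anyone but its owner can read. SERVER is a placeholder. Only the
# audit runs when this file is executed; setup_key_login is called by hand.

# group_or_world_writable MODE: MODE as printed by `stat -c %a` (755, 1777 ...)
group_or_world_writable() {
  m=$(printf '%03d' "$1")
  m=${m#"${m%??}"}                         # keep the group and other digits
  [ $(( ${m%?} & 2 )) -ne 0 ] || [ $(( ${m#?} & 2 )) -ne 0 ]
}

# audit_ssh_dir DIR: report what sshd or ssh would reject; 0 when all is well
audit_ssh_dir() {
  dir=$1; rc=0
  [ -d "$dir" ] || { echo "$dir: no such directory"; return 1; }
  for p in "$(dirname "$dir")" "$dir"; do      # home directory, then ~/.ssh
    mode=$(stat -c %a "$p")
    if group_or_world_writable "$mode"; then
      echo "$p: mode $mode is group/world writable; sshd will ignore the keys (want 700 for .ssh)"
      rc=1
    fi
  done
  if [ -e "$dir/authorized_keys" ]; then
    mode=$(stat -c %a "$dir/authorized_keys")
    if group_or_world_writable "$mode"; then
      echo "$dir/authorized_keys: mode $mode is group/world writable, want 600"
      rc=1
    fi
  fi
  for key in "$dir"/id_*; do
    [ -f "$key" ] || continue
    case $key in *.pub) continue ;; esac
    mode=$(stat -c %a "$key")
    case ${mode#"${mode%??}"} in
      00) ;;
      *) echo "$key: mode $mode, ssh ignores private keys readable by others (want 600)"; rc=1 ;;
    esac
  done
  return $rc
}

# setup_key_login [user@]SERVER: create an ed25519 key pair if none exists,
# install the public half in SERVER's ~/.ssh/authorized_keys and verify that a
# non-interactive login, which is what a crontab entry needs, now works.
setup_key_login() {
  server=$1
  # ssh-keygen asks for a passphrase; a key used from cron needs either an
  # empty passphrase (-N '') or an ssh-agent, so the 600 mode checked above is
  # the only thing protecting an unencrypted key.
  [ -f "$HOME/.ssh/id_ed25519" ] || ssh-keygen -t ed25519 -a 64 -f "$HOME/.ssh/id_ed25519"
  # ssh-copy-id appends the key and creates ~/.ssh on the server with safe
  # modes; the manual equivalent is
  #   ssh "$server" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_ed25519.pub
  ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$server"
  # BatchMode=yes fails instead of prompting, exactly as a cron job would
  ssh -o BatchMode=yes "$server" true && echo "key-based login to $server works"
  audit_ssh_dir "$HOME/.ssh"
}

[ -d "$HOME/.ssh" ] && audit_ssh_dir "$HOME/.ssh"
```

Run audit_ssh_dir on the server account as well as on the client: the home-directory check is the one people miss, because a 775 home directory is invisible inside ~/.ssh yet still makes sshd fall back to password authentication.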