Software firewall iptables under linux – definition and deletion of rules – linux operation and maintenance

The introduction to the iptables firewall, and how to view and clear rules, was covered in a previous article. Today we demonstrate how to write firewall rules. Since day-to-day work mostly involves rules for the filter table, the demonstration here uses the filter table. Preparation: before writing rules, first stop the firewalld service, start the iptables service, and then clear the existing rules. # systemctl stop firewalld # systemctl start iptables # iptables -F # iptables -X # iptables -Z Adding rules to a chain: there are many options when adding an iptables rule; the basic usage is: iptables [-t table] -A|I chain-name [-i|o network-interface] [-m state] [--state packet-state] \ > [-p network-protocol] [-s source-address --sport port-range] [-d destination-address --dport port-range] \ > -j [ACCEPT|DROP|REJECT] Options and parameters: -A|I chain-name: A appends the rule after the existing rules, I inserts it at the front. -i|o network-interface: i is the interface the packet enters on and must be used with the INPUT or PREROUTING chain; o indicates the…

Software firewall iptables under linux – setting of nat table rules – linux operation and maintenance

In addition to the most commonly used filter table, iptables also occasionally uses the nat table. NAT is network address translation, which is used to modify the source IP address or destination IP address. Let's look at the path a simple packet takes through the iptables tables and chains on its way to a back-end host: 1. It passes through the PREROUTING chain of the nat table. 2. Routing decides whether the packet is destined for this machine; if not, proceed to the next step. 3. It passes through the FORWARD chain of the filter table. 4. It passes through the POSTROUTING chain of the nat table and is finally sent out. The first and last steps are the ones related to NAT, that is, the PREROUTING and POSTROUTING chains. The PREROUTING chain modifies the destination IP, referred to as DNAT; the POSTROUTING chain modifies the source IP, referred to as SNAT. So which scenarios need DNAT, and what are the common uses of SNAT? For DNAT, the most common use is mapping a port on an internal-network host to the external network so that other users can reach it. In this way, the security of the internal network…

Software firewall iptables under linux – firewall design – linux operation and maintenance

In the previous articles, I introduced the tables and chains of iptables and how to add rules to a chain. Here I want to share a simple set of firewall rules with you, mainly for the INPUT chain of the filter table. This article is a practical iptables rule set to help you deepen and consolidate what you have learned. The rules applied are as follows: Clear existing rules: remove all of the original rules. Set the default policy: set the default policy of the filter table's INPUT chain to DROP and the others to ACCEPT. Trust this machine: the loopback interface lo must be trusted. Response packets: packets that are replies to requests the host itself initiated may enter the machine (ESTABLISHED/RELATED). Reject invalid packets: drop packets in the INVALID state. Whitelist: trust certain IP addresses or networks. Blacklist: untrusted IP addresses or networks. Allow ICMP: let ICMP packets through. Open some ports: some service ports must be opened to the outside world, such as 80, 443 and 22. We are going to create 3 shell script files: iptables.rule, iptables.allow (whitelist), iptables.deny…

Introduction to lvm software under linux – flexibly sizing the file system – linux operation and maintenance

We often run into this situation: as the system runs, the remaining space on a certain partition turns out to be insufficient, so the partition needs to be expanded. How do we expand it? A common strategy is: add a new hard disk, then partition and format it into a new usable partition; copy the content of the previous file system to the new partition, then unmount the original partition (say the original file system is mounted at /www); mount the new partition at the original directory /www, and copy the previous content into /www. Doesn't the whole process feel troublesome? If the original file system is very large, dozens or even hundreds of GB, it becomes a big job. On top of that, the previous partition is left unused for the time being, which is also a waste! lvm introduction: lvm (logical volume management) is used to solve the problems above; it makes scaling the size of a file system very convenient. For lvm, there are several special terms you need to know: Physical Volume, abbreviated PV: physical volume; Volume Group, referred…

Demonstration of the process of building lvm under linux – linux operation and maintenance

The previous article introduced lvm, and today I will demonstrate the process of building lvm. Building lvm has the following steps: partition the disks; turn the partitions into PVs; create a VG from the PVs; carve LVs out of the VG; format the LVs and mount them on directories for use. Next, let's complete the above process. Partitioning: first, let's look at how the disks are partitioned. # lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT sda 8:0 0 40G 0 disk ├─sda1 8:1 0 2M 0 part ├─sda2 8:2 0 1G 0 part /boot ├─sda3 8:3 0 1G 0 part [SWAP] ├─sda4 8:4 0 10G 0 part / └─sda5 8:5 0 100M 0 part sdb 8:16 0 1G 0 disk sdc 8:32 0 1G 0 disk sdd 8:48 0 1G 0 disk sde 8:64 0 1G 0 disk As you can see, there are 5 disks on my host; apart from sda, the other disks have not been partitioned yet, and sda still has free space. Now partition the other 4 disks as well. Use the fdisk or gdisk tools for partitioning; the specific process is omitted here. The information after partitioning is as follows: #…

How to expand the partition capacity under linux – linux operation and maintenance

In daily work, we often encounter the problem of a certain partition running out of remaining capacity, so we need to know how to expand a partition on a Linux server. For partition expansion, there are two cases: expansion of an LVM partition and expansion of a non-LVM partition. Expansion of an LVM partition: generally, we recommend using LVM, which makes elastic scaling of partitions easy. The introduction to LVM (physical volumes, volume groups, logical volumes, etc.) is not repeated here; you can read my other two articles about LVM. Scenario: the /www directory is our website directory. The partition mounted on this directory uses LVM. Originally this directory had 1G of space, but as the system ran, less than 100M remained. Now the partition needs to be expanded. Preparation work, to reproduce the scenario: # pvcreate /dev/sdb1 # vgcreate vgwww /dev/sdb1 # lvcreate -l 255 vgwww # mkfs.ext4 /dev/vgwww/lvol0 # mount /dev/vgwww/lvol0 /www # dd if=/dev/zero of=/www/bigfile bs=1M count=900 # df -h … /dev/mapper/vgwww-lvol0 988M 903M 19M 98% /www Partition expansion: first, we need to check whether vgwww has any free space left; if not, a PV must first be added to vgwww. #…

What is ssh and how does it encrypt information – linux operation and maintenance

In the early days, connecting to a remote server used software that transmitted in plaintext, such as telnet and RSH; later these were all replaced by the ssh protocol. The SSH service encrypts information before transmitting it, which greatly improves security. SSH has two main functions: connecting to remote hosts and managing host resources; and transferring files, similar to an ftp service. SSH encryption technology: SSH uses asymmetric encryption. Readers who want to know more about symmetric and asymmetric encryption, please Google. Asymmetric encryption is accomplished with a public key and a private key: the public key encrypts the information being sent, and after the information is received, the private key is used to decrypt it. Public key: used to encrypt information sent to the other party's host, so your host's public key can be given to any other host that wants to communicate with it. Private key: when a remote host sends information encrypted with the public key to the current host, the current host uses its own private key to decrypt it. Remember, your private key must never be disclosed to other hosts. The…
