Mastering the yum install Command: A Comprehensive Guide to Network Configuration and Management

10.11 Linux Network Related

ifconfig Command

  • View Network Card IP

If the system does not have this command, you can use yum to install it:

[root@adai003 ~]# yum install -y net-tools

You can also use the command ip addr (abbreviated ip add) to view the network card IP, but its output is harder to read.

  • ifconfig -a

Display all network card information (including those that are down or do not have an IP address)

Start/Stop Network Card

  • ifup/ifdown [network card name]

Application scenario: after modifying the configuration of a specific network card, that card must be restarted for the change to take effect. To avoid shutting down or restarting all network cards, run these commands on the single card concerned. Note: if the network card is the one you are connected through, never run ifdown on its own, because the connection is lost before you get the chance to run ifup. Solution: run both commands together: “# ifdown ens33 && ifup ens33”.

Add a Network Card to the Virtual Machine

Shut down the virtual machine and operate in the following sequence (screenshots omitted):

1. Open the virtual machine's hardware settings and add a new network adapter, clicking Next through the wizard.
2. Specify the type of network adapter (network card) here, or choose it after adding.
3. Click “OK” to complete the addition.

Note: If the above operations are performed while the machine is powered on, you need to restart the network service after adding the network card!!!

Add Configuration File for New Network Card

View the configuration information of the new network card in the virtual machine manager; here you can see its network segment.

Configure the new network card's information after turning the virtual machine back on. First view the network information (ifconfig -a) to confirm that the new card is present.

Location of the network card configuration files: /etc/sysconfig/network-scripts/ (copy the existing card's file and rename it).

[root@localhost ~]# cd /etc/sysconfig/network-scripts/

Create the configuration file for the new network card:

[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@localhost network-scripts]# vim ifcfg-ens37
# Change the network card name (NAME and DEVICE) in this configuration file to ens37
# Delete the UUID line

Restart the network service after configuration:

[root@localhost network-scripts]# systemctl restart network

At this point the addition is complete, and you can configure the network card by editing this file.

Note: Since the network connection type of the network card added this time is host-only mode, its IP and ens33 are not in the same network segment.

Add a Virtual Network Card

  • Steps:

1. Switch to the network card configuration directory:
[root@adai003 ~]# cd /etc/sysconfig/network-scripts/

2. Copy the system network card's configuration file:
[root@adai003 network-scripts]# cp ifcfg-ens33 ifcfg-ens33:0

3. Edit the copied configuration file:
[root@adai003 network-scripts]# vi ifcfg-ens33:0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33:0
DEVICE=ens33:0
ONBOOT=yes
IPADDR=192.168.8.138
NETMASK=255.255.255.0
GATEWAY=192.168.8.2
DNS1=119.29.29.29

Explanation: Change NAME, DEVICE and IPADDR. GATEWAY can be removed or retained, but if retained it must match the system network card's configuration.

4. Restart the system network card:
[root@adai003 network-scripts]# ifdown ens33 && ifup ens33
Successfully disconnected device 'ens33'.
Successfully activated connection (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

5. View the network card information:
[root@adai003 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.125  netmask 255.255.255.0  broadcast 192.168.8.255
        ……
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.8.158  netmask 255.255.255.0  broadcast 192.168.8.255
        ether 00:0c:29:61:7d:7a  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1  (Local Loopback)
        ……

6. Check whether the virtual network card's IP is reachable: just ping the IP from a Windows cmd window.
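As an added example (not part of the original course material), the following shell function does what steps 2 and 3 above, and the ens37 procedure in the previous section, do by hand: it clones an existing ifcfg-* file, sets NAME and DEVICE to the new card name, drops the UUID line (a cloned UUID would clash with the original card's connection), and optionally sets IPADDR. The names make_ifcfg, ifcfg_get and NS_DIR are chosen here; the directory defaults to the one the page uses, and NS_DIR lets you try it in a scratch directory first.

```shell
#!/bin/sh
# Added example, not the course's own script. Clone an ifcfg-* file for a new
# card (ens37) or an alias (ens33:0) the way the manual steps above do.
# Assumptions: the source file is KEY=VALUE lines as shown on this page; the
# directory is /etc/sysconfig/network-scripts unless NS_DIR overrides it.

# make_ifcfg SRC_DEV NEW_DEV [IPADDR]
#   Copies ifcfg-SRC_DEV to ifcfg-NEW_DEV with NAME/DEVICE set to NEW_DEV,
#   the UUID line removed and, if given, IPADDR replaced.
#   Refuses to overwrite an existing file so a live config is never clobbered.
make_ifcfg() {
    src_dev=$1; new_dev=$2; ip=$3
    dir=${NS_DIR:-/etc/sysconfig/network-scripts}
    src="$dir/ifcfg-$src_dev"; dst="$dir/ifcfg-$new_dev"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    awk -v dev="$new_dev" -v ip="$ip" '
        /^UUID=/               { next }                        # drop the cloned UUID
        /^NAME=/               { print "NAME=" dev; next }
        /^DEVICE=/             { print "DEVICE=" dev; next }
        /^IPADDR=/ && ip != "" { print "IPADDR=" ip; next }    # only if a new IP was given
        { print }                                              # everything else is kept as-is
    ' "$src" > "$dst"
}

# ifcfg_get FILE KEY: print the value of KEY in FILE (empty output if absent)
ifcfg_get() {
    sed -n "s/^$2=//p" "$1"
}

# Typical use on the host (as root), after which the card is restarted as shown
# in step 4:  make_ifcfg ens33 ens33:0 192.168.8.138
```

Run it once with NS_DIR pointing at an empty directory containing a copy of ifcfg-ens33 to see the generated file before touching the real directory; GATEWAY and DNS lines are carried over unchanged, which is what the page requires for an alias.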
Check if the Network Card is Connected

  • Method 1: mii-tool [network card name]

[root@adai003 ~]# mii-tool ens33
ens33: negotiated 1000baseT-FD flow-control, link ok

Check: link ok indicates the network card connection is OK!

  • Method 2: ethtool [network card name]

[root@adai003 ~]# ethtool ens33
Settings for ens33:
	Supported ports: [ TP ]
	Supported link modes:   10baseT/Half 10baseT/Full
	……
	Current message level: 0x00000007 (7)
			       drv probe link
	Link detected: yes

Check: Link detected: yes indicates the network card connection is OK!

Hostname

  • Change Hostname & Hostname Configuration File

Change:
[root@adai003 ~]# hostnamectl set-hostname adai0003

View the hostname:
[root@adai003 ~]# hostname
adai0003

Note: The changed hostname will only display after the system is restarted!

Hostname configuration file:
[root@adai003 ~]# cat /etc/hostname
adai003
DNS Configuration

  • DNS Configuration File: /etc/resolv.conf

[root@adai003 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 119.29.29.29

Note: To change the DNS configuration file, change the DNS entries in the network card configuration file; the change takes effect after restarting the network card (ifdown/ifup). You can also edit ‘/etc/resolv.conf’ directly to change the DNS configuration temporarily, but that edit is overwritten by the DNS from the network card configuration file the next time the card is restarted.

  • Local Domain Name Configuration File: /etc/hosts

[root@adai003 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Explanation: Use vi to add your own domain-name-to-IP mappings in this file. One IP can correspond to multiple domain names, and one domain name can correspond to multiple IPs, separated by spaces; if a domain name corresponds to multiple IPs, the entry closer to the end of the file takes precedence. This domain name configuration only takes effect on this machine.

10.12 Firewalld and Netfilter

SELinux Firewall

  • Temporarily Disable SELinux Firewall:

[root@adai003 ~]# setenforce 0

  • Permanently Disable SELinux Firewall:

Edit the configuration file ‘/etc/selinux/config’

[root@adai003 ~]# vim /etc/selinux/config
……
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of two values:
……
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Change SELINUX=enforcing to disabled, save, and restart the system!

  • Check SELinux Firewall Status

[root@adai003 ~]# getenforce
Disabled

netfilter (Firewalld)

CentOS 7 replaced the netfilter firewall service of earlier releases with firewalld. iptables is still the tool used to implement the firewall rules underneath.

To facilitate learning, temporarily stop firewalld and enable the netfilter (iptables service) firewall mechanism used by CentOS 6/5.

  • Disable firewalld

1. Disable firewalld (prevent it from starting on boot):
[root@adai003 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

2. Stop the firewalld service:
[root@adai003 ~]# systemctl stop firewalld

  • Enable netfilter

Install the iptables tools before enabling it:
[root@adai003 ~]# yum install -y iptables-services

Enable and start the iptables service:
[root@adai003 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@adai003 ~]# systemctl start iptables

Explanation: By default, the iptables service is enabled after installation.

  • View iptables Rules: iptables -nvL

[root@adai003 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)
 pkts bytes target     prot opt in     out     source               destination
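The listing above is worth reading as an audit, not just as output: INPUT and FORWARD both end in a catch-all REJECT, while OUTPUT has an ACCEPT policy and no terminal rule, so it lets everything out. As an added example (not part of the original course material), the shell functions below parse the text that iptables -nvL prints and report, per chain, the default policy, whether a catch-all REJECT/DROP is present, and which destination ports are ACCEPTed. sample_nvl is a constructed copy of the listing above so the code runs offline; audit_chains and report_open_chains are names chosen here.

```shell
#!/bin/sh
# Added example, not the course's own script: a quick audit of `iptables -nvL`
# text. Assumption: the input has the column layout shown on this page
# (pkts bytes target prot opt in out source destination [extra matches]).

# sample_nvl: constructed input, copied from the listing on this page
sample_nvl() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 684 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# audit_chains: reads `iptables -nvL` text on stdin and prints one line per chain:
#   CHAIN policy=POLICY catchall=yes|no ports=tcp/22,udp/53   ("-" when none)
audit_chains() {
    awk '
        function flush() {
            if (chain != "")
                print chain " policy=" policy " catchall=" catchall " ports=" (ports == "" ? "-" : ports)
        }
        /^Chain / { flush(); chain = $2; policy = $4; catchall = "no"; ports = ""; next }
        /^ *pkts/ || /^ *$/ { next }            # column header and blank separator lines
        {
            target = $3; proto = $4; in_if = $6; out_if = $7; src = $8; dst = $9
            # a rule that matches everything: all protocols, any interface, any address,
            # and no extra match (only the reject-with option of REJECT is allowed)
            if ((target == "REJECT" || target == "DROP") && proto == "all" &&
                in_if == "*" && out_if == "*" && src == "0.0.0.0/0" && dst == "0.0.0.0/0" &&
                ($10 == "" || $10 == "reject-with"))
                catchall = "yes"
            # collect accepted destination ports (dpt:N in the extra-match columns)
            if (target == "ACCEPT")
                for (i = 10; i <= NF; i++)
                    if ($i ~ /^dpt:/) ports = ports (ports == "" ? "" : ",") proto "/" substr($i, 5)
        }
        END { flush() }
    '
}

# report_open_chains: names chains whose policy is ACCEPT and which have no
# catch-all, i.e. everything not rejected by an earlier rule is let through.
report_open_chains() {
    audit_chains | awk '$2 == "policy=ACCEPT" && $3 == "catchall=no" { print $1 }'
}

# On a real host:  iptables -nvL | audit_chains
```

Against the listing on this page the audit prints tcp/22 as the only port open on INPUT and names OUTPUT as the open chain, which matches what a reader sees by hand; the value is in running it after every rule change, or across many hosts, where reading by hand does not scale.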

10.13 Introduction to netfilter’s 5 Tables and Chains

Table Names

  • filter: Packet filtering for firewall rules.
  • nat: Address translation for gateway routers.
  • mangle: For marking packets, then operations based on marks. (not commonly used)
  • There are two other less commonly used tables: raw and security, which are not discussed here.

Rule Chain Names

  • Three Chains for filter:
    • INPUT Chain: Acts on packets directed to the machine.
    • OUTPUT Chain: Acts on packets generated by the machine.
    • FORWARD Chain: Acts on packets that only pass through the machine (neither generated by it nor addressed to it).
  • Three Chains for nat:
    • PREROUTING Chain: Acts on packets upon arrival at the firewall to change their destination address if necessary.
    • OUTPUT Chain: Changes the destination address of packets generated locally.
    • POSTROUTING Chain: Changes the source address before packets leave the firewall.

Application of nat Table (Understanding Required)

Scenario: Suppose there are three machines (A, B, C). Machine A has one network card connected to the public network with IP1; Machine B has two network cards, b1 and b2, connected to the public and private networks with IP2 and IP3 respectively; Machine C has one network card connected to the private network with IP4. Obviously A and B can communicate, and B and C can communicate, but A and C cannot communicate directly and can only do so via B. How do we set things up so that A and C can communicate?

Method:

First, enable the kernel's routing forwarding feature on machine B (writing to /proc takes effect immediately but is lost at reboot unless the setting is also placed in the sysctl configuration):

[root@adai003 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward

Then add the IP forwarding (source NAT) rule to the nat table. Here <private segment> stands for the private network segment that IP3 and IP4 are on, and b1 is machine B's network card that faces the public network:

[root@adai003 ~]# iptables -t nat -A POSTROUTING -s <private segment> -o b1 -j MASQUERADE

Explanation: The -o option is followed by a device name and indicates the outgoing network card; MASQUERADE means disguise or impersonation: packets from the private segment leave with their source address rewritten to that of the outgoing card, so machine A only ever sees machine B.
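One detail the two commands above leave out is visible in the iptables -nvL listing earlier on this page: the filter table's FORWARD chain ends in a catch-all REJECT, so on a host running the iptables service the MASQUERADE rule alone does nothing until forwarding of the private segment is explicitly allowed. As an added example (not part of the original course material), the following shell function generates the full gateway-side command list for machine B so it can be reviewed, and tested, before anything is run. B_PUB_IF (b1 in the scenario) and PRIV_NET (the private segment, in CIDR form) are placeholders you supply; nat_gateway_cmds is a name chosen here.

```shell
#!/bin/sh
# Added example, not the course's own script. Prints, one per line, the commands
# that turn machine B into the NAT gateway of the scenario above. Nothing is
# executed here; review the output, then run it as root (e.g. pipe into sh).
# Assumptions: B_PUB_IF is B's public-facing card (b1), PRIV_NET the private
# segment IP3/IP4 are on, and the host uses iptables-services as on this page.

# nat_gateway_cmds B_PUB_IF PRIV_NET
nat_gateway_cmds() {
    pub_if=$1; priv_net=$2
    case $priv_net in
        */*) ;;   # must be a segment, not a single host address
        *) echo "PRIV_NET must be in CIDR form, e.g. 192.168.100.0/24" >&2; return 1 ;;
    esac
    # 1. enable forwarding now, and persist it so a reboot does not silently break the gateway
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    printf '%s\n' "echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-forward.conf"
    # 2. allow the private segment through the FORWARD chain, inserted ahead of the catch-all REJECT:
    #    outbound new traffic from the segment, and only reply traffic back in from the public side
    printf '%s\n' "iptables -I FORWARD 1 -s $priv_net -o $pub_if -j ACCEPT"
    printf '%s\n' "iptables -I FORWARD 2 -d $priv_net -i $pub_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. source-NAT the segment behind B's public address as packets leave via the public card
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $priv_net -o $pub_if -j MASQUERADE"
    # 4. write the rules to /etc/sysconfig/iptables so they survive a service restart
    printf '%s\n' "service iptables save"
}

# Example (placeholder values):  nat_gateway_cmds b1 192.168.100.0/24
```

The second FORWARD rule is deliberately limited to ESTABLISHED,RELATED traffic: it lets replies to C's connections come back without opening the private segment to new connections initiated from the public side, which is the least-privilege shape of a masquerading gateway.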

10.14 iptables Syntax

iptables is a commonly used firewall software in Linux and part of the netfilter project. It can be configured directly or through many front-end and graphical interfaces.

Syntax: iptables [options] [parameters]

Options:
-n: Do not reverse-resolve IPs to hostnames
-v: Display more detailed information
-t: Specify the table (the iptables command defaults to the filter table)
-L: List rules
-F: Clear (flush) all rules
-A/-D: Append/Delete a rule
-I: Insert a rule
-p: Specify the protocol: tcp, udp or icmp
--sport: Used with -p to specify the source port
--dport: Used with -p to specify the destination port
-s: Specify the source IP (can be a segment)
-d: Specify the destination IP (can be a segment)
-j: Followed by the action (ACCEPT = allow the packet; DROP = discard the packet; REJECT = reject the packet)
-i: Specify the network card
-Z: Zero the packet and byte counters
-P: Set the preset (default) policy of a chain

  • Order of iptables command options:
iptables -t Table Name <-A/I/D/R> Rule Chain Name [Rule Number] <-i/o Network Card Name> -p Protocol Name <-s Source IP/Source Subnet> --sport Source Port <-d Destination IP/Destination Subnet> --dport Destination Port -j Action
  • View Rules
[root@adai003 ~]# iptables -nvL

The iptables rule configuration file: /etc/sysconfig/iptables

  • Clear Rules
[root@adai003 ~]# iptables -F

Note: This command will not clear rules in the configuration file! After modifying the rules, execute the command ‘service iptables save’ to save them to the configuration file.

  • Add a Rule (-A/I)
[root@adai003 ~]# iptables -A INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

Explanation: Add a rule so that when IP 192.168.188.1, protocol tcp, source port 1234 sends a packet to IP 192.168.188.128 on port 80, the action taken is DROP (discard the packet). Note: -A can be replaced with -I; the difference is like joining the back of a queue versus cutting in at the front: -A appends the rule at the end of the chain and -I inserts it at the front, so the priorities of the rules differ.

  • Delete a Rule (-D)

Method 1: Knowing the rule content

[root@adai003 ~]# iptables -D INPUT -s 192.168.188.1 -p tcp --sport 1234 -d 192.168.188.128 --dport 80 -j DROP

Note: To delete a rule this way, the command must match the rule as it was added, i.e. apart from -A/-I versus -D, the two iptables commands must be identical.

Method 2: Forgot the rule content

First, use the following command to view the rule numbers:

[root@adai003 ~]# iptables -nvL --line-numbers

Then execute the delete command with the number of the rule:

[root@adai003 ~]# iptables -D INPUT [Number]

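As an added example (not part of the original course material), the shell functions below script Method 2: they read the text of iptables -nvL --line-numbers, find the number(s) of the rule that matches a given chain, target, protocol, source and destination (plus an optional substring of the extra-match columns), and print the corresponding iptables -D commands. sample_numbered is a constructed listing (the default rules shown earlier on this page plus the DROP rule added in the -A example); rule_numbers and delete_cmds are names chosen here.

```shell
#!/bin/sh
# Added example, not the course's own script: find rule numbers by content so
# deletion does not depend on retyping the exact original command.
# Assumption: input has the `iptables -nvL --line-numbers` column layout
# (num pkts bytes target prot opt in out source destination [extra matches]).

# sample_numbered: constructed listing, based on the rules shown on this page
sample_numbered() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   536 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6        0     0 DROP       tcp  --  *      *       192.168.188.1        192.168.188.128      tcp spt:1234 dpt:80
EOF
}

# rule_numbers CHAIN TARGET PROTO SRC DST [EXTRA]
#   Reads the listing on stdin and prints matching rule numbers, highest first:
#   deleting a rule renumbers every rule after it, so always delete from the
#   highest number down. Returns 1 when nothing matches.
rule_numbers() {
    awk -v chain="$1" -v target="$2" -v proto="$3" -v src="$4" -v dst="$5" -v extra="$6" '
        /^Chain / { cur = $2; next }                 # remember which chain we are in
        /^num / || /^ *$/ { next }                   # header and blank lines
        cur == chain && $4 == target && $5 == proto && $9 == src && $10 == dst {
            rest = ""                                # join the extra-match columns
            for (i = 11; i <= NF; i++) rest = rest (i > 11 ? " " : "") $i
            if (extra == "" || index(rest, extra) > 0) nums[++n] = $1
        }
        END {
            for (i = n; i >= 1; i--) print nums[i]
            exit n > 0 ? 0 : 1
        }
    '
}

# delete_cmds CHAIN TARGET PROTO SRC DST [EXTRA]
#   Prints the `iptables -D CHAIN N` commands to run, highest N first.
#   Review them, then run as root; nothing is executed here.
delete_cmds() {
    chain=$1
    rule_numbers "$@" | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# On a real host:  iptables -nvL --line-numbers | delete_cmds INPUT DROP tcp 192.168.188.1 192.168.188.128
```

Passing a substring such as dpt:22 narrows the match when several rules share the same addresses and protocol, and the highest-first ordering matters as soon as more than one number comes back.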
  • Change Preset Policy (-P)

Execute Command:

# iptables -P OUTPUT DROP

Result: in the output of iptables -nvL, the OUTPUT chain's policy changes from ACCEPT to DROP.

Warning: Do not change this configuration casually, especially during a remote login; once this command is executed, the connection is cut off. The policy can only be restored to its original state with the command ‘iptables -P OUTPUT ACCEPT’; the -F parameter only flushes rules and does not reset the policy.