Friday, March 9, 2012

Networking and Firewalls

1. Introduction to Networks and Networking
   1.1 Getting Started with Interfaces
     To display the status of all the interfaces on a host, use this command:
     $ ifconfig -a

     To make it easier to explore the configuration of an interface, you can also display a single interface, like so:
     $ ifconfig eth0

     Bring an interface up:
     $ sudo ifconfig eth0 up
     Bring an interface down:
     $ sudo ifconfig eth0 down
     $ sudo ifdown eth0
     (ifconfig eth0 down only clears the interface's running state; ifdown also runs the distribution's network scripts for that device, so the two are not always interchangeable.)
     Change an interface's IP address:
     $ sudo ifconfig eth0 192.168.0.3 netmask 255.255.255.0
     (The netmask argument can be omitted, in which case ifconfig falls back to the classful default for the address. State it explicitly so the mask does not depend on that guess.)

     The ifconfig command can also be used to add and delete IP addresses to and from an interface; here is how we could have added our 192.168.0.1 IP address to the eth0 interface:
     $ sudo ifconfig eth0 add 192.168.0.1
     The ifconfig command can also be used to delete an IP address from an interface like so:
     $ sudo ifconfig eth0 del 192.168.0.1
     (The net-tools ifconfig man page documents add and del as IPv6 operations. For a second IPv4 address use an alias, ifconfig eth0:0 192.168.0.1 netmask 255.255.255.0, or the iproute2 form, ip addr add 192.168.0.1/24 dev eth0, which is what current distributions ship.)


Changing the IP address
Immediate effect:
# ifconfig eth0 192.168.0.20 netmask 255.255.255.0
Persistent across reboots:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
(on CentOS 6 and later the file created by NetworkManager may be named ifcfg-Auto_eth0)

Changing the default gateway
Immediate effect:
# route add default gw 192.168.0.254
Persistent across reboots:
edit /etc/sysconfig/network-scripts/ifcfg-eth0 (a GATEWAY= entry; it may also be placed in /etc/sysconfig/network)

Changing DNS servers
edit /etc/resolv.conf
Takes effect immediately and survives a reboot, unless DHCP or NetworkManager rewrites the file at boot; on such hosts put DNS1= and DNS2= entries in ifcfg-eth0 instead.

Changing the host name
Immediate effect:
# hostname fc2
Persistent across reboots:
edit /etc/sysconfig/network (the HOSTNAME= entry)

The /etc/sysconfig/network-scripts/ifcfg-ethN file
On Red Hat systems the configuration files for network devices live under /etc/sysconfig/network-scripts: ifcfg-eth0 holds the configuration for the first network card, ifcfg-eth1 for the second, and so on.
Here is an example of /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
IPADDR=x.x.x.x
NETMASK=255.255.255.0
NETWORK=x.x.x.x
BROADCAST=x.x.x.x
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

To set network addresses by hand, or to add a new network interface, edit the matching ifcfg-ethN file or create a new one. The fields are:
DEVICE=name      name is the name of the physical device
IPADDR=addr      addr is the IP address assigned to the card
NETMASK=mask     mask is the network mask
NETWORK=addr     addr is the network address
BROADCAST=addr   addr is the broadcast address
ONBOOT=yes/no    whether to activate the card at boot
BOOTPROTO=none/bootp/dhcp
                 none: no boot-time protocol, the static values above are used
                 bootp: obtain the address with BOOTP
                 dhcp: obtain the address with DHCP
USERCTL=yes/no   whether non-root users may control the device
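The NETWORK and BROADCAST values above are shown as x.x.x.x placeholders; they are fully determined by IPADDR and NETMASK, and a hand-typed value that disagrees with the mask is a classic source of a silently broken interface. The following is an added example, not code from the original post: it validates the address and mask, derives the two fields, and emits a complete ifcfg file for a static interface. The device name, addresses and gateway in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: derive the NETWORK and BROADCAST
# values an ifcfg-ethN file expects from IPADDR and NETMASK, after checking
# that both are well-formed, and emit the file. The device name and addresses
# used at the bottom are assumptions for illustration.

# Reject anything that is not four dotted decimal octets in 0..255.
valid_ip() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*|.*|*.|*..*|'') return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in 0[0-9]*) return 1 ;; esac   # a leading zero would be read as octal
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> 32-bit integer, e.g. 192.168.0.3 -> 3232235523
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A netmask must be a run of ones followed by a run of zeros: the inverted
# mask plus one is then a power of two, so (inv & (inv + 1)) is zero.
valid_netmask() {
    valid_ip "$1" || return 1
    inv=$(( ~$(ip2int "$1") & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

network_addr()   { int2ip $(( $(ip2int "$1") & $(ip2int "$2") )); }
broadcast_addr() { int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 4294967295) )); }

# gen_ifcfg DEVICE IPADDR NETMASK [GATEWAY]  -> ifcfg-DEVICE contents on stdout
gen_ifcfg() {
    dev=$1 ip=$2 mask=$3 gw=$4
    if ! valid_ip "$ip" || ! valid_netmask "$mask"; then
        echo "gen_ifcfg: bad IPADDR or NETMASK: $ip $mask" >&2
        return 1
    fi
    cat <<EOF
DEVICE=$dev
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
IPADDR=$ip
NETMASK=$mask
NETWORK=$(network_addr "$ip" "$mask")
BROADCAST=$(broadcast_addr "$ip" "$mask")
EOF
    [ -n "$gw" ] && echo "GATEWAY=$gw"
    return 0
}

# Usage (assumed values): write the file, then bring the interface up with ifup.
gen_ifcfg eth0 192.168.0.3 255.255.255.0 192.168.0.254
```

Redirect the output to /etc/sysconfig/network-scripts/ifcfg-eth0 and run ifup eth0. The netmask check matters more than it looks: a mask such as 255.255.0.255 is accepted by ifconfig without complaint and produces a route that matches almost nothing.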

   1.2 General Network Troubleshooting

  • ping
  • mtr

      The output of mtr www.google.com looks like this:

                             My traceroute  [v0.71]

localhost.localdomain (0.0.0.0)                        Fri Mar  9 22:55:45 2012
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                              Packets               Pings
 Host                                       Loss%  Last   Avg  Best  Wrst StDev
 1. 192.168.1.1                              0.0%   1.1   1.2   0.9   5.2   0.6
 2. 118.23.8.90                              0.0%  50.1  34.4   9.7  64.3  12.0
 3. 118.23.7.213                             0.0%  55.6  33.4  11.0  63.6  11.5
 4. 118.23.96.29                             0.0%  52.9  36.3  12.1  63.2  11.9
 5. 122.28.168.29                            0.0%  55.6  35.1  13.4  71.1  12.8
 6. 118.23.168.86                            0.0%  44.1  39.6  12.8 151.8  20.0
 7. 118.23.146.226                           0.0%  54.2  38.1  13.1 133.1  16.5
 8. 211.129.61.38                            2.0%  75.3  62.6  37.6 126.3  17.4
 9. 209.85.241.90                            0.0%  56.7  43.5  17.6 155.4  22.1
10. 209.85.241.133                           0.0%  54.8  37.4  15.0  65.9  12.3
11. nrt19s12-in-f20.1e100.net                0.0%  54.6  35.7  13.2  67.2  12.4

Loss%  : packet loss percentage at each hop
Last   : round-trip time of the most recent probe
Avg    : average round-trip time of all probes sent to that hop
Best   : shortest round-trip time seen
Wrst   : longest round-trip time seen
StDev  : standard deviation of the round-trip times (jitter)

Loss at an intermediate hop that does not continue to the final hop (hop 8 above) is almost always the router rate-limiting its ICMP replies rather than real packet loss; only loss that persists through to the destination indicates a path problem.
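Reading a long trace by eye gets error-prone, and the loss column is easy to misread for the reason just given. The following is an added example, not code from the original post: it parses the hop table printed by mtr (the interactive layout above, or mtr --report, which adds a Snt column after Loss%) and flags hops whose loss carries through to the destination or whose jitter is high. The sample is a constructed, cut-down copy of the trace above, and the jitter threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: read the hop table printed by
# mtr and flag hops worth looking at. The sample data is a constructed copy
# of five hops from the trace above; the 15 ms jitter threshold is an assumption.

# Loss% is always field 3 and StDev the last field, in both the interactive
# layout and `mtr --report`, so the same code handles both. Loss at a middle
# hop that does not reach the final hop is reported as ICMP rate limiting.
mtr_flag_hops() {
    awk -v maxsd="${1:-15}" '
        /^ *[0-9]+\./ {
            n++
            hop[n] = $1 " " $2
            lossstr[n] = $3; l = $3; sub(/%/, "", l); loss[n] = l + 0
            sdstr[n] = $NF; sd[n] = $NF + 0
        }
        END {
            for (i = 1; i <= n; i++) {
                if (loss[i] > 0) {
                    kind = (loss[n] > 0) ? "real-loss" : "icmp-rate-limited"
                    printf "%s loss=%s %s\n", hop[i], lossstr[i], kind
                }
                if (sd[i] > maxsd)
                    printf "%s stdev=%sms high-jitter\n", hop[i], sdstr[i]
            }
        }'
}

# Constructed sample: hops 1, 2, 6, 8 and 11 from the trace above.
MTR_SAMPLE=' 1. 192.168.1.1                 0.0%   1.1   1.2   0.9   5.2   0.6
 2. 118.23.8.90                 0.0%  50.1  34.4   9.7  64.3  12.0
 6. 118.23.168.86               0.0%  44.1  39.6  12.8 151.8  20.0
 8. 211.129.61.38               2.0%  75.3  62.6  37.6 126.3  17.4
11. nrt19s12-in-f20.1e100.net   0.0%  54.6  35.7  13.2  67.2  12.4'

# Constructed variant in which the loss does carry through to the destination.
MTR_SAMPLE_LOSSY=' 1. 192.168.1.1                 0.0%   1.1   1.2   0.9   5.2   0.6
 8. 211.129.61.38               2.0%  75.3  62.6  37.6 126.3  17.4
11. nrt19s12-in-f20.1e100.net   3.0%  54.6  35.7  13.2  67.2  12.4'

printf '%s\n' "$MTR_SAMPLE" | mtr_flag_hops
```

Against a live host, run mtr --report -c 50 www.google.com | mtr_flag_hops; the report mode sends a fixed number of probes and exits, which is what you want when the output feeds a script.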

  • tcpdump
  • netstat

     We will then start the nc command using the -l, or listen, option on the host with the IP address of 192.168.0.1.

     $ sudo nc -l 80

     This binds our nc command to all interfaces on the port. (That is the OpenBSD netcat syntax; the traditional GNU netcat takes the port after -p, as in nc -l -p 80.) We can test that by running another command called netstat:

     $ sudo netstat -lpt
     tcp        0      0 *:http                      *:*                         LISTEN      5154/nc
     -l : show only listening sockets
     -p : show the PID and name of the program that owns each socket (root is needed to see other users' processes; otherwise the column shows -)
     -t : show TCP sockets only
     Add -n to print numeric addresses and ports (0.0.0.0:80 instead of *:http). The * or 0.0.0.0 local address is what tells you the socket is reachable on every interface, not just on loopback.
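The check a practitioner actually wants from that netstat output is the list of services reachable from any attached network, as opposed to those bound only to 127.0.0.1. The following is an added example, not code from the original post: it filters netstat -lptn output (or the non-numeric -lpt form shown above) down to the TCP listeners bound to a wildcard address. The sample lines, including the sshd and master PIDs, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reduce `netstat -lptn` output to
# the TCP listeners bound to every interface, which is the set an attacker on
# any attached network can reach. The sample output below is constructed.

# A local address of *, 0.0.0.0 or :: means "all interfaces"; anything bound
# to 127.0.0.1 or ::1 is reachable only from the host itself.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        # strip ":port" from the end; handles ":::22" as well as "0.0.0.0:22"
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::")
            printf "%s %s %s\n", $1, port, $7
    }'
}

# Constructed sample of `sudo netstat -lptn` (without sudo the last column
# shows "-" for processes owned by other users).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5154/nc
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd'

printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
```

On a live host pipe sudo netstat -lptn into exposed_listeners. The column layout of ss -ltnp differs, so this filter is specific to netstat; the postfix listener on 127.0.0.1:25 in the sample is the kind of entry that correctly drops out.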

   1.3 Netfilter and iptables
     The iptables command is the user-space management tool for Netfilter. Netfilter performs packet filtering, NAT and packet alteration inside the kernel, which frees it from the restrictions that apply to user-space programs; this is especially useful for dedicated firewall and router hosts.

     1.3.1 Tables
     Netfilter has four built-in tables that can hold rules for processing traffic. The first is the filter table, the default table, which holds all rules related to filtering your traffic. The second is nat, which handles NAT rules. Next is the mangle table, which covers a variety of packet alteration functions. Last is the raw table, which is used to exempt packets from connection tracking and is consulted before any other Netfilter table.
     1.3.2 Chains
     Each of the Netfilter tables (filter, nat, mangle and raw) contains a set of predefined chains, attached to Netfilter's hooks, that are processed in order. Where several tables have a chain on the same hook, raw is consulted first and mangle next; whether nat or filter follows depends on the hook (the nat table's destination-NAT chains run before filter, its source-NAT chains after it).

   Built-in Chains
Chain         Description
INPUT         Sequences rules for packets arriving at the host's interface(s) and addressed to the host
              itself. Found in the filter and mangle tables (newer kernels also provide an INPUT chain
              in the nat table).
FORWARD       Sequences rules for packets routed through the host to another host. Found in the filter
              and mangle tables only.
OUTPUT        Sequences rules for outgoing packets generated by the host itself. Found in the filter,
              nat, mangle and raw tables.
PREROUTING    Alters packets before the routing decision, ahead of the other chains. Found in the nat,
              mangle and raw tables.
POSTROUTING   Alters packets after the routing decision and the other chains, just before they leave
              the interface(s). Found in the nat and mangle tables only.

For details, see the following link:
 http://javafreeman.blogspot.com/2012/03/netfilteriptables.html
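The table-to-chain mapping above is the thing people get wrong when writing rules by hand (a DROP policy on a chain the nat table does not have, or a rule appended to a chain that was never created). The following is an added example, not code from the original post: it emits a small gateway ruleset in iptables-restore format that touches the raw, nat and filter tables, and then lints any ruleset against the built-in chain mapping from the table above. The interface names and LAN prefix passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: emit a ruleset that uses the raw,
# nat and filter tables in iptables-restore format, then lint it against the
# built-in chain/table mapping listed above. Interface names and the LAN prefix
# used at the bottom are assumptions for illustration.

# gen_ruleset WAN_IF LAN_IF LAN_NET  -> ruleset on stdout
gen_ruleset() {
    wan=$1 lan=$2 net=$3
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw is consulted before connection tracking, so loopback traffic never enters conntrack
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source NAT happens after the routing decision, hence POSTROUTING
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# untracked loopback packets are not ESTABLISHED, so accept lo before the state rule
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# check_chains < ruleset: fail if a policy is set on a chain the table does not
# have, or a rule appends to a chain that was never declared in that table.
check_chains() {
    awk '
        BEGIN {
            tabchains["filter"] = " INPUT FORWARD OUTPUT "
            tabchains["nat"]    = " PREROUTING OUTPUT POSTROUTING "   # newer kernels add INPUT here
            tabchains["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
            tabchains["raw"]    = " PREROUTING OUTPUT "
            bad = 0
        }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ { table = substr($1, 2); split("", declared); next }
        /^:/ {
            chain = substr($1, 2); declared[chain] = 1
            # user-defined chains are declared with policy "-"; anything else must be built in
            if ($2 != "-" && index(tabchains[table], " " chain " ") == 0) {
                printf "table %s has no built-in chain %s\n", table, chain
                bad = 1
            }
            next
        }
        $1 == "-A" && !($2 in declared) {
            printf "table %s: rule appends to undeclared chain %s\n", table, $2
            bad = 1
        }
        END { exit bad }'
}

# Usage (assumed interfaces): lint, then print the ruleset.
gen_ruleset eth0 eth1 192.168.0.0/24 | check_chains && gen_ruleset eth0 eth1 192.168.0.0/24
```

To apply it, pipe gen_ruleset into sudo iptables-restore; the MASQUERADE rule only has an effect once forwarding is enabled with sysctl -w net.ipv4.ip_forward=1. The linter encodes the mapping from the table above, so on a kernel whose nat table has an INPUT chain, add INPUT to that entry.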






     
