DNS
add new dns
method 1:
1
2
3
4
5
6
7# step1: vim /etc/systemd/resolved.conf
[Resolve]
DNS=10.201.44.51 223.5.5.5 # new DNS
FallbackDNS=127.0.0.53
# step2: restart service
sudo systemctl restart systemd-resolvedmethod2: (有时候不起效)
1
2
3
4
5
6vim /etc/resolv.conf
# 注意:添加的dns解析地址,需要放在前面,会有顺序影响
nameserver 10.201.44.51 # new DNS
nameserver 223.5.5.5 # new DNS
nameserver 127.0.0.53
network
create new network
step1: vim /etc/netplan/ib.yaml
1 | network: |
step2: netplan apply
bond
create bond
Bonding Mode
| Mode | Max Speed (Single Flow) | Max Speed (Multiple Flows) | Key Feature |
|---|---|---|---|
| mode=0 (round-robin) | Sum of all slaves | Sum of all slaves | Best for maximizing bandwidth, may cause out-of-order packets. |
| mode=1 (active-backup) | One interface’s speed | One interface’s speed | Best for redundancy, no speed gain. |
| mode=2 (balance-xor) | One interface’s speed | Sum of all slaves | Good for performance; switch support required. |
| mode=4 (802.3ad - LACP) | One interface’s speed | Sum of all slaves | Efficient load balancing for multiple flows; requires switch support. |
| mode=5 (balance-tlb) | One interface’s speed | Sum of all slaves (outgoing only) | Adaptive transmit load balancing. |
| mode=6 (balance-alb) | One interface’s speed | Sum of all slaves | Adaptive load balancing without switch support. |
assume make ib7s400p0 to bond1, which have assigned ip 172.30.12.46 with ib7s400p0
optional: Load the Bonding Kernel Module
Ensure the bonding driver is loaded:
1 | sudo modprobe bonding |
To persist this across reboots:
1 | echo "bonding" | sudo tee /etc/modules-load.d/bonding.conf |
optional: Remove the IP Address from ib7s400p0
Since the bond interface will carry the IP, you must remove the IP from ib7s400p0 first:
1 | sudo ip addr del 172.30.12.61/24 dev ib7s400p0 |
Step 2: Create the Bond Interface (bond1)
Create the bond interface:
1 | sudo ip link add bond1 type bond |
Step 3: Configure Bonding Mode
For your use case, you can set mode=active-backup (best for redundancy with one NIC now) or mode=802.3ad (if planning for LACP in the future).
Set Active-Backup Mode (Recommended for 1 NIC Now)
1 | echo "active-backup" | sudo tee /sys/class/net/bond1/bonding/mode |
OR Set 802.3ad Mode (If Future Expansion is Planned)
1 | echo "802.3ad" | sudo tee /sys/class/net/bond1/bonding/mode |
Step 4: Add ib7s400p0 as a Slave
- Remove any IP address from ib7s400p0 (if it has one):
1 | sudo ip addr flush dev ib7s400p0 |
- Add ib7s400p0 to bond1:
1 | sudo ip link set ib7s400p0 down |
check: ethtool ib7s400p0
- Bring bond1 up:
1 | sudo ip link set bond1 up |
check: cat /proc/net/bonding/bond1
Step 5: Assign an IP Address
If using a static IP:
1 | sudo ip addr add 172.30.12.61/24 dev bond1 |
Or if using DHCP:
1 | sudo dhclient bond1 |
Try to force traffic through bond1 by removing the direct route through ib7s400p0
1 | sudo ip route del 172.30.12.0/24 dev ib7s400p0 |
Step 6: Persistent Configuration (Rocky 9 / RHEL 9) (optional)
To ensure the bond configuration persists after reboot:
- Create
/etc/sysconfig/network-scripts/ifcfg-bond1
1 | DEVICE=bond1 |
- Create
/etc/sysconfig/network-scripts/ifcfg-ib7s400p0
1 | DEVICE=ib7s400p0 |
- Restart NetworkManager to apply changes:
1 | sudo systemctl restart NetworkManager |
Step 7: Verify Configuration
- Check bond details:
1 | cat /proc/net/bonding/bond1 |
ib7s400p0 should now appear as a Slave Interface.
- Confirm IP address and route:
1 | ip a |
- Test connectivity:
1 | ping 172.30.12.47 # other same bond addr |
Step 8: Optional - Test Failover (For active-backup Mode)
1. Temporarily bring down ib7s400p0:
1 | sudo ip link set ib7s400p0 down |
2. Check bond1 status:
1 | cat /proc/net/bonding/bond1 |
In active-backup mode, bond1 should remain active (even though ib7s400p0 is down).
In 802.3ad mode, bond1 would go down since no alternate NIC exists yet.
Summary
Use active-backup mode if ib7s400p0 is the only slave (recommended now).
Use 802.3ad if planning to add more NICs for higher throughput in the future.
Ensure /etc/sysconfig/network-scripts/ configs are properly set for persistence.
ibtables
remove specify rule
1 | check iptables |
To remove the reject-with icmp-host-prohibited rule and allow all incoming traffic from external servers, follow these steps. This will disable the firewall’s default rejection of unmatched traffic.
Step 1: Remove the REJECT Rule in iptables
First, identify and delete the explicit REJECT rule in the INPUT chain.
Check current iptables rules (look for the REJECT line):
1 | sudo iptables -L INPUT -n --line-numbers |
Example output:
1 | Chain INPUT (policy ACCEPT) |
Delete the rule by its line number (e.g., line 5):
1 | sudo iptables -D INPUT 5 |
Step 2: Set Default Policy to ACCEPT (Optional)
If you want to allow all traffic by default (not recommended for security), set the INPUT chain policy to ACCEPT:
1 | sudo iptables -P INPUT ACCEPT |
Step 3: Save the Rules (Persist Across Reboots)
Save the changes to ensure they survive a reboot.
For systems using iptables-persistent:
1 | sudo netfilter-persistent save |
For systems using nftables (modern Linux):
If your system uses nftables , flush all rules and set a default ACCEPT policy:
1 | # Flush existing rules |
Step 4: Verify the Rules
Confirm the REJECT rule is gone and traffic is allowed:
1 | sudo iptables -L INPUT -n |
Important Notes
- Security Warning: Disabling firewall rules entirely (
ACCEPTpolicy) exposes your server to all traffic. Only do this in trusted environments. - If you only want to allow specific ports (e.g.,
6800), use targeted rules instead of disabling the firewall:1
2sudo iptables -I INPUT -p tcp --dport 6800 -j ACCEPT
sudo netfilter-persistent save - The
icmp-host-prohibitedrejection is part of theiptablesrules, not a separate service. Deleting the rule (Step 1) is sufficient to stop the blocking.