iptables optimization case
[root@ghzz ~]# vi /root/shell/iptables.sh
#!/bin/bash
#by qiuyuetao
#--------------------------------------------------------------------------
IPTAB=/sbin/iptables        # Define the iptables binary once
$IPTAB -F                   # Clear all rules of the current (filter) table
$IPTAB -X                   # Clear custom chains (must come after -F, or referenced chains cannot be deleted)
$IPTAB -Z                   # Clear counters
$IPTAB -t nat -F            # Clear all rules of the nat table
$IPTAB -t mangle -F         # Clear mangle table rules
$IPTAB -t raw -F            # Clear raw table rules
$IPTAB -X -t nat            # Clear custom chains in the nat table
$IPTAB -X -t raw
$IPTAB -X -t mangle
#--------------------------------------------------------------------------
$IPTAB -A INPUT -i lo -j ACCEPT               # Allow the loopback interface
$IPTAB -A INPUT -s 127.0.0.1 -j ACCEPT        # Allow the host itself
$IPTAB -A INPUT -s 192.168.0.0/22 -j ACCEPT   # Allow intranet access
$IPTAB -A INPUT -s 119.161.189.1 -j ACCEPT    # Allow the jump host (springboard) access
#--------------------------------------------------------------------------
$IPTAB -A INPUT -p icmp -j ACCEPT             # Allow icmp (ping)
$IPTAB -A INPUT -p tcp -m multiport --dport 80,22,3306,2188 -j ACCEPT   # Open service ports
$IPTAB -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Check the state of incoming packets: packets belonging to an established tcp connection,
# and packets related to such a connection, are allowed through.
$IPTAB -P INPUT DROP        # Everything not matched by the INPUT rules above is dropped
$IPTAB -P FORWARD DROP
$IPTAB -P OUTPUT ACCEPT
#--------------------------------------------------------------------------
${IPTAB}-save > /etc/sysconfig/iptables
## After changing rules with iptables -F/-X/-Z you must save them again (/etc/init.d/iptables save),
## otherwise they are lost on the next restart.
## -t specifies the table to save, e.g.: iptables-save -t filter > iptables.bak
To restore the backed-up iptables configuration:
iptables-restore < /etc/sysconfig/iptables
iptables daily configuration
Check whether the firewall is on
[root@m01 ~]# /etc/init.d/iptables status   # show whether iptables is running
iptables -F   # Clear the rules of the current table
iptables -X   # Clear custom chains
iptables -Z   # Clear counters
Turn on kernel forwarding
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then reload it:
sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
sysctl -p   # take effect
Add iptables module
lsmod                        # Show the modules currently loaded into the kernel
lsmod | egrep "nat|filter"   # Show which nat and filter modules are loaded
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack_ftp    # ftp connection tracking
modprobe ip_nat_ftp          # ftp nat module
modprobe ipt_state           # state module
Choice of enterprise firewall mode
Two ideas:
Visiting a park: 1. The default rule is allow; you only block what you explicitly want to keep out.
Watching a movie: 2. The default rule is deny; you only open what is explicitly needed. More secure.
# Allow ssh first, so the session you are configuring from is not cut off
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow the intranet IP address segment
iptables -A INPUT -d 172.16.1.0/24 -j ACCEPT
# Allow the loopback address in and out
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Modify default rule
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Add allowed services and ports
# Allow access to the http service, ports 80 and 443
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
# Only intranet ping is allowed
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 172.16.1.0/24 -j ACCEPT
# Allow ftp requests (related connections)
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow port mapping: ping replies and DNS traffic in both directions
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
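The default-deny procedure above (ssh and loopback first, then the DROP policy, then the allowed ports) is easier to get right if the whole table is written as one iptables-restore file and loaded atomically, with a timed rollback so a mistake does not lock you out. This is an added example, not a script from the original post: the network segment, ports and file paths are assumptions, and check_ruleset is a hypothetical sanity check, not an iptables feature.

```shell
#!/bin/sh
# Added example: build a default-deny filter table in iptables-restore format.
# INTRANET, SSH_PORT and WEB_PORTS are assumed values, not the post's environment.
INTRANET="172.16.1.0/24"
SSH_PORT=22
WEB_PORTS="80,443"

# Emit the complete filter table. Rule order matters: loopback and
# RELATED,ESTABLISHED come first, ssh is accepted before anything else,
# and the DROP policy is part of the same atomic load.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -s $INTRANET -j ACCEPT
-A INPUT -p tcp -m multiport --dport $WEB_PORTS -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -s $INTRANET -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in a ruleset (argument: the ruleset text).
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A'
}

# Sanity-check a ruleset before loading it: INPUT policy is DROP, an ssh
# ACCEPT exists, and the stateful ACCEPT precedes the ssh rule.
# Returns 0 when all three hold, 1 otherwise.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport $SSH_PORT -j ACCEPT" || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED' | cut -d: -f1 | head -n1)
    ssh=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT " | cut -d: -f1 | head -n1)
    [ -n "$est" ] && [ -n "$ssh" ] && [ "$est" -lt "$ssh" ]
}

# Load the ruleset atomically and start a timer that restores the previous
# rules after $1 seconds (default 60) unless the timer is killed. If the new
# rules cut off your session, you get the old ones back automatically.
# Needs root and a real iptables; not exercised by the checks below.
apply_with_rollback() {
    timeout="${1:-60}"
    rules=$(build_ruleset)
    check_ruleset "$rules" || { echo "ruleset failed sanity check, not loading" >&2; return 1; }
    iptables-save > /tmp/iptables.rollback
    printf '%s\n' "$rules" | iptables-restore
    ( sleep "$timeout" && iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "rules loaded; run: kill \$(cat /tmp/iptables.rollback.pid) to keep them"
}

# Usage: sh ruleset.sh show   (print the ruleset)
#        sh ruleset.sh apply  (load it with a 60 s rollback timer)
case "${1:-}" in
    show)  build_ruleset ;;
    apply) apply_with_rollback 60 ;;
esac
```

Once the new rules are confirmed working (ssh still answers), kill the rollback timer and save with iptables-save as the post does; until then the old table comes back on its own.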
NAT for sharing an Internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward   # Turn on kernel forwarding
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61
# All intranet 172.16.1.0 segment addresses reach the Internet through the IP 10.0.0.61
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
# MASQUERADE picks up the server's outgoing IP automatically, for interfaces whose address changes (for example openvpn)
Other application service rule cases
1) http service
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dport 8080,8081,8082 -j ACCEPT
iptables -A INPUT -p tcp --dport 22000:22030 -j ACCEPT   # a colon gives a port range, here 22000-22030
2) db data service
iptables -A INPUT -s 10.1.8.0/24 -p tcp --dport 3306 -j ACCEPT
3) snmp network management
iptables -A INPUT -s 10.1.8.0/24 -p udp --dport 161 -j ACCEPT
4) rsync real-time synchronization
iptables -A INPUT -s 10.1.8.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
5) nfs 2049, rpc 111 (NFS network file sharing, rpc)
iptables -A INPUT -s 10.1.8.0/24 -p udp -m multiport --dport 111,892,2049 -j ACCEPT
iptables -A INPUT -s 10.1.8.0/24 -p tcp -m multiport --dport 111,892,2049 -j ACCEPT
6) Allow all ping
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
7) Allow ping only from the intranet 172.16.1.0 segment
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 172.16.1.0/24 -j ACCEPT
8) keepalived vrrp (rule-file syntax, as written in /etc/sysconfig/iptables)
-A INPUT -d 172.16.1.0/24 -j ACCEPT
-A INPUT -p vrrp -j ACCEPT
9) zabbix ports
-A INPUT -p tcp -m tcp --dport 10050:10051 -j ACCEPT
-A INPUT -p udp -m udp --dport 10050:10051 -j ACCEPT
iptables security configuration
1) Rate-limit new connections
iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 100 -j ACCEPT
2) Limit ping: a burst of no more than 10, then 1 per second
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
3) Limit SYN (and SYN/ACK) packets to no more than 200 per second
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
Note: a limit rule with -j ACCEPT only accepts packets under the rate; packets above it fall through to the following rules and finally to the chain policy, so rules 1) to 3) only protect when that policy is DROP.
4) Guard against SYN-flood attacks
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
iptables -A syn-flood -j DROP
Prevent stealth scans and invalid TCP flag combinations:
# All of the bits are set
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Only FIN, URG and PSH set (xmas scan pattern)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
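The limit rules in this section share one pitfall: a -m limit rule that ends in ACCEPT or RETURN only decides the fate of packets under the rate, and the excess is handled by whatever comes next in the chain. The syn-flood chain gets this right by ending in DROP; a limit ACCEPT on a chain whose policy is ACCEPT enforces nothing. The following is an added example, not part of the original post: an awk-based check over iptables-save output that lists chains with a limit rule that has no later DROP and no DROP policy. The dump it ships with is constructed for the demonstration, and find_unenforced_limits is a name chosen here.

```shell
#!/bin/sh
# Added example: lint iptables-save output for rate-limit rules that cannot
# enforce anything because nothing after them drops the excess traffic.

# Constructed sample dump (not from a real host): syn-flood is correct,
# icmp-limit has a limit ACCEPT but no DROP behind it.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
:icmp-limit - [0:0]
-A INPUT -p tcp --syn -j syn-flood
-A INPUT -p icmp --icmp-type echo-request -j icmp-limit
-A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
-A syn-flood -j DROP
-A icmp-limit -m limit --limit 1/s --limit-burst 10 -j ACCEPT
COMMIT'

# Read an iptables-save dump on stdin and print, one per line, every chain that
# has a "-m limit ... -j ACCEPT/RETURN" rule with no later "-j DROP" in the
# same chain and whose policy is not DROP. Prints nothing when all is well.
find_unenforced_limits() {
    awk '
    /^:/ {
        # ":CHAIN POLICY [pkts:bytes]" -> remember the policy of each chain
        sub(/^:/, "", $1); policy[$1] = $2
    }
    /^-A / {
        chain = $2
        if ($0 ~ /-m limit/ && $0 ~ /-j (ACCEPT|RETURN)$/) limited[chain] = 1
        else if ($0 ~ /-j DROP$/ && limited[chain]) enforced[chain] = 1
    }
    END {
        for (ch in limited)
            if (!enforced[ch] && policy[ch] != "DROP") print ch
    }' | sort
}

# Usage: iptables-save | sh limit-lint.sh --stdin     (check the live rules)
#        sh limit-lint.sh --demo                      (check the built-in sample)
case "${1:-}" in
    --stdin) find_unenforced_limits ;;
    --demo)  printf '%s\n' "$SAMPLE" | find_unenforced_limits ;;
esac
```

On the sample the check reports icmp-limit; appending -A icmp-limit -j DROP (or giving the calling chain a DROP policy, as the post does for INPUT) makes the report empty.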