Hands-on: running iptables as an enterprise host firewall

iptables optimization case

[root@ghzz ~]# vi /root/shell/iptables.sh
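#!/bin/bash
#by qiuyuetao
#--------------------------------------------------------------------------
# Host firewall for a single server: reset every table, then allow loopback,
# the intranet, one jump host and a fixed list of TCP ports; everything else
# inbound is dropped.  Must run as root.  The result is persisted to
# /etc/sysconfig/iptables (RHEL/CentOS 6 layout).
#
# NOTE(review): this programs IPv4 only.  If IPv6 is enabled on the host,
# ip6tables keeps its own (default ACCEPT) policy and needs the same rules.
# NOTE(review): between the flush below and the last ACCEPT rule the host is
# briefly unprotected (or, if the old policy was DROP, briefly unreachable).
# Loading a complete ruleset with iptables-restore is atomic and avoids that.
set -euo pipefail

IPTAB=${IPTAB:-/sbin/iptables}   # iptables binary (override via environment)
readonly IPTAB

[[ $EUID -eq 0 ]] || { echo "$0: must run as root" >&2; exit 1; }
#--------------------------------------------------------------------------
# Reset.  Flush rules FIRST, then delete user chains: -X refuses to delete a
# chain that is still referenced by a rule, so the original -X/-Z/-F order
# left stale chains behind.  Counters are zeroed last.
for table in filter nat mangle raw; do
  "$IPTAB" -t "$table" -F
  "$IPTAB" -t "$table" -X
  "$IPTAB" -t "$table" -Z
done
#--------------------------------------------------------------------------
# Fast path first: replies to connections this host opened, plus related
# traffic (ICMP errors, FTP data), are accepted without walking the rest.
"$IPTAB" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTAB" -A INPUT -m state --state INVALID -j DROP
# Loopback: match on the interface, not on the 127.0.0.1 source address.
# A source-only rule (the original had one) also admits packets that arrive
# on a real NIC with a forged 127.0.0.1 source.
"$IPTAB" -A INPUT -i lo -j ACCEPT
"$IPTAB" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
"$IPTAB" -A INPUT -s 192.168.0.0/22 -j ACCEPT   # intranet
"$IPTAB" -A INPUT -s 119.161.189.1 -j ACCEPT    # jump host (trusted by IP only)
#--------------------------------------------------------------------------
"$IPTAB" -A INPUT -p icmp -j ACCEPT             # allow ping
# Service ports.  NOTE(review): 22 and 3306 (MySQL) are reachable from ANY
# source here; add -s for the intranet / jump host unless public access to
# the database is really intended.
"$IPTAB" -A INPUT -p tcp -m multiport --dports 80,22,3306,2188 -j ACCEPT
# Default policies are set last, so the allow rules are already in place
# when INPUT switches to DROP (setting DROP first cuts off the SSH session).
"$IPTAB" -P INPUT DROP
"$IPTAB" -P FORWARD DROP
"$IPTAB" -P OUTPUT ACCEPT
#--------------------------------------------------------------------------
# Persist, so the ruleset survives a reboot / service restart.
"${IPTAB}-save" > /etc/sysconfig/iptables
## Any later -F/-X/-Z on the live ruleset must be followed by
## /etc/init.d/iptables save (or another iptables-save) to be persisted.
## -t TABLE saves a single table, e.g.:
# iptables-save -t filter > iptables.bak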

To restore the saved configuration:

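# Load the saved ruleset atomically (replaces the live rules in one step).
# Fixed: the original was misspelled "iptables-restor".
iptables-restore < /etc/sysconfig/iptables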

iptables daily configuration

Check whether the firewall is running:

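# Is the service running, and which rules are currently loaded?
/etc/init.d/iptables status
# To start it: /etc/init.d/iptables start
# Clear the live ruleset.  The saved file (/etc/sysconfig/iptables) is not
# touched, so a service restart brings the old rules back.
# Do this from the console or while the INPUT policy is ACCEPT: with the
# policy at DROP, flushing removes the allow rules and locks remote sessions
# out.
iptables -F    # flush every rule in the filter table
iptables -X    # delete the (now empty) user-defined chains
iptables -Z    # zero the packet/byte counters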

Turn on kernel forwarding

Change net.ipv4.ip_forward from 0 to 1 in /etc/sysctl.conf:
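# Persistently enable IPv4 forwarding: flip the line in /etc/sysctl.conf,
# then reload so it takes effect without a reboot.
# Fixed: the original sed program had no s/// delimiters and no file
# argument, so it could not run.
# sed program that turns an existing "net.ipv4.ip_forward = 0" line into
# "= 1" (tolerates extra spaces around the '=').
forward_on='s/^net\.ipv4\.ip_forward *= *0/net.ipv4.ip_forward = 1/'
sed -i "$forward_on" /etc/sysctl.conf
sysctl -p    # re-read /etc/sysctl.conf and apply it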

Load the iptables kernel modules

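lsmod                          # list the kernel modules currently loaded
lsmod | grep -E "nat|filter"   # only the nat / filter related ones
# Load the netfilter modules the ruleset depends on.  These are the legacy
# 2.6-era names; on current kernels modprobe usually resolves them through
# aliases, but the canonical names are nf_conntrack, nf_conntrack_ftp,
# nf_nat_ftp and xt_state.  NOTE(review): on newer kernels the FTP helper
# is no longer attached automatically (nf_conntrack_helper defaults to 0) —
# a CT --helper rule in the raw table is needed as well; confirm for your
# kernel.
modprobe ip_tables
modprobe ip_conntrack          # connection tracking
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack_ftp      # FTP connection-tracking helper
modprobe ip_nat_ftp            # FTP NAT helper
modprobe ipt_state             # the "-m state" match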

Choice of enterprise firewall mode

Two approaches:

The "park" model:

1. Default allow: everything is permitted unless a rule blocks it (like a public park that anyone can walk into).

The "cinema" model:

2. Default deny: nothing is permitted unless a rule allows it (like a cinema that only admits ticket holders). This is the more secure choice and is what the rules below implement.

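# SSH from anywhere.  Tighten with -s if only the intranet / jump host needs it.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow the intranet segment.  Match on the SOURCE address: the original
# used -d, which accepts any packet addressed to the host's 172.16.1.x
# interface no matter where it came from (verify this is what was intended).
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
# Loopback, in and out
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT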

Set the default policies

# Default policies: deny inbound and transit traffic, permit outbound.
# Set these only AFTER the allow rules above are loaded — a DROP policy on
# INPUT with no ACCEPT for port 22 yet cuts off the current SSH session.
for chain in INPUT FORWARD; do
  iptables -P "$chain" DROP
done
iptables -P OUTPUT ACCEPT

Add allowed services and ports

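# Web: 80 and 443 from anywhere
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Echo-request (ping) from the intranet only
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 172.16.1.0/24 -j ACCEPT
# Replies to connections this host initiated (DNS lookups, FTP data, ...)
# and related traffic.  This line was commented out in the original, which
# is why the per-source-port rules below were needed; keep it enabled.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Inbound DNS queries — only needed if this host itself serves DNS.
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# Removed: the original also accepted every packet with --sport 53 (UDP and
# TCP) and every ICMP echo-reply.  A source-port match is attacker-
# controlled: anyone can send from port 53 and reach any closed port.  With
# the state rule above, legitimate DNS answers and ping replies are already
# ESTABLISHED and need no separate rule.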

NAT: sharing an Internet connection

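# Turn on IPv4 forwarding for this boot (make it persistent in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward only the intranet's own traffic out, and the replies back in.
# The original accepted ALL forwarding, which turns the box into an open
# router for anything that can reach it.
iptables -t filter -A FORWARD -s 172.16.1.0/24 -j ACCEPT
iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Source-NAT the intranet to the public address when it leaves via eth0,
# so 172.16.1.0/24 reaches the Internet as 10.0.0.61.
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61
# MASQUERADE picks the outgoing interface's address at run time — use it
# when the public IP is not fixed (e.g. an OpenVPN uplink).  Appended after
# the SNAT rule, so it only catches intranet traffic leaving through some
# other interface than eth0.
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE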

Other application service rule cases

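# 1) HTTP application ports, intranet only
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 8080,8081,8082 -j ACCEPT
# A colon gives a port range: 22000-22030.  Open to any source here — add
# -s if only known clients need it.
iptables -A INPUT -p tcp --dport 22000:22030 -j ACCEPT

# 2) Database: MySQL, from the application subnet only
iptables -A INPUT -s 10.1.8.0/24 -p tcp --dport 3306 -j ACCEPT

# 3) SNMP monitoring (UDP 161), management subnet only
iptables -A INPUT -s 10.1.8.0/24 -p udp --dport 161 -j ACCEPT

# 4) rsync daemon (873) for real-time sync, from the sync peers' subnet
iptables -A INPUT -s 10.1.8.0/24 -p tcp --dport 873 -j ACCEPT

# 5) NFS: rpcbind 111, mountd 892, nfsd 2049, over both UDP and TCP.
#    892 is only correct if mountd's port is pinned (MOUNTD_PORT in
#    /etc/sysconfig/nfs); otherwise it is chosen at random and this rule
#    silently misses it.
for proto in udp tcp; do
  iptables -A INPUT -s 10.1.8.0/24 -p "$proto" -m multiport --dports 111,892,2049 -j ACCEPT
done

# 6) Allow all ICMP (same as "--icmp-type any": echo plus the error types
#    the stack relies on, e.g. fragmentation-needed for PMTU discovery)
iptables -A INPUT -p icmp -j ACCEPT

# 7) Allow echo-request from the 172.16.1.0/24 segment only
#    (fixed: the original ended in "ACCEP")
iptables -A INPUT -p icmp --icmp-type 8 -s 172.16.1.0/24 -j ACCEPT

# 8) keepalived / VRRP.  The original lines were in iptables-save syntax
#    (no "iptables" command) and matched the intranet with -d; match it as
#    the SOURCE, and accept VRRP advertisements, which go to the multicast
#    group 224.0.0.18 (drop the -d if keepalived runs in unicast mode).
iptables -A INPUT -s 172.16.1.0/24 -j ACCEPT
iptables -A INPUT -p vrrp -d 224.0.0.18 -j ACCEPT

# 9) zabbix agent (10050) and server/proxy (10051).  Zabbix uses TCP only;
#    the original second line ("-p tcp -m udp") is rejected by iptables.
#    Restrict with -s to the zabbix server(s) where possible.
iptables -A INPUT -p tcp --dport 10050:10051 -j ACCEPT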

iptables hardening rules

1) Rate limiting new connections

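# Limit NEW connections (SYN) per source to 100/s with a burst of 100, and
# DROP whatever exceeds it.
# Why not the original "-m limit ... -j ACCEPT"?  (1) An ACCEPT of the in-
# limit SYNs placed ahead of the port rules admits a SYN to ANY port, and
# the rest of that connection then passes as ESTABLISHED.  (2) Without a
# matching DROP, the over-limit SYNs simply continue down the chain and are
# accepted by the per-port rules anyway.  (3) -m limit is one global bucket,
# so a single flooding source throttles every client; hashlimit keyed on
# srcip isolates it.
iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-mode srcip \
  --hashlimit-above 100/s --hashlimit-burst 100 --hashlimit-name syn-per-src -j DROP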

2) Limit forwarded pings to 1 per second, with a burst of 10

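# Pass at most 1 echo-request per second (burst 10) through the FORWARD
# chain; with the chain policy at DROP and no later ICMP ACCEPT, the excess
# is dropped.  Fixed: "FORWAD" and "ACCPET" were misspelled.  If the intent
# was to protect this host itself, the rule belongs in INPUT, not FORWARD.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT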

3) Limit new SYNs (SYN set, ACK and RST clear) to 20 per second after an initial burst of 200

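# Global SYN rate limit: 20/s sustained after a burst of 200, DROP the
# excess.  "--tcp-flags SYN,RST,ACK SYN" is the same match as "--syn".
# The original accepted the in-limit SYNs instead, which (a) opens every
# port at that rate when placed ahead of the port rules and (b) lets the
# excess fall through to later ACCEPTs.  hashlimit with no --hashlimit-mode
# behaves like -m limit (a single bucket), so the semantics of the text
# above are kept.
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m hashlimit \
  --hashlimit-above 20/sec --hashlimit-burst 200 --hashlimit-name syn-global -j DROP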

4) Guarding against SYN floods

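# SYN-flood guard through a dedicated chain: new SYNs are diverted to
# syn-flood, RETURNed to INPUT while under 5000/s (burst 200), dropped
# beyond that.  Insert the jump BEFORE the port ACCEPT rules or it never
# sees the SYNs.
# Fixed: the original used single-dash "-syn", "-limit" and "-limit-burst",
# which iptables parses as short options ("-s yn", ...) and rejects, and
# "--syn" requires "-p tcp".
# NOTE(review): 5000/s is far above the 100-200/s used earlier on this page;
# tune to the host's real connection rate.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
iptables -A syn-flood -j DROP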
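# Drop stealth scans and impossible TCP flag combinations.  Rules match in
# order, so these must sit ahead of any ACCEPT rule to have an effect.  On a
# conntrack-enabled host a single "-m state --state INVALID -j DROP" catches
# most of the same packets.  (The descriptions were free text between the
# commands in the original, which breaks a script; they are comments now.)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP          # every flag set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP         # no flag set (NULL scan)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP  # FIN+URG+PSH only (XMAS scan)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # SYN and RST both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # SYN and FIN both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP  # FIN and RST both set
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP      # FIN without ACK (FIN scan)
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP      # PSH without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP      # URG without ACK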

Tags: iptables network firewall Linux

Posted on Sun, 02 Feb 2020 10:40:09 -0500 by payney