Iptables security policy

This is the 8th day of my participation in Gwen Challenge

Iptable is a set of firewall services on Linux, which actually calls the Netfilter kernel module. Netfilter is a packet processing module in the core layer of Linux operating system.

Netfilter function
- Network address translation
- Packet Content modification
- Packet filtering firewall function

Differences between iptables and Firewalld

1. Iptables allows access to services or data packets by default. For example, you can set specific rules to block access to certain data packets. 2. Firewalld denies access to all packets by default. Only when a packet is allowed to meet a certain rule can the corresponding setting be performed. 3. Firewalld uses the concept of zones for data security management, which is divided into many zones for security management, while Iptables does not partition and directly sets rules.Copy the code

Iptables security rules

Table 4

Filter table: the default table for filtering data packets
NAT table: Used for network address translation (IP address, port)
Mangle table: used to modify the service type and TTL of data packets, and configure routes to achieve QOS
Raw: Used to determine whether a packet is processed by the status tracing mechanism

Article 5 the chain

INPUT chain: Incoming packets apply the rules in this rule chain
OUTPUT chain: Outgoing packets apply the rules in this rule chain
FORWARD: forwards packets to apply the rules in the rule chain
PREROUTING chain: The rules in this chain apply before routing packets
POSTROUTING chain: The rules in this chain are applied after routing packets

Common Parameter Options

-A adds one or more new rules to the specified chain
-d Deletes one or more rules from the specified chain
-n Creates a user-defined chain
-f specifies the policies in the rule chain or all rule chains, usually at table initialization
-x deletes the specified user-defined link (the link policy must be cleared first).
-p Specifies the packets of certain protocols, such as TCP, UDP, and ICMP
-s specifies the source address of the IP address [/ mask]
-d specifies the destination IP address of the IP address [/ mask]
-i Specifies the interface through which packets are sent. If multiple network adapters are used, you may need to specify the interface

Iptables -f Clears rules By default, there are three rule chains: INPUT, OUTPUT, and FORWARDCopy the code

In some cases

Iptables -A INPUT -I lo -j ACCEPT if ["$LOCAL_NET" if ["$LOCAL_NET" ]; Then iptables -A INPUT -p TCP -s $LOCAL_NET -j ACCEPT fi ALLOW_HOSTS=(# X.X.X.X "" X.X.X.X") if [ "${ALLOW_HOSTS}" ]; then for allow_host in ${ALLOW_HOSTS[@]} do iptables -A INPUT -p tcp -s $allow_host -j ACCEPT done fiCopy the code

If ["${DENY_HOSTS}"] then for deny_host in =(# drop list "xxx.xxx.xxx.xxx" "XXX.xxx.xxx" ${DENY_HOSTS[@]} do iptables -A INPUT -s $deny_host -m limit --limit 1/s -j LOG --log-prefix "deny_host: " iptables -A INPUT -s $deny_host -j DROP done fiCopy the code

Iptables -n SYN_FLOOD iptables -a SYN_FLOOD -p TCP -- SYN \ -m hashlimit \ --hashlimit 200/s \ # Maximum of 200 connections per second --hashlimit-burst # If the number of connections exceeds the above limit three times in a row, there will be a limit. --hashlimit-htable-expire 300000 \ # Manage the expiration of entries in the table (unit: Ms) --hashlimit-mode srcip # number of requests managed by source address --hashlimit-name t_SYN_FLOOD # hash table names stored in /proc/net/ipt_hashlimit -j RETURN iptables -A SYN_FLOOD -j LOG --log-prefix "syn_flood_attack: " iptables -A SYN_FLOOD -j DROP iptables -A INPUT -p tcp --syn -j SYN_FLOODCopy the code

Iptables -a PING_OF_DEATH -p icmp --icmp-type echo-request \ -m hashlimit  \ --hashlimit 1/s \ --hashlimit-burst 10 \ --hashlimit-htable-expire 300000 \ --hashlimit-mode srcip \ --hashlimit-name  t_PING_OF_DEATH \ -j RETURN iptables -A PING_OF_DEATH -j LOG --log-prefix "ping_of_death_attack: " iptables -A PING_OF_DEATH -j DROP iptables -A INPUT -p icmp --icmp-type echo-request -j PING_OF_DEATHCopy the code

HTTP is also based on a layer 4 policy, which is based on TCP. It is not set based on the cookie session of layer 7 sessions. This is a TCP connection, but only a specific service port is specified to access, so that the frequency limit. iptables -N HTTP_DOS iptables -A HTTP_DOS -p tcp -m multiport --dports $HTTP \ -m hashlimit \ --hashlimit 1/s \ --hashlimit-burst 100 \ --hashlimit-htable-expire 300000 \ --hashlimit-mode srcip \ --hashlimit-name t_HTTP_DOS \ Ipt_hashlimit -j RETURN iptables -A HTTP_DOS -j LOG --log-prefix "http_dos_attack: " iptables -A HTTP_DOS -j DROP iptables -A INPUT -p tcp -m multiport --dports $HTTP -j HTTP_DOSCopy the code

Iptables -A INPUT -p TCP -m multiport --dports $HTTP -j ACCEPT iptables -A INPUT -p TCP -m multiport --dports $HTTP -j ACCEPT LIMITED_LOCAL_NET="xxx.xxx.xxx.xxx/xx" if [ "$LIMITED_LOCAL_NET" ] then # SSH iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $SSH -j ACCEPT # LIMITED_LOCAL_NET -> SELF # FTP iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $FTP -j ACCEPT # LIMITED_LOCAL_NET -> SELF # MySQL iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $MYSQL -j ACCEPT # LIMITED_LOCAL_NET -> SELF fi ZABBIX_IP="xxx.xxx.xxx.xxx" if [ "$ZABBIX_IP" ] then iptables -A INPUT -p tcp -s $ZABBIX_IP --dport 10050 -j ACCEPT fiCopy the code

Iptable is a set of firewall services on Linux, which actually calls the Netfilter kernel module. Netfilter is a packet processing module in the core layer of Linux operating system.

Differences between iptables and Firewalld

Iptables security rules

Table 4

Article 5 the chain

Common Parameter Options

In some cases

Related Posts

Spring uses Redis to design a simple access counter

Summary of the singleton pattern for C++ thread safety

Is RedLock the silver bullet of Redis distributed lock?