1. An iptables firewall does not stop DDoS attacks. When implementing a project, we recommend buying a hardware firewall and placing it in front of the whole system to block DDoS attacks and port scanning. If you have special security requirements, an application-level firewall such as the Tiantai firewall is powerful: ① the Tiantai web application firewall fully inspects the packet header and payload and validates the input that clients send to the web application, giving comprehensive protection against known and emerging web application threats such as SQL injection, XSS, worms, hacker scans and attacks; ② the Tiantai web application firewall defends against the DDoS attacks that are rampant in China; bandwidth- and resource-exhaustion DDoS attacks against web applications are handled easily, and in particular it provides fine-grained protection against application-layer DDoS attacks. Its other advantages are not described here.
2. During project implementation, we recommend disabling the Linux server's iptables firewall or FreeBSD's ipfw in order to: ① improve the network performance of the back-end servers; ② ease the flow of data within the whole business system, with the security work taken over by the hardware firewall.
3. I currently use iptables mainly for internal NAT firewalls. The performance of iptables and its convenience of management are indeed strong. A Thunder download test shows that the company's 10 M bandwidth can be used to the full; the software router commonly used in Wuhan is Sea Spider, which is itself a secondary development of iptables. For the routers I have deployed for friends' Internet cafés over the past two years I strongly recommend iptables for NAT route forwarding, which has proved very effective.
4. In iptables, -L is a command, while -v and -n are only options; they cannot be combined as in -Lvn. To list the firewall rules in detail, use iptables -nv -L.
5. If you are debugging an iptables firewall remotely, it is best to set up a crontab job that stops the firewall at regular intervals so that you do not lock yourself out: stop iptables once every 5 minutes, and remove the crontab job once the whole script is completely stable.
6. If you use a default-deny policy, you must immediately allow the loopback interface lo (because the deny also covers lo). Note: the loopback interface lo is a dedicated network interface in Linux used to provide local and network-based services. Instead of sending local traffic through the network interface driver, the data is sent through the operating system's loopback interface; this shortcut greatly improves performance.
7. If a server is hosted at a telecom or dual-line data center and no front-end hardware firewall is configured, a Linux host must enable the iptables firewall and a Windows 2003 host must enable its built-in system firewall, and both should disable ping.
8. If the project budget allows, the front-end hardware firewall should also be deployed as a redundant dual-host pair, so that the whole website does not go down because of a single firewall failure; there is always a moment when one device cannot take the load, and with two machines the probability of a website outage is much lower.
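The following shell script is an added example, not code from the original post: it puts points 5, 6 and 7 into practice with a default-deny INPUT ruleset in iptables-restore format that admits lo before any other rule, keeps SSH open from an admin network, relies on the DROP policy to block ping, and prints the cron safety net that reopens the firewall every 5 minutes during remote debugging. SSH_PORT and ADMIN_NET are assumed values, and the lo-ordering check is the script's own sanity test.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny INPUT policy that
# admits the loopback interface first, plus a cron safety net for remote work.
# SSH_PORT and ADMIN_NET are assumed values; set them for the real host.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed placeholder admin network

# Print a complete ruleset in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The DROP policy covers lo too, so allow it before any other INPUT rule.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep the remote-administration path open, from the admin network only.
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# No ICMP echo-request rule is needed: the default DROP already blocks ping.
COMMIT
EOF
}

# Sanity check before loading: the lo ACCEPT must be the first INPUT rule,
# otherwise local services break under the default-deny policy. Returns 0 if so.
check_lo_first() {
    first=$(gen_rules | grep '^-A INPUT' | head -n 1)
    [ "$first" = "-A INPUT -i lo -j ACCEPT" ]
}

# /etc/cron.d entry that opens the firewall every 5 minutes while the ruleset
# is being debugged remotely; remove it once the rules are known to be stable.
safety_cron_line() {
    printf '%s\n' '*/5 * * * * root /sbin/iptables -P INPUT ACCEPT && /sbin/iptables -F INPUT'
}

# Load the rules atomically (run as root on the target host).
apply_rules() {
    check_lo_first || { echo "refusing to load: lo is not the first rule" >&2; return 1; }
    gen_rules | iptables-restore
}

# Usage: sh firewall.sh apply   (prints the ruleset and cron line otherwise)
case "${1:-show}" in
    apply) apply_rules ;;
    *) gen_rules; echo "# cron safety net:"; safety_cron_line ;;
esac
```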
This article is from the "fuqin liquor" blog; please keep this source: http://andrewyu.blog.51cto.com/1604432/502391