How to configure a powerful firewall: iptables configuration (1)

Source: Internet
Author: User


Today, I will lead you to build a powerful firewall for your servers! Let's get started ~

What is iptables?

iptables is a firewall built into the Linux kernel. It filters packets sent by external hosts before they reach our system. We define the filtering rules and decide which packets may enter our computer and which are not allowed in. This lets our servers run more securely in a public network environment.
Follow along and learn it in practice.

Preparations

First, you need two hosts, one as the client and the other as the server, placed on the same LAN.
Then install an httpd server on the server host and add an index.html to it as a web page.
PS: httpd server setup please move to http://jingyan.baidu.com/article/64d05a025cdf69de55f73be5.html

OK. The server and client are built. The IP address of my server is 192.168.100.1 and the IP address of the client is 192.168.100.2.
The preparation is now complete! Next, let's start with a simple iptables configuration.

Create an iptables HelloWorld

First, we use a Linux stress test command on the client to send a large number of requests to the server:

// Send 3000 requests to the server, 3000 of them concurrently (-n total requests, -c concurrency)
[root@Svr107 bin]# ab -n 3000 -c 3000 http://192.168.100.1/index.html
// The returned results are as follows:
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.100.1 (be patient)
Completed 300 requests
Completed 600 requests
Completed 900 requests
Completed 1200 requests
Completed 1500 requests
Completed 1800 requests
Completed 2100 requests
Completed 2400 requests
Completed 2700 requests
Completed 3000 requests

PS: AB command details, please move to http://blog.chinaunix.net/uid-20382003-id-3032167.html

Next, let's go to the server and check the load of the current server.
The netstat command can be used to view the ip addresses of all current requests to our servers:

// View the current connections to the server
[root@iZ28st035lsZ init.d]# netstat
// return result
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 115.28.217.42:http      218.2.216.4:54823       SYN_RECV
tcp        0      0 115.28.217.42:http      218.2.216.4:54818       SYN_RECV
tcp        0      0 115.28.217.42:http      218.2.216.4:54817       SYN_RECV
...
// In fact, there are many more entries, which are omitted here

Through the netstat command, we can see that the server is being flooded with requests from a single client.
For a server, this situation is very dangerous: its memory and bandwidth will soon be exhausted by that one host, so other hosts can no longer reach the server. This is also a common means of attack. So how should we prevent it?

The method is as follows: when we find that an ip address is sending an abnormal number of requests to the server, we limit the number of connections allowed from that ip address and set the maximum to 10. Once the ip address already holds 10 connections at the same time, the firewall rejects any further request.

// This command adds a rule to iptables that limits the number of concurrent connections from the attacker's ip address; connections above the limit are rejected.
// -I INPUT inserts the rule at the top of the INPUT chain, so it has the highest priority
// -p tcp matches packets whose transport protocol is tcp
// --dport 80 matches packets whose destination port is 80 (the httpd server)
// -s xxx.xx.xx.xx matches only packets from the attacker's ip address (replace with the real address)
// -m connlimit --connlimit-above 10 matches once that source already holds more than 10 connections
// -j REJECT rejects the matching packet, so the client sees "Connection refused"
iptables -I INPUT -p tcp --dport 80 -s xxx.xx.xx.xx -m connlimit --connlimit-above 10 -j REJECT

Now, after setting the iptables rule, let the client send 1000000 requests to the server again. This time the client sees "Connection refused": the server is rejecting the connections.

If you change the client's concurrency to 5, the requests go through and no error is reported:

[root@Svr107 bin]# ab -n 3000 -c 5 http://192.168.100.1/index.html
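The detection and rule-building steps above (spot the ip address with an abnormal number of connections in netstat, then apply the connlimit rule) as a small shell script. This is an added example, not code from the original article; it assumes numeric `netstat -nt` output and only prints the iptables rule so an operator can review it before running it.

```shell
# Added example (not from the original article): find remote addresses holding an
# abnormal number of connections to port 80 in `netstat -nt` output and print the
# connlimit rule from the article for each one. Nothing here changes the firewall.

# Constructed sample of `netstat -nt` output: 12 half-open connections from
# 192.168.100.2 (the article's client) and 2 from another host.
sample_netstat() {
    echo 'Active Internet connections (w/o servers)'
    echo 'Proto Recv-Q Send-Q Local Address           Foreign Address         State'
    i=0
    while [ "$i" -lt 12 ]; do
        echo "tcp        0      0 192.168.100.1:80        192.168.100.2:$((54800 + i))     SYN_RECV"
        i=$((i + 1))
    done
    echo 'tcp        0      0 192.168.100.1:80        192.168.100.3:40001     ESTABLISHED'
    echo 'tcp        0      0 192.168.100.1:80        192.168.100.3:40002     ESTABLISHED'
}

# count_by_peer PORT: reads netstat -nt on stdin and prints "COUNT IP" per remote
# address connected to local PORT, highest first. The port suffix is stripped with
# sub() rather than split() so IPv6 peers (which also contain colons) stay intact.
count_by_peer() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") {
            peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# peers_above PORT LIMIT: prints only the addresses holding more than LIMIT
# connections, i.e. the ones the article's rule would start rejecting.
peers_above() {
    count_by_peer "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# rule_for PORT IP LIMIT: the per-source limit from the article. Note that
# connlimit counts concurrent connections, not requests: the 11th parallel
# connection is rejected, while 3000 sequential requests over 5 connections pass.
rule_for() {
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -m connlimit --connlimit-above %s -j REJECT\n' "$1" "$2" "$3"
}

# Walk the sample and print a rule for each offending address.
sample_netstat | peers_above 80 10 | while read -r ip; do rule_for 80 "$ip" 10; done
```

On a real server, replace `sample_netstat` with `netstat -nt` and pipe the printed rules into the shell only after checking that no legitimate address (a NAT gateway, a load balancer) is on the list.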

Now, a HelloWorld is complete. Next we will systematically learn about iptables configuration.
