Build a high-security e-commerce website-Linux Server iptables rule list Overview [connected E-commerce system architecture]

Source: Internet
Author: User

Source: http://jimmyli.blog.51cto.com/ ("I'm standing on the shoulders of giants", Jimmy Li)
By Jimmy Li
Key words: e-commerce system architecture, vsftpd, local user logon, virtual user logon
------ [Connected e-commerce system architecture] Technical architecture of e-commerce websites with more than 1 million visits
Server security has always been a top priority for websites, and there are many security solutions to choose from. For a Linux server the most common firewall is iptables. iptables is the standard firewall software on Linux; its rules are flexible and its feature set is probably the broadest available, so it is the first choice of Linux system administrators, and for a high-security e-commerce website it is the one piece of security software a server cannot do without. The order of the rules in an iptables chain is very important: rules are evaluated from top to bottom, so if the first rule accepts everything, every packet passes the firewall no matter what follows. Arrange the rules with this in mind. The general principle is: deny everything by default and allow only the few things that are needed.
In actual use the complete iptables rule set is applied on every server, as in the following diagrams. [Two diagrams from the original post are not reproduced here.]
However, if you know iptables well, you can configure it yourself and match or even exceed the effectiveness of a hardware firewall. This article covers:
1. A worked instance: the list of iptables rules of a high-security e-commerce website.
2. Based on that instance, the basic iptables operations: installing iptables, clearing rules, opening only the specified ports, blocking a specified IP address or IP range and unblocking it again, and deleting rules that were added.
3. The key port settings in detail, in particular how to write iptables rules for FTP so that both FTP active mode and FTP passive mode work.

iptables rule instance: list of iptables rules of an e-commerce website

Iptables
    ==========================================================================================
    # iptables conf /etc/sysconfig/iptables
    # Created by http://jimmyli.blog.51cto.com/
    # Last Updated 2010.10.17
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 873 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 3306 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 30000:30030 --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    ==========================================================================================

How to use this rule list of an e-commerce website:
1. Edit /etc/sysconfig/iptables (vim /etc/sysconfig/iptables) and add the content above to it, or replace the file's content with it.
2. Make the rules take effect: service iptables restart.
3. In the rules above only the following ports are opened: 22 (ssh), 21 (FTP), 80 (web), 3306 (MySQL) and 8000; ports 30000 to 30030 are the FTP passive-mode range. Everything else is forbidden. Modify the list as your own needs require.
Tip: this rule list supports both FTP active mode and FTP passive mode; that is the key point of the special FTP port handling.
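As an added example (not the original post's file and not a script from the blog), the same default-deny rule list written as a shell script of explicit iptables commands, so it can be applied and, more importantly, reviewed before it is applied: with DRY_RUN=1 it prints the commands in the order they would be installed instead of executing them. The port list, the ESTABLISHED,RELATED rule, the protocol 50/51 rules and the final REJECT are the post's; the script adds rules directly to INPUT instead of the RH-Firewall-1-INPUT sub-chain, and the DRY_RUN and IPT variables, the run/apply_rules helpers and the file name firewall.sh are assumptions of this example. The comment about pasv_min_port/pasv_max_port refers to the real vsftpd options of those names.

```shell
#!/bin/sh
# Added example (not the original post's own file): the post's rule list
# expressed as explicit iptables commands, so it can be applied from a
# script instead of editing /etc/sysconfig/iptables by hand.
# Set DRY_RUN=1 to print the commands instead of running them, which lets
# the final rule order be reviewed before anything changes on a server.
set -eu

IPT="${IPT:-iptables}"
# TCP ports opened for NEW connections, taken from the post's rule list.
# 30000:30030 is the FTP passive-mode data range; it has to match
# pasv_min_port / pasv_max_port in vsftpd.conf or passive transfers hang.
TCP_PORTS="22 21 80 873 3306 8080 30000:30030"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # Flush first so re-running the script does not duplicate rules
    run -F INPUT
    run -F FORWARD
    # Loopback, tracked connections and ICMP go first: they match most
    # packets, and ESTABLISHED,RELATED is what lets the replies to the
    # server's own FTP active-mode data connections (port 20 -> client) in.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p icmp --icmp-type any -j ACCEPT
    # IPsec ESP (protocol 50) and AH (protocol 51), as in the RH template
    run -A INPUT -p 50 -j ACCEPT
    run -A INPUT -p 51 -j ACCEPT
    # Only NEW connections to the published services are accepted
    for port in $TCP_PORTS; do
        run -A INPUT -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
    done
    # Deny everything else. This must remain the last rule in the chain:
    # an unconditional ACCEPT placed above it would let every packet through.
    run -A INPUT -j REJECT --reject-with icmp-host-prohibited
    run -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# Number of ACCEPT rules the script installs, computed from a dry run
accept_rule_count() {
    DRY_RUN=1 apply_rules | grep -c -- '-j ACCEPT'
}

# Target of the final INPUT rule, computed from a dry run (should be REJECT)
final_input_target() {
    DRY_RUN=1 apply_rules | grep -- '-A INPUT ' | tail -n 1 | sed 's/.* -j \([A-Z]*\).*/\1/'
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (review)   or   sh firewall.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Keep the ssh rule in the list when adapting this to a remote server: the flush at the start of apply_rules drops the existing rules, and because the chain policy stays ACCEPT until the final REJECT is appended, the window between flush and REJECT is open rather than closed, which is why the reviewable dry run is worth the extra lines.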
Attached: the system default template
    ==========================================================================================
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    ==========================================================================================

iptables is the common firewall software on Linux. The following describes the basic iptables operations: installing iptables, clearing its rules, opening only the specified ports, blocking specified IP addresses and IP ranges and unblocking them again, and deleting rules that were added. For more options run iptables --help or look up the iptables parameters online.

1. Install the iptables firewall
If iptables is not installed yet, install it first. On CentOS run: yum install iptables
On Debian/Ubuntu run: apt-get install iptables
2. Clear the existing iptables rules
# -F flushes all rules, -X deletes the user-defined chains, -Z zeroes the packet and byte counters
iptables -F
iptables -X
iptables -Z
3. Open the specified ports
# Allow the loopback interface (the local machine talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this host to access any external host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Other ports follow the same pattern; only the port number in the line above changes.
# Reject everything the rules above did not permit
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
4. Block IP addresses
# If you only want to block IP addresses, you can skip "3. Open the specified ports".
# Block a single IP address:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block the whole range from 123.0.0.1 to 123.20.255.254:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block the IP range from 123.45.0.1 to 123.45.255.254:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block the range from 123.45.6.1 to 123.45.6.254:
iptables -I INPUT -s 123.45.6.0/24 -j DROP
5. View the added iptables rules
iptables -L -n
-v: show details, including the number of packets and bytes that matched each rule
-x: with -v, disable the automatic conversion of the counters into K and M units
-n: show IP addresses and port numbers only; do not resolve IP addresses to host names

6. Delete an added iptables rule
Show all iptables rules with line numbers: iptables -L -n --line-numbers
For example, to delete rule number 8 in INPUT, run: iptables -D INPUT 8
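The post lists rules with iptables -L -n and deletes them by number; as an added example (not the post's own tooling), here is a small shell audit script that reads a rule file in the iptables-save format the next section produces and checks the two things the post stresses about rule order: that the chain ends in a REJECT or DROP, and that no unconditional ACCEPT has crept in above that deny, where it would let everything through. The sample rules embedded in the script are constructed for this example (the post's list shortened, with one deliberate blanket ACCEPT added); the file name audit_rules.sh and the function names are this example's own. Run it against the chain that actually holds the rules: RH-Firewall-1-INPUT in the post's file, or INPUT when rules were added directly as in section 3.

```shell
#!/bin/sh
# Added example (not from the original post): audit a rule file in
# iptables-save format, e.g. one written by "iptables-save > /etc/iptables.rules",
# instead of reading the unnumbered "iptables -L" output by eye.
# check_chain reports whether a chain ends in a deny and whether an
# unconditional ACCEPT sits above that deny; open_tcp_ports lists the TCP
# destination ports the chain accepts.

# Constructed sample rules: the post's list shortened, with one deliberate
# mistake, an unconditional "-j ACCEPT" inserted above the final REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 30000:30030 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# open_tcp_ports RULES CHAIN: print each --dport value accepted for TCP in CHAIN
open_tcp_ports() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# check_chain RULES CHAIN: print "ok", "no-final-deny" or "accept-all-before-deny"
check_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            # a rule with no match clauses is just "-A CHAIN -j TARGET" (4 fields)
            if (NF == 4 && target == "ACCEPT") blanket = NR
            last = target
        }
        END {
            if (last != "REJECT" && last != "DROP") print "no-final-deny"
            else if (blanket) print "accept-all-before-deny"
            else print "ok"
        }'
}

# Usage: sh audit_rules.sh /etc/iptables.rules RH-Firewall-1-INPUT
if [ $# -ge 2 ]; then
    rules=$(cat "$1")
    echo "chain $2: $(check_chain "$rules" "$2")"
    echo "open tcp ports: $(open_tcp_ports "$rules" "$2" | tr '\n' ' ')"
fi
```

The check is deliberately literal: it looks only at the chain named on the command line and does not follow -j jumps into other chains, so on the post's file the INPUT chain itself reports no-final-deny (it only jumps to RH-Firewall-1-INPUT) and the sub-chain is the one to audit.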
7. Start iptables and save the rules
On CentOS, iptables does not start automatically after installation. Run chkconfig --level 345 iptables on to add it to the services started at boot. On CentOS the rules are saved with: service iptables save
iptables on Debian/Ubuntu does not save its rules by itself. Follow the steps below to save the iptables rules when the network interface goes down and load them again when it comes up.
Create the file /etc/network/if-post-down.d/iptables with the following content:
#!/bin/bash
iptables-save > /etc/iptables.rules
Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.
Create the file /etc/network/if-pre-up.d/iptables with the following content:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.

Summary:
iptables is used everywhere: it is important firewall software for improving system security and is widely used on Linux systems. Servers in production need iptables rules, and an iptables firewall is of course indispensable when building a high-security e-commerce website. Source: http://jimmyli.blog.51cto.com/ (Jimmy Li's blog). Discussion and exchange are welcome.

This article is from the "Jimmy Li I stand on the shoulders of giants" blog, please be sure to keep this source http://jimmyli.blog.51cto.com/3190309/690063
