CentOS Linux firewall configuration and shutdown
Shutting down the firewall (stopping the iptables service):
To view the firewall's current state:
# /etc/init.d/iptables status
To stop the firewall service until the next reboot:
# /etc/init.d/iptables stop
To disable it permanently, so that it no longer starts at boot:
# chkconfig --level 2345 iptables off
Several pages I read get this wrong; the following is the correct way to open port 80 (HTTP) and port 22 (SSH):
# /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Note the use of -I (insert at the head of the chain) rather than -A: the CentOS default rule set ends with a catch-all REJECT (in the RH-Firewall-1-INPUT chain that INPUT jumps to), so a rule appended with -A would sit after it and never be reached.
Then save the rules so they survive a restart of the service:
# /etc/rc.d/init.d/iptables save
and check that they are present:
[root@vcentos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    ACCEPT               udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
2    ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
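The status listing above is the place to catch the -I versus -A mistake: an ACCEPT that lands after the jump to RH-Firewall-1-INPUT (which ends in REJECT) is shadowed and never matches. The script below is an added example, not code from the original page; it parses the output of `iptables -L INPUT -n --line-numbers` and reports whether a TCP port's ACCEPT comes before any all-protocol catch-all rule. The listing in SAMPLE_LISTING is constructed for the example (port 22 deliberately appended after the jump), and the function names port_reachable and ensure_port are my own.

```shell
#!/bin/sh
# Added example: audit an `iptables -L INPUT -n --line-numbers` listing and
# report whether "tcp dpt:PORT" is ACCEPTed before any catch-all rule.
# A catch-all is any non-ACCEPT rule matching proto "all" from 0.0.0.0/0 to
# 0.0.0.0/0: a terminating DROP/REJECT, or a jump such as RH-Firewall-1-INPUT,
# which on CentOS ends in REJECT and therefore never returns to INPUT.

# Constructed sample (not real output from the page's host): port 80 was
# inserted with -I, port 22 was appended with -A and is shadowed by rule 3.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    ACCEPT               udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80
2    ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT               tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22'

# port_reachable PORT LISTING
# Exit 0 if an ACCEPT for tcp dpt:PORT precedes the first catch-all in the
# INPUT chain; exit 1 if the ACCEPT is missing or shadowed.
port_reachable() {
    printf '%s\n' "$2" | awk -v port="$1" '
        BEGIN { re = "tcp dpt:" port "( |$)" }          # exact port, not a prefix
        $1 == "Chain" { chain = $2; next }              # track which chain we are in
        chain != "INPUT" { next }
        $2 == "ACCEPT" && $3 == "tcp" && $0 ~ re { found = 1; exit }
        $2 != "ACCEPT" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { exit }
        END { exit (found ? 0 : 1) }'
}

# ensure_port PORT: live wrapper (needs root and iptables). Inserts at the head
# of INPUT only when the port is not already reachable, then saves the rules.
ensure_port() {
    port_reachable "$1" "$(iptables -L INPUT -n --line-numbers)" && return 0
    iptables -I INPUT -p tcp --dport "$1" -j ACCEPT && /etc/rc.d/init.d/iptables save
}

# Stand-alone run against the constructed listing.
for p in 80 22; do
    if port_reachable "$p" "$SAMPLE_LISTING"; then
        echo "tcp/$p: reachable"
    else
        echo "tcp/$p: missing or shadowed by a catch-all rule"
    fi
done
```

On a live host call `port_reachable 80 "$(iptables -L INPUT -n --line-numbers)"`; a non-zero exit after you have "opened" a port almost always means the rule was appended behind the default REJECT.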
The server is seeing a large number of connections in SYN_RECV on port 80, and the site will not open.
There is no hardware defense.
Is there any way to solve this?
1. Tune the kernel's TCP stack with sysctl:
sysctl -w net.ipv4.tcp_syncookies=1                 # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1             # fewer SYN-ACK retransmissions for half-open connections
sysctl -w net.ipv4.tcp_syn_retries=1                # fewer SYN retransmissions (affects connections this host opens)
sysctl -w net.ipv4.tcp_max_syn_backlog=6000         # maximum number of half-open connections
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0      # do not accept ICMP redirect packets
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.icmp_echo_ignore_all=1           # ignore all ICMP echo requests (ping)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1    # ignore echo requests sent to broadcast addresses
Two caveats: values set with sysctl -w are lost at reboot, so put the same key=value lines in /etc/sysctl.conf and load them with sysctl -p; and icmp_echo_ignore_all=1 also silences ping-based monitoring of the host.
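Because sysctl -w is not persistent, the useful follow-up is a check that the live kernel values still match the hardened set after a reboot. The script below is an added example, not from the original page: HARDENED holds the page's settings in /etc/sysctl.conf syntax, and sysctl_drift (my own function name) compares them against `key = value` output such as `sysctl -a` produces. SAMPLE_LIVE is constructed output in which two values have drifted.

```shell
#!/bin/sh
# Added example: detect drift between the hardened sysctl set and live values.

# The page's settings, in /etc/sysctl.conf syntax (persisted with `sysctl -p`).
HARDENED='net.ipv4.tcp_syncookies = 1               # the setting that really matters for SYN floods
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 6000
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_window_scaling = 1
net.ipv4.icmp_echo_ignore_all = 1                   # drop this line if you rely on ping monitoring
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# Constructed `sysctl -a`-style output: syncookies off and the stock backlog.
SAMPLE_LIVE='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_window_scaling = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# sysctl_drift EXPECTED LIVE
# Prints one line per key whose live value differs from (or is missing in)
# the expected set. Exit 0 when everything matches, 1 on any drift.
sysctl_drift() {
    exp_file=$(mktemp) || return 2
    act_file=$(mktemp) || { rm -f "$exp_file"; return 2; }
    printf '%s\n' "$1" > "$exp_file"
    printf '%s\n' "$2" > "$act_file"
    if awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }       # strip comments and whitespace
        $0 == "" { next }
        FNR == NR { eq = index($0, "="); want[substr($0, 1, eq - 1)] = substr($0, eq + 1); next }
        { eq = index($0, "="); if (eq) have[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END {
            for (k in want) {
                if (!(k in have)) { printf "%s: expected %s, not reported\n", k, want[k]; drift++ }
                else if (have[k] != want[k]) { printf "%s: expected %s, live value %s\n", k, want[k], have[k]; drift++ }
            }
            exit (drift ? 1 : 0)
        }' "$exp_file" "$act_file"; then rc=0; else rc=1; fi
    rm -f "$exp_file" "$act_file"
    return $rc
}

# Stand-alone run against the constructed live values.
sysctl_drift "$HARDENED" "$SAMPLE_LIVE" || echo "sysctl drift detected"
```

On a real host run `sysctl_drift "$HARDENED" "$(sysctl -a 2>/dev/null)"`; after appending HARDENED to /etc/sysctl.conf and running `sysctl -p`, the check should print nothing and exit 0.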
2. Rate-limit new connections per unit of time, for example:
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 3/s --limit-burst 1 -j ACCEPT
iptables -A syn-flood -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --syn -m state --state NEW -j DROP
Two things to know before copying this. The limit match is global, not per source: it lets through 3 SYNs per second for the whole host, so under attack legitimate clients are throttled together with the attacker. The last rule is unreachable as written, because every SYN has already been ACCEPTed or DROPped in the syn-flood chain; if the jump to syn-flood were ever removed, that rule would drop all new connections.
3. If that is still not enough, use the recent match to track how often each source address hits port 80:
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --update --seconds 60 --hitcount 30 -j DROP
iptables -A INPUT -p tcp --dport 80 -m recent --name bad_http_access --set -j ACCEPT
(The original omits the --seconds value and the target of the first rule; 60 seconds and DROP are assumed here.) The order matters: the --update rule only matches addresses already in the list, so a source's first packets fall through to --set and are accepted, and once 30 hits are recorded within the window the address is dropped. Note that these rules count every packet to port 80, not just connection attempts, so a single page load can exceed 30; add --syn to count only SYNs. Also, the recent module remembers only ip_pkt_list_tot packets per address (20 by default), so --hitcount 30 is rejected unless the module is loaded with a larger ip_pkt_list_tot.
If the attack traffic exceeds your server's bandwidth there is nothing the host itself can do; if the volume is modest, the methods above can keep port 80 reachable for the time being.
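To see the difference between the global limit match in step 2 and the per-source recent match in step 3, the following added example (not code from the original page) simulates both over a constructed two-second timeline: one attacker address sending a SYN every 10 ms and one legitimate client sending a SYN every 250 ms. The token-bucket and hit-count logic mirrors what the two matches do (limit: 3/s with burst 1; recent: 30 hits in a 60 s window); the addresses, timings and the function names gen_events and simulate are my own.

```shell
#!/bin/sh
# Added example: replay a constructed SYN timeline through a model of
# `-m limit --limit 3/s --limit-burst 1` (global token bucket) and of
# `-m recent --seconds 60 --hitcount 30` (per-source hit count).

# Constructed events "time_ms who src": A = attacker (198.51.100.7),
# L = legitimate client (10.0.0.5). 201 attacker SYNs, 8 legitimate ones.
gen_events() {
    t=0
    while [ "$t" -le 2000 ]; do
        printf '%d A 198.51.100.7\n' "$t"
        t=$((t + 10))
    done
    t=5
    while [ "$t" -le 1755 ]; do
        printf '%d L 10.0.0.5\n' "$t"
        t=$((t + 250))
    done
}

# simulate limit|recent
# Prints "<mode> L accepted/total A accepted/total".
simulate() {
    gen_events | sort -n -k1,1 | awk -v mode="$1" '
    BEGIN {
        # limit model, integer milli-tokens: 3 tokens/s = 3 per ms, burst 1 = cap 1000,
        # one packet costs 1000 (the kernel uses the same credit scheme, in jiffies)
        tokens = 1000; last = 0; rate = 3; cap = 1000; cost = 1000
        # recent model: packet k is dropped once 30 earlier hits lie within the window
        window = 60000; hitcount = 30
    }
    {
        t = $1; who = $2; src = $3
        if (mode == "limit") {
            tokens += (t - last) * rate
            if (tokens > cap) tokens = cap
            last = t
            if (tokens >= cost) { tokens -= cost; ok = 1 } else ok = 0
        } else {
            cnt = n[src] + 0; seen = 0
            for (i = 1; i <= cnt; i++) if (t - stamp[src, i] <= window) seen++
            ok = (seen < hitcount)
            n[src] = cnt + 1; stamp[src, cnt + 1] = t   # every packet leaves a stamp (--update or --set)
        }
        total[who]++
        if (ok) acc[who]++
    }
    END { printf "%s L %d/%d A %d/%d\n", mode, acc["L"] + 0, total["L"] + 0, acc["A"] + 0, total["A"] + 0 }'
}

simulate limit    # expected: limit L 0/8 A 6/201
simulate recent   # expected: recent L 8/8 A 30/201
```

The global limit admits six SYNs in two seconds and every one of them is the attacker's, while the per-source rule caps the attacker at 30 and leaves the legitimate client untouched. Neither helps against a flood with spoofed source addresses, where every SYN arrives from a different address; that is the case SYN cookies are for.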
If your kernel supports the iptables connlimit match, you can also cap the number of concurrent connections per source address:
iptables -I FORWARD -p tcp --syn -m connlimit --connlimit-above 5 -j DROP
or
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
connlimit counts connections per source address (a /32 by default; use --connlimit-mask to group a prefix). A ceiling of 5 is very low, since a browser opens several parallel connections per host and many users behind one NAT share an address, so expect to raise it.
What actually works against a SYN flood is:
sysctl -w net.ipv4.tcp_syncookies=1                 # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1             # fewer SYN-ACK retransmissions for half-open connections
The other iptables rate-limiting features above cannot stop a SYN flood (the denial of service is not blocked; at best they keep the server from collapsing). A flood with spoofed source addresses presents a different address on almost every packet, so per-source limits never trigger, whereas SYN cookies let the kernel answer a SYN without holding half-open state for it.