Detailed description of Linux iptables firewall + anti-DDOS policy configuration

Source: Internet
Author: User

Detailed description of Linux iptables firewall + anti-DDOS policy configuration

The network firewall function has been implemented in the Linux kernel for a long time. In different Linux kernel versions, different software is used to implement the firewall function.
In the 2.0 kernel, the firewall tool is ipfwadm.
In the 2.2 kernel, the firewall tool is ipchains.
For kernels later than 2.4, the firewall operation tool is iptables.

Ipfwadm and ipchains are old and have become a historical version. This chapter mainly introduces Iptables


I. Detailed description of iptable Operation Command Parameters

-
APPEND: APPEND a rule (to the end)
For example:
Iptables-a input-j ACCEPT
Allow all packets that access the local IP address to pass through


-I
INSERT, INSERT a rule
For example:
Iptables-I INPUT-j DROP
Insert a rule into the INPUT chain of the filter table (1st rows)


-D
DELETE: deletes a rule.
Iptables-d input 3 (matching by number)
Delete the third rule in the INPUT chain of the filter table (no matter what the content is)


-R
REPLACE, REPLACE a rule
For example:
Iptables-r input 9-j ACCEPT
Replace the rule content numbered 9 with "-j ACCEPT"


-P
POLICY to set the default rules for a chain
For example:
Iptables-P INPUT DROP
The default rule for setting the INPUT chain of the filter table is DROP.


-F
FLUSH, clear rules
For example
Iptables-F
Clear all rules in the filter table

 

-P
Protocol comparison communication protocol
For example
Iptables-a input-p tcp
Check whether the communication protocol type is consistent

 

-S
Src, source
For example
Iptables-I INPUT-s 172.16.0.201-j DROP
Used to compare the source IP address of the packet, which can be compared to a single machine or network. Use a number to block the packet when comparing the network. For example, if the IP address 172.16.0.201 is used for access, all data will be discarded.


-- Tcp-flags compares TCP
For example
Iptables-p tcp -- tcp-flags SYN, FIN, ACK SYN
TCP status banners include: SYN (synchronous), ACK (response), FIN (ended), RST (reset), URG (urgent), PSH (forced push)
Can be used in parameters. In addition, you can use the ALL and NONE keywords for comparison.


-- Icmp-type
For example:
Iptables-a input-p icmp -- icmp-type 8
Used to compare ICMP Type numbers. You can use code or number numbers for comparison. Case: ICMP Type: 8


-M limit -- limit
For example
Iptables-a input-m limit -- limit 3/sec
The preceding example compares the average traffic of packets within a certain period of time to determine whether the average traffic per second exceeds three packets.


Configuration File Location:
/Etc/sysconfig/iptables

Iptables Management Service commands
Enable service iptables start
Disable service iptables stop
Restart service iptables restart

 

Ii. Case studies

In this example, the rules will block data packets from a specific IP address range, because the IP address range is suspected by administrators that a large number of malicious attackers are active.
How can I determine whether a service is under attack?
1. Is the ping Test Service lost? Possible causes for packet loss: Your service is under attack, the upper-layer line of the IDC is under attack, a route on the internet is unstable, and machine service/hardware problems (less)
2. You can set up a traffic check service to monitor the network traffic of the service, such as Cacti and MRTG, but none of them are real-time! Usually once every 5 minutes

3. Some script code can be used in linux to monitor the real-time traffic of the NIC,

 


View real-time traffic scripts
Use vi to create a script file, copy the following code, grant permissions, and run script monitoring.

#!/bin/bashwhile [ "1" ]doeth=$1RXpre=$(cat /proc/net/dev | grep $eth | tr : " " | awk '{print $2}')TXpre=$(cat /proc/net/dev | grep $eth | tr : " " | awk '{print $10}')sleep 1RXnext=$(cat /proc/net/dev | grep $eth | tr : " " | awk '{print $2}')TXnext=$(cat /proc/net/dev | grep $eth | tr : " " | awk '{print $10}')clearecho  -e  "\t RX `date +%k:%M:%S` TX"RX=$((${RXnext}-${RXpre}))TX=$((${TXnext}-${TXpre}))if [[ $RX -lt 1024 ]];thenRX="${RX}B/s"elif [[ $RX -gt 1048576 ]];thenRX=$(echo $RX | awk '{print $1/1048576 "MB/s"}')elseRX=$(echo $RX | awk '{print $1/1024 "KB/s"}')fiif [[ $TX -lt 1024 ]];then TX="${TX}B/s" elif [[ $TX -gt 1048576 ]];then TX=$(echo $TX | awk '{print $1/1048576 "MB/s"}') else TX=$(echo $TX | awk '{print $1/1024 "KB/s"}')fi echo -e "$eth \t $RX   $TX "done

When you view network card Traffic, rx is receive (receive) tx is send (transport)
Current Traffic is normal

Test the attempt to use software on another VM to continuously access the local site, improving the traffic

If you think this traffic is abnormal, you can run the following command to check which IP addresses are connected to port 80 of the local machine and then shield them!

Netstat-ant | grep ": 80" | awk '{printf "% s \ n", $5, $6}' | sort

If you think 0.201IP is suspicious and want to block it, run the following command:

Shield Inbound ip

 

Iptables-I INPUT-s 172.16.0.201-j DROP

 

Unblocking
Iptables-d input-s 172.16.0.201-j DROP

 

 

Only port 80 of the local machine is blocked from the IP address segment 172.16.0. Other ports can be used normally. The command is as follows:
Iptables-I INPUT-p tcp -- dport 80-s 172.16.0.201/24-j DROP

Unblocking
Iptables-d input-p tcp -- dport 80-s 172.16.0.201/24-j DROP

 

Test: Use 172.16.0.2 to try to access port 80 of the service.

When adding rules, the actions of the REJECT (REJECT) target and the DROP (discard) target are different. REJECT rejects the entry of the target group and returns a connection refused error message to the user attempting to connect to the service. DROP will discard the group and will not send any warning to the telnet user.

 


The rule added by the command takes effect temporarily. After the iptables service is restarted, it will be restored. You can save the Command service iptables save permanently or directly modify the configuration file.
After the/etc/sysconfig/iptables firewall configuration file is modified, the iptables service must be restarted to take effect.

 

 

Iii. Complete anti-DDOS policies and explanations

The default iptables rule cannot filter DDOS attack data. We need to add a filter rule to implement iptables's anti-DDOS capability.

The following firewall rules are my real firewall rules on the linux post office server. I have suffered M SYN DDOS traffic attacks and my server's international bandwidth is only 20 M,
Almost paralyzing the entire service. After the SYN filter rule is added to iptables, the network returns to normal, with a latency of about 100 and a latency of about 45 under normal conditions, but there is no problem with sending and receiving services at the service post office!

System: Centos 5.5

The above iptable configuration rules are described as follows:


Shield SYN_RECV connections
-A forward-p tcp-m tcp -- tcp-flags FIN, SYN, RST, ack syn-m limit -- limit 1/sec-j ACCEPT


Restrict IP fragments. Only 100 fragments are allowed per second to prevent DoS attacks.
-A forward-f-m limit -- limit 100/sec -- limit-burst 100-j ACCEPT

 


Limit one ping packet per second, and start again after 10
-A forward-p icmp-m limit -- limit 1/sec -- limit-burst 10-j ACCEPT

 


Restrict one request per second from ICMP Packets
-A forward-p icmp-m icmp -- icmp-type 8-m limit -- limit 1/sec-j ACCEPT


Here, you can customize a table.
-A forward-j RH-Firewall-1-INPUT


Fully accept loopback interface packets
-A RH-Firewall-1-INPUT-I lo-j ACCEPT


Allow hosts to receive ping requests
-A RH-Firewall-1-INPUT-p icmp-m icmp -- icmp-type any-j ACCEPT


Internet printer service (can be deleted)
-A RH-Firewall-1-INPUT-p udp-m udp -- dport 631-j ACCEPT
-A RH-Firewall-1-INPUT-p tcp-m tcp -- dport 631-j ACCEPT


Packets sent from the host after the connection is permitted
-A RH-Firewall-1-INPUT-m state -- state RELATED, ESTABLISHED-j ACCEPT


Allow the firewall to enable the specified port (the common port 22 21 80 25 110 3306 is enabled in this server rule)
-A RH-Firewall-1-INPUT-p tcp-m state -- state NEW-m tcp -- dport port-j ACCEPT

 


Restrict SSH Login
Ssh remote logon is only allowed on 172.16.0.2. ssh is prohibited from other computers.
Iptables-a input-s 172.16.0.2-p tcp -- dport 22-j ACCEPT

Iptables-a input-p tcp -- dport 22-j DROP

 

 

Iptables Firewall is a powerful firewall. As long as the rules are configured, it can greatly improve system security. It is better than many firewalls in windows. If you are interested, try it!

 

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.