Detailed description of Linux iptables firewall and anti-DDoS policy configuration
The network firewall function has been implemented in the Linux kernel for a long time. In different Linux kernel versions, different software is used to implement the firewall function.
In the 2.0 kernel, the firewall tool is ipfwadm.
In the 2.2 kernel, the firewall tool is ipchains.
For kernels later than 2.4, the firewall operation tool is iptables.
ipfwadm and ipchains are obsolete historical versions; this chapter focuses on iptables.
I. Detailed description of iptables command parameters
-A
APPEND: append a rule to the end of a chain
For example:
iptables -A INPUT -j ACCEPT
Allow all packets addressed to the local machine to pass through
-I
INSERT: insert a rule
For example:
iptables -I INPUT -j DROP
Insert a rule into the INPUT chain of the filter table (it becomes rule number 1)
-D
DELETE: delete a rule
For example:
iptables -D INPUT 3    (match by rule number)
Delete the third rule in the INPUT chain of the filter table, regardless of its content
-R
REPLACE: replace a rule
For example:
iptables -R INPUT 9 -j ACCEPT
Replace the content of rule number 9 with "-j ACCEPT"
-P
POLICY: set the default policy of a chain
For example:
iptables -P INPUT DROP
Set the default policy of the INPUT chain of the filter table to DROP
-F
FLUSH: clear rules
For example:
iptables -F
Clear all rules in the filter table
-p
Protocol: match the communication protocol
For example:
iptables -A INPUT -p tcp
Check whether the protocol type of the packet matches
-s
Src: source address
For example:
iptables -I INPUT -s 172.16.0.201 -j DROP
Match the source IP address of the packet; this can be a single host or a network (give a network with its prefix length, e.g. /24). In the example, all packets arriving from 172.16.0.201 are discarded.
--tcp-flags: match TCP flags
For example:
iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
The TCP flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push). The first list names the flags to examine and the second the flags that must be set among them, so the example matches packets with SYN set and FIN and ACK clear, i.e. new connection requests. The keywords ALL and NONE can also be used.
--icmp-type: match the ICMP type
For example:
iptables -A INPUT -p icmp --icmp-type 8
Match the ICMP type; the type can be given by name or by number. In the example, type 8 is echo request (ping).
-m limit --limit: rate limit
For example:
iptables -A INPUT -m limit --limit 3/sec
Match on the average packet rate over time: the example matches as long as the average rate does not exceed three packets per second (the limit module allows a short burst above this).
Configuration file location:
/etc/sysconfig/iptables
iptables service management commands
Start: service iptables start
Stop: service iptables stop
Restart: service iptables restart
II. Case studies
In this example the rules block packets from a specific IP address range, because administrators suspect that a large number of malicious attackers are active in that range.
How can I determine whether a service is under attack?
1. Does a ping test to the service lose packets? Possible causes of packet loss: your service is under attack; the IDC's upstream link is under attack; a route on the Internet is unstable; machine service/hardware problems (less common).
2. You can set up a traffic monitoring service such as Cacti or MRTG to watch the service's network traffic, but none of them is real-time: they usually poll once every 5 minutes.
3. A script can be used on Linux to monitor the real-time traffic of the NIC.
Real-time traffic script
Use vi to create a script file, paste the following code, make it executable, and run it with the interface name as its argument to start monitoring.
#!/bin/bash
# Print the receive (RX) and transmit (TX) rate of one interface once per second.
# Usage: ./traffic.sh eth0
eth=$1
if [ -z "$eth" ]; then
    echo "usage: $0 <interface>"
    exit 1
fi
while [ "1" ]
do
    # Byte counters from /proc/net/dev: after replacing ':' with a space,
    # column 2 is received bytes and column 10 is transmitted bytes
    RXpre=$(cat /proc/net/dev | grep "$eth:" | tr ':' ' ' | awk '{print $2}')
    TXpre=$(cat /proc/net/dev | grep "$eth:" | tr ':' ' ' | awk '{print $10}')
    sleep 1
    RXnext=$(cat /proc/net/dev | grep "$eth:" | tr ':' ' ' | awk '{print $2}')
    TXnext=$(cat /proc/net/dev | grep "$eth:" | tr ':' ' ' | awk '{print $10}')
    clear
    echo -e "\t RX `date +%k:%M:%S` TX"
    # Difference of the counters over one second = bytes per second
    RX=$((${RXnext}-${RXpre}))
    TX=$((${TXnext}-${TXpre}))
    # Scale the receive rate to B/s, KB/s or MB/s
    if [[ $RX -lt 1024 ]]; then
        RX="${RX}B/s"
    elif [[ $RX -gt 1048576 ]]; then
        RX=$(echo $RX | awk '{print $1/1048576 "MB/s"}')
    else
        RX=$(echo $RX | awk '{print $1/1024 "KB/s"}')
    fi
    # Scale the transmit rate the same way
    if [[ $TX -lt 1024 ]]; then
        TX="${TX}B/s"
    elif [[ $TX -gt 1048576 ]]; then
        TX=$(echo $TX | awk '{print $1/1048576 "MB/s"}')
    else
        TX=$(echo $TX | awk '{print $1/1024 "KB/s"}')
    fi
    echo -e "$eth \t $RX $TX"
done
When viewing network card traffic, RX is received traffic and TX is transmitted traffic.
The current traffic is normal.
Test: use software on another VM to access the local site continuously, driving up the traffic.
If you think this traffic is abnormal, run the following command to see which IP addresses are connected to port 80 of the local machine, and then block them:
netstat -ant | grep ':80' | awk '{printf "%s %s\n", $5, $6}' | sort
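The netstat pipeline above lists every connection; as an added example (not from the original post), the script below counts connections to a local port per remote IP from netstat-style output and reports the IPs at or above a threshold, so that a "-s <ip> -j DROP" rule is only written for addresses that stand out. The netstat lines are constructed sample data; the IPs 172.16.0.201 and 172.16.0.2 are the ones used in this post.

```shell
#!/bin/sh
# Added example: per-remote-IP connection counts for one local port,
# from "netstat -ant" style output. Constructed sample input (not a real capture):
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.10:80          172.16.0.201:51234      ESTABLISHED
tcp        0      0 172.16.0.10:80          172.16.0.201:51235      ESTABLISHED
tcp        0      0 172.16.0.10:80          172.16.0.201:51236      SYN_RECV
tcp        0      0 172.16.0.10:80          172.16.0.2:40001        ESTABLISHED
tcp        0      0 172.16.0.10:22          172.16.0.2:40002        ESTABLISHED
tcp        0      0 172.16.0.10:80          172.16.0.201:51237      TIME_WAIT'

# count_port_clients PORT  (reads netstat output on stdin)
# Prints "count ip" lines, highest count first. Only IPv4 "tcp" lines whose
# local port equals PORT are counted; the LISTEN socket itself is skipped.
count_port_clients() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" && $6 != "LISTEN" {
            split($4, local, ":"); split($5, remote, ":")
            if (local[2] == port) count[remote[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# suspicious_clients PORT THRESHOLD  (reads netstat output on stdin)
# Prints only the remote IPs holding at least THRESHOLD connections to PORT.
suspicious_clients() {
    count_port_clients "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run against the sample; on a live host use:
#   netstat -ant | suspicious_clients 80 50
printf '%s\n' "$SAMPLE_NETSTAT" | count_port_clients 80
printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_clients 80 3
```

Half-open (SYN_RECV) and TIME_WAIT entries are counted too, since during a flood they are the connections that pile up.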
If you think the IP ending in .201 (172.16.0.201) is suspicious and want to block it, run the following command:
Block an inbound IP:
iptables -I INPUT -s 172.16.0.201 -j DROP
Unblock:
iptables -D INPUT -s 172.16.0.201 -j DROP
Block only port 80 of the local machine for the IP address segment 172.16.0.x (iptables treats 172.16.0.201/24 as the network 172.16.0.0/24); other ports remain usable. The command is:
iptables -I INPUT -p tcp --dport 80 -s 172.16.0.201/24 -j DROP
Unblock:
iptables -D INPUT -p tcp --dport 80 -s 172.16.0.201/24 -j DROP
Test: use 172.16.0.2 to try to access port 80 of the service.
When adding a rule, the REJECT target (refuse) and the DROP target (discard) behave differently. REJECT refuses the packet and returns a "connection refused" error to the user trying to connect to the service; DROP silently discards the packet and sends nothing back to the (telnet) user.
Rules added on the command line take effect immediately but are not persistent: they are lost when the iptables service is restarted. To keep them permanently, run "service iptables save" or edit the configuration file directly.
After the /etc/sysconfig/iptables configuration file is modified, the iptables service must be restarted for the change to take effect.
III. Complete anti-DDoS policy and explanation
The default iptables rules cannot filter DDoS attack traffic; filter rules must be added to give iptables anti-DDoS capability.
The following firewall rules are the real rules on my Linux mail server. I suffered a M SYN DDoS traffic attack, while my server's international bandwidth is only 20 M,
which almost paralyzed the entire service. After the SYN filter rules were added to iptables the network returned to normal, with a latency of about 100 compared with about 45 under normal conditions, and the mail service sent and received without problems.
System: CentOS 5.5
The iptables configuration rules (shown in the original post's screenshot) are explained one by one below:
Limit SYN_RECV (half-open) connections: accept at most one new SYN per second; SYNs above the limit fall through to the following rules and are only dropped if a later rule or the chain policy drops them
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
Restrict IP fragments: only 100 fragments per second (burst 100) are allowed, to prevent DoS attacks
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
Limit ping to one packet per second, with an initial burst of 10
-A FORWARD -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
Restrict ICMP echo requests (type 8) to one per second
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
Here a user-defined chain is used
-A FORWARD -j RH-Firewall-1-INPUT
Accept all packets on the loopback interface
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
Allow the host to receive ping requests
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Internet printer service (can be deleted)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
Accept packets belonging to connections that have already been permitted
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow the firewall to open the specified ports (this server's rules open the common ports 22 21 80 25 110 3306; one such rule per port, with "port" replaced by the port number)
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport port -j ACCEPT
Restrict SSH login
SSH remote login is only allowed from 172.16.0.2; SSH from other computers is prohibited
iptables -A INPUT -s 172.16.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
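The rule list above is given one line at a time; as an added example (not the post's own configuration), the script below writes the same policy as a complete iptables-restore file. It places the rules in INPUT, which is the chain that sees traffic addressed to the server itself (FORWARD only sees routed traffic), and follows every rate-limit ACCEPT with an explicit DROP, because otherwise SYNs above the limit simply fall through and are accepted by the per-port NEW rules. The ports, limits and admin host 172.16.0.2 are taken from the post; the post's 1 SYN/sec limit is very aggressive for a busy server and should be raised with --limit/--limit-burst to match real traffic.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the post's anti-DDoS
# policy in iptables-restore format (the format of /etc/sysconfig/iptables).
SERVICE_PORTS="21 80 25 110 3306"   # from the post (22 handled separately)
SSH_ADMIN_HOST="172.16.0.2"         # from the post

anti_ddos_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SYN_RECV protection: 1 new SYN/sec (default burst 5), the rest dropped
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# IP fragments: 100/sec, burst 100, the rest dropped
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -f -j DROP
# Echo requests: 1/sec, burst 10, the rest dropped; other ICMP types accepted
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
EOF
    # SSH only from the admin host; port 22 from anywhere else is dropped
    printf '%s\n' "-A RH-Firewall-1-INPUT -s $SSH_ADMIN_HOST -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
    printf '%s\n' "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j DROP"
    # One NEW rule per service port, as in the post
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
    done
    # INPUT policy is DROP, so anything not matched above is dropped
    printf '%s\n' "COMMIT"
}

# Stand-alone: print the file. To install on CentOS 5 (as root):
#   anti_ddos_rules > /etc/sysconfig/iptables && service iptables restart
anti_ddos_rules
```

Review the generated file with "iptables-restore --test" (where available) before restarting the service, since a DROP policy with a mistaken rule locks out remote administration.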
The iptables firewall is a powerful firewall. As long as the rules are configured properly, it can greatly improve system security, and it is better than many firewalls on Windows. If you are interested, try it!
This article is from the "SKY" blog and will not be reproduced!