Description: the local test host's IP address is 172.16.110.11.
The system's default INPUT and OUTPUT policy is DROP:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
Note: because the default policy drops everything, each rule below explicitly permits only the traffic of interest (a whitelist approach).
1. Restrict the local host's web server so that it cannot be accessed on Mondays:
# iptables -A INPUT -d 172.16.110.11 -p tcp --dport 80 -m time ! --weekdays 1 -j ACCEPT
The rate of new requests must not exceed 100 per second:
# iptables -A INPUT -d 172.16.110.11 -p tcp --dport 80 -m limit --limit 100/second -m state --state NEW -j ACCEPT
Pages containing the string "admin" must not be accessible from the web server:
# iptables -A OUTPUT -s 172.16.110.11 -p tcp --sport 80 -m string --algo bm ! --string "admin" -j ACCEPT
The web server may only send response packets out of the host:
# iptables -A OUTPUT -s 172.16.110.11 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
2. During working hours, i.e. Monday to Friday 8:30-18:00, open the local FTP service to hosts in the 172.16.0.0 network, with no more than 5 data download requests per minute:
# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.110.11 -p tcp --dport 21 -m time --weekdays 1,2,3,4,5 --timestart 08:30 --timestop 18:00 -m limit --limit 5/minute -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 172.16.110.11 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
3. Open the local SSH service to hosts in 172.16.x.1-172.16.x.100 (x is your seat number); the rate of new connection requests must not exceed 2 per minute, and only response packets may leave the host through the service port:
# iptables -A INPUT -d 172.16.110.11 -p tcp --dport 22 -m iprange --src-range 172.16.110.1-172.16.110.100 -m limit --limit 2/minute -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 172.16.110.11 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
4. Reject packets whose TCP flags are all 1 or all 0 from accessing this host:
# iptables -A INPUT -d 172.16.110.11 -p tcp ! --tcp-flags ALL ALL -j ACCEPT
# iptables -A OUTPUT -s 172.16.110.11 -p tcp ! --tcp-flags ALL NONE -j ACCEPT
5. Allow this host to ping other hosts, but do not allow other hosts to ping this host:
# iptables -A OUTPUT -s 172.16.110.11 -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -d 172.16.110.11 -p icmp --icmp-type 0 -j ACCEPT
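Tasks 1 to 5 assembled into one whitelist script, as an added example that is not the assignment's own answer. It assumes the host address and the 172.16.110.x seat range from the page, uses the conntrack match so that service rules only need to admit NEW connections, and has a dry-run mode (DRY_RUN=1, the default) that records the iptables commands in $GENERATED instead of executing them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the assignment's own answer): tasks 1-5 as a single whitelist
# script with a dry-run mode. Assumptions: HOST and SSH_RANGE come from the page;
# DRY_RUN=1 only records the generated iptables commands in $GENERATED.
HOST=172.16.110.11
SSH_RANGE=172.16.110.1-172.16.110.100
DRY_RUN=${DRY_RUN:-1}
GENERATED=""   # one generated command per line (dry-run mode)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        if [ -z "$GENERATED" ]; then GENERATED="iptables $*"; else GENERATED="$GENERATED
iptables $*"; fi
    else
        iptables "$@"
    fi
}

build_rules() {
    GENERATED=""
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    # Rules match top to bottom: the probe drops and the "admin" filter must come
    # BEFORE the generic ESTABLISHED accept, or that accept short-circuits them.
    ipt -A INPUT -d "$HOST" -p tcp --tcp-flags ALL ALL -j DROP    # task 4: Xmas probe
    ipt -A INPUT -d "$HOST" -p tcp --tcp-flags ALL NONE -j DROP   # task 4: NULL probe
    # task 1: responses containing "admin" never leave the host; --icase also catches "Admin"
    ipt -A OUTPUT -s "$HOST" -p tcp --sport 80 -m string --algo bm --icase --string "admin" -j DROP
    # loopback, then replies to already accepted connections (service rules only need NEW)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -d "$HOST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -s "$HOST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # task 1: web, closed on Mondays, at most 100 new connections per second
    ipt -A INPUT -d "$HOST" -p tcp --dport 80 -m conntrack --ctstate NEW \
        -m time ! --weekdays Mon -m limit --limit 100/second --limit-burst 100 -j ACCEPT
    # task 2: FTP control channel from 172.16.0.0/16 in working hours, 5 new sessions per
    # minute. --kerneltz evaluates the window in the system time zone instead of UTC; the
    # ftp conntrack helper marks passive data connections RELATED so the rule above admits them.
    [ "$DRY_RUN" = 1 ] || modprobe nf_conntrack_ftp
    ipt -A INPUT -s 172.16.0.0/16 -d "$HOST" -p tcp --dport 21 -m conntrack --ctstate NEW \
        -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 --kerneltz \
        -m limit --limit 5/minute -j ACCEPT
    # task 3: SSH from the seat range, 2 new sessions per minute; limiting only NEW
    # keeps an open session from being throttled by its own packets
    ipt -A INPUT -d "$HOST" -p tcp --dport 22 -m iprange --src-range "$SSH_RANGE" \
        -m conntrack --ctstate NEW -m limit --limit 2/minute -j ACCEPT
    # task 5: outbound echo requests are allowed and their replies return as ESTABLISHED;
    # inbound echo requests from other hosts fall through to the DROP policy
    ipt -A OUTPUT -s "$HOST" -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
}

# position (1-based line) of the first generated command containing the fixed string $1
rule_pos() { printf '%s\n' "$GENERATED" | grep -nF -- "$1" | head -n 1 | cut -d: -f1; }

build_rules
printf '%s\n' "$GENERATED"
```

Run it as is to review the generated commands; run it with DRY_RUN=0 as root to apply them. The differences from the answers above are deliberate: the rate limits count only NEW connections, the Xmas/NULL checks are DROP rules rather than negated ACCEPTs, and the string filter is a DROP placed ahead of the ESTABLISHED accept, since an ESTABLISHED rule that comes first would pass every response packet before the string match is consulted.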
6. Explain the meaning of the following rules:
# iptables -N clean_in
Create a new custom chain named clean_in.
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
Append a rule to the custom chain clean_in that drops ICMP packets sent to the limited broadcast address (prevents a network-wide broadcast storm).
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
Append a rule to clean_in that drops ICMP packets sent to the 172.16.0.0/16 directed broadcast address (prevents broadcast storms within the subnet).
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
Append a rule to clean_in that drops new-connection packets whose SYN flag is not set (the first packet of a legitimate TCP handshake must be a SYN).
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
Append a rule to clean_in that drops packets with all TCP flags set (blocks Xmas-tree scans).
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
Append a rule to clean_in that drops packets with no TCP flags set (blocks NULL scans).
# iptables -A clean_in -d 172.16.100.7 -j RETURN
Append a rule to clean_in that ends matching in the custom chain for packets addressed to 172.16.100.7 and returns to the calling chain.
# iptables -A INPUT -d 172.16.100.7 -j clean_in
Send packets addressed to 172.16.100.7 through the custom chain clean_in for matching.
# iptables -A INPUT -i lo -j ACCEPT
Allow packets arriving on the local loopback interface lo.
# iptables -A OUTPUT -o lo -j ACCEPT
Allow packets leaving through the local loopback interface lo.
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
Drop TCP packets arriving on eth0 for ports 53,113,135,137,139,445 (mainly DNS, ident authentication, RPC, and file and printer sharing services).
# iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
Drop UDP packets arriving on eth0 for ports 53,113,135,137,139,445 (the same services over UDP).
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
Drop UDP packets arriving on eth0 for port 1026 (1026 is typically the next free port, so dropping it hinders port scanning).
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP
Drop TCP packets arriving on eth0 for ports 1433 (SQL Server) and 4899 (remote control), to prevent probing of critical service ports.
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
Limit the accepted rate of ICMP packets (ping) to no more than 10 per second (restricts rapid pings to mitigate DoS attacks such as Ping of Death).
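A check a practitioner would run after loading a chain like clean_in: audit an iptables-save dump to confirm that the chain exists, drops both Xmas and NULL probes, and is reached from INPUT before any ACCEPT rule. This is an added example, not part of the assignment; the sample dump inside it is constructed in iptables-save syntax to mirror the section 6 rules (iptables-save spells ALL out as the six flag names and 10/second as 10/sec).

```shell
#!/bin/sh
# Added example (not from the assignment): audit an iptables-save dump for the
# clean_in chain of section 6. Pass a dump file as $1 (e.g. from "iptables-save > rules.dump");
# without one the constructed SAMPLE_DUMP below is audited.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:clean_in - [0:0]
-A INPUT -d 172.16.100.7/32 -j clean_in
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A clean_in -d 255.255.255.255/32 -p icmp -j DROP
-A clean_in -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A clean_in -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A clean_in -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A clean_in -d 172.16.100.7/32 -j RETURN
COMMIT'

# policy of chain $2 in dump $1 (":INPUT DROP [0:0]" -> DROP; "-" for user-defined chains)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# 1-based position within chain $2 of the first rule containing fixed string $3, 0 if none
rule_index() {
    printf '%s\n' "$1" | awk -v c="$2" -v pat="$3" '
        $1 == "-A" && $2 == c { n++; if (index($0, pat) > 0) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# the two probe drops in the form iptables-save writes them
XMAS='--tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP'
NULLSCAN='--tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP'

audit_ruleset() {
    dump=$1
    if [ "$(chain_policy "$dump" INPUT)" != DROP ]; then
        echo "FAIL: INPUT policy is not DROP"; return 1
    fi
    if [ "$(rule_index "$dump" clean_in "$XMAS")" -eq 0 ] || \
       [ "$(rule_index "$dump" clean_in "$NULLSCAN")" -eq 0 ]; then
        echo "FAIL: clean_in does not drop both Xmas and NULL probes"; return 1
    fi
    jump=$(rule_index "$dump" INPUT '-j clean_in')
    accept=$(rule_index "$dump" INPUT '-j ACCEPT')
    # the jump must exist, and no ACCEPT may precede it in INPUT
    if [ "$jump" -eq 0 ] || { [ "$accept" -ne 0 ] && [ "$accept" -lt "$jump" ]; }; then
        echo "FAIL: INPUT does not jump to clean_in before its first ACCEPT"; return 1
    fi
    echo "OK: clean_in is in place and reached before any ACCEPT"
}

if [ -n "$1" ]; then audit_ruleset "$(cat "$1")"; else audit_ruleset "$SAMPLE_DUMP"; fi
```

The ordering check matters because, as section 6 shows, the clean_in jump is appended before the loopback and ICMP accepts; a later `iptables -I INPUT ... -j ACCEPT` would silently move an accept ahead of the scan filter.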
7. Use tcp_wrappers to control vsftpd so that only hosts in the 172.16.0.0/255.255.0.0 network may access it, except 172.16.100.3; record denied access attempts in the log file /var/log/tcp_wrapper.log:
# vim /etc/hosts.allow
vsftpd: 172.16. EXCEPT 172.16.100.3
# vim /etc/hosts.deny
vsftpd: ALL: spawn /bin/echo $(date) login attempt from %c to %s,%d >> /var/log/tcp_wrapper.log
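To confirm what the two files above decide for a given client without attempting a live FTP login, here is a small emulation of tcpd's evaluation order, added as an example that is not part of the assignment. It handles only the pattern forms used on this page (a dotted network prefix such as "172.16.", an exact address, ALL and EXCEPT), and the file contents are constructed inline from the answer above.

```shell
#!/bin/sh
# Added example, not part of the assignment: emulate tcpd's hosts.allow/hosts.deny
# decision for the vsftpd policy. Only the pattern forms used on this page are handled.
HOSTS_ALLOW='vsftpd: 172.16. EXCEPT 172.16.100.3'
HOSTS_DENY='vsftpd: ALL: spawn /bin/echo $(date) login attempt from %c to %s,%d >> /var/log/tcp_wrapper.log'

# does client address $2 match the single pattern $1? ALL matches anything; a pattern
# ending in "." matches as a prefix of the address; anything else must match exactly
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;
        *)   [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# does client $2 match a client list $1 of the form "pat ... [EXCEPT pat ...]"?
list_matches() {
    in_except=0; matched=0; excepted=0
    for p in $1; do
        if [ "$p" = EXCEPT ]; then in_except=1; continue; fi
        if pattern_matches "$p" "$2"; then
            if [ "$in_except" -eq 1 ]; then excepted=1; else matched=1; fi
        fi
    done
    [ "$matched" -eq 1 ] && [ "$excepted" -eq 0 ]
}

# print "match" if any line of file text $1 names daemon $2 and matches client $3;
# lines are "daemon_list : client_list [: shell_command]" and the first hit wins, as in tcpd
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clients=${rest%%:*}
        for d in $daemons; do
            if { [ "$d" = "$2" ] || [ "$d" = ALL ]; } && list_matches "$clients" "$3"; then
                echo match
                break 2
            fi
        done
    done
}

# tcpd order: a hosts.allow match grants; otherwise a hosts.deny match refuses;
# otherwise (no rule for this daemon and client) access is granted
wrap_decision() {
    if [ "$(file_matches "$HOSTS_ALLOW" "$1" "$2")" = match ]; then echo allow; return 0; fi
    if [ "$(file_matches "$HOSTS_DENY" "$1" "$2")" = match ]; then echo deny; return 1; fi
    echo allow
}

for c in 172.16.5.9 172.16.100.3 10.0.0.1; do
    printf '%-14s vsftpd: %s\n' "$c" "$(wrap_decision vsftpd "$c")"
done
```

Two practical points follow from the evaluation order: the deny line's ALL is what turns the policy into a whitelist, since a client that matches neither file is otherwise granted access, and the spawn command runs only for clients that reach hosts.deny, so 172.16.100.3 is logged while permitted clients are not. Against the live files, the tcp_wrappers package's tcpdmatch tool (for example `tcpdmatch vsftpd 172.16.100.3`) reports the same decision. vsftpd only consults these files when it is built with tcp_wrappers support and tcp_wrappers=YES is set in vsftpd.conf.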
Linux Service and Security Management, week 11 assignment ("Linux Micro Jobs")