Here, iptables serves as the firewall. It is completely powerless against attacks above a certain scale; if you encounter such attacks, choose a hardware firewall and anti-denial-of-service appliance according to the scale and characteristics of the attack. Such equipment is generally not cheap.

[root@r2cn ~]# vi iptables.sh ← create the execution file
#!/bin/bash
LAN=eth0
# Obtain the intranet netmask
LOCALNET_MASK=$(ifconfig $LAN | sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d)
# Obtain the intranet network address
LOCALNET_ADDR=$(netstat -rn | grep $LAN | grep $LOCALNET_MASK | cut -f1 -d ' ')
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK
# Stop the firewall (clears all rules)
/etc/rc.d/init.d/iptables stop
# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
# Allow all access from the internal network
iptables -A INPUT -s $LOCALNET -j ACCEPT
# Allow replies to connections initiated from inside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable SYN cookies
# Mitigate TCP SYN flood attacks (the echo appends, so sysctl.conf is not truncated)
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
# Do not respond to pings sent to the broadcast address
# Prevent Smurf attacks
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
# Reject ICMP redirect packets
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in $(ls /proc/sys/net/ipv4/conf/)
do
    sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done
# Reject source-routed packets
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in $(ls /proc/sys/net/ipv4/conf/)
do
    sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done
# Log and drop fragmented packets
iptables -A INPUT -f -j LOG --log-prefix '[iptables fragment]:'
iptables -A INPUT -f -j DROP
# Drop NetBIOS-related traffic to and from outside without logging
# Prevent useless log entries
iptables -A INPUT ! -s $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT ! -s $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT ! -d $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP
# Log and drop ping requests exceeding four per second
# Mitigate Ping of Death attacks
iptables -N LOG_PINGDEATH
iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A LOG_PINGDEATH -j LOG --log-prefix '[iptables pingdeath]:'
iptables -A LOG_PINGDEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH
# Drop packets addressed to all hosts (broadcast/multicast) without logging
# Prevent useless log entries
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
# Answer access to port 113 (IDENT) with a rejection instead of silently dropping it
# Prevent mail servers from stalling while waiting for an IDENT reply
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#----------------------------------------------------------#
# Ports opened per service follow; define them as needed   #
#----------------------------------------------------------#
# TCP port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# TCP/UDP port 53 (DNS)
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# TCP port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# TCP port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# TCP port 21 (FTP)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# PASV ports (FTP-DATA)
# Assumes ports 60000:60030 are used
iptables -A INPUT -p tcp --dport 60000:60030 -j ACCEPT
# TCP port 25 (SMTP)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# TCP port 465 (SMTPS)
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
# TCP port 110 (POP3)
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# TCP port 995 (POP3S)
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
# TCP port 143 (IMAP)
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# TCP port 993 (IMAPS)
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# UDP port 1194 (OpenVPN)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# Firewall settings for the VPN server
[ -f /etc/openvpn-startup ] && /etc/openvpn-startup
# Log (rate-limited) and drop all access not matched by the rules above
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix '[iptables input]:'
iptables -A INPUT -j DROP
iptables -A FORWARD -m limit --limit 1/s -j LOG --log-prefix '[iptables forward]:'
iptables -A FORWARD -j DROP
# Save the rules so they remain in effect after the host is restarted
/etc/rc.d/init.d/iptables save
# Start the firewall
/etc/rc.d/init.d/iptables start
The above is the content of the execution file.

[root@r2cn ~]# sh iptables.sh ← run the rule file
[OK] clear firewall rules:
[OK] set chains to ACCEPT policy: filter
[OK] uninstalling the iptables module:
[OK] save the current rule to /etc/sysconfig/iptables:
[OK] clear firewall rules:
[OK] set chains to ACCEPT policy: filter
[OK] uninstalling the iptables module:
[OK] apply iptables firewall rules:
[OK] load the additional iptables module: ip_conntrack_netbios_ns
[root@r2cn ~]# chkconfig iptables on ← start the firewall automatically at boot

When using CentOS, the firewall sometimes needs to be changed. The CentOS firewall is enabled by default; you can open ports in it as follows:
Open the iptables configuration file: vi /etc/sysconfig/iptables
Note the following when modifying the CentOS firewall: you must leave yourself a way in, that is, keep the VNC port and the SSH management port open.
The following is an example of /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
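As an added example (not from the page or the script's author), the following Python checker parses the iptables-save format used by /etc/sysconfig/iptables and answers the question the warning above raises before you apply a rule set: does a given port, as seen from outside, reach an ACCEPT before a terminal DROP or the chain's policy? The sample rule set is constructed here to mirror the script on this page; the 192.168.0.0/24 network is an assumption, and source-address restrictions on port-specific DROP rules are deliberately ignored so the check errs toward reporting a port closed.

```python
import re

SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000:60030 -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "[iptables input]:"
-A INPUT -j DROP
"""  # constructed sample in iptables-save format, modelled on the page's script

def _opt(rest, flag):
    """Value following an option flag in a rule body, or None if absent."""
    m = re.search(r"(?:^|\s)" + flag + r" (\S+)", rest)
    return m.group(1) if m else None

def parse_iptables_save(text):
    """Return ({chain: policy}, [rule dicts in chain order]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            chain, rest = line[3:].split(None, 1)
            rules.append({"chain": chain, "target": _opt(rest, "-j"),
                          "proto": _opt(rest, "-p"), "dport": _opt(rest, "--dports?"),
                          # "-A INPUT -j DROP" carries no match at all: it ends the walk
                          "catch_all": re.fullmatch(r"-j \S+", rest) is not None})
    return policies, rules

def port_in(spec, port):
    """True if port lies in a spec such as "22", "135,139,445" or "60000:60030"."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False

def port_open(text, port, proto="tcp", chain="INPUT"):
    """Walk the chain top to bottom as a packet from outside would traverse it."""
    policies, rules = parse_iptables_save(text)
    for r in rules:
        if r["chain"] != chain:
            continue
        hits_port = r["proto"] == proto and r["dport"] and port_in(r["dport"], port)
        if r["target"] == "ACCEPT" and hits_port:
            return True
        if r["target"] in ("DROP", "REJECT") and (hits_port or r["catch_all"]):
            return False
    return policies.get(chain) == "ACCEPT"   # fell through to the chain policy
```

Run it against the output of iptables-save before loading a new rule set; if port_open returns False for the SSH port, the rules would lock you out.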