Web host iptables firewall security script

The system's default policy is to set the INPUT to DROP, the OUTPUT and FORWARD chains to ACCEPT, and the DROP settings to loose, because we know that the outgoing data packets are safer. To verify the versatility of scripts, I checked the kernel and iptables version of the server. The command is as follows:

If you want to use iptables as the host firewall, we recommend that you use CentOS5.6 x86_64 or a later version. Otherwise, the system will have the following error message:

Iptables: Unknown error 18446744073709551615
Iptables: Invalid argument
The following error message is displayed during tail-f/var/log/messages.
Ip_tables: connlimit match: invalid size 32! = 16
Ip_tables: connlimit match: invalid size 32! = 24

In addition, before debugging the iptables script in the production environment, it is strongly recommended to write a crontab task and close the iptalbes script every five minutes to prevent the SSH client from being locked out. The command is as follows:

*/5 * root/etc/init. d/iptablesstop

The script code is as follows:

#!/bin/bash iptables -F iptables -F -t nat iptables -X iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT #load connection-tracking modules modprobe iptable_nat modprobe ip_conntrack_ftp modprobe ip_nat_ftp iptables -A INPUT -f -m limit --limit 100/sec--limit-burst 100 -j ACCEPT iptables -A INPUT -p icmp --icmp-typeecho-request -m limit --limit 1/s--limit-burst 10 -j ACCEPT iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec--limit-burst 200 -j ACCEPT iptables -A INPUT -s 122.70.x.x -j ACCEPT iptables -A INPUT -s 122.70.x.x -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -m multiport --dport 80,22 -j ACCEPT

There is a special case where the Web server is placed behind the Server Load balancer, so the connection to the Server Load balancer is still frequent. Therefore, we need to allow the data source address to pass through the Server Load balancer data packet; in addition, many of my small websites based on LNMP have also deployed this script, that is, the Web service and MySQL database are installed on one machine at the same time, and port 3306 is not opened, the Web calls PHP program for access.

After the script is successfully run, the system will not report an error. The command is as follows:

Iptables-nv-L

The result of this command is as follows:

Chain INPUT (policy DROP 610 packets, 50967 bytes) pkts bytes target    prot opt inout    sourcedestination      0    0 ACCEPT    all  -f  *      *      0.0.0.0/00.0.0.0/0limit: avg 100/secburst 100 6100  314K ACCEPT    tcp  --  *      *      0.0.0.0/00.0.0.0/0tcp flags:0x16/0x02limit: avg 20/secburst 200 1052 67637 ACCEPT    all  --  *      *      122.70.x.x        0.0.0.0/0 986 58112 ACCEPT    all  --  *      *      122.70.x.x        0.0.0.0/0 918  131K ACCEPT    all  --  lo    *      0.0.0.0/00.0.0.0/0 97056  12M ACCEPT    all  --  *      *      0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 4325  218K ACCEPT    tcp  --  *      *      0.0.0.0/00.0.0.0/0multiport dports 80,22 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target    prot opt inout    sourcedestination      0    0 ACCEPT    icmp --  *      *      0.0.0.0/00.0.0.0/0icmp type8 limit: avg 1/secburst 10 Chain OUTPUT (policy ACCEPT 144K packets, 155M bytes) pkts bytes target    prot opt inout    sourcedestination      956  134K ACCEPT    all  --  *      lo      0.0.0.0/00.0.0.0/0

 

I will explain this script in detail below:
In terms of host protection, we have configured some security measures to prevent external ping and SYN flood attacks, and considering that the external crazy port scanning software may affect the server's entry bandwidth, therefore, restrictions are also imposed here. The command is as follows:

Iptables-a input-p tcp -- syn-m limit -- limit 100/s -- limit-burst 100-j ACCEPT

The above command allows a maximum of 100 New connections per second. Note that the New connection here refers to a data packet with the state of New, in the future, we also configured data passing in the allowed status of ESTABLISHED and RELATED. In addition, the 100 threshold value should be adjusted according to the actual situation of the server, if the number of servers with a small number of concurrent requests is reduced, and if the number of servers with a large number of concurrent requests is increased.

Iptables-a input-p icmp -- icmp-typeecho-request-m limit -- limit 1/s-limit-burst 10-j ACCEPT
To prevent ping flood attacks, a maximum of 10 ping packets per second are allowed.
Iptables-a input-p tcp-m tcp -- tcp-flags SYN, RST, ack syn-m limit -- limit 20/sec -- limit-burst 200-j ACCEPT

The above command prevents various port scans and limits SYN and ack syn to no more than 200 per second, so as not to exhaust the bandwidth of the server.

After the iptables firewall is running, run the nmap tool for scanning. The command is as follows:

Nmap-P0-sS 211.143.6.x

The command execution result is as follows:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/) at 2009-03-29 16:21 CST Interesting ports on 211.143.6.X: Not shown: 1668 closed ports PORT    STATE SERVICE 22/tcpopenssh 25/tcpopensmtp 80/tcpopenhttp 110/tcpopenpop3 111/tcpopenrpcbind 143/tcpopenimap 443/tcpopenhttps 465/tcpopensmtps 587/tcpopensubmission 993/tcpopenimaps 995/tcpopenpop3s 1014/tcpopenunknown

Here, we found that a 1014 terminal was opened by a process, and it was opened by rpc. statd using lsof-I: 1014. This service uses different ports each time! I wanted to ignore it, but if rpc. statd cannot correctly process the SIGPID signal. Remote attackers can use this vulnerability to close the process and initiate a denial of service attack. Therefore, they still have to solve the problem. We found that rpc. statd is enabled by the Service nfslock. Further query shows that statd is an optional process, which allows the NFS client to lock files on the server. This process corresponds to the nfslock service, so we disabled the service and the command is as follows:

Service nfslock stop
Chkconfig nfslock off

If there is no hardware firewall protection, it is necessary to enable iptables protection for Web servers deployed in IDCs and with public networks. If someone finds that they use tools to maliciously and frequently connect to our Web servers, we can call the recent module to block them.

-A input-p tcp -- syn-m limit -- limit 12/s -- limit-burst 24-j ACCEPT prevents DDOS SYN