Introduction to Linux Server iptables rule list for e-commerce websites

[Connected E-commerce system architecture] technical architecture of e-commerce websites with more than 1 million visits

Server security has always been a top priority for websites. There are a variety of security solutions. For Linux Server firewalls, the most common ones are iptables firewalls. Iptables is a common firewall software in Linux, and its rules are flexible and should be the most extensive. To build a high-security e-commerce website, any security software essential to a server is, of course, iptables firewall. The rule is flexible and variable, and the function should be extensive. This is also the first choice for Linux system administrators. The order of each rule in the iptables table chain is very important. If the first rule is accept all, all data packets are allowed to pass through firewall. Therefore, the Rule Order should be properly arranged. The general rule is: deny all allowed minority.
The actual application of the total iptables rules is applied on each server, such.
However, if you know more about the iptables firewall, you can configure it by yourself and achieve or even exceed the performance of the hardware firewall:
1. The instance describes the list of iptables rules of a high-security e-commerce website.
2. based on the instance, ptables installation and removal of iptables rules, iptables only opens the specified port, iptables shield the specified ip address, ip segment and unseal, delete added iptables rules and other basic applications of iptables.
3. Introduce the key port settings in detail. In particular, how should I set iptables rules for special FTP, and support ftp active mode and ftp passive mode. Iptables rule instance: List of iptables rules of an e-commerce website

 iptables========================================================================# iptables conf /etc/sysconfig/iptables# Created by http://jimmyli.blog.51cto.com/# Last Updated 2010.10.17# Firewall configuration written by system-config-securitylevel# Manual customization of this file is not recommended.*filter:FORWARD ACCEPT [0:0]:INPUT ACCEPT [0:0]:RH-Firewall-1-INPUT - [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -j RH-Firewall-1-INPUT-A FORWARD -j RH-Firewall-1-INPUT-A RH-Firewall-1-INPUT -i lo -j ACCEPT-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT-A RH-Firewall-1-INPUT -p 50 -j ACCEPT-A RH-Firewall-1-INPUT -p 51 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 873 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 3306 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8080 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 30000:30030 --state NEW -j ACCEPT-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedCOMMIT

For the iptables rule list of an e-commerce website, describe how to use it. Add or replace the above content with the/etc/sysconfig/iptables file and edit vim/etc/sysconfig/iptables.
2. Make the rule take effect. Then the service iptables restart takes effect.
3. in the preceding rules, only ports 22 (ssh), 21 (FTP), 80 (web), 3306 (mysql), and 8000 are enabled, port 30000 to port 30030 is a port in FTP passive mode, and other ports are prohibited. You can also modify the settings as needed.

 

Tip:
This iptables rule also supports ftp active mode and ftp passive mode. It is a key application for FTP special port applications.
Attached system default Template

 Python========================================================================# Firewall configuration written by system-config-securitylevel# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:RH-Firewall-1-INPUT - [0:0]-A INPUT -j RH-Firewall-1-INPUT-A FORWARD -j RH-Firewall-1-INPUT-A RH-Firewall-1-INPUT -i lo -j ACCEPT-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT-A RH-Firewall-1-INPUT -p 50 -j ACCEPT-A RH-Firewall-1-INPUT -p 51 -j ACCEPT-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedCOMMIT~~

Basic Application description of iptables firewall on Linux

Iptables is a common firewall software in Linux, the following describes how to install and clear iptables rules. iptables only supports the specified port. iptables shields basic applications of iptables, such as specified ip addresses, ip segments, unblocking, and deleting added iptables rules.. For more instructions on iptables, run iptables -- help or search for iptables parameters online. 1. Install iptables Firewall
If iptables is not installed, install iptables first. Run the following command on CentOS: yum install iptables.
Run apt-get install iptables In Debian/Ubuntu.
2. Clear existing iptables rules

iptables -Fiptables -Xiptables -Z

3. Open the specified port

# Allow the local loopback interface (that is, running the local machine to access the local machine) iptables-a input-s 127.0.0.1-d 127.0.0.1-j ACCEPT # Allow ESTABLISHED or connected traffic through iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT # Allow all local machines to access iptables-a output-j ACCEPT # Allow access to port 22 iptables-a input-p tcp -- dport 22-j ACCEPT # Allow access to 80 port iptables-a input-p tcp -- dport 80-j ACCEPT # Allow port 21 and Port 20 of the FTP service iptables-a input-p tcp -- dport 21-j ACCEPTiptables-a input- p tcp -- dport 20-j ACCEPT # If there are other ports, the rule is similar. Modify the preceding statement slightly. # Disable other unpermitted rules from accessing iptables-a input-j REJECTiptables-a forward-j REJECT.

4. Shielding IP addresses
# If you only want to block the IP address, you can skip "3. Open the specified port.
# The command to shield a single IP address is
Iptables-I INPUT-s 123.45.6.7-j DROP
# The command for sealing the entire segment from 123.0.0.1 to 123.20.255.254
Iptables-I INPUT-s 123.0.0.0/8-j DROP
# An IP address segment is a command from 123.45.0.1 to 123.45.255.254.
Iptables-I INPUT-s 124.45.0.0/16-j DROP
# The command from 123.45.6.1 to 123.45.6.254 is
Iptables-I INPUT-s 123.45.6.0/24-j DROP
4. view the added iptables rules
Iptables-L-n
V: displays details, including the number of matching packages and the number of matching bytes for each rule.
X: Disable Automatic unit conversion (K, M) based on v)
N: only the ip address and port number are displayed. do not resolve the ip address to the domain name. 5. Delete the added iptables rule.
Display All iptables with serial numbers. Run iptables-L-n -- line-numbers.
For example, to delete the rule with serial number 8 in INPUT, run iptables-d input 8.
6. Start iptables and save the rules
After iptables is installed on CentOS, iptables does not start automatically after it is started. You can execute the following command:

 

Chkconfig -- level 345 iptables on
Add it to startup. On CentOS, you can run the: service iptables save rule. In addition, iptables On Debian/Ubuntu does not save rules. You need to follow the steps below to make the NIC closed is to save iptables rules, load iptables rules at startup: Create the/etc/network/if-post-down.d/iptables file, add the following content :#! /Bin/bash
Iptables-save>/etc/iptables. rules
Run: chmod + x/etc/network/if-post-down.d/iptables to add execution permissions. Create the/etc/network/if-pre-up.d/iptables file and add the following content :#! /Bin/bash
Iptables-restore </etc/iptables. rules
Run: chmod + x/etc/network/if-pre-up.d/iptables to add execution permissions. Summary:
Iptables applications are everywhere and are important firewall software to improve system security. It is widely used in Linux systems. Iptables rules are required for servers in actual production. Of course, the iptables firewall is indispensable for building a high-security e-commerce website.