Iptables configuration in debian system

Source: Internet
Author: User
Tags: rsyslog
1. Iptables functions
1. meet the above-mentioned second requirement for database security
2. record rejected packets to the log
3. activate iptables automatically after the machine restarts
On the MySQL master/slave servers, run the following commands:
iptables -A INPUT -p tcp -s 192.168.0.196/32 -d 192.168.0.199 --dport 3300 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.120/32 -d 192.168.0.199 --dport 3300 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.0.199 --dport 3300 -j LOG --log-prefix "iptables denied:" --log-level 4
iptables -A INPUT -p tcp -d 192.168.0.199 --dport 3300 -j REJECT
The following is an explanation of the related commands:
Allow specific hosts to connect to MySQL:
# iptables -A INPUT -p tcp -s 192.168.0.196/32 -d 192.168.0.199 --dport 3300 -j ACCEPT
# iptables -A INPUT -p tcp -s 192.168.0.120/32 -d 192.168.0.199 --dport 3300 -j ACCEPT
Log the packet (log level 4 is "warning"):
# iptables -A INPUT -p tcp -d 192.168.0.199 --dport 3300 -j LOG --log-prefix "iptables denied:" --log-level 4
Reject the packet; the initiator sees a connection failure:
# iptables -A INPUT -p tcp -d 192.168.0.199 --dport 3300 -j REJECT
The following rules are for future reference and are not used in this configuration.
Drop the packet; the initiator gets no response at all:
# iptables -A INPUT -p tcp -d 192.168.206.121 --dport 3300 -j DROP
View iptables rules and their match counters:
# iptables -L -v
View the logs:
# tail -f /var/log/messages
Delete a rule (here, rule 1 of the INPUT chain):
# iptables -D INPUT 1
2. Save the rules to a configuration file.
# iptables-save > /etc/iptables.mysql.rules
3. Save the rules to the configuration file that is loaded automatically at startup.
# iptables-save > /etc/iptables.mysql.up.rules
4. Create the iptables startup script.
# vi /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.mysql.up.rules
5. Make the iptables startup script executable.
# chmod +x /etc/network/if-pre-up.d/iptables
6. Write denied packets to /var/log/iptables.log.
# vi /etc/rsyslog.conf
Add the following to the file:
# Log denied IP packets to /var/log/iptables.log rather than the default /var/log/messages.
kern.warning    /var/log/iptables.log
Restart the log daemon:
# /etc/init.d/rsyslog restart
Check that the log file is being written:
# tail -f /var/log/iptables.log
7. Complete the configuration and test it.
Test from a different machine:
# mysql -uusername -p123456 -h192.168.0.199 -P3300
Check the number of matched packets:
# iptables -L -v -n
Chain INPUT (policy ACCEPT 853K packets, 70M bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   422 ACCEPT     tcp  --  *      *       192.168.0.196        192.168.0.199        tcp dpt:3300
  453 28893 ACCEPT     tcp  --  *      *       192.168.0.120        192.168.0.199        tcp dpt:3300
    1    60 LOG        tcp  --  *      *       0.0.0.0/0            192.168.0.199        tcp dpt:3300 LOG flags 0 level 4 prefix 'iptables denied:'
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.0.199        tcp dpt:3300 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 748K packets, 481M bytes)
 pkts bytes target     prot opt in     out     source               destination
Check the log of packets rejected by iptables:
# tail -f /var/log/iptables.log
Nov 18 14:08:51 db199 kernel: [199125.557827] iptables denied: IN=eth0 OUT= MAC=00:18:8b:e5:87:af:84:2b:2b:60:ab:d8:08:00 SRC=192.168.0.234 DST=192.168.0.199 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15617 DF PROTO=TCP SPT=43469 DPT=3300 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 14:25:21 db199 kernel: [200332.168071] iptables denied: IN=eth0 OUT= MAC=00:18:8b:e5:87:af:00:1a:30:3c:24:00:08:00 SRC=124.128.18.161 DST=192.168.0.199 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=43242 DF PROTO=TCP SPT=15472 DPT=3300 WINDOW=5840 RES=0x00 SYN URGP=0
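As an added example (not part of the original article), the following Python script parses kernel LOG lines of the kind shown above and counts denied TCP connection attempts to port 3300 per source address, separating sources inside the LAN from external ones. The sample lines are constructed to match the LOG target format, and treating 192.168.0.0/24 as the trusted network is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real captures) in the format the kernel LOG
# target writes; the addresses mirror the article's /var/log/iptables.log.
SAMPLE_LOG = [
    "Nov 18 14:08:51 db199 kernel: [199125.557827] iptables denied: IN=eth0 OUT= "
    "MAC=00:18:8b:e5:87:af:84:2b:2b:60:ab:d8:08:00 SRC=192.168.0.234 DST=192.168.0.199 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15617 DF PROTO=TCP SPT=43469 DPT=3300 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 14:25:21 db199 kernel: [200332.168071] iptables denied: IN=eth0 OUT= "
    "MAC=00:18:8b:e5:87:af:00:1a:30:3c:24:00:08:00 SRC=124.128.18.161 DST=192.168.0.199 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=43242 DF PROTO=TCP SPT=15472 DPT=3300 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 14:25:24 db199 kernel: [200335.002113] iptables denied: IN=eth0 OUT= "
    "MAC=00:18:8b:e5:87:af:00:1a:30:3c:24:00:08:00 SRC=124.128.18.161 DST=192.168.0.199 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=43250 DF PROTO=TCP SPT=15473 DPT=3300 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 14:26:00 db199 sshd[2231]: Accepted publickey for admin from 192.168.0.120",
]

# KEY=value pairs written by the LOG target (OUT= legitimately has an empty value).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare flag words the LOG target emits without a value.
TCP_FLAGS = ("DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_denied(line, prefix="iptables denied:"):
    """Return the LOG fields after `prefix` as a dict, or None for other lines."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    fields = dict(KV_RE.findall(body))
    fields["FLAGS"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", body)}
    return fields

def summarise(lines, trusted_net="192.168.0.0/24", port="3300"):
    """Count denied TCP attempts to `port` per source, split into sources inside
    `trusted_net` (unexpected or misconfigured LAN clients) and external ones."""
    net = ip_network(trusted_net)
    lan, external = Counter(), Counter()
    for line in lines:
        f = parse_denied(line)
        if f is None or f.get("PROTO") != "TCP" or f.get("DPT") != port or "SRC" not in f:
            continue
        bucket = lan if ip_address(f["SRC"]) in net else external
        bucket[f["SRC"]] += 1
    return lan, external
```

Feed it the contents of /var/log/iptables.log to see which LAN hosts need an ACCEPT rule and which outside addresses are probing the MySQL port.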