Iptables Firewall host firewall (2)

Source: Internet
Author: User
Tags: ftp connection, ftp protocol


Continuing from the previous post, this is the advanced part of the host firewall material, with example content; I hope it is clear!

One: explicit extensions

The extension module being used must be named explicitly with the -m option;

Help:

CentOS 6: man iptables

CentOS 7: man iptables-extensions

1. multiport extension

Matches multiple ports given as a discrete list; up to 15 ports can be specified;

[!] --source-ports,--sports port[,port|,port:port]...: specify multiple source ports; "," separates discrete ports and ":" denotes a contiguous port range;

[!] --destination-ports,--dports port[,port|,port:port]...: specify multiple destination ports;

[!] --ports port[,port|,port:port]...: specify multiple ports (source or destination);

# iptables -S INPUT
-P INPUT DROP
-A INPUT -d 172.18.29.122/32 -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -d 172.18.29.122/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 172.18.29.122/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# iptables -S OUTPUT
-P OUTPUT DROP
-A OUTPUT -s 172.18.29.122/32 -p tcp -m multiport --sports 22,80 -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p udp -m udp --dport 53 -j ACCEPT

2. iprange extension

Matches a contiguous range of IP addresses (usually one that is not a whole subnet);

[!] --src-range from[-to]: source IP address range;

[!] --dst-range from[-to]: destination IP address range;

# iptables -S INPUT
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22,80 -m iprange --src-range 172.18.29.1-172.18.29.155 -j ACCEPT
-A INPUT -d 172.18.29.122/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 172.18.29.122/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

3. string extension

Performs string pattern matching against the application-layer data in the packet;

--algo {bm|kmp}: the string matching algorithm;

bm: Boyer-Moore

kmp: Knuth-Morris-Pratt

--from offset: start matching at this byte offset in the packet

--to offset: stop matching at this byte offset in the packet

[!] --string pattern: the string pattern to match;

[!] --hex-string pattern: the string pattern to match, given in hexadecimal;

# iptables -A OUTPUT -s 172.16.100.67 -d 172.16.0.0/16 -p tcp --sport 80 -m string --algo bm --string "gay" -j REJECT

4. time extension

Matches packets whose arrival time falls within the specified time range;

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--timestart hh:mm[:ss], e.g. --timestart 08:00:00 --timestop 16:00:00

--timestop hh:mm[:ss]

[!] --monthdays day[,day...], e.g. --monthdays 1,2,3,4

[!] --weekdays day[,day...], e.g. --weekdays 1,2,3,4

--kerneltz: use the kernel's time zone instead of the default UTC; # very important: specifying the kernel time zone can

# iptables -A INPUT -d 172.18.29.122/32 -p tcp -m tcp --dport 80 -m time --timestart 23:30:00 --timestop 23:50:00 --datestop 2038-01-19T03:14:07 --kerneltz -j ACCEPT

5. connlimit extension

Matches on the number of concurrent connections, counted per client IP;

--connlimit-upto N: matches when the number of existing connections is less than or equal to N;

--connlimit-above N: matches when the number of existing connections is greater than N;

# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT

6. limit extension

Matches based on the rate at which packets are sent or received;

Implemented as a token bucket filter;

--limit rate[/second|/minute|/hour|/day]

--limit-burst number

# iptables -I INPUT -d 172.16.100.67 -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
# iptables -I INPUT 2 -p icmp -j REJECT
# iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 10/min --limit-burst 3 -j ACCEPT
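As an added example (not code from the original post), the following Python model of the token bucket behind -m limit walks a sequence of ICMP echo-request arrival times through the two rules above (ACCEPT while "--limit 3/minute --limit-burst 5" matches, otherwise REJECT) and shows which packets pass: the burst is spent on the first five, after which one packet is admitted per 20 seconds. The arrival times are constructed; note that -m limit keeps one bucket per rule, shared by all sources.

```python
"""Token bucket model of -m limit (xt_limit) for the page's ICMP example.
Constructed example, not code from the original post. Times are seconds;
rule 1 ACCEPTs echo-requests that pass "--limit 3/minute --limit-burst 5",
rule 2 REJECTs any ICMP that falls through.
"""
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """'3/minute' -> tokens added per second, as an exact Fraction."""
    count, _, unit = spec.partition("/")
    unit = unit or "second"
    for name, secs in UNIT_SECONDS.items():
        if name.startswith(unit):       # iptables accepts 3/min, 3/m, 3/minute
            return Fraction(int(count), secs)
    raise ValueError("bad limit spec: " + spec)


class LimitMatch:
    """One bucket per rule (not per source): at most `burst` tokens, refilled
    continuously at `rate` tokens per second; each matching packet costs one."""

    def __init__(self, limit="3/minute", burst=5):
        self.rate = parse_limit(limit)
        self.burst = Fraction(burst)
        self.tokens = self.burst            # the bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        refill = (now - self.last) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True                     # rule matches -> ACCEPT
        return False                        # no token: fall through to rule 2


def icmp_verdicts(arrival_times, limit="3/minute", burst=5):
    """Verdict of the page's INPUT chain for each echo-request arrival time."""
    bucket = LimitMatch(limit, burst)
    return ["ACCEPT" if bucket.matches(t) else "REJECT" for t in arrival_times]
```

For arrivals at t = 0..6, 24, 25 and 44 seconds the first five pass, t = 5 and 6 are rejected, t = 24 passes on the token earned since t = 4, t = 25 is rejected and t = 44 passes again.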

7. state extension: the states are conntrack's own; connection tracking is done according to the state of the packet

Connection tracking table: entries of the form (sip:sport -- dip:dport), each with a countdown (expiry timer)

If the table grows too large, new connections are rejected. The limit can be adjusted, and connection tracking is not needed on a load balancer.

The state of a connection is checked according to the connection tracking mechanism;

Conntrack mechanism: tracks the relationship between requests and responses on the local machine, distinguishing the following cases:

NEW: a new request; the connection tracking table has no entry for this connection yet, so it is recognized as the first request;

ESTABLISHED: the state after NEW, while the entry created in the connection tracking table has not yet expired;

RELATED: an associated connection, such as the data connection relative to the command connection in the FTP protocol;

INVALID: an invalid connection;

UNTRACKED: a connection that is deliberately not tracked;

[!] --state state

# iptables -A INPUT -d 172.16.100.67 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.67 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT

How to allow passive-mode FTP through the firewall?

(1) Load the dedicated connection tracking module for FTP:

# modprobe nf_conntrack_ftp
# lsmod | grep nf_conntrack_ftp

(2) Allow the command connection (assuming the server address is 172.16.100.67):

-A INPUT -d 172.18.29.122/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

(3) Allow the data connection (assuming the server address is 172.16.100.67):

-A INPUT -d 172.18.29.122/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p tcp -m state --state ESTABLISHED -j ACCEPT
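To show why step (1) is needed, here is an added example (not from the original post) that models the conntrack table and the nf_conntrack_ftp helper in Python and runs the INPUT rules above for the server 172.18.29.122 over a passive-mode session; the client address 172.18.29.50, its ports and the 227 reply are constructed. With the helper loaded the client's data connection is classified RELATED and accepted; without it the same packet is NEW on a port other than 21 and falls to the DROP policy.

```python
"""Conntrack state model for passive-mode FTP against the page's INPUT rules.
Constructed example, not code from the original post. With ftp_helper=True the
"227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the command connection
registers an expected data connection to h1.h2.h3.h4:p1*256+p2, as nf_conntrack_ftp does.
"""
import re

SERVER = "172.18.29.122"  # server address used in the page's rules
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Conntrack:
    def __init__(self, ftp_helper=True):
        self.table = set()     # known (src, sport, dst, dport) flows
        self.expect = set()    # (dst, dport) announced by PASV replies
        self.ftp_helper = ftp_helper

    def state(self, src, sport, dst, dport, payload=b""):
        flow, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.table or reply in self.table:
            st = "ESTABLISHED"
        elif (dst, dport) in self.expect:
            st = "RELATED"                 # matches a helper expectation
            self.expect.discard((dst, dport))
        else:
            st = "NEW"
        self.table.add(flow)
        if self.ftp_helper and sport == 21:  # helper watches the control channel
            m = PASV_RE.search(payload.decode("ascii", "replace"))
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                self.expect.add((host, int(m.group(5)) * 256 + int(m.group(6))))
        return st


def input_verdict(ct, src, sport, dst, dport, payload=b""):
    """The page's INPUT rules for the FTP server; default policy DROP."""
    st = ct.state(src, sport, dst, dport, payload)
    if dst == SERVER and dport == 21 and st in ("NEW", "ESTABLISHED"):
        return "ACCEPT"                   # --dport 21 --state NEW,ESTABLISHED
    if dst == SERVER and st in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"                   # --state RELATED,ESTABLISHED
    return "DROP"


def passive_ftp_session(ftp_helper=True):
    """Constructed client 172.18.29.50: command SYN, the server's 227 reply (seen
    in OUTPUT), then the data SYN. Returns the INPUT verdict on the data SYN."""
    ct, client = Conntrack(ftp_helper), "172.18.29.50"
    input_verdict(ct, client, 40000, SERVER, 21)          # command SYN: NEW -> ACCEPT
    ct.state(SERVER, 21, client, 40000, b"227 Entering Passive Mode (172,18,29,122,195,80)")
    return input_verdict(ct, client, 40001, SERVER, 195 * 256 + 80)  # data port 50000
```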

Rule optimization strategy: rules are checked in the order in which they appear in the chain, so optimization follows certain principles:

(1) Among rules of the same kind (access to the same application), put the ones with the narrower match scope first, so that special cases are handled first;

(2) Among rules of different kinds (access to different applications), put the ones with the broader match scope first;

(3) Multiple rules that can be expressed as a single rule should be merged into one;

(4) Set a default policy.

Second: saving rules

Rules defined with the iptables command stay in effect until they are deleted manually, or at most for as long as the running kernel lives;

Save the rules to a specified file:

CentOS 6:

~]# service iptables save

Saves the rules to the /etc/sysconfig/iptables file;

~]# iptables-save > /path/to/some_rules_file

The default file is /etc/sysconfig/iptables; other paths are not read automatically.

CentOS 7:

~]# iptables -S

~]# iptables-save > /path/to/some_rules_file

Reload rules from a saved rules file:

CentOS 7:

~]# iptables-restore < /path/from/some_rules_file

CentOS 6:

~]# service iptables restart

This re-reads the configuration file /etc/sysconfig/iptables

Making the rules in a rules file take effect automatically at boot:

(1) Put the iptables commands in a script and have the script run automatically after boot;

Add the script path to the /etc/rc.d/rc.local file:

/path/to/some_script_file

(2) Save the rules to a rules file and load that file automatically at boot;

Add to the /etc/rc.d/rc.local file:

iptables-restore < /path/from/iptables_rules_file
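As an added example (not from the original post), this Python parser reads the format that iptables-save writes and iptables-restore (or /etc/sysconfig/iptables on CentOS 6) loads back, and flags the mistake that silently bites at boot: a table whose rules are listed but never followed by COMMIT is parsed yet never applied. The sample rules file is constructed from the page's rule set.

```python
"""Parser for the iptables-save format loaded by iptables-restore.
Constructed example, not code from the original post. Returns, per table, the
chain policies, the rules, and whether the table was COMMITted: a table
without COMMIT is read by iptables-restore but its rules are never applied.
"""
import re

# Constructed sample rules file, modelled on the page's rule set.
SAMPLE_RULES = """\
# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 172.18.29.122/32 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 172.18.29.122/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 172.18.29.122/32 -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")  # e.g. ":INPUT DROP [0:0]"


def parse_rules(text):
    """Return {table: {"policies": {chain: policy}, "rules": [...], "committed": bool}}.
    Raises ValueError on lines iptables-restore would reject."""
    tables, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # "# Generated by" / "# Completed on" comments
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": [], "committed": False})
        elif current is None:
            raise ValueError("line %d: content before any *table header" % n)
        elif line == "COMMIT":
            current["committed"] = True   # only now does the kernel get the table
            current = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError("line %d: malformed chain line" % n)
            current["policies"][m.group(1)] = m.group(2)
        elif line.startswith("-"):
            current["rules"].append(line)  # -A/-I rule in iptables command syntax
        else:
            raise ValueError("line %d: unexpected line %r" % (n, line))
    return tables


def uncommitted_tables(text):
    """Tables whose rules iptables-restore would parse but never apply."""
    return sorted(t for t, v in parse_rules(text).items() if not v["committed"])
```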

Note:

CentOS 7:

Introduces a new iptables front-end management tool, firewalld, whose management tools are firewall-cmd and firewall-config

Targets:

ACCEPT, DROP, REJECT, RETURN

LOG, SNAT, DNAT, REDIRECT, MASQUERADE, ...

LOG:

--log-level level

--log-prefix prefix


This article is from the "Deep Sea Fish" blog, please be sure to keep this source http://kingslanding.blog.51cto.com/9130940/1769434
