The default policy of the system's INPUT and OUTPUT chains is DROP.
1. The Web server on this host may not be accessed on Mondays; new requests may not exceed 100 per second; pages containing the string "admin" may not be served; only response traffic may leave the machine.
# iptables -A INPUT -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT
-m limit enforces the requested rate of new connections (-m connlimit counts concurrent connections per source address, not a rate, and "--connlimit-above 100 -j ACCEPT" would accept only once a source already held more than 100 connections); the time match compares against UTC unless --kerneltz is added.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Because the INPUT policy is DROP, the remaining packets of each accepted connection need this rule.
# iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -m string --algo kmp --string "admin" -j REJECT
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The REJECT rule must precede the general rule; otherwise responses containing "admin" would already have been accepted.
2. During working hours, Monday to Friday 08:30-18:00, open the local FTP service to hosts on the 172.16.0.0/16 network; new download requests may not exceed 5 per minute.
# iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW -m limit --limit 5/minute -j ACCEPT
-m limit enforces the per-minute rate the task asks for (-m connlimit counts concurrent connections per source, and "--connlimit-above 5 -j ACCEPT" would accept only once a source already held more than 5); the time match uses UTC unless --kerneltz is added, and FTP data connections are treated as RELATED only when the nf_conntrack_ftp helper is loaded.
3. Open the local SSH service to the hosts 172.16.X.1-172.16.X.100, where X is your seat number; new connection requests may not exceed 2 per minute; only response traffic may leave through the service port.
# iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 172.16.1.1-172.16.1.100 -m state --state NEW -m limit --limit 2/minute -j ACCEPT
Without --state NEW the limit would count every packet of the session rather than new connections only; the later packets of an accepted session must be let in by an INPUT rule for ESTABLISHED,RELATED.
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This OUTPUT rule is needed only once in the chain; adding -p tcp --sport 22 would confine it to the SSH service port as the task wording asks.
4. Reject packets whose TCP flags are all 1 or all 0:
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
The first argument of --tcp-flags is the mask of flags to examine and the second the flags that must be set within that mask, so ALL ALL matches segments with every flag set and ALL NONE segments with no flag set; neither combination occurs in legitimate TCP.
5. Allow this machine to ping other hosts, but do not allow other hosts to ping this machine:
# iptables -A OUTPUT -s 192.168.10.132 -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -d 192.168.10.132 -p icmp --icmp-type 0 -j ACCEPT
Type 8 is echo-request and type 0 is echo-reply (the names echo-request and echo-reply may be used instead of the numbers); an incoming echo-request matches no ACCEPT rule and falls to the DROP policy.
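As an added example that is not part of the original post: the answers to tasks 1 to 5 combined into a single ruleset in iptables-restore format, produced by a small POSIX shell script so that the whole policy can be parsed with iptables-restore --test and loaded atomically instead of rule by rule. It assumes this machine's address 192.168.10.132 from task 5 and seat number 1 from task 3 (both overridable through the HOST_IP and SEAT variables); the function names gen_rules, count_rules, check_rules and apply_rules are chosen here. It also includes the loopback and INPUT ESTABLISHED,RELATED rules that a DROP policy requires but the per-task answers do not list.

```shell
#!/bin/sh
# Added example, not from the original post: tasks 1-5 as one iptables-restore ruleset.
# Assumed values (taken from the post): this host is 192.168.10.132, seat number X=1.
set -eu

HOST_IP="${HOST_IP:-192.168.10.132}"   # address of this machine (task 5)
SEAT="${SEAT:-1}"                      # "X" in 172.16.X.1-172.16.X.100 (task 3)

# Print the complete ruleset in iptables-save format; '#' lines are ignored by iptables-restore.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# task 4: illegal flag combinations are dropped before any ACCEPT rule can see them
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# later packets of connections accepted by the rules below (the INPUT policy is DROP)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# task 1: web server closed on Mondays, at most 100 new connections per second
# (the time match compares against UTC unless --kerneltz is added)
-A INPUT -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT
# task 2: FTP control port for 172.16.0.0/16 during working hours, 5 new connections per minute
-A INPUT -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW -m limit --limit 5/minute -j ACCEPT
# task 3: SSH from 172.16.${SEAT}.1-172.16.${SEAT}.100, 2 new connections per minute
-A INPUT -p tcp --dport 22 -m iprange --src-range 172.16.${SEAT}.1-172.16.${SEAT}.100 -m state --state NEW -m limit --limit 2/minute -j ACCEPT
# task 5: this host may ping others; incoming echo-requests match nothing and hit the DROP policy
-A OUTPUT -s ${HOST_IP} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -d ${HOST_IP} -p icmp --icmp-type echo-reply -j ACCEPT
# task 1: responses carrying "admin" are rejected; this must precede the general reply rule
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -m string --algo kmp --string "admin" -j REJECT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rule lines in the generated file (a cheap sanity check for scripts and tests).
count_rules() {
  gen_rules | grep -c '^-A '
}

# Parse the ruleset without loading it (needs iptables and root).
check_rules() {
  gen_rules | iptables-restore --test
}

# Load the whole ruleset atomically; iptables-restore replaces the filter table's contents.
apply_rules() {
  gen_rules | iptables-restore
}

case "${1:-}" in
  --check) check_rules ;;
  --apply) apply_rules ;;
  *)       gen_rules ;;      # default: just print the ruleset for review
esac
```

Run it without arguments to review the generated file, with --check to have iptables-restore parse it, and with --apply to load it; SEAT=3 ./rules.sh --apply substitutes another seat number.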
6. Explain the meaning of the following rules:
# iptables -N clean_in
Create a custom chain named clean_in.
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
Append to clean_in: drop ICMP packets sent to the limited-broadcast address 255.255.255.255.
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
Append to clean_in: drop ICMP packets sent to 172.16.255.255, the broadcast address of the 172.16.0.0/16 network.
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
Append to clean_in: drop TCP packets that connection tracking sees as NEW but that are not a SYN, i.e. attempts to start a connection without the first packet of the handshake.
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
Append to clean_in: drop TCP packets with every flag set.
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
Append to clean_in: drop TCP packets with no flag set.
# iptables -A clean_in -d 172.16.100.7 -j RETURN
Append to clean_in: a packet for 172.16.100.7 that reaches this point returns to the calling chain, which continues with the rule after the jump.
# iptables -A INPUT -d 172.16.100.7 -j clean_in
Packets arriving for 172.16.100.7 are passed through the custom chain clean_in.
# iptables -A INPUT -i lo -j ACCEPT
Accept packets arriving on the loopback interface lo.
# iptables -A OUTPUT -o lo -j ACCEPT
Accept packets leaving through the loopback interface lo.
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
Drop TCP packets arriving on eth0 for ports 53, 113, 135, 137, 139 and 445.
# iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
Drop UDP packets arriving on eth0 for ports 53, 113, 135, 137, 139 and 445.
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
Drop UDP packets arriving on eth0 for port 1026.
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP
Drop TCP packets arriving on eth0 for ports 1433 and 4899.
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
Accept ICMP packets at an average rate of at most 10 per second (with the default burst of 5); packets above that rate do not match this rule and continue to the following rules or the chain policy.
7. Using TCP wrappers, allow vsftpd to be accessed only from the 172.16.0.0/255.255.0.0 network, except for 172.16.100.3, and record the denied access attempts in the log file /var/log/tcp_wrapper.log.
# vim /etc/hosts.allow
vsftpd: 172.16. EXCEPT 172.16.100.3
# vim /etc/hosts.deny
vsftpd: ALL: spawn /bin/echo "$(date) login attempt from %c to %s,%d" >> /var/log/tcp_wrapper.log
hosts.allow is consulted first, so the deny entry fires only for clients the allow entry did not match; %c expands to the client information, %s to the server information and %d to the daemon name. vsftpd consults these files only when tcp_wrappers=YES is set in vsftpd.conf, and the result can be checked with tcpdmatch vsftpd 172.16.100.3.
This article is from the "11822904" blog; please keep this source: http://11832904.blog.51cto.com/11822904/1960448
Linux 11th Week Micro jobs