Linux Firewall Iptables settings

Source: Internet
Author: User
Tags ssh port

Although attacks cannot be stopped completely, some security work still has to be done. On Linux you can configure iptables to harden a server. Configuring iptables is complicated, but following the steps in this article one at a time is not difficult.

Although we cannot avoid attacks altogether, it is still necessary to apply some security settings to the server. It is like a cold winter: clothes cannot keep out the cold completely, but they are still better than running around naked. On Linux, configuring the firewall really means editing the /etc/sysconfig/iptables file, which is described in detail below.

First, check which port each service on the server listens on:

    netstat -apn

Check whether iptables is installed:

    service iptables status

If the output is "iptables: unrecognized service", iptables is not installed. On CentOS install it with:

    yum install iptables

On Debian install it with:

    apt-get install iptables

View the current iptables rules:

    iptables -L -n

If the output is:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

then no rules have been set. If rules were set before and you want to start over, clear the old rules with the following commands.

Flush the rules of every chain in the default (filter) table:

    iptables -F

Delete the user-defined chains in the filter table:

    iptables -X

Zero the packet and byte counters of all rules in every chain:

    iptables -Z

Allow the local loopback interface:

    iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Allow established or related connections:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow access to port 22, the SSH port. If you have changed the SSH port, replace 22 with your actual SSH port number:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

For a web server, allow access to port 80:

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow access to the database:

    iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

Open the mail service ports:

    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT

Open the FTP ports:

    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Allow ICMP:

    iptables -A INPUT -p icmp -j ACCEPT

Open the DNS server port:

    iptables -A INPUT -p udp --dport 53 -j ACCEPT

When the machine is used for NAT and the default FORWARD policy is DROP, forwarding must be enabled explicitly:

    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The following settings are only lightweight attack protection, but they are still worth applying.

Enable SYN cookies:

    sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null

Set the default timeout of an established TCP connection to 10800 seconds, that is, 3 hours:

    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=10800 &>/dev/null

Set the maximum number of tracked connections. The value has to be calculated with the formula below; here a 32-bit system with 2 GB of memory is used as the example:

    sysctl -w net.ipv4.ip_conntrack_max=131072 &>/dev/null

The formula is CONNTRACK_MAX = RAMSIZE (memory size in bytes) / 16384 / (bits / 32), where bits is 32 or 64 depending on the system architecture. For example, for a 32-bit server with 512 MB of memory: 512 * 1024 * 1024 / 16384 / (32 / 32) = 32768.

Protect against SYN attacks (lightweight):

    iptables -N syn-flood
    iptables -A INPUT -p tcp --syn -j syn-flood
    iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
    iptables -A syn-flood -j REJECT

Limit IP fragments, wherever they come from, to 100 fragments per second:

    iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Limit ICMP packets to protect against ICMP-based attacks:

    iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

Log and drop new TCP connections that do not start with a SYN packet:

    iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
    iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Save the configuration:

    service iptables save

It can also be saved with:

    /etc/rc.d/init.d/iptables save

Deny everything that the rules do not explicitly allow by editing the saved rules file:

    vi /etc/sysconfig/iptables

and changing the chain policies to:

    :INPUT DROP [162:14797]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [144:22674]

Restart iptables:

    service iptables restart

Make iptables start automatically at boot:

    chkconfig iptables on

The firewall is now configured. When setting the allowed ports, open further ports as needed, for example port 2222 of the DA panel:

    iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
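The whole procedure above collected into one script, as an added example that is not part of the original article. It computes CONNTRACK_MAX with the article's formula, emits the rule set in iptables-restore(8) format (the same format as /etc/sysconfig/iptables) so that the DROP policies and the accept rules are loaded in one atomic step instead of being appended one by one over an SSH session, and applies the sysctl settings under the current kernel key names (net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_established replaced the ip_conntrack_* keys used in the article). Two deliberate differences from the article's append order: the syn-flood jump is placed before the per-port accept rules so that it actually sees the SYNs for the open ports, and loopback is matched by interface (-i lo) rather than by address; -m conntrack --ctstate is the current spelling of -m state --state. The variable names SSH_PORT, EXTRA_TCP_PORTS, WAN_IF and LAN_IF, the interface names eth0/eth1 and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: the article's iptables
# procedure as a single script.  Assumed names: SSH_PORT, EXTRA_TCP_PORTS,
# WAN_IF/LAN_IF and the functions below.

SSH_PORT="${SSH_PORT:-22}"             # replace if sshd listens elsewhere
EXTRA_TCP_PORTS="${EXTRA_TCP_PORTS:-}" # e.g. "2222" for the DA panel
WAN_IF="${WAN_IF:-eth0}"               # NAT: outside interface (assumed name)
LAN_IF="${LAN_IF:-eth1}"               # NAT: inside interface (assumed name)

# CONNTRACK_MAX = RAMSIZE(bytes) / 16384 / (bits / 32), the article's formula.
conntrack_max() {
    ram_bytes=$1
    bits=$2
    echo $(( ram_bytes / 16384 / (bits / 32) ))
}

# Total RAM in bytes from /proc/meminfo (MemTotal is reported in kB).
detect_ram_bytes() {
    awk '/^MemTotal:/ { printf "%.0f\n", $2 * 1024 }' /proc/meminfo
}

# Emit the rule set in iptables-restore(8) format.  The policies are DROP
# from the first line, but iptables-restore commits the whole file at once,
# so there is never a moment where DROP is active without the SSH rule.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
EOF
    for p in $EXTRA_TCP_PORTS; do       # word-split on purpose
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# 1-based line number of the first rule containing a fixed string, so the
# order of the rules can be checked before anything reaches the kernel.
rule_line() {
    build_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Apply the sysctl settings and load the rule set atomically (root only).
apply_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=10800
    sysctl -w net.netfilter.nf_conntrack_max="$(conntrack_max "$(detect_ram_bytes)" "$(getconf LONG_BIT)")"
    rules=$(mktemp) || return 1
    build_ruleset > "$rules"
    # --test only parses the file; a file that fails to parse is never loaded.
    iptables-restore --test < "$rules" && iptables-restore < "$rules"
    status=$?
    rm -f "$rules"
    return $status
}

# Persist afterwards with "service iptables save" on the article's CentOS.
if [ "${1:-}" = "apply" ]; then
    apply_hardening
fi
```

Run it as root with an argument of apply; without the argument it only defines the functions, so build_ruleset can be piped to a file for review first. Two caveats a practitioner would check before loading: the syn-flood chain's limit of 3 new connections per second with a burst of 6 is the article's value and will reject legitimate clients on a busy web server, and the ESTABLISHED,RELATED rule must stay above the service rules, which rule_line lets you verify.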
