I. iptables introduction
The Linux packet filtering function (the Linux firewall) consists of two components: netfilter and iptables.
The netfilter component, also called the kernel-space part, is part of the kernel. It consists of the packet filtering tables that hold the rule sets the kernel uses to decide how packets are filtered.
The iptables component, also called the user-space part, is the tool used to insert, modify and remove rules in the packet filtering tables.
II. Structure of iptables
iptables -> tables -> chains -> rules
Tables are made up of chains, and chains are made up of rules. iptables has four default tables: filter, nat, mangle and raw.
Command syntax:
iptables [-t table] command [chain] [match conditions] [-j target or jump]
The filter table implements packet filtering; when -t is omitted, filter is the default.
Which chain to use is determined by the direction of the traffic. In the filter table the chains are:
INPUT chain: packets arriving from outside and destined for this host
OUTPUT chain: packets sent out by this host
FORWARD chain: packets forwarded through this host to another network interface
Match conditions are divided into basic matches and extended matches; extended matches are further divided into implicit extensions and explicit extensions.
There are 4 basic packet control methods (targets), plus QUEUE and RETURN:
ACCEPT: allow the packet through.
DROP: discard the packet silently, without sending any response.
REJECT: refuse the packet and, where appropriate, send a response (for example an ICMP error) back to the sender.
LOG: record the packet in /var/log/messages, then pass it on to the next rule.
QUEUE: hand the packet to a user-space program.
RETURN: stop evaluating the remaining rules in the current chain and return to the calling chain.
IV. Common iptables commands
1. Flush all rules in the filter table
iptables -F
2. List the rules (add -v -n for packet counters and numeric addresses and ports)
iptables -L (iptables -L -v -n)
3. Append a rule to the end of a chain
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
4. Insert a rule at a specified position (here position 2 of INPUT)
iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
5. Delete the rule at a specified position
iptables -D INPUT 2
6. Replace the rule at a specified position
iptables -R INPUT 3 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
7. Set the default policy of a chain
iptables -P INPUT DROP
8. Allow remote hosts to connect to this host over SSH (port 22 is the destination port inbound and the source port on the replies)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow this host to open SSH connections to remote hosts (the direction is reversed: port 22 is the destination port on OUTPUT and the source port on the INPUT replies)
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow HTTP requests to this host
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
11. Limit the rate of ping packets to a host: an average of 2 per second, with a burst of at most 3
iptables -A INPUT -i eth0 -d xx.xx.xx.xx -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT
12. Limit the SSH connection rate (established connections are accepted first; new connections are accepted at an average of 2 per minute with a burst of 2, and with a DROP default policy the rest are discarded)
iptables -I INPUT 1 -p tcp --dport 22 -d xx.xx.xx.xx -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -d xx.xx.xx.xx -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
V. iptables configuration
1. Clear the existing rules
iptables -F
2. Configure the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
3. Allow SSH from remote hosts and from this host (see points 8 and 9 in section IV)
4. Allow HTTP requests (see point 10 in section IV)
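The four configuration steps above, assembled from the commands in section IV into one script, as an added example that is not the article's own script. It assumes the external interface is eth0 (override with IFACE=...) and adds a DRY_RUN=1 mode that prints each iptables command instead of executing it, so the complete ruleset can be reviewed without root before it is applied. The loopback rules and the outbound ICMP echo-reply rule are additions that the article does not list; they are needed because the OUTPUT policy is DROP.

```shell
#!/bin/sh
# Baseline host firewall assembled from the commands in sections IV and V.
# Added example, not the original article's script. Assumptions: the external
# interface is eth0 (override with IFACE=...), and DRY_RUN=1 prints each
# iptables command instead of executing it, so the ruleset can be reviewed
# without root before it is applied.
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

# Every rule passes through this wrapper, so a dry run shows the exact
# command lines, in the order they would be applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_baseline() {
    # V.1 clear existing rules in the filter table
    ipt -F
    # V.2 default policies: anything not explicitly allowed is dropped
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback (assumption: not listed in the article, but with OUTPUT DROP
    # local services that talk to 127.0.0.1 would otherwise break)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # IV.8 remote hosts may SSH in: new and established inbound, replies outbound
    ipt -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    # IV.9 this host may SSH out: port 22 is now the destination on OUTPUT
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    # IV.10 HTTP server on this host
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    # IV.11 rate-limited ping: average 2/s, burst 3; echo replies must be
    # allowed out explicitly because the OUTPUT policy is DROP (assumption)
    ipt -A INPUT -i "$IFACE" -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p icmp --icmp-type 0 -j ACCEPT
}

# Number of commands the baseline issues; a quick sanity check for a dry run.
count_rules() {
    (DRY_RUN=1; build_baseline) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) build_baseline ;;
    show)  DRY_RUN=1; build_baseline ;;
esac
```

Run `sh baseline.sh show` to print the 14 commands for review and `sh baseline.sh apply` as root to load them. Because the policies are set to DROP before any ACCEPT rule exists, running this over a remote SSH session is safe only if the SSH rules are applied in the same invocation, as they are here; applying step 2 alone from a remote session would cut the session off.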
VI. iptables against common attacks
1. Mitigate SYN flood attacks (limit the number of concurrent SYN connections from a single IP)
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
2. Use the recent module to protect against DoS attacks
A. A single IP may hold at most 3 concurrent connections
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
B. Every new connection request is recorded in the SSH list
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
C. An IP that has tried 3 times within 5 minutes is refused service while it stays in the SSH list; after 5 minutes without further attempts it is served again
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
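A defender-side check for rules B and C, as an added example that is not from the original article: the recent module publishes the list it keeps for --name SSH under /proc/net/xt_recent/SSH, one line per tracked source. The line format used here (src=, ttl:, last_seen:, oldest_pkt:, then the timestamps) is the one printed by the xt_recent module and is an assumption of this example; the sample list is constructed. The script reports which sources have reached the hit count that rule C drops on, and includes a helper to remove one address from the list.

```shell
#!/bin/sh
# Added example, not from the original article: inspect the list that the
# recent module keeps for "--name SSH" (rules B and C above). The kernel
# exposes it as /proc/net/xt_recent/SSH, one line per tracked source, in the
# format printed by the xt_recent module (assumed here):
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <n> <stamp>, <stamp>, ...
# The number of stamps is what --hitcount compares against, so a source with
# 3 stamps inside the --seconds window is the one rule C drops.

# Constructed sample standing in for `cat /proc/net/xt_recent/SSH`.
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4295010 oldest_pkt: 1 4295010
src=192.0.2.77 ttl: 53 last_seen: 4295230 oldest_pkt: 3 4295100, 4295170, 4295230
src=198.51.100.5 ttl: 61 last_seen: 4295300 oldest_pkt: 2 4295250, 4295300'

# Print "<src> <stamps>" for every tracked source with at least $1 stamps.
# $1 = hit count threshold (3 for rule C); $2 = list text (defaults to the
# live file, which needs root to read).
recent_over_threshold() {
    threshold="$1"
    list="${2:-$(cat /proc/net/xt_recent/SSH)}"
    printf '%s\n' "$list" | awk -v t="$threshold" '
        /^src=/ {
            src = substr($1, 5)
            # every field after "oldest_pkt: <n>" is a timestamp
            hits = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "oldest_pkt:") { hits = NF - i - 1; break }
            }
            if (hits >= t) print src, hits
        }'
}

# Remove one source from the list, e.g. an administrator locked out after
# three quick retries; writing "-<ip>" to the file is the module's interface.
recent_forget() {
    echo "-$1" > /proc/net/xt_recent/SSH
}

# Stand-alone run: report on the constructed sample with the article's hitcount.
recent_over_threshold 3 "$SAMPLE_RECENT"
```

Two points worth keeping in mind when reading the output. Each of rules A, B and C is added with -I, which inserts at the top of INPUT, so after typing them in order the chain reads C, B, A: the --update check runs before the --set rule records the attempt. And rule B records every new SYN, legitimate ones included, so an administrator who retries a failed login three times inside 5 minutes appears in the list exactly like an attacker; `recent_forget 192.0.2.77` (as root) clears that one entry without flushing the rest.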
3. Prevent a single IP from generating too much traffic (limit the concurrent connections to port 80 per source IP)
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above <N> -j DROP
(<N> is a placeholder for the maximum number of concurrent connections allowed per source IP; choose a value that fits the service)
4. Rate-limit ICMP echo requests to 1 per minute
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT