Marco 2016 new Linux+python high-end Viban-iptables Firewall Basics exercise, Tcp_wrapper


This week's assignment:


The default policy of the system's INPUT and OUTPUT chains is DROP; complete the following iptables tasks.

Set the default policies to DROP first:

# iptables -P OUTPUT DROP

# iptables -P INPUT DROP

1. Restrict the local Web server: it may not be accessed on Monday; the rate of new requests may not exceed 100 per second; pages of the Web server that contain the string "admin" may not be accessed; the Web server may only let response packets leave this host;

# iptables -A INPUT -d 192.168.137.30 -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT

# iptables -I OUTPUT -s 192.168.137.30 -p tcp --sport 80 -m string --algo bm --string 'admin' -j REJECT

# iptables -A OUTPUT -s 192.168.137.30 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

2. During working hours, that is Monday to Friday 08:30-18:00, open the local FTP service to the hosts of the 172.16.0.0 network; the number of data download requests per minute may not exceed 5;


First load the FTP connection-tracking helper module on this server:

# modprobe nf_conntrack_ftp

# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW,ESTABLISHED -j ACCEPT

# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp -m state --state RELATED -m limit --limit 5/minute -j ACCEPT

# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -s 192.168.137.30 -d 172.16.0.0/16 -p tcp -m state --state ESTABLISHED -j ACCEPT


3. Open the local SSH service to the hosts 172.16.X.1-172.16.X.100, where X is your seat number; the rate of new connection requests may not exceed 2 per minute; only response packets leaving through the service port may leave this host;

# iptables -A INPUT -d 192.168.137.30 -p tcp --dport 22 -m iprange --src-range 172.16.2.1-172.16.2.100 -m state --state NEW -m limit --limit 2/minute -j ACCEPT

# iptables -A OUTPUT -s 192.168.137.30 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


4. Reject packets whose TCP flag bits are all 1 or all 0 from reaching this host;

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP


5. Allow this host to ping other hosts, but do not allow other hosts to ping this host;

# iptables -A INPUT -d 192.168.137.30 -p icmp --icmp-type 0 -j ACCEPT

# iptables -A OUTPUT -s 192.168.137.30 -p icmp --icmp-type 8 -j ACCEPT
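The rules for questions 1 to 5 collected into one iptables-restore file, as an added example that is not part of the original post: it adds the loopback and ESTABLISHED accept rules the individual answers leave out, and it is loaded atomically instead of rule by rule after the policies are already DROP. The host address and seat number are parameters; the values shown are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: questions 1-5 as a single
# iptables-restore ruleset. Loading it atomically avoids locking out the
# SSH session used to type the rules. Requires: modprobe nf_conntrack_ftp
ruleset() {
    host=$1   # this host's address, 192.168.137.30 in the exercise
    seat=$2   # seat number X for the 172.16.X.1-172.16.X.100 SSH range
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first, then reply traffic, so the service rules only need NEW
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# question 1: pages containing "admin" are rejected before the reply rule
-A OUTPUT -s $host -p tcp --sport 80 -m string --algo bm --string admin -j REJECT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# question 4: all-ones and all-zeros TCP flag combinations
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# question 1: web server, not on Monday, at most 100 new requests per second
-A INPUT -d $host -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT
# question 2: FTP control channel in working hours; passive-mode data
# channels are RELATED and limited to 5 new ones per minute
-A INPUT -d $host -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW -j ACCEPT
-A INPUT -d $host -s 172.16.0.0/16 -p tcp -m state --state RELATED -m limit --limit 5/minute -j ACCEPT
# question 3: SSH only from the seat's range, at most 2 new connections per minute
-A INPUT -d $host -p tcp --dport 22 -m iprange --src-range 172.16.$seat.1-172.16.$seat.100 -m state --state NEW -m limit --limit 2/minute -j ACCEPT
# question 5: our echo requests may leave; the replies come back through
# the ESTABLISHED rule, and nobody else's echo request is accepted
-A OUTPUT -s $host -p icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}
# usage: sh rules.sh 192.168.137.30 2 > /tmp/rules.v4; iptables-restore < /tmp/rules.v4
ruleset "${1:-192.168.137.30}" "${2:-2}"
```

The time match compares against UTC unless --kerneltz is added to it.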



6. Explain the meaning of the following rules:


# iptables -N clean_in

Create a new custom chain called clean_in

# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP

Drop ICMP packets addressed to the limited-broadcast address 255.255.255.255

# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP

Drop ICMP packets addressed to the broadcast address of the 172.16.0.0/16 network

# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP

Drop TCP packets that connection tracking considers NEW but that are not pure SYN packets (a new connection must begin with SYN)

# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP

Drop TCP packets with all flag bits set to 1

# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP

Drop TCP packets with all flag bits set to 0

# iptables -A clean_in -d 172.16.100.7 -j RETURN

If the destination is 172.16.100.7, return from the clean_in chain to the chain that jumped to it

# iptables -A INPUT -d 172.16.100.7 -j clean_in

Send packets destined for 172.16.100.7 into the clean_in chain for the checks above


# iptables -A INPUT -i lo -j ACCEPT

Allow inbound traffic on the loopback interface

# iptables -A OUTPUT -o lo -j ACCEPT

Allow outbound traffic on the loopback interface



# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP

Drop TCP packets arriving on interface eth0 whose destination port is 53, 113, 135, 137, 139 or 445

# iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP

Drop UDP packets arriving on interface eth0 whose destination port is 53, 113, 135, 137, 139 or 445

# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP

Drop UDP packets arriving on interface eth0 whose destination port is 1026

# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP

Drop TCP packets arriving on interface eth0 whose destination port is 1433 or 4899


# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT

Accept ICMP packets at no more than 10 per second (rate-limits ping)



7. Using TCP wrappers, allow vsftpd access only from hosts on the 172.16.0.0/255.255.0.0 network, except for 172.16.100.3; record the denied access attempts in the log file /var/log/tcp_wrapper.log;


# vim /etc/hosts.allow

vsftpd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3

(The subnet mask must be written in long dotted form.)

# vim /etc/hosts.deny

vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s,%d >> /var/log/tcp_wrapper.log
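An added check, not from the original post, that evaluates the hosts.allow pattern of question 7 against a client address in plain POSIX shell, so the EXCEPT semantics can be seen without touching a real server; the network, the exception host and the client addresses are the constructed values of the exercise.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the question 7
# hosts.allow pattern "172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3" the way
# tcp_wrappers does: the client must match the net/mask left of EXCEPT and
# must not match the list on its right. A client not admitted here falls
# through to the hosts.deny line "vsftpd: ALL". All addresses are constructed.

ip2int() {
    # dotted quad -> 32-bit integer with POSIX shell arithmetic only
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {
    # in_net CLIENT NET/MASK: true when (CLIENT & MASK) == (NET & MASK);
    # the mask is the long dotted form hosts.allow requires for IPv4
    net=${2%/*}; mask=${2#*/}
    [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq \
      $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
}

vsftpd_allowed() {
    # returns 0 if hosts.allow admits the client, 1 if hosts.deny applies
    allow_net="172.16.0.0/255.255.0.0"
    except_host="172.16.100.3"
    if in_net "$1" "$allow_net" && [ "$1" != "$except_host" ]; then
        return 0
    fi
    return 1
}

for client in 172.16.5.5 172.16.100.3 10.0.0.1; do
    if vsftpd_allowed "$client"; then
        echo "$client: allowed by hosts.allow"
    else
        echo "$client: denied (hosts.deny vsftpd: ALL)"
    fi
done
```

On a real host, tcpdmatch vsftpd 172.16.100.3 from the tcp_wrappers package reports how the installed /etc/hosts.allow and /etc/hosts.deny would treat that client.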



8. Delete the whitespace characters at the beginning of every line in the /boot/grub/grub.conf file;

# sed 's@^[[:space:]]\+@@' /etc/grub2.cfg


9. In the /etc/fstab file, for every line that begins with # followed by at least one whitespace character, delete that leading # and the whitespace after it;

# sed 's@^#[[:space:]]\+@@' /etc/fstab


10. Save the odd-numbered lines of the /etc/fstab file as /tmp/fstab.3;

# sed 'n;d' /etc/fstab >> /tmp/fstab.3

11. Echo a file path to the sed command and extract its base name; going further, extract its directory name;

# echo "/etc/fstab" | sed 's@[^/]\+/\?$@@'

(This expression removes the last path component, leaving the directory name /etc/.)
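The sed answers to questions 8 to 11 run on a constructed stand-in for /etc/fstab, as an added example that is not part of the original post, with the base-name expression that question 11 also asks for; GNU sed is assumed, since \+ and \? are GNU extensions to basic regular expressions.

```shell
#!/bin/sh
# Added example, not from the original post: the sed expressions for
# questions 8-11 applied to constructed input so each one's effect can be
# checked. GNU sed is assumed (\+ and \? are GNU extensions).

sample() {
    # constructed input: indented, commented and plain lines (line 2 has a tab)
    printf '%s\n' \
        '#  /etc/fstab' \
        "$(printf '#\tCreated by anaconda')" \
        '    /dev/sda1 / xfs defaults 0 0' \
        '/dev/sda2 swap swap defaults 0 0' \
        '#comment-without-space'
}

strip_leading_ws() {      # question 8: whitespace at the start of every line
    sed 's@^[[:space:]]\+@@'
}

strip_comment_marker() {  # question 9: only "#" followed by whitespace
    sed 's@^#[[:space:]]\+@@'
}

odd_lines() {             # question 10: print a line, fetch the next, drop it
    sed 'n;d'
}

base_name() {             # question 11: keep what follows the last slash
    sed 's@.*/\([^/]\+\)/\?$@\1@'
}

dir_name() {              # question 11: remove the last path component
    sed 's@[^/]\+/\?$@@'
}

echo "--- odd lines of the sample ---"; sample | odd_lines
echo "--- /etc/fstab split into base name and directory ---"
echo /etc/fstab | base_name; echo /etc/fstab | dir_name
```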

12. Count the connections in each state among all TCP connections on the current system;

# netstat -tan | awk '/^tcp\>/{state[$NF]++}END{for(i in state){print i,state[i]}}'

13. Count the number of resource accesses per IP address in a given Web access log:

# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' /var/log/httpd/access_log
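The awk answers to questions 12 and 13 run over constructed netstat and access-log lines, as an added example that is not part of the original post. The page's /^tcp\>/ relies on the GNU awk word boundary \>; the example uses the portable $1 == "tcp" test instead, so tcp6 and udp rows are excluded on any awk.

```shell
#!/bin/sh
# Added example, not from the original post: the awk one-liners from
# questions 12 and 13 over constructed input. $1 == "tcp" replaces the
# GNU-only /^tcp\>/ so the tcp6 and udp rows are excluded on every awk.

netstat_sample() {
    # constructed output in the layout of "netstat -tan"
    printf '%s\n' \
        'Active Internet connections (servers and established)' \
        'Proto Recv-Q Send-Q Local Address          Foreign Address        State' \
        'tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN' \
        'tcp        0      0 192.168.137.30:22      172.16.2.7:50112       ESTABLISHED' \
        'tcp        0      0 192.168.137.30:80      172.16.2.9:41000       TIME_WAIT' \
        'tcp        0      0 192.168.137.30:22      172.16.2.8:50220       ESTABLISHED' \
        'tcp6       0      0 :::80                  :::*                   LISTEN' \
        'udp        0      0 0.0.0.0:68             0.0.0.0:*'
}

tcp_state_counts() {   # question 12: the state is the last field of a tcp row
    awk '$1 == "tcp" {state[$NF]++} END {for (i in state) print i, state[i]}'
}

access_log_sample() {
    # constructed Apache-style access log lines; the client address is field 1
    printf '%s\n' \
        '172.16.2.7 - - [10/Nov/2016:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512' \
        '172.16.2.9 - - [10/Nov/2016:10:01:05 +0800] "GET /admin HTTP/1.1" 403 199' \
        '172.16.2.7 - - [10/Nov/2016:10:01:09 +0800] "GET /logo.png HTTP/1.1" 200 8192'
}

ip_hit_counts() {      # question 13: requests per client address
    awk '{ip[$1]++} END {for (i in ip) print i, ip[i]}'
}

count_for() {          # helper: pick one key out of "key count" output
    awk -v k="$1" '$1 == k {print $2}'
}

netstat_sample | tcp_state_counts
access_log_sample | ip_hit_counts
```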

14. Authorize the user centos to run the fdisk command for disk management, and mkfs or mke2fs for file-system management;

# visudo

Add the following line:

centos ALL=(root) NOPASSWD: /sbin/fdisk, /sbin/mke2fs, /sbin/mkfs

15. Authorize the user gentoo to run the logical volume management commands;

Define a command alias for the LVM tools first, then grant it:

Cmnd_Alias LVM = /sbin/pv*, /sbin/vg*, /sbin/lv*

gentoo ALL=(root) LVM

16. Using the pam_time.so module, restrict users so that they can log in remotely through the sshd service only during working hours;

(1) # vim /etc/pam.d/sshd

Insert the following line above the line "account required pam_nologin.so":

account    required     pam_time.so

(2) Edit the configuration file of the pam_time.so module:

# vim /etc/security/time.conf

*;*;*;MoTuWeThFr0900-1800

This line allows access only from 09:00 to 18:00 on working days (Monday to Friday), so SSH logins are accepted only during working hours.

17. Using the pam_listfile.so module, define that only certain users, or the users of certain groups, may log in to the system;

Create a user list file such as /etc/sshd_userlist and put one allowed user name per line:

root

centos

gentoo

Then set the permissions and the owner of the file:

# chmod 600 /etc/sshd_userlist

# chown root /etc/sshd_userlist

Then edit the /etc/pam.d/sshd file and add the following line:

auth    required    pam_listfile.so item=user sense=allow file=/etc/sshd_userlist onerr=succeed

With onerr=succeed the login is allowed if the list file cannot be read; onerr=fail denies it in that case instead.


This article comes from the "Ljohn" blog; please keep this source when reproducing it: http://ljohn.blog.51cto.com/11932290/1874279
