This week's homework:
The system's default INPUT and OUTPUT policy is DROP. Complete the following iptables exercises.
First set the default policies to DROP (on a remote host, add the SSH accept rules from question 3 before switching the policies, or the session you are working from is cut off):
# iptables -P OUTPUT DROP
# iptables -P INPUT DROP
1. Restrict access to the local Web server: no access on Mondays; the rate of new requests may not exceed 100 per second; requests for pages whose URL contains the string "admin" are denied; the Web server may only send response packets out of the host.
# iptables -A INPUT -d 192.168.137.30 -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT
# iptables -I INPUT -d 192.168.137.30 -p tcp --dport 80 -m string --algo bm --string "admin" -j REJECT
# iptables -A OUTPUT -s 192.168.137.30 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Notes: the string-match rule is inserted with -I so that it sits above the ACCEPT and is evaluated first; xt_string is a per-packet, case-sensitive byte search and does not reassemble a request that is split across TCP segments. The ACCEPT matches NEW packets only, so a further INPUT rule accepting the ESTABLISHED packets of those connections is needed as well, otherwise everything after the first SYN is dropped by the INPUT policy. New requests above 100/second (default burst 5) simply fall through to that policy. xt_time evaluates --weekdays in UTC unless --kerneltz is given.
2. During working hours, i.e. Monday to Friday 08:30-18:00, open the local FTP service to hosts on the 172.16.0.0/16 network; the number of data-download requests (data connections) may not exceed 5 per minute.
First load the FTP connection-tracking helper on the server; without it the data connections are never classified as RELATED:
# modprobe nf_conntrack_ftp
# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW -j ACCEPT
# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp -m state --state RELATED -m limit --limit 5/minute -j ACCEPT
# iptables -A INPUT -d 192.168.137.30 -s 172.16.0.0/16 -p tcp -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 192.168.137.30 -d 172.16.0.0/16 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Notes: the time match takes --weekdays as names (Mon..Sun) or numbers (1..7) and --timestart/--timestop as hh:mm[:ss]; "8:30am" is not accepted. The data connection never goes to port 21 (port 20 in active mode, a random high port in passive mode), so the RELATED rule must not carry --dport 21. The first packet of each new data connection is the one in RELATED state, so putting the 5/minute limit on that match limits download requests; its remaining packets are ESTABLISHED and accepted by the third rule. RELATED on OUTPUT covers active-mode data connections, which the server opens towards the client. As in question 1, xt_time works in UTC unless --kerneltz is added.
3. Open the local SSH service to hosts 172.16.x.1-172.16.x.100 (x is your seat number); the rate of new connection requests may not exceed 2 per minute; only response packets may leave the host through the service port.
# iptables -A INPUT -d 192.168.137.30 -p tcp --dport 22 -m iprange --src-range 172.16.2.1-172.16.2.100 -m state --state NEW -m limit --limit 2/minute -j ACCEPT
# iptables -A OUTPUT -s 192.168.137.30 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Notes: seat number 2 is used here. Without -m state --state NEW the limit would throttle every packet of an SSH session rather than only connection attempts. As in question 1, the ESTABLISHED packets of accepted sessions also need an INPUT ACCEPT for port 22, or the session dies right after the handshake. The OUTPUT rule is restricted to --sport 22 so that the host can answer its SSH clients but cannot originate other connections.
4. Reject packets whose TCP flag bits are all 1 or all 0 from reaching this host.
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
--tcp-flags takes a mask followed by the flags that must be set within it: ALL ALL matches packets with every flag set ("Christmas tree" probes), ALL NONE matches packets with no flag set (null scans). Neither occurs in legitimate traffic, so these rules belong at the top of INPUT.
5. Allow this host to ping other hosts, but do not let other hosts ping this host.
# iptables -A INPUT -d 192.168.137.30 -p icmp --icmp-type 0 -j ACCEPT
# iptables -A OUTPUT -s 192.168.137.30 -p icmp --icmp-type 8 -j ACCEPT
ICMP type 8 is echo-request and type 0 is echo-reply: requests may only leave and replies may only enter, so echo-requests from other hosts fall through to the INPUT DROP policy.
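The rules from questions 1 to 5 assembled into one iptables-restore(8) file, in the order in which they have to be evaluated. This is an added example and not part of the original post: it supplies the ESTABLISHED accepts on INPUT that the per-question answers leave out, places the string-match REJECT ahead of the Web ACCEPT, and carries over the host address 192.168.137.30 and seat number 2 (172.16.2.1-172.16.2.100) from the answers above as assumptions; the FORWARD policy is also set to DROP, which the exercise does not mention. gen_ruleset only prints the file, so it can be reviewed and diffed; apply_ruleset needs root and iptables-restore and should be run from a console rather than over the SSH session being firewalled.

```shell
#!/bin/bash
# Added example (not from the original post): emit the complete host ruleset
# for questions 1-5 in iptables-restore format. Assumed values: host address
# 192.168.137.30 and SSH client range 172.16.2.1-172.16.2.100 (seat number 2).
gen_ruleset() {
    local host="${1:-192.168.137.30}"
    local ssh_range="${2:-172.16.2.1-172.16.2.100}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Q4: impossible flag combinations (xmas / null scans), checked before anything else
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Q1: Web. The REJECT must come before the ACCEPT or it never fires.
# xt_time uses UTC; add --kerneltz to the time match for kernel local time.
-A INPUT -d $host -p tcp --dport 80 -m string --algo bm --string "admin" -j REJECT
-A INPUT -d $host -p tcp --dport 80 -m time ! --weekdays Mon -m state --state NEW -m limit --limit 100/second -j ACCEPT
-A INPUT -d $host -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s $host -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Q2: FTP (requires: modprobe nf_conntrack_ftp). Data connections are RELATED,
# not port 21; limiting RELATED limits new data connections to 5/minute.
-A INPUT -d $host -s 172.16.0.0/16 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30 --timestop 18:00 -m state --state NEW -j ACCEPT
-A INPUT -d $host -s 172.16.0.0/16 -p tcp -m state --state RELATED -m limit --limit 5/minute -j ACCEPT
-A INPUT -d $host -s 172.16.0.0/16 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s $host -d 172.16.0.0/16 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Q3: SSH. NEW is rate limited; ESTABLISHED must be accepted separately.
-A INPUT -d $host -p tcp --dport 22 -m iprange --src-range $ssh_range -m state --state NEW -m limit --limit 2/minute -j ACCEPT
-A INPUT -d $host -p tcp --dport 22 -m iprange --src-range $ssh_range -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s $host -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Q5: echo-request may only leave, echo-reply may only enter
-A OUTPUT -s $host -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 0 -j ACCEPT
COMMIT
EOF
}

# Number of rules in the generated set (sanity check before applying).
rule_count() {
    gen_ruleset "$@" | grep -c '^-A '
}

# Parse-check the ruleset first (--test), then load it atomically.
# Requires root and iptables-restore; not run by the test below.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore --test && gen_ruleset "$@" | iptables-restore
}
```

Loading through iptables-restore replaces the whole filter table in one step, so there is no window in which the policy is DROP but the accept rules are not yet present, which is the failure mode of typing the rules one by one after question 0's policy change.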
6. Explain what the following rules do:
# iptables -N clean_in
Create a new user-defined chain named clean_in.
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
Drop ICMP packets addressed to the limited broadcast address 255.255.255.255.
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
Drop ICMP packets addressed to the directed broadcast address of the 172.16.0.0/16 network.
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
Drop TCP packets that conntrack classifies as NEW but that are not a pure SYN (--syn means SYN set with ACK, RST and FIN clear). These are connections that do not begin with a proper three-way handshake, e.g. ACK or FIN scan probes, or leftovers of connections that outlived the conntrack table.
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
Drop TCP packets with every flag bit set.
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
Drop TCP packets with no flag bit set.
# iptables -A clean_in -d 172.16.100.7 -j RETURN
For packets addressed to 172.16.100.7 that survived the checks above, return from clean_in to the calling chain (INPUT), where evaluation continues with the rule after the jump. (The original comment's "return to the clean_in chain" has it backwards: RETURN leaves the custom chain.)
# iptables -A INPUT -d 172.16.100.7 -j clean_in
Send every packet addressed to 172.16.100.7 through the clean_in chain.
# iptables -A INPUT -i lo -j ACCEPT
Accept all traffic arriving on the loopback interface.
# iptables -A OUTPUT -o lo -j ACCEPT
Accept all traffic leaving through the loopback interface.
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP
Drop TCP packets arriving on eth0 whose destination port is any of 53, 113, 135, 137, 139 or 445 (DNS, ident, and the Windows RPC/NetBIOS/SMB ports). multiport needs the protocol, so -p tcp is written before -m multiport.
# iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
The same for UDP.
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
Drop UDP packets arriving on eth0 for destination port 1026 (historically abused for Windows Messenger pop-up spam).
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP
Drop TCP packets arriving on eth0 for destination ports 1433 (MS SQL Server) and 4899 (Radmin).
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
Accept ICMP at no more than 10 packets per second (default burst 5); packets above the limit do not match this rule and fall through to the following rules or the chain policy.
7. Using tcp_wrapper, allow vsftpd only from hosts on the 172.16.0.0/255.255.0.0 network, except 172.16.100.3; record the denied access attempts in the log file /var/log/tcp_wrapper.log.
# vim /etc/hosts.allow
vsftpd: 172.16.0.0/255.255.0.0 EXCEPT 172.16.100.3    # the netmask must be written in long (dotted-decimal) form
# vim /etc/hosts.deny
vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s,%d >> /var/log/tcp_wrapper.log
Notes: hosts.allow is consulted first. 172.16.100.3 does not match the allow entry because of EXCEPT, so it reaches the vsftpd: ALL entry in hosts.deny, is refused, and is logged. %c expands to the client information, %s to the server information and %d to the daemon name; spawn hands the command to /bin/sh, which is why the backticks and the >> redirection work. This only takes effect if vsftpd was built with tcp_wrappers support and has tcp_wrappers=YES in vsftpd.conf (the default on CentOS packages).
8. Delete the whitespace characters at the beginning of every line of /boot/grub/grub.conf.
# sed 's@^[[:space:]]\+@@' /etc/grub2.cfg
(/etc/grub2.cfg is the CentOS 7 symlink to /boot/grub2/grub.cfg, which is what the answer was written against; on CentOS 6 use /boot/grub/grub.conf as the question states. Without -i sed only prints the result.)
9. In /etc/fstab, for lines that begin with # followed by at least one whitespace character, delete the leading # and the whitespace after it.
# sed 's@^#[[:space:]]\+@@' /etc/fstab
10. Save the odd-numbered lines of /etc/fstab as /tmp/fstab.3.
# sed 'n;d' /etc/fstab > /tmp/fstab.3
(n prints the current line and loads the next one, d deletes it, so only lines 1, 3, 5, ... survive.)
11. Echo a file path to the sed command and extract its base name, and further its directory name.
# echo "/etc/fstab" | sed 's@[^/]\+/\?$@@'
This command strips the last path component (with an optional trailing slash) and prints the directory name, /etc/; the base name is obtained by keeping that last component instead, which is what the dirname(1) and basename(1) utilities do.
12. Count the number of TCP connections on the current system in each state.
# netstat -tan | awk '/^tcp\>/{state[$NF]++}END{for(i in state){print i,state[i]}}'
(\> is a gawk word boundary, so tcp6 lines are not counted. On systems that ship ss instead of netstat, ss -tan puts the state in the first column, so $1 rather than $NF must be used.)
13. Count the number of resource accesses per IP in the specified Web access log.
# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' /var/log/httpd/access_log
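The sed and awk one-liners from questions 8 to 13, wrapped as functions over stdin and run against constructed sample data (a fake fstab, a fake netstat -tan listing and three fake access_log lines embedded below), so they can be checked without touching /etc or a live server. This is an added example, not from the original post; it uses sed -E (POSIX ERE) in place of the GNU-only \+ and adds the base-name form that question 11 asks for but the answer above does not show.

```shell
#!/bin/bash
# Added example (not from the original post): the Q8-Q13 one-liners as
# stdin filters, exercised on constructed input. The sample data below is
# made up for this demonstration.

strip_leading_ws() { sed -E 's@^[[:space:]]+@@'; }          # Q8
uncomment_spaced() { sed -E 's@^#[[:space:]]+@@'; }          # Q9: only "# ..." lines
odd_lines()        { sed 'n;d'; }                            # Q10
path_dirname()     { sed -E 's@[^/]+/?$@@'; }                # Q11: drop last component
path_basename()    { sed -E 's@^(.*/)?([^/]+)/?$@\2@'; }     # Q11: keep last component

# Q12: per-state count of TCP (not tcp6) connections from netstat -tan output.
# $1 == "tcp" replaces the gawk-only /^tcp\>/ so mawk and busybox awk work too.
tcp_state_count() {
    awk '$1 == "tcp" {state[$NF]++} END {for (s in state) print s, state[s]}' | sort
}

# Q13: hits per client IP (first field of an httpd common/combined log line),
# busiest IP first.
ip_hit_count() {
    awk '{ip[$1]++} END {for (i in ip) print i, ip[i]}' | sort -k2,2nr
}

# Constructed sample input (not real system files).
SAMPLE_FSTAB='# comment with space
#nospace comment
UUID=abcd / xfs defaults 0 0
   indented line
/dev/sda2 swap swap defaults 0 0
# trailing comment'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.137.30:22       172.16.2.5:51234        ESTABLISHED
tcp        0      0 192.168.137.30:80       172.16.2.9:40000        TIME_WAIT
tcp        0      0 192.168.137.30:80       172.16.2.9:40001        ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN'

SAMPLE_ACCESS_LOG='172.16.2.5 - - [10/Nov/2016:10:00:01 +0800] "GET / HTTP/1.1" 200 612
172.16.2.9 - - [10/Nov/2016:10:00:02 +0800] "GET /admin HTTP/1.1" 403 199
172.16.2.5 - - [10/Nov/2016:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 612'

# Run everything on the samples when executed directly.
demo() {
    printf '%s\n' "$SAMPLE_FSTAB" | strip_leading_ws
    printf '%s\n' "$SAMPLE_FSTAB" | uncomment_spaced
    printf '%s\n' "$SAMPLE_FSTAB" | odd_lines
    echo /etc/fstab | path_dirname
    echo /etc/fstab | path_basename
    printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_count
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | ip_hit_count
}
```

On a live host the same functions take real input, e.g. netstat -tan | tcp_state_count or ip_hit_count < /var/log/httpd/access_log; the state counter is a quick way to spot a SYN flood (many SYN_RECV) or a connection leak (many CLOSE_WAIT).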
14. Authorize user centos to run the fdisk command for disk management and mkfs or mke2fs for file-system management.
# visudo    # add the following line
centos ALL=(root) NOPASSWD: /sbin/fdisk, /sbin/mke2fs, /sbin/mkfs
15. Authorize user gentoo to run the logical-volume management commands.
Cmnd_Alias LVM = /sbin/pv*, /sbin/vg*, /sbin/lv*
gentoo ALL=(root) LVM
Notes: a Cmnd_Alias must be defined in sudoers before it is used; the alias body given here is an assumption (the original answer references LVM without defining it), so adjust it to where the LVM binaries live on the system (/usr/sbin on CentOS 7, check with which pvcreate). Always edit with visudo, which refuses to save a file with syntax errors. Be aware that fdisk and mkfs give the user write access to every block device, including the one holding the root file system, so these grants are effectively root-equivalent.
16. Using the pam_time.so module, restrict users to logging in remotely via the sshd service only during working hours.
(1) # vim /etc/pam.d/sshd
Insert the following line above "account required pam_nologin.so":
account required pam_time.so
(2) Edit the configuration file of the pam_time.so module:
# vim /etc/security/time.conf
sshd;*;*;MoTuWeThFr0900-1800
The fields are services;ttys;users;times: this line allows the sshd service, on any tty and for any user, only between 09:00 and 18:00 from Monday to Friday (Wk is the shorthand for MoTuWeThFr). The original answer used * in the services field; that also works as long as sshd is the only service whose PAM stack includes pam_time.so, but naming sshd keeps the rule from applying to other services later. sshd only runs the account stack when UsePAM yes is set in /etc/ssh/sshd_config, and key-based logins are covered as well because the account phase runs for every authentication method.
17. Using the pam_listfile.so module, define that only certain users, or members of certain groups, may log in to the system.
Create a user list file such as /etc/sshd_userlist, with one user name per line:
root
centos
gentoo
Then set the file's permissions and owner (pam_listfile refuses a list file that is not owned by root or is world-writable):
# chmod 600 /etc/sshd_userlist
# chown root /etc/sshd_userlist
Then edit /etc/pam.d/sshd and add the following line at the top of the auth stack:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd_userlist onerr=succeed
Notes: onerr=succeed means that if the list file is missing or unreadable, the module lets everyone through; for a fail-closed policy use onerr=fail. To restrict by group instead, write group names in the file and use item=group (sense=deny with a list of forbidden users or groups is the complementary form).
This article is from the "Ljohn" blog; please keep this source: http://ljohn.blog.51cto.com/11932290/1874279
Marco (马哥) 2016 Linux+Python advanced class: iptables firewall basics exercise, tcp_wrapper