Secure Web host iptables firewall script


The following is an example from my own Web server. The system's default policy is DROP for the INPUT chain and ACCEPT for the OUTPUT and FORWARD chains; only the inbound side is set to DROP, and the other two are left more relaxed, because we know that the packets our own host sends out are safe. To verify that the script is generally applicable, I specially checked the kernel and iptables versions of the server, as shown in the following commands:

```
uname -a
Linux ud50041 2.6.9-34.ELsmp #1 SMP Fri Feb 16:54:53 EST 2006 i686 i686 i386 GNU/Linux
iptables -V
iptables v1.2.11
lsb_release -a
LSB Version:    :core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: RedHatEnterpriseAS
Description:    Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
Release:        4
Codename:       NahantUpdate3
```

As you can see, this system is RHEL 4 i386 with kernel version 2.6.9-34 and iptables version 1.2.11. I have also successfully deployed this script on other CentOS 5.5 x86_64 machines. Because the recent module used later requires support from the system kernel (it is often used in host-protection scripts), if you want to use iptables as a host firewall it is recommended to use CentOS 5.6 x86_64 or a later version; otherwise the system will show error messages like the following:

```
iptables: Unknown error 18446744073709551615
iptables: Invalid argument
```

and when running `tail -f /var/log/messages` you can see the following error messages:

```
ip_tables: connlimit match: invalid size 32 != 16
ip_tables: connlimit match: invalid size 32 != 24
```

In addition, before debugging iptables scripts in a production environment, it is highly recommended to write a crontab task that stops the iptables rules every 5 minutes, which prevents your SSH client from being locked out, as shown in the following command:

```
*/5 * * * * root /etc/init.d/iptables stop
```

The script code looks like this:

```bash
#!/bin/bash
# flush all rules and user-defined chains, then set the default policies
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# load connection-tracking modules
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# rate-limit fragments, ping requests and new TCP connection attempts (SYN)
iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
# trust the load balancers (addresses redacted)
iptables -A INPUT -s 122.70.x.x -j ACCEPT
iptables -A INPUT -s 122.70.x.x -j ACCEPT
# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections we already track, then the services we expose
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,22 -j ACCEPT
```

There is a special case here: this Web server sits behind a load balancer, so connections from the load balancer are very frequent, and we therefore want to allow packets whose source address is the load balancer to pass. In addition, many of my small LNMP-based sites have also deployed this script; that is, the Web service and the MySQL database are installed on a single machine, port 3306 is not opened, and the database is accessed by the PHP program invoked by the Web service.

After the script has run successfully the system should report no errors; the rules can be checked with the following command:

```
iptables -nvL
```

This command displays the results as follows (this output is from another LNMP machine running the script):

```
Chain INPUT (policy DROP 610 packets, 50967 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 100/sec burst 100
 6100  314K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 20/sec burst 200
 1052 67637 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  986 58112 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  918  131K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
97056   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4325  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 10

Chain OUTPUT (policy ACCEPT 144K packets, 155M bytes)
 pkts bytes target     prot opt in     out     source               destination
  956  134K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
```

I'll explain this script in a little more detail below.
For host protection we have configured some security measures to prevent external ping and SYN flood attacks, and we also rate-limit here because aggressive external port-scanning tools can eat into the server's inbound bandwidth. The commands are as follows:

```
iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 100 -j ACCEPT
```

The above command allows up to 100 new connections per second. Note that a "new connection" here refers to a packet in state NEW; further down we also configure ESTABLISHED and RELATED packets to be allowed through. In addition, the threshold of 100 should be adjusted to the server's actual situation: on a server with little concurrency this value can be smaller, and where traffic is very heavy and concurrency is high it needs to be larger. Then look at the following command:

```
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
```

This is to prevent ping flood attacks, limiting ping packets to no more than 10 per second.

```
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
```

The above command prevents a variety of port scans by limiting TCP packets with SYN set and RST and ACK clear (new connection attempts) to no more than 200 per second, so that they cannot exhaust the service's bandwidth.
After the iptables firewall is running, we can scan with the Nmap tool; the command is as follows:
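To make the numbers in these `limit` rules concrete, here is an added example (not from the original post) that models the match as the token bucket it implements: a bucket holding `--limit-burst` tokens that refills at `--limit` tokens per second, with each matching packet consuming one token. The arrival patterns are constructed, and the model is an assumed simplification of the kernel's jiffies-based credit accounting, so counts on a real box may differ slightly. It shows that `--limit 20/sec --limit-burst 200` admits burst plus rate, about 220 SYNs, in the first second of a flood and only the average rate after that, while a modest legitimate connection rate passes untouched.

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of `-m limit --limit RATE --limit-burst BURST`.

    Exact rational arithmetic keeps the simulation deterministic; the real
    kernel keeps credit in jiffies, so this is an approximation (assumption).
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)   # tokens added per second
        self.burst = Fraction(burst)         # bucket capacity
        self.tokens = self.burst             # bucket starts full
        self.last = Fraction(0)              # time of the previous packet

    def match(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        now = Fraction(now)
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1          # this packet consumes a token
            return True
        return False                  # out of tokens: the rule does not match


def simulate(rate_per_sec, burst, arrivals):
    """Feed packet arrival times (sorted, seconds) through one limit match.

    Returns (matched, unmatched) packet counts.  In the article's script a
    matched packet is ACCEPTed; an unmatched one falls through to later rules.
    """
    m = LimitMatch(rate_per_sec, burst)
    matched = sum(1 for t in arrivals if m.match(t))
    return matched, len(arrivals) - matched


def uniform_arrivals(count, duration_sec):
    """Constructed traffic: `count` packets spread evenly over `duration_sec`."""
    return [Fraction(i * duration_sec, count) for i in range(count)]


def syn_flood_first_second():
    # 1000 SYNs in one second against --limit 20/sec --limit-burst 200:
    # the 200-token burst plus roughly one second of refill get through
    return simulate(20, 200, uniform_arrivals(1000, 1))


def legitimate_syn_rate():
    # 15 new connections per second for 10 seconds, below the 20/sec average:
    # the bucket never drains, so nothing is held back
    return simulate(20, 200, uniform_arrivals(150, 10))


def instantaneous_burst():
    # 300 packets in the same instant: only the burst allowance matches
    return simulate(20, 200, [Fraction(0)] * 300)


if __name__ == "__main__":
    print("1000 SYN in 1 s     :", syn_flood_first_second())
    print("15 SYN/s for 10 s   :", legitimate_syn_rate())
    print("300 SYN at once     :", instantaneous_burst())
```

The same model applies to the `--limit 100/s --limit-burst 100` and `--limit 1/s --limit-burst 10` rules on this page: the burst is what an idle bucket will admit at once, and the rate is what it sustains afterwards, which is why the threshold has to be chosen against the server's real connection rate rather than picked by feel.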

```
nmap -P0 -sS 211.143.6.x
```

This command produces the following results:

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-03-29 16:21 CST
Interesting ports on 211.143.6.X:
Not shown: 1668 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1014/tcp open  unknown
```

Here we found that port 1014 had been opened by some process; `lsof -i:1014` showed it to be rpc.statd, and the port this service uses is different every time! We would have liked to ignore it, but if rpc.statd does not handle the SIGPIPE signal correctly, a remote attacker can use this flaw to shut the process down, a denial-of-service attack, so we still had to find a way to solve the problem. We found that rpc.statd is started by the nfslock service; further inquiry showed that it is an optional process which lets NFS clients lock files on the server. Since this process belongs to the nfslock service, we turn the service off with the following commands:

```
service nfslock stop
chkconfig nfslock off
```

When there is no hardware firewall in front of it, iptables protection is very useful for a public Web server in an IDC room. If we find someone using tools to make malicious, frequent connections to our Web server, we can use the recent module to block them. Our approach is to deploy an iptables firewall on every machine that has a public IP.

This article is from the "Fuqin Wine" blog; please keep this source: http://yuhongchun.blog.51cto.com/1604432/716016
