Use iptables to set some security protection functions (3)

Author: kenduest (xiaozhou)
Setting to prevent SYN flood attacks:

iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold
  
Will this setting affect a very busy platform?
I tested this setting on a very busy platform. To be honest, it is not good ....
Therefore you may want to adjust the trigger values (the time window and the count).
  
Prevent Ping of Death:

iptables -N ping
iptables -A ping -p icmp --icmp-type echo-request -m limit --limit \
1/second -j RETURN
iptables -A ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW \
-j ping
  
Here only ICMP echo requests above the limit are rejected; the threshold can be adjusted as needed.
  
Or directly set the host to ignore echo requests altogether:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
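The two rate-limiting chains above (SYN flood and ping), rebuilt as an added example that is not code from the original article. It turns each chain into a re-runnable shell function with tunable rate and burst thresholds, which is what the "adjust the trigger values" remark above asks for. Assumptions: the rate and burst values are illustrative, --limit-burst is the burst option of the netfilter limit match, and IPT defaults to a dry run ("echo iptables") so the generated rules can be inspected without root; set IPT=iptables to apply them for real.

```shell
#!/bin/sh
# Added example (not from the original article): the SYN-flood and ping
# rate-limiting chains as re-runnable functions with tunable thresholds.
# IPT defaults to a dry run so the rules can be reviewed without root.
IPT="${IPT:-echo iptables}"

# ensure_chain NAME: create the chain, or flush it if it already exists, so
# re-running the script does not fail with "Chain already exists".
ensure_chain() {
    $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
}

# synflood_chain RATE BURST: new TCP connections above RATE (after a burst
# allowance of BURST) are answered with a TCP reset instead of reaching the
# service. The jump from INPUT is deleted before being re-added so that it is
# not duplicated on every run.
synflood_chain() {
    rate="${1:-1/s}"; burst="${2:-5}"   # defaults: the article's rate, iptables' default burst
    ensure_chain synfoold
    $IPT -A synfoold -p tcp --syn -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    $IPT -A synfoold -p tcp -j REJECT --reject-with tcp-reset
    $IPT -D INPUT -p tcp -m state --state NEW -j synfoold 2>/dev/null || true
    $IPT -A INPUT -p tcp -m state --state NEW -j synfoold
}

# ping_chain RATE BURST: the same structure for ICMP echo requests.
ping_chain() {
    rate="${1:-1/second}"; burst="${2:-5}"
    ensure_chain ping
    $IPT -A ping -p icmp --icmp-type echo-request -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    $IPT -A ping -p icmp -j REJECT
    $IPT -D INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping 2>/dev/null || true
    $IPT -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
}

# Dry-run demonstration with the article's original thresholds:
synflood_chain 1/s 5
ping_chain 1/second 5
```

Raising the rate (for example 10/s) and the burst is the knob to turn on a busy host; --limit-burst is what lets a short legitimate spike through before the per-second rate starts to apply.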
Some observations
The iptables mechanism checks the rules one by one...
Once a packet matches a rule that lets it pass, its fate is settled and the remaining rules are not checked; even if a later rule would block this packet, it has no effect!
  
Example:
Rule 1: allow all port 80 packets
Rule 2: reject port 80 packets from 210.58.221.241
Rule 3 ........

In this case the port 80 packets from 210.58.221.241 cannot be blocked at all...
Because rule 1 has already allowed all port 80 packets, the packet has already passed ......
The correct way is to put rule 2 before rule 1 .....
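To make the first-match behaviour concrete, here is an added example that is not part of the original article: a constructed toy model of iptables rule evaluation in shell and awk. The ruleset format ("SRC DPORT VERDICT" lines with "any" as a wildcard) and the default DROP policy are assumptions of this model, not iptables syntax; the source address is the one from the article's example.

```shell
#!/bin/sh
# Added example (not from the original article): a constructed toy model of
# iptables first-match evaluation, used to show why rule order decides the
# verdict. Ruleset lines are "SRC DPORT VERDICT"; "any" matches anything.

# evaluate RULESET SRC DPORT: walk the rules top to bottom and print the
# verdict of the first one that matches; later rules are never consulted.
evaluate() {
    printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
        NF == 3 && ($1 == "any" || $1 == src) && ($2 == "any" || $2 == port) {
            print $3; found = 1; exit
        }
        END { if (!found) print "DROP" }   # assumed chain policy when nothing matched
    '
}

# The article's example in both orders (constructed sample rulesets).
WRONG_ORDER='any 80 ACCEPT
210.58.221.241 80 REJECT'

RIGHT_ORDER='210.58.221.241 80 REJECT
any 80 ACCEPT'

echo "wrong order: $(evaluate "$WRONG_ORDER" 210.58.221.241 80)"   # ACCEPT
echo "right order: $(evaluate "$RIGHT_ORDER" 210.58.221.241 80)"   # REJECT
echo "other host:  $(evaluate "$RIGHT_ORDER" 10.0.0.5 80)"         # ACCEPT

# In real iptables the equivalent fix is to insert the specific rule at the
# top of the chain instead of appending it, e.g.
#   iptables -I INPUT 1 -s 210.58.221.241 -p tcp --dport 80 -j REJECT
```

The same check is worth running against a real ruleset with iptables -L -n --line-numbers: if a broad ACCEPT has a lower line number than the REJECT meant to carve an exception out of it, the exception is dead.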
※ The following is a question from AceLan:
> [root@babu netfilter]# pwd
> /lib/modules/2.4.13-7mdk/kernel/net/ipv4/netfilter
> [root@babu netfilter]# ls
> ip_conntrack.o.gz       ipchains.o.gz        ipt_mark.o.gz
> ip_conntrack_ftp.o.gz   ipfwadm.o.gz         ipt_multiport.o.gz
> ip_conntrack_h323.o.gz  ipt_LOG.o.gz         ipt_owner.o.gz
> ip_conntrack_irc.o.gz   ipt_MARK.o.gz        ipt_state.o.gz
> ip_conntrack_talk.o.gz  ipt_MASQUERADE.o.gz  ipt_tcpmss.o.gz
> ip_nat_ftp.o.gz         ipt_2.16.o.gz        ipt_tos.o.gz
> ip_nat_h323.o.gz        ipt_REDIRECT.o.gz    ipt_unclean.o.gz
> ip_nat_irc.o.gz         ipt_REJECT.o.gz      iptable_filter.o.gz
> ip_nat_talk.o.gz        ipt_TCPMSS.o.gz      iptable_mangle.o.gz
> ip_queue.o.gz           ipt_tos.gz           iptable_nat.o.gz
> ip_tables.o.gz          ipt_limit.o.gz
> ip_vs/                  ipt_mac.o.gz
> For many of these I could not find any related material on the iptables main site
> (http://netfilter.samba.org/).
> I'm curious about the function of each module: some start with "ip_" and some with "iptable_".
> What are the differences between these modules?
  
Modules starting with iptable_ are for iptables -t xxxx. For example:

iptables -t nat ...
iptables -t mangle .....

Modules starting with ipt_ are for -j xxxx (the lowercase ones, such as ipt_limit and ipt_state, are the -m xxxx matches). For example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT ....
  
The ip_conntrack_* modules track the operation of particular protocols and, when needed, adjust packet contents so that those protocols work properly.

The ip_nat_* modules solve the problem that some common services do not work in a NAT environment.

The ip_conntrack_* and ip_nat_* modules are usually loaded with modprobe.

ip_tables is the core of iptables. ip_queue lets filtered packets be handed to an application in user space for processing.