
Simple Tutorial for CentOS Server iptables Configuration


iptables is an important network security tool on Linux servers. Since most servers are hosted in a data centre and the administrator can only manage them remotely over SSH most of the time, the rules have to be loaded in an order that never cuts off the SSH session you are working from. The following sequence does that while still closing everything else:

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L

The order matters. The INPUT policy is set to ACCEPT before the flush (-F), so clearing the old rules cannot lock you out; the loopback rule and the ESTABLISHED,RELATED rule keep local traffic and the SSH session you are typing in alive; port 22 is opened for new connections; only then is the INPUT policy switched to DROP. This guarantees that the SSH port stays reachable. Finally run service iptables save to persist the rules you just entered. cat /etc/sysconfig/iptables shows the saved configuration file, and in future you can edit that file directly to add or delete entries. To check that iptables is running and which rules are loaded use lsmod | grep ip_tables or iptables -L (iptables -L -n -v --line-numbers also shows packet counters and rule positions, which helps when inserting rules with -I). Note that service iptables save needs the iptables-services package on CentOS 7 and later, where firewalld manages the tables by default; stop and disable firewalld before managing rules by hand, since both cannot own the same tables.
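The same SSH-safe baseline can be loaded in one atomic step with iptables-restore instead of one iptables call at a time, which removes the window between the individual commands entirely. The script below is an added example and not part of the original article: it generates the ruleset as an iptables-restore file, loads it, and arms a timed rollback for the case where the new rules still lock you out. The rollback file path /root/iptables.rollback, the 120-second timer, the INVALID-state drop and the rate-limited ping rule are this example's own choices; the SSH port defaults to 22.

```shell
#!/bin/sh
# Added example: build the SSH-safe baseline as one iptables-restore file and
# load it atomically, with a timed rollback in case the new rules lock you out.
# Not part of the original article; the paths, the 120 s timer and the extra
# INVALID/ICMP rules are this example's own choices.

# Print an iptables-restore ruleset. $1 = SSH port (default 22),
# $2 = optional comma-separated list of additional TCP ports to open.
gen_ruleset() {
    ssh_port="${1:-22}"
    extra="${2:-}"
    printf '%s\n' '*filter'
    # the default policies are part of the file, so they change together with the rules
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | tr ',' '\n' | while read -r port; do
            printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    fi
    # allow ping at a modest rate so the box stays diagnosable
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Load the ruleset generated from the same arguments. The live rules are saved
# first and restored automatically after 120 s unless the timer is killed,
# which you do only after a *new* SSH login has succeeded.
apply_ruleset() {
    iptables-save > /root/iptables.rollback
    gen_ruleset "$@" | iptables-restore
    ( sleep 120 && iptables-restore < /root/iptables.rollback ) &
    echo "rules loaded; rollback armed as pid $!. Open a new SSH session, then run: kill $!"
}

case "${1:-}" in
    apply) shift; apply_ruleset "$@" ;;   # e.g. ./fw.sh apply 22 80,443
    *)     gen_ruleset "$@" ;;            # e.g. ./fw.sh 22 80,443 (print only)
esac
```

To make the result persistent, write the generated file to /etc/sysconfig/iptables, which is the same file service iptables save produces; the `*filter` ... `COMMIT` format is what iptables-save emits, so the two remain interchangeable.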

The editor adds another knowledge point: an iptables policy against simple attacks.

#!/bin/sh
IPTABLES=/sbin/iptables
# clear all rules in the filter table
$IPTABLES -F
# if pkg type is allow, then accept
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# If an address holds more than 10 simultaneous connections to port 80, drop that IP.
# netstat -ant columns are: proto recv-q send-q local-address remote-address state;
# the remote IP is the part of field 5 before the ':' (the original awk -F: '{print $8}'
# never produced a field 8 on Linux output, so the list always stayed empty).
netstat -ant | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED" { split($5, a, ":"); print a[1] }' \
    | sort | uniq -c | awk '$1 > 10 { print $2 }' >> /etc/fw.list
# fw.list accumulates across runs; keep one entry per address
sort -u /etc/fw.list > /etc/fw.list2
cat /etc/fw.list2 > /etc/fw.list
# the DROP rules are appended after the ESTABLISHED rule, so only new connections
# from a listed address are blocked; use -I INPUT 1 to cut its open ones as well
while read -r line
    do
    [ -n "$line" ] || continue
    $IPTABLES -A INPUT -p tcp -s "$line" -j DROP
done < /etc/fw.list2
# IP forwarding: publish port 20002 of internal host 172.16.204.7 on public address 211.100.39.44.
# Forwarded packets traverse FORWARD, not INPUT, so ip_forward must be enabled and the
# flow needs a FORWARD accept as well.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -A INPUT -p tcp --dport 20002 -j ACCEPT
$IPTABLES -A INPUT -d 172.16.204.7 -p tcp -m tcp --dport 20002 -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -d 172.16.204.7 -p tcp -m tcp --dport 20002 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 211.100.39.44 -p tcp -m tcp --dport 20002 -j DNAT --to-destination 172.16.204.7:20002
$IPTABLES -t nat -A POSTROUTING -d 172.16.204.7 -p tcp -m tcp --dport 20002 -j SNAT --to-source 10.6.39.44
# accept new connections to the service ports 80, 8080, 22 and 873 (rsync); these rules
# come before the rate limit below, so they are not throttled by it
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
# -m limit is a single counter shared by all sources: once an attacker uses up the
# budget, legitimate clients are throttled too (a per-source limit needs -m hashlimit)
# $IPTABLES -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# new TCP connections (SYN only) to any other port: at most 30 per minute, burst 2
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
# forwarded SYNs and IP fragments
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
$IPTABLES -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# if pkg from allow ip then accept
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
# if pkg not above then deny: every remaining SYN is dropped. Non-TCP traffic and
# non-SYN packets still follow the INPUT policy, which this script does not set.
$IPTABLES -A INPUT -p tcp --syn -j DROP
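The connection-counting part of the script above is the piece most likely to misfire, because it depends on parsing netstat columns correctly and on not piling up duplicate DROP rules every time cron runs it. The following added example, which is not from the article, does the counting on constructed netstat -ant output so it can be checked offline, and puts the bans in a dedicated chain so they can be listed and cleared with one command without touching the rest of INPUT. The chain name HTTP_FLOOD, the threshold arguments and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: find remote addresses holding
# more than N connections to a local port in `netstat -ant` output and block
# them in a dedicated chain. The chain name HTTP_FLOOD and the sample data
# below are this example's own choices.

# Print remote IPv4 addresses with more than $1 ESTABLISHED connections to
# local TCP port $2. Input (stdin) is `netstat -ant` output, whose columns are:
# proto recv-q send-q local-address remote-address state.
offenders() {
    awk -v limit="$1" -v port="$2" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "ESTABLISHED" {
            split($5, addr, ":")      # "203.0.113.5:51234" -> "203.0.113.5"
            count[addr[1]]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# Read addresses from stdin and add one DROP rule per address for port $1 to
# chain HTTP_FLOOD, creating the chain and hooking it at the top of INPUT on
# first use. The chain sits before the ESTABLISHED,RELATED rule, so a banned
# client loses its open connections too, not only new ones.
ban() {
    port="$1"
    if ! iptables -S HTTP_FLOOD >/dev/null 2>&1; then
        iptables -N HTTP_FLOOD
        iptables -I INPUT 1 -j HTTP_FLOOD
    fi
    while read -r ip; do
        [ -n "$ip" ] || continue
        # skip addresses that already have a rule, so cron reruns do not add duplicates
        if ! iptables -S HTTP_FLOOD | grep -q -e "-s $ip/32 .*--dport $port .*-j DROP"; then
            iptables -A HTTP_FLOOD -s "$ip" -p tcp --dport "$port" -j DROP
        fi
    done
}

# Constructed sample of `netstat -ant` output (not captured from a real host):
# 203.0.113.5 holds three HTTP connections, 198.51.100.7 holds one, and the
# TIME_WAIT and LISTEN lines must be ignored.
SAMPLE='tcp        0      0 192.168.1.102:22        198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.168.1.102:80        203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.168.1.102:80        203.0.113.5:51235       ESTABLISHED
tcp        0      0 192.168.1.102:80        203.0.113.5:51236       ESTABLISHED
tcp        0      0 192.168.1.102:80        198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.168.1.102:80        203.0.113.9:3210        TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

case "${1:-}" in
    live) netstat -ant | offenders "${2:-10}" 80 | ban 80 ;;   # e.g. from cron every minute
    *)    printf '%s\n' "$SAMPLE" | offenders 2 80 ;;          # prints 203.0.113.5
esac
```

Run it as `./flood.sh live 10` from cron; `iptables -S HTTP_FLOOD` lists the current bans and `iptables -F HTTP_FLOOD` clears them. Where the kernel should do the counting instead of a cron job, the connlimit match (`-p tcp --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT`) enforces the same per-address limit at connection time. If netstat is not installed (it comes from net-tools), ss prints different columns and the awk field numbers in offenders must be adjusted.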
The following firewall script has been tested with more reliable results and offers some protection against attacks:

#!/bin/sh
IPTABLES="/sbin/iptables"
# enable packet forwarding between interfaces (only needed if this box routes)
echo "1" > /proc/sys/net/ipv4/ip_forward
# start from a clean filter table: flush all rules, delete user-defined chains
$IPTABLES -F
$IPTABLES -X
# keep local services and every established flow (including this SSH session) working
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH is open without a limit; HTTP only takes 30 new connections per minute
# (burst 2). -m limit is one counter shared by all clients, so on a busy site
# this throttles legitimate visitors as well; -m hashlimit with
# --hashlimit-mode srcip gives a per-client limit instead.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
# outbound: only TCP and UDP sourced from loopback or from this host's own address
# 192.168.1.102 (replace with the server's address) may leave; ICMP is not allowed out
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.1.102 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 192.168.1.102 -j ACCEPT
# any other connection attempt is dropped
$IPTABLES -A INPUT -p tcp --syn -j DROP
# set the default policies last, after the accept rules are in place, so a
# remote session is never cut off between the policy change and the rules
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
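Before trusting any of these scripts on a remote box, it pays to check the resulting ruleset for the lockout conditions this page keeps circling around. The added example below, which is not from the article, lints iptables-save output: it flags an INPUT DROP policy without a stateful accept or a loopback rule, an SSH accept that comes after a generic TCP drop, and an OUTPUT DROP policy that relies only on explicit source rules, as the last script does. The rule patterns it matches are this example's own heuristics on the rule text, and the SSH port defaults to 22.

```shell
#!/bin/sh
# Added example, not from the original article: lint an iptables-save ruleset
# for the conditions that lock an administrator out of a remote server.
# The checks are this example's own heuristics on the text of the rules.

lint_n=0
note() { echo "FINDING: $1"; lint_n=$((lint_n + 1)); }

# Read iptables-save format on stdin; $1 is the SSH port (default 22).
# Prints one FINDING line per problem and returns 0 only when there are none.
lint_rules() {
    ssh_port="${1:-22}"
    rules=$(cat)
    lint_n=0
    has() { printf '%s\n' "$rules" | grep -q -e "$1"; }

    if has '^:INPUT DROP'; then
        has '^-A INPUT .*--state [A-Z,]*ESTABLISHED' \
            || note 'INPUT policy is DROP but nothing accepts ESTABLISHED,RELATED traffic'
        has '^-A INPUT -i lo -j ACCEPT' \
            || note 'INPUT policy is DROP but loopback traffic is not accepted'
    fi

    # first INPUT rule that accepts the SSH port, and first INPUT rule that
    # drops or rejects TCP without being restricted to a port or a source
    ssh_line=$(printf '%s\n' "$rules" \
        | grep -n -e "^-A INPUT .*--dport $ssh_port .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" \
        | grep -n -e '^-A INPUT .*-p tcp' | grep -v -e '--dport' -e '-s ' \
        | grep -E -e '-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then
        has '^:INPUT DROP' && note "INPUT policy is DROP but no rule accepts TCP port $ssh_port"
    elif [ -n "$drop_line" ] && [ "$drop_line" -lt "$ssh_line" ]; then
        note "the SSH accept (line $ssh_line) comes after a generic TCP drop (line $drop_line)"
    fi

    if has '^:OUTPUT DROP' && ! has '^-A OUTPUT .*--state [A-Z,]*ESTABLISHED'; then
        note 'OUTPUT policy is DROP with no stateful accept; replies depend on explicit -s rules'
    fi
    [ "$lint_n" -eq 0 ]
}

case "${1:-}" in
    live) iptables-save | lint_rules "${2:-22}" ;;   # check the running rules
    file) lint_rules "${3:-22}" < "$2" ;;             # e.g. file /etc/sysconfig/iptables 22
esac
```

Run `./lint.sh live` after loading a script and `./lint.sh file /etc/sysconfig/iptables` before a reboot; a non-zero exit status makes it usable as a guard in a deployment step. The line numbers in the findings refer to the iptables-save text, which is also the order in which the rules are evaluated.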

That's all for this article. I hope it helps everyone's learning, and please keep supporting Yelling Tutorial.

