2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to set up an iptables firewall to block common attacks. In practice many people run into exactly these situations, so the editor walks through how to handle them. I hope you read it carefully and get something out of it!
I read this article from Yaocheng. Good things need to be treasured. Here is a list of attacks often encountered on Linux and the responses to them. The following iptables rules should generally apply to all Linux versions, but be careful to save them so they do not fail after a system reboot.
A newly created TCP connection must begin with a SYN packet (drop NEW-state TCP packets that lack it)
The code is as follows:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop fragmented packets (side effect of blocking fragment attacks this way: legitimate fragmented packets may also be lost)
The code is as follows:
iptables -A INPUT -f -j DROP
Prevent SYN flood attacks (adjust the rate limit to your own situation; new TCP connections above the limit fall through to the DROP rule)
The code is as follows:
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 100/second --limit-burst 300 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -j DROP
Drop abnormal XMAS packets (consequence of XMAS packet attacks: some systems may crash)
The code is as follows:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
Drop NULL packets (TCP packets with no flags set)
The code is as follows:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Allow TCP RST packets at a limited rate (adjust the rate limit to your own situation; note that this ACCEPT only limits anything if a later rule drops the RST packets that exceed it)
The code is as follows:
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 10/second --limit-burst 30 -j ACCEPT
Drop invalid packets
The code is as follows:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
Block spoofed IP addresses (the following are RFC 1918 private ranges and IANA reserved addresses, mostly LAN or multicast addresses, which cannot legitimately appear as source addresses on the public Internet)
The code is as follows:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
Block custom malicious IP addresses (replace xxx.xxx.xxx.xxx with the address to block)
The code is as follows:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Prohibit ICMP ping (drop echo requests)
The code is as follows:
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
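The rules above, collected into one idempotent script in a safe evaluation order, as an added example that is not part of the original article. It assumes a root shell with the iptables CLI and iptables-save; the leading loopback ACCEPT (so the 127.0.0.0/8 drop does not break local services), the DROP after the rate-limited RST ACCEPT, and the save path /etc/iptables/rules.v4 are the editor's additions and assumptions, not the article's.

```shell
#!/bin/sh
# Added example (not from the article): the page's rules in one idempotent
# script. build_rules only prints the rules, so it can run anywhere;
# apply_rules needs root and the iptables CLI. Evaluation order matters:
# INVALID and non-SYN drops go first, and every rate-limited ACCEPT is
# followed by a DROP, otherwise the excess is never dropped.
build_rules() {
  cat <<'EOF'
INPUT -i lo -j ACCEPT
INPUT -m state --state INVALID -j DROP
FORWARD -m state --state INVALID -j DROP
OUTPUT -m state --state INVALID -j DROP
INPUT -p tcp ! --syn -m state --state NEW -j DROP
INPUT -f -j DROP
INPUT -p tcp --tcp-flags ALL ALL -j DROP
INPUT -p tcp --tcp-flags ALL NONE -j DROP
INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 10/second --limit-burst 30 -j ACCEPT
INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
INPUT -p tcp -m state --state NEW -m limit --limit 100/second --limit-burst 300 -j ACCEPT
INPUT -p tcp -m state --state NEW -j DROP
EOF
  # Reserved/RFC 1918 ranges from the article; 127.0.0.0/8 is safe to drop
  # here only because loopback was accepted by the first rule above.
  for net in 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 127.0.0.0/8 \
             224.0.0.0/4 240.0.0.0/5 0.0.0.0/8; do
    printf 'INPUT -s %s -j DROP\n' "$net"
  done
  for net in 224.0.0.0/4 240.0.0.0/5 0.0.0.0/8 239.255.255.0/24 255.255.255.255; do
    printf 'INPUT -d %s -j DROP\n' "$net"
  done
}
# Number of rules the script manages (used for a quick sanity check).
count_rules() { build_rules | wc -l | tr -d ' '; }
# Append each rule only if it is not already present (-C), so re-running
# the script never duplicates rules; then save so they survive a reboot.
apply_rules() {
  build_rules | while IFS= read -r rule; do
    # Unquoted on purpose: the rule string must be split into arguments.
    iptables -C $rule 2>/dev/null || iptables -A $rule
  done
  # Save path is an assumption (Debian/Ubuntu style); adjust for your distro.
  iptables-save > /etc/iptables/rules.v4
}
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run `sh firewall.sh` to print the rule list for review, and `sh firewall.sh apply` as root to install and save it.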
This is the end of "how to set up an iptables firewall to block common attacks". Thank you for reading. If you want to know more about the industry, follow the website; the editor will publish more high-quality practical articles for you!