2025-02-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report--
1. Deny all ICMP packets addressed to the firewall host.
iptables -I INPUT -p icmp -j REJECT
Description: REJECT answers the sender with an ICMP error (icmp-port-unreachable by default); DROP would discard the packet silently.
2. Allow the firewall to forward all packets except ICMP.
iptables -A FORWARD ! -p icmp -j ACCEPT
Description: "!" negates a match condition. Write it before the option it negates (! -p icmp); the older form -p ! icmp is deprecated.
3. Refuse to forward data from host 192.168.1.10, and allow data from the 192.168.0.0/24 segment to be forwarded.
iptables -A FORWARD -s 192.168.1.10 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Explanation: a chain is evaluated top-down and the first matching rule decides the packet's fate, so the REJECT for the specific host must come before any broader ACCEPT that would also match its packets; appended after the ACCEPT, the REJECT would never be reached.
4. Discard packets arriving on the external interface (eth2) whose source address is a private address.
iptables -A INPUT -i eth2 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth2 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth2 -s 10.0.0.0/8 -j DROP
Description: private ranges are not routed on the Internet, so such packets on the external interface have a forged source address.
5. Block the 192.168.1.0/24 segment and unblock it two hours later.
[root@server ~]# iptables -I INPUT -s 192.168.1.0/24 -j DROP
[root@server ~]# iptables -I FORWARD -s 192.168.1.0/24 -j DROP
[root@server ~]# at now + 2 hours
at> iptables -D INPUT -s 192.168.1.0/24 -j DROP
at> iptables -D FORWARD -s 192.168.1.0/24 -j DROP
at> <EOT>
Explanation: at runs the queued commands once, two hours later; finish the input with Ctrl-D (echoed as <EOT>), not Ctrl-Z, which would only suspend the at process. Deleting by rule specification is safer than deleting by position (iptables -D INPUT 1), because a positional delete removes whatever rule happens to be first at that moment, which may be a different rule if anything was inserted in the meantime. A crond scheduled task is the alternative when the block and unblock should repeat on a schedule.
6. Administrators are only allowed to log in to the firewall host remotely with SSH from the 202.13.0.0/16 segment.
iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Note: this pattern suits remote management of devices, for example when an SQL server at a branch office must be managed by the head-office administrator. Since -A appends, check with iptables -L INPUT -n --line-numbers that no earlier rule already accepts port 22 from everywhere.
7. Allow access to application services on TCP ports 20-1024 on the firewall host itself.
iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
Note: a port range is written low:high.
8. Allow DNS query packets from the 192.168.0.0/24 LAN segment to be forwarded.
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
Note: the second rule lets the replies back in. DNS over TCP (large responses, zone transfers) needs matching rules for 53/tcp.
9. Do not let other hosts ping the firewall host, but allow the firewall to ping other hosts.
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Note: each -I inserts at the head of the chain, so the last command typed ends up first; verify the resulting order with iptables -L INPUT -n --line-numbers.
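The ordering points in exercises 3 and 9 are easy to get wrong when rules are typed one at a time. The following script is an added example, not code from the original article: it reads a sequence of plain "iptables -I CHAIN ..." / "iptables -A CHAIN ..." commands and prints the order the rules end up in on the chain, which is the order the kernel evaluates them in. It does not call iptables, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article): resolve the final order of a chain
# built from "iptables -I CHAIN ..." and "iptables -A CHAIN ..." commands that give no
# rule number. -I inserts at the head, -A appends at the tail, and the kernel walks
# the chain top-down with first match wins. Commands are read from stdin; the final
# chain is printed top to bottom, one rule specification per line.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, portable across sh implementations

resolve_chain_order() {   # usage: resolve_chain_order CHAIN < commands.txt
    chain=$1
    list=''
    while IFS= read -r cmd; do
        case $cmd in
            "iptables -I $chain "*)              # insert: becomes the new first rule
                rule=${cmd#"iptables -I $chain "}
                list="$rule${list:+$nl$list}" ;;
            "iptables -A $chain "*)              # append: becomes the new last rule
                rule=${cmd#"iptables -A $chain "}
                list="${list:+$list$nl}$rule" ;;
            *) ;;                                # other chains and unrelated lines are ignored
        esac
    done
    if [ -n "$list" ]; then
        printf '%s\n' "$list"
    fi
}

# Exercise 9 as typed on the page: three -I commands. On the chain they read in the
# reverse order of typing, destination-unreachable first and echo-request last.
printf '%s\n' \
    'iptables -I INPUT -p icmp --icmp-type echo-request -j DROP' \
    'iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT' \
    'iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT' \
    | resolve_chain_order INPUT
```

On a real host the same information comes from iptables -S INPUT or iptables -L INPUT -n --line-numbers; the script is useful for reviewing a list of commands before they are applied.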
10. Prohibit forwarding packets from the host with MAC address 00:0C:29:27:55:3F.
iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP
Description: iptables loads an extension match with "-m module"; here "-m mac --mac-source" matches the packet's source MAC address. It is only valid in the PREROUTING, INPUT and FORWARD chains, and it matches the link-layer address of the last hop, so a sender behind a router appears with the router's MAC, not its own.
11. Allow the firewall host itself to open TCP ports 20, 21, 25, 110 and the passive-mode FTP ports 1250-1280.
iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
Description: "-m multiport --dports" takes a comma-separated list of destination ports; an entry written low:high is a range. At most 15 ports can be listed, and a range counts as two.
12. Prohibit forwarding TCP packets whose source IP address lies in 192.168.1.20-192.168.1.99.
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
Note: "-m iprange --src-range" matches an arbitrary address range that need not align to a subnet boundary, which -s with a prefix length cannot express.
13. Refuse to forward TCP packets that are not SYN requests and do not belong to an existing connection.
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
Note: "-m state" matches the packet's connection-tracking state, and "NEW" means the packet is not associated with any tracked connection. A NEW TCP packet without the SYN flag is not a legitimate connection attempt (stray or crafted packets, or a connection the firewall never saw start). On current iptables, -m state --state is an alias for -m conntrack --ctstate.
14. Deny new connections to the firewall host, but allow packets that respond to, or are related to, existing connections.
iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: "ESTABLISHED" matches packets of a connection that has already seen traffic in both directions, and "RELATED" matches packets that open a new connection associated with an existing one, such as an FTP data connection (with the FTP conntrack helper loaded) or an ICMP error about an existing connection. The two rules never match the same packet, so their relative order does not matter here.
15. Open only the local web service (80) and FTP (20, 21, 20450-20480), allow the server's other ports to send reply packets to external hosts, and discard all other inbound packets.
iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
Note: because each -I inserts at the head, the ESTABLISHED rule ends up first in the chain and the multiport rule last. Set the default policy only after the ACCEPT rules are in place. The ESTABLISHED rule keeps an existing SSH session alive, but any new SSH login will be dropped; if remote administration must remain possible, add an explicit accept for port 22 (as in exercise 6) before switching the policy to DROP.
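Typing exercise 15 as four separate commands leaves the final rule order implicit and, if done over SSH, can lock the administrator out. The script below is an added example, not code from the original article: it writes the same policy as one iptables-restore file, combined with the SSH restriction of exercise 6 and the anti-spoofing drops of exercise 4, so the whole INPUT chain is loaded atomically and reviewed in the order the kernel evaluates it. It assumes eth2 is the external interface and 202.13.0.0/16 the management network (both from the article); the loopback and conntrack lines at the top are this example's additions. The script only generates the file; loading it is a separate step.

```shell
#!/bin/sh
# Added example (not from the original article): exercise 15 plus the SSH rule of
# exercise 6 and the anti-spoof drops of exercise 4 as a single iptables-restore file.
# Assumptions: eth2 is the external interface, 202.13.0.0/16 the management network.
# The loopback and conntrack lines are this example's additions to the page's rules.

firewall_input_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# local traffic and replies to connections the host already has; everything below
# therefore only ever sees packets that start a new connection
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# exercise 4: private source addresses cannot legitimately arrive on the external interface
-A INPUT -i eth2 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth2 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth2 -s 192.168.0.0/16 -j DROP
# exercise 15: web, FTP control/data and the passive FTP range
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -p tcp --dport 20450:20480 -j ACCEPT
# exercise 6: SSH only from the management network; without this line the default
# policy refuses every new administrative login
-A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule matching PATTERN in the generated file; used to
# confirm that the stateful ACCEPT precedes the service-specific rules.
rule_line() {   # usage: rule_line PATTERN
    firewall_input_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Parse-only dry run first, then load for real (replaces the filter table atomically):
#   firewall_input_rules | iptables-restore --test
#   firewall_input_rules | iptables-restore
firewall_input_rules
```

Apply the file from a console session or with the SSH rule confirmed present, since iptables-restore replaces the whole filter table in one step; afterwards iptables -S INPUT shows the rules in exactly the order written above.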
© 2024 shulou.com SLNews company. All rights reserved.