2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This summary covers the explicit-extension rule settings of iptables.
Explicit extensions: the extension module must be named explicitly with -m before its options can be used.
Help:
CentOS 6: man iptables
CentOS 7: man iptables-extensions
Lab 1:
multiport extension
Defines discrete multi-port matches; up to 15 ports can be specified
[!] --source-ports,--sports port,port,...: multiple source ports
[!] --destination-ports,--dports port,port,...: multiple destination ports
[!] --ports port,port,...: multiple ports, matching whichever of the source port or the destination port is in the list
Allow host 192.168.32.163 to access ports 22 and 80 of this machine:
iptables -A INPUT -s 192.168.32.163 -d 192.168.32.144 -p tcp -m multiport --dports 22,80 -j ACCEPT
Lab 2:
iprange extension
Matches a contiguous (but generally not an entire subnet) range of IP addresses
[!] --src-range from[-to]: source IP address range
[!] --dst-range from[-to]: destination IP address range
Hosts 172.16.100.5 through 172.16.100.10 may not access the local web service:
iptables -A INPUT -d 192.168.32.144 -p tcp --dport 80 -m iprange --src-range 172.16.100.5-172.16.100.10 -j DROP
Lab 3:
string extension
Performs string pattern matching on the application-layer data of the packet
--algo {bm|kmp}: string matching algorithm
bm: Boyer-Moore
kmp: Knuth-Morris-Pratt
[!] --string pattern: the string pattern to detect
[!] --hex-string pattern: the pattern to detect, given in hexadecimal
Prevent 192.168.32.163 from receiving pages from the local web server whose content contains "have".
The rule must be defined in OUTPUT, because the request does not carry the string to be restricted; only the response does.
iptables -A OUTPUT -s 192.168.32.144 -d 192.168.32.163 -p tcp --sport 80 -m string --algo bm --string "have" -j REJECT
Install the web service locally and create two pages, one of which contains the string "have".
Initial state: the firewall has no rules.
At this point the client can access the web server normally.
Add the firewall rule:
iptables -A OUTPUT -s 192.168.32.144 -d 192.168.32.163 -p tcp --sport 80 -m string --algo bm --string "have" -j REJECT
Pages containing the string "have" can no longer be accessed.
Lab 4:
time extension
Matches the packet's arrival time against a specified time range
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestart 1970-01-01T00:00:00
--datestop 2030-01-19T04:17:07
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
Possible values are 1 to 31.
[!] --weekdays day[,day...]
Possible values are Mon,Tue,Wed,Thu,Fri,Sat,Sun
--kerneltz: use the kernel's time zone instead of the default UTC
Define that the local web service does not allow host 192.168.32.145 to access it from 14:30 to 18:30 on Saturday and Sunday afternoons.
iptables -A INPUT -s 192.168.32.163 -d 192.168.32.144 -p tcp --dport 80 -m time --timestart 14:30 --timestop 18:30 --weekdays Sat,Sun --kerneltz -j DROP
Before the time-extension rule is set, the client can access the website normally.
Clients can access the web service normally.
Add the time-extension access rule:
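The following is an added example (not code from the original page) that models the Lab 4 time match and shows why --kerneltz matters: without it, xt_time compares the packet time in UTC, so a 14:30-18:30 window on a host in UTC+8 silently covers a different part of the day. The kernel time zone (UTC+8) and the arrival timestamps are assumptions.

```python
"""Evaluate the Lab 4 time match (--timestart 14:30 --timestop 18:30 --weekdays Sat,Sun)
for a packet arrival time, with and without --kerneltz. Added example, not from the page;
the kernel time zone (UTC+8) and the arrival timestamps are constructed assumptions."""
from datetime import datetime, time, timedelta, timezone

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
KERNEL_TZ = timezone(timedelta(hours=8))   # assumed local zone of the firewall host


def parse_hhmm(text):
    """'14:30' or '14:30:15' -> datetime.time (missing seconds default to 0)."""
    parts = [int(p) for p in text.split(":")]
    return time(*(parts + [0] * (3 - len(parts))))


def time_match(arrival, timestart, timestop, weekdays="", kerneltz=False, kernel_tz=KERNEL_TZ):
    """True when xt_time would match. arrival must be timezone-aware.
    Without --kerneltz the module compares the packet time in UTC."""
    zone = kernel_tz if kerneltz else timezone.utc
    local = arrival.astimezone(zone)
    start, stop = parse_hhmm(timestart), parse_hhmm(timestop)
    if stop < start:
        raise ValueError("windows that wrap past midnight are not modelled here")
    if not (start <= local.time() <= stop):
        return False
    if weekdays:
        return local.weekday() in {WEEKDAYS[d] for d in weekdays.split(",")}
    return True


def lab4_verdict(arrival_iso, kerneltz):
    """Verdict of the Lab 4 DROP rule for an ISO-8601 arrival time that carries an offset."""
    arrival = datetime.fromisoformat(arrival_iso)
    hit = time_match(arrival, "14:30", "18:30", "Sat,Sun", kerneltz)
    return "DROP" if hit else "no match"


if __name__ == "__main__":
    # constructed: Saturday 15:00 local (UTC+8) is 07:00 UTC, so the rule misses it
    # unless --kerneltz is given; Saturday 22:30 local is 14:30 UTC and would be
    # dropped in UTC mode although it is evening on the host.
    for stamp in ("2024-06-15T15:00:00+08:00", "2024-06-15T22:30:00+08:00"):
        print(stamp, "UTC:", lab4_verdict(stamp, False), "kerneltz:", lab4_verdict(stamp, True))
```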
Lab 5:
connlimit extension
Matches on the number of concurrent connections per client IP
--connlimit-upto n: matches when the number of connections is less than or equal to n
--connlimit-above n: matches when the number of connections is greater than n
Require that each client IP can open at most two connections to port 21:
iptables -A INPUT -d 192.168.32.144 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT
Lab 6:
limit extension
Matches based on the rate at which packets are sent or received
Token bucket filter:
--limit rate[/second|/minute|/hour|/day]
--limit-burst number
Other hosts may only ping this host three times per minute, with a burst of at most 5.
iptables -I INPUT -d 192.168.32.144 -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
Echo requests within the limit match this rule and are released.
iptables -I INPUT 2 -p icmp -j REJECT
A reject rule is inserted after it for the packets that exceed the limit.
Before setting the rule:
After adding the rule:
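An added example (not from the original page) that models the token bucket behind the two Lab 6 rules and shows which echo requests fall through to the REJECT rule; the arrival times are constructed and the bucket is a simplified model of xt_limit.

```python
"""Model the token bucket behind `-m limit --limit 10/minute --limit-burst 5` from Lab 6
and show which ICMP echo requests fall through to the REJECT rule. Added example,
not from the page; the arrival times are constructed. Exact fractions avoid float drift."""
from fractions import Fraction

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'10/minute' -> tokens per second as a Fraction; a bare number means per second."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), UNITS[unit or "second"])


class LimitMatch:
    """Bucket starts full with `burst` tokens; each matching packet spends one,
    and tokens are refilled at the configured rate, never beyond `burst`."""

    def __init__(self, rate, burst=5):
        self.rate = parse_rate(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def match(self, now):
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify_pings(arrivals, rate="10/minute", burst=5):
    """ACCEPT when the limit rule matches; otherwise the next rule (REJECT) handles the packet."""
    bucket = LimitMatch(rate, burst)
    return ["ACCEPT" if bucket.match(t) else "REJECT" for t in arrivals]


if __name__ == "__main__":
    # constructed: eight echo requests one second apart, then one after a 30 s pause
    times = [0, 1, 2, 3, 4, 5, 6, 7, 37]
    for t, verdict in zip(times, classify_pings(times)):
        print(f"t={t:>3}s  {verdict}")
```

With 10/minute the bucket refills one token every 6 seconds, so after the burst of 5 only every sixth one-second ping is released until the sender pauses.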
Lab 7:
state extension
Checks the state of the connection via the connection tracking mechanism; this state is independent of the TCP protocol's own states
How can the machine tell whether a connection is a response to someone else's request or a request it initiated itself?
The results can be tracked through the conntrack table kept by this machine: within the validity period, the correspondence between each request connection to the machine and the local response can be seen.
Conntrack mechanism: tracks the relationship between requests and responses on the local machine; there are several states
NEW: a new request; no entry for this connection exists in the connection tracking table, so it is recognized as the first request
ESTABLISHED: communication that occurs after the NEW state, before the entry created for the connection in the connection tracking table expires
RELATED: an associated connection, such as the relationship between the command connection and the data connection in the FTP protocol
INVALID: an invalid connection
UNTRACKED: a connection that is not tracked
Normally the server does not initiate connection requests from port 80, nor from port 22.
Allow NEW requests to connect in:
iptables -A INPUT -d 192.168.32.144 -p tcp --dport 80 -m state --state NEW -j ACCEPT
The INPUT chain releases NEW,ESTABLISHED:
iptables -A INPUT -d 192.168.32.144 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
The OUTPUT chain releases ESTABLISHED:
iptables -A OUTPUT -s 192.168.32.144 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
Change the default policy of all chains to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
The client can access normally:
Adjust the maximum number of connections the connection tracking table can hold:
/proc/sys/net/nf_conntrack_max
Connections that have been tracked and recorded:
/proc/net/nf_conntrack
Tracking timeouts for the different protocols:
/proc/sys/net/netfilter/
The maximum capacity of connection tracking in iptables is set in /proc/sys/net/ipv4/ip_conntrack_max. When a connection times out in any of its states it is deleted from the table. When the table is full, subsequent connections may time out.
There are generally two solutions:
(1) Increase the value of nf_conntrack_max
vim /etc/sysctl.conf
net.nf_conntrack_max=393216
net.netfilter.nf_conntrack_max=393216
(2) Reduce the nf_conntrack timeouts
vim /etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established=300
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
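An added example (not from the original page) that parses the /proc/net/nf_conntrack table described above and derives from it the per-client connection count that the Lab 5 connlimit rule decides on; the table contents are constructed, in the line format the kernel prints.

```python
"""Parse /proc/net/nf_conntrack (Lab 7) and count tracked entries per client IP, the
figure -m connlimit (Lab 5) compares against n. Added example, not from the page; the
table below is constructed in the format the kernel prints."""
import re
from collections import Counter

SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.32.163 dst=192.168.32.144 sport=40001 dport=21 src=192.168.32.144 dst=192.168.32.163 sport=21 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.32.163 dst=192.168.32.144 sport=40002 dport=21 src=192.168.32.144 dst=192.168.32.163 sport=21 dport=40002 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.32.163 dst=192.168.32.144 sport=40003 dport=21 [UNREPLIED] src=192.168.32.144 dst=192.168.32.163 sport=21 dport=40003 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=172.16.100.5 dst=192.168.32.144 sport=51000 dport=21 src=192.168.32.144 dst=172.16.100.5 sport=21 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.32.163 dst=192.168.32.144 type=8 code=0 id=7 src=192.168.32.144 dst=192.168.32.163 type=0 code=0 id=7 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
DIRECTIONAL = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_conntrack(text):
    """One dict per entry: protocol, timeout, tcp state, original and reply tuples, flags."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, timeout = fields[2], int(fields[4])
        orig, reply = {}, {}
        for key, val in KV.findall(line):
            if key in DIRECTIONAL:
                # first occurrence belongs to the original direction, second to the reply
                (reply if key in orig else orig)[key] = val
        entries.append({"proto": proto, "timeout": timeout,
                        "state": fields[5] if proto == "tcp" else None,  # only tcp prints a state
                        "orig": orig, "reply": reply,
                        "unreplied": "[UNREPLIED]" in fields, "assured": "[ASSURED]" in fields})
    return entries


def connections_per_source(entries, dport, proto="tcp"):
    """Tracked entries per client IP towards dport (approximates what connlimit counts)."""
    return Counter(e["orig"]["src"] for e in entries
                   if e["proto"] == proto and e["orig"].get("dport") == str(dport))


def connlimit_above(entries, dport, n):
    """Sources whose count already exceeds --connlimit-above n for dport."""
    return sorted(src for src, c in connections_per_source(entries, dport).items() if c > n)

if __name__ == "__main__":
    print(connlimit_above(parse_conntrack(SAMPLE), 21, 2))  # ['192.168.32.163']
```

A half-open SYN_SENT entry counts like an established one, which is why a flood of unanswered connection attempts can push a client over the limit before any session completes.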
Lab 8:
Allowing FTP through the firewall (passive mode)
FTP active mode: the client connects to server port 21; the server process then actively connects from its local port 20 to the client's port (the client's random port + 1) to open the data connection. The client may itself be behind a firewall.
FTP passive mode: the client asks the server to accept a data connection, and the server chooses a random port on which to respond.
The server side determines whether a data connection is related to a previous command connection. As long as the data connection is related to the earlier command connection, the firewall releases it; the criterion is the relationship, not the port number.
First copy a file to /var/ftp/pub:
cp /etc/issue /var/ftp/pub/
Initial state of the firewall:
Port 22 is already released for remote login.
The client connects with lftp and finds that the connection fails.
Load the module that records FTP connection tracking:
modprobe nf_conntrack_ftp
Set firewall rules to release the command connection:
iptables -A INPUT -d 192.168.32.144 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.32.144 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
Release the data connections:
iptables -A INPUT -d 192.168.32.144 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.32.144 -p tcp -m state --state ESTABLISHED -j ACCEPT
If you continue to access the server now, you can see:
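An added example (not from the original page or the kernel module) that models how the nf_conntrack_ftp helper turns what it sees on the command connection into the RELATED classification the Lab 8 rules rely on, for both the active (PORT) and passive (227 reply) modes described above; the FTP exchange is constructed.

```python
"""Model what the nf_conntrack_ftp helper (Lab 8) does: it reads PORT commands and 227
replies on the command connection and registers an expectation, so the first packet of
the matching data connection is classified RELATED instead of NEW. Added example,
not from the page; the FTP exchange used in the test is constructed."""
import re

ADDR_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply -> (ip, port)."""
    m = ADDR_RE.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class ConntrackFtpModel:
    """Expectations keyed by (src, dst, dport) of the data connection that is expected."""

    def __init__(self):
        self.expected = set()

    def on_client_command(self, client_ip, server_ip, line):
        # active mode: the client announces where the server must connect to (from port 20)
        if line.upper().startswith("PORT "):
            ep = parse_endpoint(line)
            if ep:
                self.expected.add((server_ip, ep[0], ep[1]))

    def on_server_reply(self, client_ip, server_ip, line):
        # passive mode: the server announces the port the client must connect to
        if line.startswith("227 "):
            ep = parse_endpoint(line)
            if ep:
                self.expected.add((client_ip, ep[0], ep[1]))

    def classify(self, src, dst, dport):
        """State that -m state would report for the first packet of a new data connection."""
        key = (src, dst, dport)
        if key in self.expected:
            self.expected.discard(key)   # an expectation is consumed by the connection it predicted
            return "RELATED"
        return "NEW"
```

Without the helper loaded there is no expectation, the data connection is seen as NEW, and the Lab 8 INPUT rule for RELATED,ESTABLISHED never matches it.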
Lab 9:
Rule optimization:
Server rule optimization principles: any access that is not explicitly allowed should be denied when the request arrives
(1) All inbound connections that can be safely released are connections in the ESTABLISHED state.
(2) All outbound connections that can be safely released are connections in the ESTABLISHED state.
(3) Release new inbound requests with care.
(4) Special-purpose rules that restrict access should be placed before the allow rules.
iptables -I INPUT -d 192.168.32.144 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -d 192.168.32.144 -p tcp -m multiport --dports 21,22,80 -m state --state NEW -j ACCEPT
iptables -I INPUT 3 -d 192.168.32.144 -p tcp -m state --state RELATED -j ACCEPT
Delete the three old rules that now sit at position 4:
iptables -D INPUT 4
iptables -D INPUT 4
iptables -D INPUT 4
Outbound rule settings:
iptables -I OUTPUT -s 192.168.32.144 -m state --state ESTABLISHED -j ACCEPT
Delete the old outbound rules that now sit at position 2:
iptables -D OUTPUT 2
iptables -D OUTPUT 2
iptables -D OUTPUT 2
Restrict pages containing "have" in the responses returned by the web service:
iptables -I OUTPUT -m string --algo kmp --string "have" -j REJECT
Note: in fact it is unwise to use state-based connection tracking on servers whose front-end web service is extremely busy. We will return to this issue when discussing cluster load.