
How to use secure Web host iptables firewall script

2025-02-24 Update From: SLTechnology News&Howtos (shulou)

Shulou(Shulou.com) 06/01 Report--

This article shows how to use a secure iptables firewall script on a Web host. The material is straightforward; let's go through the script and what each part does.

Let's take our own Web server as an example. The default policy is INPUT set to DROP, while the OUTPUT and FORWARD chains are set more loosely to ACCEPT, since outgoing packets are comparatively safe. To check that the script is portable, I first recorded the kernel and iptables versions of the server with the following commands:

[root@ud50041]# uname -a
Linux ud50041 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686 i686 i386 GNU/Linux

[root@ud50041]# iptables -V
iptables v1.2.11

[root@ud50041]# lsb_release -a
LSB Version:    core-3.0-ia32:core-3.0-noarch:graphics-3.0-ia32:graphics-3.0-noarch
Distributor ID: RedHatEnterpriseAS
Description:    Red Hat Enterprise Linux AS release 4 (Nahant Update 3)
Release:        4
Codename:       NahantUpdate3

As you can see, this is a RHEL4 i386 system with kernel 2.6.9-34 and iptables 1.2.11. I have also deployed this script successfully on other CentOS 5.5 x86_64 machines. Because the recent match module used later on (it is often relied on in host-protection scripts) has requirements on the kernel, if you intend to use iptables as a host firewall it is recommended to run CentOS 5.6 x86_64 or newer; otherwise the system reports errors such as:

iptables: Unknown error 18446744073709551615

iptables: Invalid argument

and tail -f /var/log/messages shows messages like the following:

ip_tables: connlimit match: invalid size 32 != 16

ip_tables: connlimit match: invalid size 32 != 24

In addition, before debugging an iptables script on a production machine, it is strongly recommended to add a crontab entry that stops the iptables service every 5 minutes, so that a mistake in the rules cannot lock your SSH client out. In /etc/crontab (which carries a user field) the entry is:

*/5 * * * * root /etc/init.d/iptables stop

The script code is as follows (the x.x in the source addresses are masked in the original):

#!/bin/bash
# flush existing rules and user chains, then set default policies
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# load connection-tracking modules
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# rate-limit fragments, pings and new SYNs
iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
# trust the load balancers, loopback and established traffic
iptables -A INPUT -s 122.70.x.x -j ACCEPT
iptables -A INPUT -s 122.70.x.x -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: HTTP and SSH
iptables -A INPUT -p tcp -m multiport --dports 80,22 -j ACCEPT

There is one special case here: this Web server sits behind a load balancer, so connections from the load balancer are very frequent, and we therefore allow all packets whose source address is the load balancer. In addition, many of my small LNMP-based sites run this script; there the Web service and the MySQL database are on the same machine, port 3306 is not opened, and the database is reached only by the PHP programs called by the Web server.

After the script has run successfully the system should report no errors, and the rules can be listed with:

iptables -nvL

This command displays the results as follows (this is the result of a script for another LNMP machine):

Chain INPUT (policy DROP 610 packets, 50967 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 100/sec burst 100
 6100  314K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 20/sec burst 200
 1052 67637 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  986 58112 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  918  131K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
97056   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4325  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 10

Chain OUTPUT (policy ACCEPT 144K packets, 155M bytes)
 pkts bytes target     prot opt in     out     source               destination
  956  134K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Let me explain this script in a little more detail:

For host protection we have configured measures against external ping floods and SYN floods, and because aggressive port-scanning tools from outside can eat into the server's ingress bandwidth, we rate-limit those as well. The command is:

iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 100 -j ACCEPT

This allows at most 100 new connections per second. Note that "new connection" here means a packet in state NEW; further down we separately allow packets in state ESTABLISHED and RELATED. The threshold of 100 should be tuned to the server: lower it for a server with little concurrency, and raise it for a heavily visited server with many concurrent connections. Now look at the following command:

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT

This is to prevent ping flooding; it limits the ping packets let through per second to 10 (the rule's burst value, refilled at 1 per second).

iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT

This command counters various port scans by limiting packets with only SYN set (SYN without RST or ACK) to a burst of no more than 200, refilled at 20 per second, so they cannot exhaust the bandwidth.
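One thing to check about these limit rules is that they all end in -j ACCEPT with no matching DROP, so they act as allow rules: while the rate is not exceeded, a SYN to any port is accepted before the port rules are consulted, and once it is exceeded a SYN to 80 or 22 still falls through to the multiport ACCEPT. The Python model below is an added example (my code, not the article's script) that walks two constructed INPUT chains with a token-bucket approximation of -m limit: the page's rule order, and a hypothetical SYN_FLOOD user chain that RETURNs within the limit and DROPs above it, leaving the port rules to decide.

```python
class Limit:
    """Token bucket standing in for '-m limit --limit R/s --limit-burst B' (an approximation)."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def match(self, pkt):
        now = pkt.get("t", 0.0)  # packet timestamp in seconds (constructed input)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        ok = self.tokens >= 1
        self.tokens -= ok  # spend a token only when the rule matches
        return ok

def run_chain(chains, name, pkt):
    """Walk one chain; return ACCEPT/DROP, or None on RETURN or falling off the end."""
    for pred, target, limit in chains[name]:
        if not pred(pkt) or (limit and not limit.match(pkt)):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        final = run_chain(chains, target, pkt)  # jump into a user-defined chain
        if final:
            return final
    return None

def verdict(chains, pkt, policy="DROP"):
    return run_chain(chains, "INPUT", pkt) or policy

syn = lambda p: p["proto"] == "tcp" and p["flags"] == {"SYN"}
web_ssh = lambda p: p["proto"] == "tcp" and p["dport"] in (80, 22)
established = lambda p: p["state"] in ("ESTABLISHED", "RELATED")
any_pkt = lambda p: True

def page_chains():
    # Same order as the script above: the SYN limit rule ACCEPTs on its own.
    return {"INPUT": [(syn, "ACCEPT", Limit(20, 200)),
                      (established, "ACCEPT", None), (web_ssh, "ACCEPT", None)]}

def fixed_chains():
    # Hypothetical SYN_FLOOD chain: within the limit RETURN, otherwise DROP;
    # the port rules in INPUT then decide what is actually reachable.
    return {"INPUT": [(syn, "SYN_FLOOD", None), (established, "ACCEPT", None),
                      (web_ssh, "ACCEPT", None)],
            "SYN_FLOOD": [(any_pkt, "RETURN", Limit(20, 200)), (any_pkt, "DROP", None)]}

def syn_to(chains, dport, t=0.0):  # one constructed new SYN to dport
    return verdict(chains, {"proto": "tcp", "dport": dport, "flags": {"SYN"}, "state": "NEW", "t": t})

def accepted_syns(chains_fn, n, dport=80):
    """Send n SYNs to dport at t=0 through a fresh rule set; count ACCEPT verdicts."""
    chains = chains_fn()
    return sum(syn_to(chains, dport) == "ACCEPT" for _ in range(n))
```

Under the page's order a single SYN to port 25 is accepted and 300 SYNs to port 80 are all accepted, whereas with the RETURN-based chain port 25 is dropped and only the first 200 SYNs to port 80 get through. The nmap output further down, which reports ports as closed or open rather than filtered, is consistent with SYNs reaching the host this way.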

With the iptables firewall running, we can scan the host with nmap as follows (the x in the address is masked in the original):

nmap -P0 -sS 211.143.6.x

The execution result of this command is as follows:

Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2009-03-29 16:21 CST

Interesting ports on 211.143.6.X:

Not shown: 1668 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

80/tcp open http

110/tcp open pop3

111/tcp open rpcbind

143/tcp open imap

443/tcp open https

465/tcp open smtps

587/tcp open submission

993/tcp open imaps

995/tcp open pop3s

1014/tcp open unknown

Here we find that port 1014 has been opened by some process. Checking with lsof -i :1014 shows it is opened by rpc.statd, which uses a different port each time it starts. We originally wanted to ignore it, but if rpc.statd does not handle the SIGPIPE signal correctly, a remote user can exploit this flaw to kill the process and cause a denial of service, so we still have to deal with it. rpc.statd is started by the nfslock service; further checking shows it is an optional daemon that lets NFS clients lock files on the server. Since it belongs to the nfslock service, we stop and disable that service with the following commands:

service nfslock stop

chkconfig nfslock off

Without a hardware firewall in front of it, a Web server with a public address in an IDC room still benefits greatly from iptables protection. If someone is found using tools to connect to our Web server maliciously and repeatedly, we can use the recent module to block them. Our practice is to deploy an iptables firewall on every machine with a public IP wherever possible.
