2025-03-15 Update From: SLTechnology News&Howtos shulou (Network Security)
Shulou(Shulou.com)05/31 Report--
This article shares sample code for a firewall initialization script, iptables.sh. The editor considers it practical, so it is offered here as a reference.

#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

## WEB server: open ports 80 and 443
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

## zabbix server: open ports 10050 and 10051
iptables -A INPUT -p tcp --dport 10050 -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT

### redis server: default port 6379
iptables -A INPUT -p tcp --dport 6379 -j ACCEPT

# database server: open port 3306
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

# allow the local SSH service (listening on port 1314 here)
iptables -A INPUT -p tcp --dport 1314 -j ACCEPT

# allow the local rsync service
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

### allow icmp packets, i.e. ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

### allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#### reduce connections on unsafe ports
# ports 31337 to 31340 are used by some Trojans and scanners (31337 spells "elite" in hacker slang)
iptables -A OUTPUT -p tcp --sport 31337:31340 -j DROP
iptables -A OUTPUT -p tcp --dport 31337:31340 -j DROP

### limit IP fragments to prevent fragmentation attacks: allow 100 per second
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

### ICMP packet filtering: one packet per second, with a burst of 10 packets
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

### drop illegal connections
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

#### allow all established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### discard broken TCP packets (new connections that do not start with SYN)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

#### lightweight SYN flood prevention
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

#### prevent DoS by too many connections: allow at most 15 new connections per IP on the external NIC, drop the rest
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#### use iptables to defend against DDoS (same parameters as above)
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# limit the number of new connections a single IP may open within a period (here 60 seconds)
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT

#### limit the maximum number of concurrent connections from a single IP
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT

# blacklist
#/sbin/iptables -A INPUT -s 1.1.1.0 -j DROP
# whitelist
#/sbin/iptables -A INPUT -s 1.1.1.1 -j ACCEPT   # trusted network or ip

/etc/rc.d/init.d/iptables save
#/etc/rc.d/init.d/iptables restart

Thank you for reading! This concludes the sample code for the firewall initialization script iptables.sh. I hope it has been of some help; if you found the article useful, please share it so that more people can see it.
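Two properties of the script above are easy to miss when reading it: the port-80 ACCEPT appended near the top shadows the later `-m recent` rate-limiting rules on port 80 (they can never match), and no chain is ever given a DROP default policy, so every ACCEPT rule filters nothing. The following Python is an added checker, not code from the page; it replays a constructed subset of the script's commands in order (`-A` appends, `-I` inserts at the head) and reports both problems. It assumes one `-m` per rule and no `!` negation, which is how the script's rules are written.

```python
# Constructed subset of the page's iptables.sh, in the order the script issues the commands.
SCRIPT = """
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of a chain

def parse_command(line):
    """(action, chain, opts) for one iptables command, else None; assumes one -m per rule and no '!'."""
    toks = line.split()
    if len(toks) < 4 or toks[0] != "iptables" or toks[1] not in ("-A", "-I", "-P"):
        return None
    if toks[1] == "-P":
        return "-P", toks[2], {"policy": toks[3]}
    opts, i = {}, 3  # opts maps each flag to its value, or True for flags that take none
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return toks[1], toks[2], opts

def build_chains(script):
    """Replay the commands in order: -A appends, -I (no rule number) inserts at the head, -P sets policy."""
    chains, policies = {}, {}
    for action, chain, opts in filter(None, map(parse_command, script.strip().splitlines())):
        if action == "-P":
            policies[chain] = opts["policy"]
        else:
            rules = chains.setdefault(chain, [])
            rules.insert(0 if action == "-I" else len(rules), opts)
    return chains, policies

def shadowed_rules(chains):
    """(chain, shadowed_idx, by_idx): rules that an earlier terminal rule with a subset of their matches always pre-empts."""
    found = []
    for chain, rules in chains.items():
        for j, later in enumerate(rules):
            for i in range(j):
                matches = {k: v for k, v in rules[i].items() if k != "-j"}
                if rules[i].get("-j") in TERMINAL and all(later.get(k) == v for k, v in matches.items()):
                    found.append((chain, j, i))
                    break
    return found

def chains_without_drop_policy(chains, policies):
    """Chains that got ACCEPT rules but still have the ACCEPT default policy, so those rules filter nothing."""
    return sorted(c for c in chains if policies.get(c) != "DROP")
```

Prepending `iptables -P INPUT DROP` to the constructed script clears the policy finding; moving the port-80 ACCEPT below the `-m recent` rules, or adding `-m state --state NEW` to the `recent` rules so they see only connection attempts, addresses the shadowing.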
© 2024 shulou.com SLNews company. All rights reserved.