2025-04-05 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
There are three kinds of security protection on Linux:
① Packet-filtering firewall: iptables
② Application-layer firewall: TCP Wrappers
③ Proxy-server firewall: nginx, etc.
iptables is a user-space program; the rules it manages are enforced by the kernel's netfilter framework inside the TCP/IP network stack.
By purpose and function, iptables is divided into four tables and five chains.
Four tables: filter, nat, mangle, raw
Priority (the order in which a packet traverses them): raw, mangle, nat, filter
filter is used for packet filtering; nat is used for network address translation, address mapping, port mapping, etc.; mangle is used to modify specific packets (rarely used); raw is generally used to exempt packets from iptables connection tracking, which improves performance.
Correspondence between the four tables and five chains:
filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, FORWARD
mangle: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
raw: PREROUTING, OUTPUT
When adding rules, consider:
1. The function to be realized: this decides which table the rule belongs in;
2. For rules of different types, place the ones more likely to match a packet nearer the top;
3. A default policy should be set.
Syntax of iptables (the match and target extensions have their own manual page):
~]# man iptables-extensions
iptables [-t TABLE] SUBCOMMAND CHAIN CRITERIA -j TARGET
SUBCOMMAND
Chain manipulation:
-F Flush all rules on the specified chain of the specified table; when the chain name is omitted, flush every chain in the table
-N Create a user-defined chain; it can only be used as a jump target from a built-in chain and takes effect only once referenced
-X Delete an empty user-defined chain; built-in chains cannot be deleted
-Z Zero the counters of the rules
-P Set the default policy of a chain
-E Rename a user-defined chain
Note: A chain that is still referenced cannot be deleted or renamed.
Rules:
-A Append a rule at the end of the chain
-I Insert a rule at the specified position
-D Delete the specified rule
-R Replace the specified rule
-L List all rules on the chain, generally used in the form -vnL
--line-numbers Display the rule numbers
CRITERIA: matching conditions
-s Check the source IP address of the packet
-d Check the destination IP address of the packet
-p Check the protocol of the packet, such as tcp, udp, icmp
-i Incoming interface of the packet; usually only used for rules on the PREROUTING, INPUT and FORWARD chains
-o Outgoing interface of the packet; usually only used for rules on the FORWARD, OUTPUT and POSTROUTING chains
icmp protocol (ping requests)
iptables -A INPUT -d 192.168.1.1 -s 192.168.1.0/24 -p icmp --icmp-type 8/0 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.1 -d 192.168.1.0/24 -p icmp --icmp-type 0/0 -j ACCEPT
8: matches ping request (echo request) packets
0: matches the reply to a ping request (echo reply)
-j: the action to take: REJECT, ACCEPT or DROP
Specify multiple ports at once
Examples:
iptables -I INPUT 1 -d 192.168.1.1 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
Insert a new rule at position 1 of the INPUT chain for packets whose destination IP is 192.168.1.1 (usually the local IP): all tcp requests sent to ports 22, 80 and 443 of the local machine are accepted. The default policy here is usually set to DROP (discard any request that no rule allows).
iptables -I OUTPUT 1 -s 192.168.1.1 -p tcp -m multiport --sports 22,80,443 -j ACCEPT
Similarly, all tcp replies sent by this machine from ports 22, 80 and 443 are allowed out.
-m Module name
multiport extension: matches a discrete set of ports, up to 15 at a time
-s 192.168.1.1 Source IP
--sports ... Source ports, i.e. the ports from which replies leave
Specify a contiguous range of IP addresses
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 23 -m iprange --src-range 192.168.2.2-192.168.2.100 -j ACCEPT
Inbound rule
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 23 -m iprange --dst-range 192.168.2.2-192.168.2.100 -j ACCEPT
Outbound rule
String matching on the application-layer data of packets
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 80 -m string --string "sex" --algo bm -j REJECT
Matches outbound packets from port 80 and rejects any reply that contains the characters "sex"
-m string: load the string match module
--string: the string to match
--algo: the string-matching algorithm, here the bm algorithm
--hex-string pattern: the pattern is written in hexadecimal and converted before matching, for better performance and efficiency
--from offset: start the search the given number of bytes from the beginning of the packet; --to offset ends it there
Access control based on time intervals
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] Start date and time
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] End date and time
--timestart hh:mm[:ss] Time of day at which the window starts
--timestop hh:mm[:ss] Time of day at which the window ends
--monthdays day[,day...] Days of the month
--weekdays day[,day...] Days of the week
Examples:
iptables -R INPUT 1 -d 192.168.1.1 -p tcp --dport 80 -m time --timestart 08:30 --timestop 18:30 --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
PS: Weekday names are written with a capital first letter, or as the numbers 1, 2, 3, 4, 5, 6, 7.
The purpose of this command:
Inbound requests to port 80 of this server are rejected between 8:30 and 18:30 every day from Monday to Friday.
Limits based on connection count and packet rate
connlimit: limits concurrent connections per client IP, i.e. the number of connections a single IP may have open at the same time;
--connlimit-upto n: matches when the number of connections is less than or equal to n;
--connlimit-above n: matches when the number of connections exceeds n;
Examples:
No more than 2 SSH connections per client
iptables -I INPUT -d 192.168.1.1 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
Limit users to 20 ping requests per minute
--limit rate[/second|/minute|/hour|/day]
--limit-burst number Size of the token bucket, default 5 (the peak that may pass before the rate applies)
iptables -I INPUT -d 192.168.1.1 -p icmp --icmp-type 8 -m limit --limit-burst 3 --limit 20/minute -j ACCEPT
iptables -A OUTPUT -s 192.168.1.1 -p icmp --icmp-type 0 -j ACCEPT
Connection state tracking
iptables can keep a hash table in a region of kernel memory that records, for each connection, the source and destination IP, the source and destination port, when the connection with the local machine was established, and how long it has lasted.
When a new request arrives, it is compared against the records in this table to see whether an entry already exists, and if there is no record
When the number of concurrent connections exceeds what that memory can record, new requests are rejected.
View the maximum number of tracked connections that can be stored:
cat /proc/sys/net/nf_conntrack_max
Note: If the host is a scheduler (load balancer) that has to carry a very large number of concurrent connections, enabling this function will cause a large number of service requests to be rejected instantly, which is fatal!!!
States:
NEW: a new connection
ESTABLISHED: an established connection
INVALID: an unrecognized connection
UNTRACKED: a connection excluded from tracking
RELATED: an associated connection (e.g. the ftp command connection and its data-transfer connection)
Now suppose there is a situation:
All other ports on the server are closed and only port 80 is open to the outside world. Suddenly a new connection is initiated from port 80 of the server, indicating that someone has planted a small program on the server that is secretly connecting back to its control end.
It is therefore necessary to set up state tracking: on port 80, only incoming NEW connections are allowed, and outgoing packets are allowed only for ESTABLISHED connections
~]# iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --dports 22,23,80 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT
The default policy is DROP
Well, basically that's all. There is also logging, and how to save and reload rules.
Save: iptables-save > /PATH/TO/SOME_RULE_FILE
Reload: iptables-restore < /PATH/FROM/SOME_RULE_FILE
-n, --noflush: do not flush the existing rules first
-t, --test: only parse and build the rule set, do not commit it;
Note: Reloading rules from a file clears the existing rules (unless -n is given);
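The file written by iptables-save can also be audited offline against the ordering and default-policy advice in this article. The following shell script is an added example and not part of the original article; the iptables-save output it reads is a constructed sample with deliberate problems, and the function names audit_ruleset and count_findings are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump (stdin) against three defensive
# checks: a DROP default policy on the filter chains, the ESTABLISHED fast-path
# rule sitting first in each chain, and no REJECT/DROP rule for a TCP port that
# an earlier ACCEPT rule in the same chain already lets through.

# Constructed sample of iptables-save output with deliberate problems:
# INPUT keeps an ACCEPT default policy, the ESTABLISHED rule is second,
# and the SSH connlimit REJECT is shadowed by the multiport ACCEPT above it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.1.1/32 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# audit_ruleset: reads iptables-save format on stdin, prints one finding per line.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); next }        # *filter, *nat, ...
    table != "filter" { next }                    # only the filter table matters here
    /^:/ {                                        # :CHAIN POLICY [packets:bytes]
        chain = substr($1, 2)
        if ((chain == "INPUT" || chain == "OUTPUT" || chain == "FORWARD") && $2 != "DROP")
            print "POLICY: " chain " default policy is " $2 ", not DROP (no whitelist)"
        next
    }
    $1 == "-A" {
        chain = $2; n[chain]++
        # idea (1): the first rule of a chain should be the ESTABLISHED fast path
        if (n[chain] == 1 && $0 !~ /--state [A-Z,]*ESTABLISHED|--ctstate [A-Z,]*ESTABLISHED/)
            print "ORDER: first rule in " chain " is not the ESTABLISHED fast path"
        # idea (3): remember which TCP ports an ACCEPT rule already admits ...
        if ($0 ~ /-j ACCEPT/ && match($0, /--dports? [0-9,]+/)) {
            split(substr($0, RSTART, RLENGTH), f, " "); split(f[2], ports, ",")
            for (i in ports) accepted[chain, ports[i]] = n[chain]
        }
        # ... so a later, stricter REJECT/DROP on the same port is reported as shadowed
        if ($0 ~ /-j (REJECT|DROP)/ && match($0, /--dport [0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            if ((chain, f[2]) in accepted)
                print "SHADOW: " chain " rule " n[chain] " rejects port " f[2] " but rule " accepted[chain, f[2]] " already accepts it"
        }
    }'
}

# count_findings: number of findings produced for the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_RULES" | audit_ruleset | wc -l | tr -d ' '
}

# On a live host run:  iptables-save | audit_ruleset
printf '%s\n' "$SAMPLE_RULES" | audit_ruleset
```

The sample produces three findings, one per check. The shadow check only looks at TCP destination ports, which is where the connlimit and time examples of this article would lose their effect if placed after a broad multiport ACCEPT.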
Rule optimization ideas:
(1) Give priority to releasing packets whose state is ESTABLISHED in both directions;
(2) Among rules serving different categories of function, place the one more likely to match a packet first;
(3) Among rules serving the same category of function, place the one with the stricter matching conditions first;
(4) Set the default policy: whitelist mechanism
(a) The default policy can be set with iptables -P;
(b) It is recommended to define a rule at the end of the chain to act as the default policy;
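Putting the four ideas together, the whitelist can be written as one iptables-restore file instead of a sequence of individual iptables commands, so that it can be reviewed and parsed with iptables-restore --test before it is committed. The script below is an added example, not code from the original article; the host address, the port list, the rules file path /etc/iptables/rules.v4 and the function name gen_ruleset are this example's assumptions. It combines the NEW/ESTABLISHED state rules from the port-80 scenario with the connlimit and limit rules shown earlier, ordered as the optimization ideas require.

```shell
#!/bin/sh
# Added example: build a whitelist ruleset in iptables-restore format.
# Assumptions (not from the article): the host address, the published
# ports and the rules file path below.
HOST=192.168.1.1
PORTS=22,80,443
RULES_FILE=/etc/iptables/rules.v4

# gen_ruleset HOST PORTS: print the ruleset on stdout, ordered by the
# optimization ideas: ESTABLISHED fast path first, stricter rules before the
# broad service rule, DROP default policy as the whitelist backstop.
gen_ruleset() {
    host=$1
    ports=$2
    cat <<EOF
# whitelist ruleset for $host (generated by gen_ruleset)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# (1) replies to tracked connections are the bulk of traffic: match them first
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# (3) stricter rules before the broad service rule that would otherwise shadow them
-A INPUT -d $host -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
-A INPUT -d $host -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
# (2) the frequently matched service rule: only NEW connections to the published ports
-A INPUT -d $host -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
# (4) everything else falls through to the DROP policy; keep a rate-limited log of it
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# With --apply (as root): write the file, let iptables-restore --test parse it
# without touching the kernel, and only then commit it. Otherwise just print.
case "${1:-}" in
    --apply)
        gen_ruleset "$HOST" "$PORTS" > "$RULES_FILE"
        iptables-restore --test < "$RULES_FILE" && iptables-restore < "$RULES_FILE"
        ;;
    *)
        gen_ruleset "$HOST" "$PORTS"
        ;;
esac
```

Because OUTPUT has a DROP policy and only ESTABLISHED packets are released, echo replies and service responses leave normally (conntrack marks them as the reply direction of a tracked connection), but the host itself cannot open new outbound connections, including DNS lookups; that is exactly the stance of the port-80 scenario above and must be relaxed deliberately if the host needs to reach out.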