2025-01-31 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
The following describes how to implement vsftpd virtual users backed by MySQL and how to use iptables. The text stays close to the topic, so without further preamble let's go straight in; I believe you will benefit from reading it.
vsftpd virtual users based on MySQL
1. Install the environment first
yum groupinstall -y "Development Tools" "Server Platform Development"
yum install -y pam-devel mariadb-devel mariadb-server vsftpd lftp ftp
# download the latest pam-mysql from http://pam-mysql.sourceforge.net/ , then compile and install it
tar xf pam_mysql-0.7RC1.tar.gz
cd pam_mysql-0.7RC1
./configure --with-pam=/usr --with-mysql=/usr --with-pam-mods-dir=/usr/lib64/security
make
make install
2. Configure vsftpd
Create the file required for PAM authentication
vim /etc/pam.d/vsftpd.mysql
add the following two lines (crypt=2 tells pam_mysql that the password column holds MySQL PASSWORD() hashes, which matches the INSERT used below):
auth required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=centos host=127.0.0.1 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
account required /usr/lib64/security/pam_mysql.so user=vsftpd passwd=centos host=127.0.0.1 db=vsftpd table=user usercolumn=name passwdcolumn=password crypt=2
Create the system user that the virtual users are mapped to, and its directory
mkdir /ftproot
useradd -s /sbin/nologin -d /ftproot vuser
create test directories:
mkdir /ftproot/{pub,upload}
cd /ftproot
chown vuser:vuser upload
Modify the vsftpd configuration file to use MySQL authentication
vim /etc/vsftpd/vsftpd.conf
modify the value of the pam_service_name option as follows:
pam_service_name=vsftpd.mysql
add the following two lines:
guest_enable=YES
guest_username=vuser
Configure virtual users with different access rights
Create the required directory and provide a configuration file for each virtual user
mkdir /etc/vsftpd/vusers_conf
cd /etc/vsftpd/vusers_conf
Note: vsftpd only reads these per-user files when vsftpd.conf also contains user_config_dir=/etc/vsftpd/vusers_conf; without that option the settings below have no effect.
Configure virtual users with different access rights:
vim tom, and write the following:
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
vim jerry, and write the following:
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
3. Create the data in SQL
MariaDB [(none)]> CREATE DATABASE vsftpd;
MariaDB [(none)]> use vsftpd;
MariaDB [vsftpd]> create table user (name char(30), password char(50));
MariaDB [vsftpd]> INSERT INTO vsftpd.user (name,password) VALUES ('tom',PASSWORD('lxq')), ('jerry',PASSWORD('lxq'));
MariaDB [vsftpd]> create user vsftpd@localhost identified by 'centos';
MariaDB [vsftpd]> grant all privileges on vsftpd.user to vsftpd@localhost identified by 'centos';
MariaDB [vsftpd]> FLUSH PRIVILEGES;
(pam_mysql only needs to read the table, so granting SELECT on vsftpd.user instead of all privileges is sufficient and limits what a leaked vsftpd password can do.)
4. Test
Log in as tom: uploading any file succeeds.
Log in as jerry: the upload fails.
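An added check for the setup above (example code written for this page, not part of the original article): a small sh audit of vsftpd.conf that confirms pam_service_name points at an existing PAM file with a pam_mysql auth line, that guest_enable/guest_username are set, and that user_config_dir exists, since without it the per-user files in vusers_conf are silently ignored. Paths are parameters and the sample files are constructed in a temporary directory, so it runs without touching the real system.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the MySQL
# virtual-user setup above (pam_service_name, guest_enable, guest_username) and for
# user_config_dir, without which the per-user files in vusers_conf are never read.
# File locations are parameters so the check can run on a constructed sample copy.

# get_opt FILE KEY: print the value of the last "KEY=VALUE" line in FILE
get_opt() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# audit_vsftpd VSFTPD_CONF PAM_DIR: print one line per problem, return the count
audit_vsftpd() {
    conf=$1 pamdir=$2 n=0
    svc=$(get_opt "$conf" pam_service_name)
    if [ -z "$svc" ]; then
        echo "pam_service_name is not set"; n=$((n + 1))
    elif [ ! -f "$pamdir/$svc" ]; then
        echo "pam_service_name=$svc but $pamdir/$svc is missing"; n=$((n + 1))
    elif ! grep -q '^auth[[:space:]]*required.*pam_mysql\.so' "$pamdir/$svc"; then
        echo "$pamdir/$svc has no 'auth required ... pam_mysql.so' line"; n=$((n + 1))
    fi
    [ "$(get_opt "$conf" guest_enable)" = YES ] || { echo "guest_enable is not YES"; n=$((n + 1)); }
    [ -n "$(get_opt "$conf" guest_username)" ] || { echo "guest_username is not set"; n=$((n + 1)); }
    ucd=$(get_opt "$conf" user_config_dir)
    if [ -z "$ucd" ]; then
        echo "user_config_dir is not set: per-user anon_* files are ignored"; n=$((n + 1))
    elif [ ! -d "$ucd" ]; then
        echo "user_config_dir=$ucd is not a directory"; n=$((n + 1))
    fi
    return $n
}

# write_sample DIR: constructed sample files mirroring the article (not real system files)
write_sample() {
    mkdir -p "$1/pam.d" "$1/vusers_conf"
    printf '%s\n' \
      'auth required /usr/lib64/security/pam_mysql.so user=vsftpd host=127.0.0.1 db=vsftpd' \
      'account required /usr/lib64/security/pam_mysql.so user=vsftpd host=127.0.0.1 db=vsftpd' \
      > "$1/pam.d/vsftpd.mysql"
    # complete config: the article's options plus user_config_dir
    printf '%s\n' pam_service_name=vsftpd.mysql guest_enable=YES guest_username=vuser \
      "user_config_dir=$1/vusers_conf" > "$1/good.conf"
    # config that follows the article literally: user_config_dir never set
    printf '%s\n' pam_service_name=vsftpd.mysql guest_enable=YES guest_username=vuser > "$1/bad.conf"
}

# stand-alone demo on the constructed files
tmp=$(mktemp -d); write_sample "$tmp"
audit_vsftpd "$tmp/good.conf" "$tmp/pam.d" && echo "good.conf: OK"
audit_vsftpd "$tmp/bad.conf" "$tmp/pam.d" || echo "bad.conf: $? problem(s)"
rm -rf "$tmp"
```

To audit a real host, call audit_vsftpd /etc/vsftpd/vsftpd.conf /etc/pam.d instead of the sample paths.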
Detailed description of the five iptables chains
Concept of four tables and five chains
filter table: filters packets
nat table: network address translation (IP, port)
mangle table: modifies packet fields such as the service type and TTL, and can be used to configure routing to implement QoS
raw table: decides whether a packet is handled by the connection tracking (state) mechanism
INPUT chain: the rules in this chain apply to packets addressed to this host
OUTPUT chain: the rules in this chain apply to packets sent by this host
FORWARD chain: the rules in this chain apply to packets forwarded through this host
PREROUTING chain: the rules in this chain apply before routing (every incoming packet is handled by this chain first)
POSTROUTING chain: the rules in this chain apply after routing (every outgoing packet passes through this chain after the routing decision)
# empty the iptables rules
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 5 packets, 380 bytes)
 pkts bytes target     prot opt in     out     source               destination
# install the required software
[root@localhost ~]# yum -y install httpd telnet-server samba tftp-server vsftpd mariadb-server
# set the default policy of the cloud server's INPUT and OUTPUT chains to DROP
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
(1) Multi-port matching
# accept traffic on ports 22 and 80, i.e. allow the ssh and httpd services
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp -m multiport --dports 22,80 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p tcp -m multiport --sports 22,80 -j ACCEPT
(2) connection tracking
# allow a specified range of IP addresses to connect to port 23
[root@localhost ~]# iptables -I INPUT 3 -d 192.168.186.131 -p tcp --dport 23 -m iprange --src-range 192.168.186.130-192.168.186.135 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT 3 -s 192.168.186.131 -p tcp --sport 23 -m iprange --dst-range 192.168.186.130-192.168.186.135 -j ACCEPT
(3) string matching
# change the default policy back to ACCEPT
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
# do not send out packets whose payload contains the string "gaain"
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -m string --algo kmp --string "gaain" -j REJECT
(4) time matching
# open the time synchronization service ports
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p udp -m multiport --dports 123,323 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p udp -m multiport --sports 123,323 -j ACCEPT
# add rules: the specified IP range may connect to port 23 every day from 16:00 to 23:00
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp --dport 23 -m iprange --src-range 192.168.186.130-192.168.186.135 -m time --timestart 12:00:00 --timestop 23:00:00 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p tcp --sport 23 -m iprange --dst-range 192.168.186.130-192.168.186.135 -m time --timestart 12:00:00 --timestop 23:00:00 -j ACCEPT
(Note that the rules as written start at 12:00:00, and the time match compares against UTC unless --kerneltz is given, so check the window in the local time zone before relying on it.)
(5) concurrent connection limit
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# mysql
MariaDB [(none)]> CREATE USER 'test'@'192.168.186.%' IDENTIFIED BY '123';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit
[root@localhost ~]# vim /etc/my.cnf.d/server.cnf
[mysqld]
skip_name_resolve=on
[root@localhost ~]# systemctl restart mariadb.service
# open port 3306 between the cloud server and the specified clients
[root@localhost ~]# iptables -I INPUT -s 192.168.186.0/24 -d 192.168.186.131 -p tcp --dport 3306 -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -d 192.168.186.0/24 -s 192.168.186.131 -p tcp --sport 3306 -j ACCEPT
# restrict incoming traffic: the same IP may not hold more than 2 concurrent connections to the database (-R INPUT 1 replaces the first INPUT rule, i.e. the port 3306 rule just inserted)
[root@localhost ~]# iptables -R INPUT 1 -s 192.168.10.10/24 -d 192.168.10.10 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
(This rule only accepts the first 2 connections per source; connections beyond the limit are rejected only if the chain policy is DROP or a later rule drops them, which is not the case after the policy was set back to ACCEPT in (3).)
(6) rate matching (packet sending rate limit)
# process one request every 3 seconds (can be tested from another host with ping)
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 20/minute -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -p icmp --icmp-type 0 -j ACCEPT
(7) message status matching
The five states of the message:
NEW: a new connection request
ESTABLISHED: an established connection
INVALID: an unrecognized connection
RELATED: an associated connection, where the current connection is a new request but attached to an existing connection
UNTRACKED: an untracked connection
# allow NEW requests (the port list is garbled in the source; the ports shown are the services used earlier in this article)
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -p tcp -m multiport --dports 22,23,80,3306 -m state --state NEW -j ACCEPT
# allow ESTABLISHED connections
[root@localhost ~]# iptables -I INPUT -d 192.168.186.131 -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -I OUTPUT -s 192.168.186.131 -m state --state ESTABLISHED -j ACCEPT
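The stateful rules in (7), together with the NTP and rate-limited ICMP rules from (4) and (6), written as one iptables-restore file instead of a sequence of "iptables -I" commands (added example for this page, not the article's own commands). Loading the set atomically makes the rule order explicit: the ESTABLISHED,RELATED rule comes first and the chain policies are DROP, which is what makes the NEW and limit rules effective. The server address 192.168.186.131 and the port list are parameters; the established_first check can also be run on the output of iptables-save from a live host.

```shell
#!/bin/sh
# Added example, not from the original article: emit the article's stateful INPUT/OUTPUT
# policy as an iptables-restore file. HOST is the server address, PORTS the comma list
# for the multiport NEW rule. Only text is produced; apply with: build_ruleset ... | iptables-restore -n

build_ruleset() {
    host=$1 ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# replies to connections already accepted are matched first, so they are cheap
-A INPUT -d $host -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $host -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections only to the published services
-A INPUT -d $host -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
# outbound time synchronization (123 NTP, 323 chrony command port)
-A OUTPUT -s $host -p udp -m multiport --dports 123,323 -j ACCEPT
# rate-limited ping: 20 per minute with a burst of 5, as in the article
-A INPUT -d $host -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
-A OUTPUT -s $host -p icmp --icmp-type 0 -j ACCEPT
COMMIT
EOF
}

# rule_count RULESET CHAIN: number of "-A CHAIN" rules in the generated text
rule_count() { printf '%s\n' "$1" | grep -c "^-A $2 "; }

# established_first RULESET: succeed only if INPUT's ESTABLISHED rule precedes its first NEW
# rule; with a DROP policy the reverse order still works but costs a full scan per reply packet
established_first() {
    est=$(printf '%s\n' "$1" | grep -n '^-A INPUT .*--state ESTABLISHED' | head -n 1 | cut -d: -f1)
    new=$(printf '%s\n' "$1" | grep -n '^-A INPUT .*--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# stand-alone demo: print the ruleset for the article's server and check its order
rs=$(build_ruleset 192.168.186.131 22,80,3306)
printf '%s\n' "$rs"
established_first "$rs" && echo "ESTABLISHED rule precedes NEW rule: OK"
```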
3. Examples of iptables SNAT (source address modification), DNAT (destination address modification) and PNAT (port modification)
I. SNAT source address modification
After routing (POSTROUTING), rewrite the internal network source IP to the IP address of the external network card.
# iptables -t nat -I POSTROUTING -o <public network card> -s <internal network segment> -j SNAT --to-source <public IP address>   # suitable when the public IP address is fixed
[root@localhost g513452987]# iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ens32 -j SNAT --to-source 10.23.15.57
II. Modification of DNAT destination address
Before routing (PREROUTING), rewrite the destination IP and port from the gateway's public IP and published port to the IP and port of the internal cloud server.
# iptables -t nat -I PREROUTING -i <public network card> -d <public IP> -p tcp --dport <published port> -j DNAT --to-destination <internal service IP>:<port>
[root@localhost g513452987]# iptables -t nat -A PREROUTING -d 172.16.0.254 -p tcp --dport 80 -j DNAT --to-destination 10.23.12.235
III. PNAT port modification
REDIRECT: port mapping
iptables -A PREROUTING -t nat -d <private network IP> -p <protocol> --dport <published port> -j REDIRECT --to-ports <mapped port>
[root@localhost g513452987]# iptables -A PREROUTING -t nat -d 10.23.12.235 -p tcp --dport 80 -j REDIRECT --to-ports 8080   # port 80 is mapped to port 8080
Is there anything about the implementation of vsftpd virtual users in MySQL and the iptables usage above that is still unclear? If you want to know more, you can continue to follow our industry information section.