Linux Firewall: common commands for iptables to disable IP and unblock IP

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report--

Under Linux, iptables maintains the IP rule table. Blocking or unblocking an IP means adding or removing a rule in the inbound (INPUT) part of that table.

To block an IP, use the following command:

iptables -I INPUT -s ***.***.***.*** -j DROP

To unblock an IP, use the following command:

iptables -D INPUT -s ***.***.***.*** -j DROP

The parameter -I stands for Insert (add a rule) and -D for Delete (remove a rule). The rule itself follows: INPUT names the inbound chain, ***.***.***.*** is the IP address to be blocked, and DROP means the matching packets are silently discarded.

In addition, you can view the current table of IP rules using the following command:

iptables --list

For example, if you want to block the IP 123.44.55.66, type:

iptables -I INPUT -s 123.44.55.66 -j DROP

To unblock, replace -I with -D; this works as long as iptables already holds exactly that rule. To clear the blocked IP addresses, type the following (note that this flushes every rule in the table, not only the blocked IPs):

iptables --flush

To add an IP range to the block list, use the following command:

iptables -I INPUT -s 121.0.0.0/8 -j DROP

In fact, the single IP is simply replaced with an IP range in CIDR notation (address/prefix length). There are plenty of detailed explanations of IP range notation on the web, so they are not repeated here.

I believe that with the help of iptables, it is easy to solve the problem of small DDoS.

Attached: other commonly used commands

Edit the iptables file

vi /etc/sysconfig/iptables

Turn off / turn on / restart the firewall

/etc/init.d/iptables stop      # stop
/etc/init.d/iptables start     # start
/etc/init.d/iptables restart   # restart

Verify that the rules are in effect:

iptables -L

Save and restart iptables

/etc/rc.d/init.d/iptables save
service iptables restart

Some commonly used iptables commands for blocking IP ranges under Linux:

The command to block a single IP is:

iptables -I INPUT -s 211.1.0.0 -j DROP

The commands to block a /16 range are:

iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP

The command to block a whole /8 range is:

iptables -I INPUT -s 211.0.0.0/8 -j DROP

The commands to block several /24 ranges are:

iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP

There are three ways to make the rules load automatically when the server starts:

1. Add the commands to /etc/rc.local

2. iptables-save > /etc/sysconfig/iptables writes your current iptables rules to /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts.

3. service iptables save also writes your current iptables rules to /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts.

The latter two are better. The iptables service is generally started before the network service, so the rules are already in place when the interfaces come up, whereas /etc/rc.local only runs after the network is already reachable.

To unblock (the rule given to -D must match the existing rule exactly, target included):

iptables -D INPUT -s <IP address> -j REJECT

iptables -F clears all rules.

How do you configure the Linux iptables firewall so that only one IP may access port 80, or more generally only a specific IP may access a specific port? With the following commands only 46.166.150.22 is allowed to reach port 80 of this host; change the IP or port as needed. Because -I inserts at the head of the chain, the ACCEPT rule entered second ends up above the DROP rule, which is what makes the pair work.

iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 46.166.150.22 -p tcp --dport 80 -j ACCEPT

After executing the two commands above as root, restart iptables with service iptables restart.
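As an added example that is not part of the original article, the following POSIX sh wrappers implement the block/unblock commands and the two-rule port restriction above with address validation and an existence check (iptables -C), so that repeated calls do not pile up duplicate rules. The function names and the IPTABLES variable (which lets you point at the binary, or at a stub when testing without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: wrappers around the
# block/unblock and "only one IP may reach a port" commands, with input
# validation and idempotence. Assumes IPv4 only and that $IPTABLES names
# the iptables binary (override it to exercise the functions without root).
IPTABLES=${IPTABLES:-iptables}

# Accept a dotted-quad IPv4 address with an optional /prefix between 0 and 32.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || prefix=32            # no "/" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Insert "iptables -I INPUT -s <ip> -j DROP" unless the identical rule already
# exists (-C exits 0 when it does), so repeated calls do not stack duplicates
# that a single later -D would leave behind.
block_ip() {
    valid_ipv4_cidr "$1" || { echo "block_ip: bad address '$1'" >&2; return 2; }
    "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null && return 0
    "$IPTABLES" -I INPUT -s "$1" -j DROP
}

# Delete every matching DROP rule for <ip>; -D removes one instance per call.
unblock_ip() {
    valid_ipv4_cidr "$1" || { echo "unblock_ip: bad address '$1'" >&2; return 2; }
    while "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; do
        "$IPTABLES" -D INPUT -s "$1" -j DROP || return 1
    done
}

# Let only <src> reach TCP <port>: the DROP goes in first so that the ACCEPT
# inserted afterwards with -I sits above it in the chain.
allow_port_only_from() {
    port=$1; src=$2
    valid_ipv4_cidr "$src" || { echo "allow_port_only_from: bad address '$src'" >&2; return 2; }
    "$IPTABLES" -C INPUT -p tcp --dport "$port" -j DROP 2>/dev/null ||
        "$IPTABLES" -I INPUT -p tcp --dport "$port" -j DROP || return 1
    "$IPTABLES" -C INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT 2>/dev/null ||
        "$IPTABLES" -I INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT
}
```

Source the file and call, for example, block_ip 123.44.55.66 or allow_port_only_from 80 46.166.150.22 as root; a second identical call is a no-op.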

Check to see if iptables is valid:

[root@www.xxx.com]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  46.166.150.22        anywhere             tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The commands above close port 80 for the entire server (all of its IPs, apart from the one allowed). What if you only need to restrict port 80 on one of the server's IP addresses?

The following commands allow only 174.140.3.190 to reach port 80 of 216.99.1.216. They are placed in the FORWARD chain, so they apply to traffic routed through this host rather than traffic addressed to it:

iptables -A FORWARD -s 174.140.3.190 -d 216.99.1.216 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 216.99.1.216 -p tcp -m tcp --dport 80 -j DROP

More iptables reference commands are as follows:

1. Back up the iptables configuration first

# cp /etc/sysconfig/iptables /var/tmp

Open port 80 only for a specified IP range and the LAN

The following three lines do this:

Close port 80 for everyone first.

Open port 80 for the 192.168.1.0/24 range.

Open port 80 for the 211.123.16.123/24 range.

# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

The above settings are temporary and are lost on restart unless saved.

2. Then save the iptables rules

# service iptables save

3. Restart the firewall

# service iptables restart

= The following is reproduced =

Block a port for everyone, then open it for some IPs:

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If NAT forwarding is used, the following FORWARD rules are needed as well for the restriction to take effect:

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Common iptables rules are as follows (Filter and PFWanPriv below are user-defined chains):

Only mail can be sent and received; everything else is blocked.

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPSEC NAT policy

iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500

NAT of the FTP server

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.1.22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22

Only access to the specified sites is allowed (a hostname in a rule is resolved to IP addresses once, when the rule is loaded):

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.ctohome.com -j ACCEPT
iptables -A Filter -d www.guowaivps.com -j ACCEPT
iptables -A Filter -j DROP

Open some ports for one IP; everything else is closed

iptables -A Filter -p tcp --dport 80 -s 192.168.1.22 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

Multiple ports

iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

Port ranges

iptables -A Filter -p tcp -m multiport --source-port 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

Restrict Internet access to certain times

iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Disable multiple port services

iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

NAT the WAN port to a PC

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

NAT WAN port 8000 to port 80 of 192.168.100.200

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:80

Forward ports to the MAIL server

iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22

Only PING to 202.96.134.133 is allowed; all other services are prohibited

iptables -A Filter -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP

Disable BT configuration

iptables -A Filter -p tcp --dport 6000:20000 -j DROP

Disable QQ Firewall configuration

iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

Based on MAC, you can only send and receive email, and reject everything else.

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

Disable MSN configuration

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Only PING to 202.96.134.133 is allowed; PING to other public IPs is not

iptables -A Filter -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP

Block a MAC address from accessing the Internet:

iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP

Disable PING for an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP

Block services for an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

Only some services are allowed, everything else is denied (2 rules)

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP

Block a port for a certain IP address

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP

Block a port for a certain MAC address

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP


http://blog.csdn.net/qjc_501165091/article/details/51225984
