Shulou(Shulou.com)06/02 Report--

This article mainly explains "what are the knowledge points of Linux firewall". Interested friends may wish to have a look. The method introduced in this paper is simple, fast and practical. Next, let the editor take you to learn "what are the knowledge points of Linux firewall"?

1. Iptables firewall cannot prevent DDOS attacks. It is recommended to purchase a hardware firewall in the implementation of the project, which is placed in front of the whole system to prevent DDOS attacks and port mapping. If there are special requirements for security, you can add application-level firewalls, such as Tiantai firewall, which are powerful like this: ① Tiantai WEB application firewall verifies WEB application client input based on the complete detection of Datagram header and payload, thus providing comprehensive protection against all kinds of known and emerging WEB application threats, such as SQL injection, cross-site scripts, worms, hacker scanning and attacks, etc. ② Tiantai WEB application firewall provides protection against DDOS attacks that are rampant in China. Bandwidth-and resource-exhausted DDOS attacks against WEB applications can be easily addressed. In particular, it provides fine-grained protection against DDOS attacks at the application layer. Other advantages are not described here.

Second, in the implementation of the project, it is recommended to turn off the iptables firewall of the Linux server or the ipfw of the FreeBSD, in order to better improve the network performance of the back-end server; ② facilitates the flow of data streams within the whole business system, and the security work is undertaken by the hardware firewall.

Third, at present, I mainly use iptables as an internal NAT firewall, and its performance and ease of management are really strong. Through Thunderbolt tests, it can be found that the company's internal 10m bandwidth can be fully utilized. The more commonly used software router in Wuhan is Sea Spider, which is actually the secondary development of iptables. The router that deployed the Internet bar for my friend's Internet bar two years ago, I strongly recommend that iptables be routed and forwarded by NAT, which has proved to be very effective.

4. The L of iptables is a command, and-v and-n are only options. They cannot be combined. For example, if-Lvn; wants to list detailed firewall rules, you can use iptables-nv-L.

Fifth, if you are using remote to debug the iptables firewall, it is best to set the crontab job to stop the firewall regularly in case you are locked, stop iptables every 5 minutes, and then close the crontab job after the whole script is completely stable.

6. If you use the default prohibition policy, you should immediately use the loopback interface lo (because everything is prohibited, including lo); Note: loopback interface lo in the Linux system is used to provide local, network-based services of the dedicated network interface, do not send the local data flow through the network interface driver, but take the operating system through the loopback interface to send, take shortcuts, greatly improve the performance.

7. If it is a server hosted by China Telecom or a two-line computer room, in the absence of a front-end hardware firewall, the Linux host must turn on the iptables firewall, and the windows2003 host must open its own system firewall and disable ping.

8. If the price of the necklace is affordable, the front-end hardware firewall should also be used as dual-computer redundancy to prevent problems with a single firewall, which will lead to the crash of the entire website. Firewalls, like people, will always be unable to withstand the pressure; if there are dual computers, the chances of website problems will be much smaller.

At this point, I believe you have a deeper understanding of "what are the knowledge points of Linux firewall?" you might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.