2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces "CentOS Linux firewall configuration and shutdown mode". Many people have questions about how to configure or shut down the CentOS Linux firewall (iptables); the editor has gone through various materials and put together a simple, practical set of steps, in the hope that it answers those questions. Please follow along.
I happened to come across these firewall configuration instructions and found them useful. Run the "setup" command to start the text-mode configuration utility, choose "Firewall configuration" under "Select a tool", then choose the "Run Tool" button. When the firewall configuration screen appears, set "Security Level" to "Disabled" and choose "OK".
Or use these commands (as found on those pages; the corrected form follows further down):
# /sbin/iptables -I INPUT -p tcp -dport 80 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp -dport 22 -j ACCEPT
# /etc/rc.d/init.d/iptables save
After a reboot, the firewall now has ports 80 and 22 open by default.
A reboot should not be necessary here; restarting the service is enough:
# /etc/init.d/iptables restart
To turn the firewall off, just stop its service.
View the firewall status:
# /etc/init.d/iptables status
Stop the firewall service:
# /etc/init.d/iptables stop
Turn it off permanently? I am not sure how "permanent" this is, but:
# chkconfig --level 35 iptables off
Several of the pages I read get this wrong: the port option is --dport, with two dashes. Here is the correct form:
# /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Then save:
# /etc/rc.d/init.d/iptables save
Then check that the rules are actually present:
[root@vcentos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
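Reading that listing by eye is error-prone once the table grows, so the following added example (not part of the original article) audits a saved "iptables -L -n --line-numbers" / "service iptables status" listing and reports whether the INPUT chain explicitly accepts each TCP port you expect. SAMPLE_STATUS is constructed from the listing above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit an iptables listing
# ("iptables -L -n --line-numbers" or "service iptables status" output) and
# confirm that a chain explicitly ACCEPTs the TCP ports you expect.
# SAMPLE_STATUS is constructed from the listing shown in the article: it
# accepts tcp/80 but shows no tcp/22 rule in INPUT itself.

SAMPLE_STATUS='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
3    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0'

# port_accepted CHAIN PORT  < listing
# Exit 0 if CHAIN contains an ACCEPT rule for "tcp dpt:PORT", 1 otherwise.
# Rules are only examined between the "Chain CHAIN" header and the next header.
port_accepted() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $2 == "ACCEPT" && $3 == "tcp" &&
            $0 ~ ("dpt:" port "([^0-9]|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_required_ports CHAIN PORT...  < listing
# Prints one line per port; returns the number of ports with no ACCEPT rule.
check_required_ports() {
    listing=$(cat)
    chain=$1
    shift
    missing=0
    for p in "$@"; do
        if printf '%s\n' "$listing" | port_accepted "$chain" "$p"; then
            echo "OK       $chain accepts tcp/$p"
        else
            echo "MISSING  no ACCEPT rule for tcp/$p in $chain"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Live use:  /sbin/iptables -L -n --line-numbers | check_required_ports INPUT 80 22
printf '%s\n' "$SAMPLE_STATUS" | check_required_ports INPUT 80 22 ||
    echo "$? port(s) not accepted directly in INPUT; check the chains it jumps to (here RH-Firewall-1-INPUT)"
```

A MISSING result is not necessarily a problem: in the listing above INPUT jumps to RH-Firewall-1-INPUT, so tcp/22 may well be accepted there. Feed the whole table to the check and query that chain too before concluding a port is closed.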
The server is hit with a large number of connections stuck in SYN_RECV on port 80, and the website no longer opens.
There is no hardware protection in front of it.
Is there any way to deal with this?
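Before changing kernel parameters it is worth confirming that the symptom really is a pile-up of half-open connections. The following added example (not from the original article) parses a "netstat -ant" or "ss -tan" socket listing, counts SYN_RECV sockets on the web port and ranks the source addresses behind them. Both listings are constructed samples with documentation addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: confirm a suspected SYN flood
# from a socket listing. netstat -ant prints the state in the last column as
# SYN_RECV; ss -tan prints it in the first column as SYN-RECV. Both place the
# local address in field 4 and the peer address in field 5, so one awk
# condition covers both formats.
# SAMPLE_NETSTAT and SAMPLE_SS are constructed listings (RFC 5737 addresses).

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40213      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51001       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.44:60000      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.44:60001      ESTABLISHED'

SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      192.0.2.10:80        198.51.100.7:40214
SYN-RECV   0      0      192.0.2.10:80        203.0.113.5:51002
ESTAB      0      0      192.0.2.10:80        203.0.113.44:60002'

# syn_recv_count PORT  < listing : number of half-open sockets on local PORT
syn_recv_count() {
    awk -v port="$1" '
        ($NF == "SYN_RECV" || $1 == "SYN-RECV") && $4 ~ (":" port "$") { n++ }
        END { print n + 0 }'
}

# syn_recv_sources PORT  < listing : "count source-ip" lines, busiest first.
# Many sources with one or two sockets each usually means spoofed addresses.
syn_recv_sources() {
    awk -v port="$1" '
        ($NF == "SYN_RECV" || $1 == "SYN-RECV") && $4 ~ (":" port "$") {
            split($5, a, ":"); src[a[1]]++
        }
        END { for (ip in src) print src[ip], ip }' | sort -rn
}

# syn_flood_suspected PORT THRESHOLD  < listing : exit 0 when the number of
# half-open sockets on PORT exceeds THRESHOLD
syn_flood_suspected() {
    n=$(syn_recv_count "$1")
    [ "$n" -gt "$2" ]
}

# Live use:  netstat -ant | syn_recv_sources 80 | head    (or: ss -tan | ...)
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources 80
```

On a healthy web server the SYN_RECV count stays in the low tens; during a flood it sits at the tcp_max_syn_backlog ceiling. If the same few addresses dominate the ranking, the per-source limits further down (recent, connlimit) will help; if the sources are all different, only SYN cookies will.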
1. Adjust the kernel parameters:
sysctl -w net.ipv4.tcp_syncookies=1              # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1          # fewer SYN+ACK retransmissions for half-open connections
sysctl -w net.ipv4.tcp_syn_retries=1             # fewer SYN retransmissions (outgoing connections)
sysctl -w net.ipv4.tcp_max_syn_backlog=6000      # maximum number of half-open connections
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0   # do not accept ICMP redirects
sysctl -w net.ipv4.tcp_fin_timeout=30
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.tcp_window_scaling=1
sysctl -w net.ipv4.icmp_echo_ignore_all=1        # ignore all ICMP echo requests
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # ignore broadcast ICMP echo requests
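sysctl -w only changes the running kernel, so after a reboot, or after someone edits /etc/sysctl.conf, the settings can silently drift. The following added example (not from the original article) compares a "sysctl -a" snapshot against the values listed above and reports every key that deviates. SAMPLE_SYSCTL is a constructed snapshot of an unhardened host; WANTED carries the article's values; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit the running kernel's
# net.ipv4 settings against the SYN-flood hardening values from the article
# and report drift, instead of blindly re-running "sysctl -w".
# Live use:  sysctl -a 2>/dev/null | audit_sysctl
# SAMPLE_SYSCTL is a constructed "sysctl -a" excerpt from an unhardened host.

SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_window_scaling = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1'

# Desired values, one key=value per line, exactly as listed in the article.
WANTED='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_max_syn_backlog=6000
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_window_scaling=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1'

# audit_sysctl  < "key = value" lines
# Prints OK / DRIFT / UNKNOWN per wanted key; returns the number of keys
# that are not at the wanted value (0 means fully hardened).
audit_sysctl() {
    current=$(cat)
    bad=0
    for kv in $WANTED; do
        key=${kv%%=*}
        want=${kv#*=}
        # "sysctl -a" prints "key = value"; split on the padded equals sign
        have=$(printf '%s\n' "$current" |
               awk -v k="$key" -F' *= *' '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            echo "UNKNOWN  $key is not present in this kernel"
            bad=$((bad + 1))
        elif [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "DRIFT    $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl ||
    echo "$? setting(s) differ from the hardened values"
```

To make the values survive a reboot, put the same key = value lines in /etc/sysctl.conf rather than relying on sysctl -w. Review each value before adopting it: tcp_syn_retries=1 also shortens the server's own outgoing connection attempts, and icmp_echo_ignore_all=1 makes the host unreachable to ping-based monitoring.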
2. Limit the number of new connections per unit of time, for example:
iptables -N syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 3/s --limit-burst 1 -j ACCEPT
iptables -A syn-flood -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --syn -m state --state NEW -j DROP
3. If that is still not enough:
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
If the attack traffic exceeds your server's bandwidth, there is nothing you can do about it. If it is not that large, the methods above can temporarily keep your site on port 80 reachable.
If your kernel already supports the iptables connlimit match, you can also add this to the iptables configuration:
iptables -I FORWARD -p tcp --syn -m connlimit --connlimit-above 5 -j DROP
Or:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
Against a SYN FLOOD, what really works is:
sysctl -w net.ipv4.tcp_syncookies=1       # enable SYN cookies
sysctl -w net.ipv4.tcp_synack_retries=1   # fewer SYN+ACK retransmissions
The other rate-limiting features of iptables are of little use against a SYN FLOOD (they do not prevent the denial of service, though they do keep the server from crashing).
This concludes the study of "CentOS Linux firewall configuration and shutdown mode". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! To keep learning more on related topics, please continue to follow the website; the editor will keep working to bring you more practical articles.