2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Iptables composition: four tables + five chains + rules
Four tables: filter, nat, mangle, raw
Five chains: INPUT, OUTPUT, FORWARD, PREROUTING (where DNAT is done), POSTROUTING (where SNAT is done)
nat table: used for network address translation; it rewrites the IP addresses of packets according to its rules. Only the first packet of a connection traverses the nat table: once that packet has been translated, the rest of the connection is rewritten from the connection-tracking entry without consulting the table again. Filtering in this table is not recommended. The chains the nat table supports are PREROUTING, POSTROUTING and OUTPUT.
mangle table: used to alter packets, for example to mark them or to modify header fields such as TTL and TOS, and to set the MARK. The mangle table cannot be used for address masquerading. Supported chains: PREROUTING, OUTPUT, FORWARD, INPUT and POSTROUTING.
filter table: the default table, used whenever a command does not name a table with -t. It is used for access control: matching rules against packets and filtering them. Supported chains: INPUT, OUTPUT, FORWARD.
raw table: used to exempt selected packets from connection tracking. It supports the PREROUTING and OUTPUT chains.
Packet rules:
Packet access control: ACCEPT (accept the packet), REJECT (discard it and send an error reply to the sender), DROP (discard it silently)
Packet rewriting: SNAT (rewrite the source address), DNAT (rewrite the destination address)
Logging: LOG
-i eth0: packets entering through this interface
Input-interface matches are generally used on INPUT and PREROUTING
-o eth0: packets leaving through this interface
Output-interface matches are generally used on OUTPUT and POSTROUTING
I.
Rule 1: allow 10.10.188.233 to reach local TCP ports 80 and 25110
iptables -I INPUT -i eth2 -p tcp -s 10.10.188.233 -m multiport --dports 80,25110 -j ACCEPT
Rule 2: allow all addresses to reach local TCP port 22 (ssh) and ports 10 to 21 (written 10:21)
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 10:21 -j ACCEPT
Rule 3: allow ICMP packets from all addresses to this host
iptables -I INPUT -p icmp -j ACCEPT
Rule 4: refuse access to every port not allowed above. The rules above are inserted at the top of the chain with -I, so the catch-all must be appended with -A to stay last.
iptables -A INPUT -j REJECT (or set the chain policy instead: iptables -P INPUT DROP)
II. Configuration needed by default
Rule 1: allow all packets arriving on the lo interface
iptables -I INPUT -i lo -j ACCEPT
Rule 2: allow replies to connections that this host initiated
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
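The following is an added example, not code from the page: a small model of how iptables evaluates the INPUT chain built in sections I and II. It replays the page's commands, with -I putting a rule at position 1 and -A putting it at the end, and then runs constructed packet summaries through the chain, where the first matching rule decides and the chain policy applies when nothing matches. It also shows the mistake of adding the final REJECT with -I: the catch-all then lands above every later allow rule and shadows them. The packet fields, addresses other than the page's own, and the helper names are assumptions made for the example.

```python
"""Model of first-match evaluation of the INPUT chain from sections I and II (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    target: str                          # -j ACCEPT / REJECT / DROP
    proto: Optional[str] = None          # -p tcp|icmp
    src: Optional[str] = None            # -s host or CIDR
    in_if: Optional[str] = None          # -i interface
    dports: Tuple = ()                   # --dport / --dports: ints or (low, high) ranges
    states: Tuple[str, ...] = ()         # -m state --state ...

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.in_if and pkt["in_if"] != self.in_if:
            return False
        if self.dports:
            dp = pkt.get("dport")
            if dp is None or not any(
                dp == p if isinstance(p, int) else p[0] <= dp <= p[1] for p in self.dports
            ):
                return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules = []
        self.policy = policy             # iptables -P

    def insert(self, rule: Rule) -> None:   # iptables -I: rule goes to position 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: rule goes to the end
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:              # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


def build_input_chain(catch_all: str = "append") -> Chain:
    """Replay the page's commands in order. catch_all='insert' reproduces the
    mistake of adding the final REJECT with -I instead of -A."""
    c = Chain()
    # section I
    c.insert(Rule("ACCEPT", proto="tcp", src="10.10.188.233", in_if="eth2", dports=(80, 25110)))
    c.insert(Rule("ACCEPT", proto="tcp", dports=(22,)))
    c.insert(Rule("ACCEPT", proto="tcp", dports=((10, 21),)))
    c.insert(Rule("ACCEPT", proto="icmp"))
    (c.append if catch_all == "append" else c.insert)(Rule("REJECT"))
    # section II
    c.insert(Rule("ACCEPT", in_if="lo"))
    c.insert(Rule("ACCEPT", states=("ESTABLISHED", "RELATED")))
    return c


def packet(proto, src, dport=None, in_if="eth2", state="NEW") -> dict:
    """Constructed packet summary holding only the fields the rules look at."""
    return {"proto": proto, "src": src, "dport": dport, "in_if": in_if, "state": state}


if __name__ == "__main__":
    chain = build_input_chain()
    samples = [
        packet("tcp", "10.10.188.233", 80),                      # allowed host -> ACCEPT
        packet("tcp", "10.10.188.234", 80),                      # other host, port 80 -> REJECT
        packet("tcp", "198.51.100.9", 22),                       # ssh from anywhere -> ACCEPT
        packet("tcp", "198.51.100.9", 8080),                     # unlisted port -> REJECT
        packet("tcp", "198.51.100.9", 8080, state="ESTABLISHED"),  # reply to our connection -> ACCEPT
        packet("tcp", "127.0.0.1", 3306, in_if="lo"),            # loopback -> ACCEPT
    ]
    for p in samples:
        print(p, "->", chain.verdict(p))
    print("ssh with REJECT inserted via -I:", build_input_chain("insert").verdict(packet("tcp", "198.51.100.9", 22)))
```

The last line shows why the page appends the catch-all: with the REJECT inserted via -I, even the ssh allow rule is never reached for new connections, and only the ESTABLISHED,RELATED rule (inserted later, so above it) still passes traffic.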
III. Extensions
1. Let this host ping others while others cannot ping it (drop incoming echo-request; to do the reverse, drop echo-reply)
iptables -A INPUT -p icmp -s 192.168.1.0/24 -m icmp --icmp-type echo-request -j DROP
2. Limit the number of concurrent connections per client to no more than 3 (for example xshell terminals)
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m connlimit --connlimit-above 2 -j DROP
3. Rate limiting (-m limit: --limit sets the matching rate, --burst the size of the burst buffer)
iptables -A INPUT -d 192.168.1.63 -m limit --limit 5/s --burst 100 -j ACCEPT (the first 100 packets are not limited; beyond those, only 5 packets per second match)
iptables -A INPUT -d 192.168.1.63 -j DROP
For example, against an ICMP flood (many hosts sending ping packets until memory is exhausted):
iptables -A INPUT -d 192.168.1.63 -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT (limited to 20 packets per second)
iptables -A INPUT -d 192.168.1.63 -p icmp -m icmp --icmp-type echo-request -j DROP
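To make the --limit/--burst behaviour concrete, here is an added example (not code from the page) that models the limit match as a token bucket: the bucket starts full with `burst` tokens, refills at `rate` tokens per second, and a packet matches the ACCEPT rule only while a token is available; otherwise it falls through to the unconditional DROP that the page pairs with it. The arrival times are constructed, and the bucket model is an approximation of the kernel's implementation rather than a copy of it.

```python
"""Token-bucket model of 'iptables -m limit --limit 5/s --burst 100' followed by a DROP (added example)."""
from typing import List, Tuple


class LimitMatch:
    def __init__(self, rate_per_second: float, burst: int):
        self.rate = rate_per_second
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full: the first `burst` packets are not limited
        self.last_seen = 0.0

    def match(self, now: float) -> bool:
        """Refill according to elapsed time, then try to spend one token."""
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def verdicts(arrival_times: List[float], rate_per_second: float = 5, burst: int = 100) -> List[str]:
    """Run the page's two-rule pair over packets arriving at the given times
    (seconds, non-decreasing): ACCEPT while the limit match succeeds, else DROP."""
    limit = LimitMatch(rate_per_second, burst)
    return ["ACCEPT" if limit.match(t) else "DROP" for t in arrival_times]


def summarize(arrival_times: List[float], rate_per_second: float = 5, burst: int = 100) -> Tuple[int, int]:
    """Return (accepted, dropped) counts for the constructed arrival pattern."""
    v = verdicts(arrival_times, rate_per_second, burst)
    return v.count("ACCEPT"), v.count("DROP")


if __name__ == "__main__":
    # constructed flood: 200 echo requests at once, then 10 more one second later
    flood = [0.0] * 200 + [1.0] * 10
    print(summarize(flood))   # (105, 105): the burst of 100, then 5 refilled tokens
```

With the page's numbers, a burst of 200 packets at once gets exactly 100 through; a second later the bucket has refilled only 5 tokens, so 5 of the next 10 pass and the rest hit the DROP rule.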
Allowing FTP through the firewall
(active mode) add an accept rule for port 21
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
(passive mode)
1. Set the range of passive-mode data ports in the vsftpd server configuration file
vim /etc/vsftpd/vsftpd.conf
listen_port=21
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
Then add: iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT
2. Load the FTP connection-tracking modules into the kernel
modprobe nf_conntrack_ftp
modprobe ip_nat_ftp
Check the kernel modules: modprobe -l | grep ftp (or lsmod | grep nat_ftp)
Permanent modification: list the modules in IPTABLES_MODULES="nf_conntrack_ftp ..." in /etc/sysconfig/iptables-config
Example: employees inside the company (10.10.155.0/24) may access any service on the server; everyone may access port 1723; the public network may access the portal (port 80)
iptables -P INPUT DROP
iptables -I INPUT -p tcp -i lo -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.155.0/24 -j ACCEPT
iptables -A INPUT -p tcp -s 10.10.188.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
IP address translation, SNAT (used when many clients reach a web server through one address; the source can be a network segment, and the kernel parameter ip_forward must be enabled)
iptables -t nat -A POSTROUTING -p tcp -s 10.10.177.0/24 -j SNAT --to 10.10.188.232
IP address translation, DNAT (used when clients reach several web servers through one address; the destination can be a network segment)
iptables -t nat -A PREROUTING -p tcp -d 10.10.188.232/24 --dport 80 -j DNAT --to 10.10.177.232:80
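The SNAT and DNAT rules above only make sense together with connection tracking, and the nat-table description at the top of the page says the table is consulted only once per connection. The following added example (not code from the page) models that: the page's two nat rules are expressed as match/rewrite pairs, the first packet of a flow walks the table and its translation is stored in a conntrack entry, and later packets of the flow, including replies coming back, are rewritten from the entry without touching the table. The client and server addresses other than the page's own are constructed, and the `NatBox` class and helpers are assumptions made for the example.

```python
"""Model of SNAT/DNAT plus connection tracking for the page's two nat rules (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]    # (proto, src, sport, dst, dport)


def reply_of(flow: Flow) -> Flow:
    """The 5-tuple of a packet travelling in the opposite direction."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


def snat_rule(src_net: str, to_addr: str) -> dict:
    # iptables -t nat -A POSTROUTING -p tcp -s <src_net> -j SNAT --to <to_addr>
    return {"chain": "POSTROUTING",
            "match": lambda f: f[0] == "tcp" and ip_address(f[1]) in ip_network(src_net, strict=False),
            "rewrite": lambda f: (f[0], to_addr, f[2], f[3], f[4])}


def dnat_rule(dst_net: str, dport: int, to_addr: str, to_port: int) -> dict:
    # iptables -t nat -A PREROUTING -p tcp -d <dst_net> --dport <dport> -j DNAT --to <to_addr>:<to_port>
    return {"chain": "PREROUTING",
            "match": lambda f: (f[0] == "tcp" and f[4] == dport
                                and ip_address(f[3]) in ip_network(dst_net, strict=False)),
            "rewrite": lambda f: (f[0], f[1], f[2], to_addr, to_port)}


class NatBox:
    def __init__(self, rules: List[dict]):
        self.rules = rules
        self.conntrack: Dict[Flow, Flow] = {}   # original tuple -> translated tuple
        self.reverse: Dict[Flow, Flow] = {}     # reply as seen on the wire -> reply as delivered
        self.table_lookups = 0                  # how often the nat table itself was walked

    def handle(self, chain: str, flow: Flow) -> Flow:
        """Translate one packet passing through the given nat chain."""
        if flow in self.reverse:                # reply packet: undo the translation, no table walk
            return self.reverse[flow]
        if flow in self.conntrack:              # later packet of a known connection
            return self.conntrack[flow]
        self.table_lookups += 1                 # first packet of the connection: walk the nat table
        translated = flow
        for rule in self.rules:
            if rule["chain"] == chain and rule["match"](flow):
                translated = rule["rewrite"](flow)
                break
        self.conntrack[flow] = translated
        self.reverse[reply_of(translated)] = reply_of(flow)
        return translated


def page_rules() -> NatBox:
    """The page's SNAT and DNAT rules."""
    return NatBox([snat_rule("10.10.177.0/24", "10.10.188.232"),
                   dnat_rule("10.10.188.232/24", 80, "10.10.177.232", 80)])


if __name__ == "__main__":
    box = page_rules()
    # constructed: an internal client opens a connection to an outside web server
    out = ("tcp", "10.10.177.5", 40000, "198.51.100.7", 80)
    print(box.handle("POSTROUTING", out))              # source becomes 10.10.188.232
    print(box.handle("POSTROUTING", out))              # same answer, from conntrack
    print(box.handle("PREROUTING", reply_of(box.conntrack[out])))   # reply returns to 10.10.177.5
    # constructed: an outside client reaches the published address, forwarded to the real server
    inb = ("tcp", "203.0.113.9", 5000, "10.10.188.232", 80)
    print(box.handle("PREROUTING", inb))               # destination becomes 10.10.177.232:80
    print(box.handle("POSTROUTING", reply_of(box.conntrack[inb])))  # server reply re-sourced to 10.10.188.232
    print("nat table walked", box.table_lookups, "times for two connections")
```

Two points the model makes visible: the table is walked once per connection regardless of packet count, and the conntrack entry is consulted before the rules, so the DNAT'd server's reply (source 10.10.177.232, which the SNAT rule would also match) is reversed from the entry rather than treated as a new flow.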