The 10 most commonly used iptables rules
Source: Internet  Editor: 程序博客网  Time: 2024/05/29 12:52
1: The first rule is desktop-centric and does two things. First, it lets you work normally on your desktop: all network traffic going out of your machine is allowed out, while unsolicited TCP/IP traffic coming into your machine is simply dropped. That makes for a solid Linux desktop that does not need any incoming traffic. What if you want to allow specific traffic in, for example ssh for remote management? Then you add an iptables rule for that service and make sure it is placed before the rule that drops all incoming traffic: iptables walks a chain from top to bottom and the first matching rule decides the packet's fate, so an ACCEPT that sits after a catch-all DROP can never fire.
2: iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
Let's build on the first rule. To allow traffic to reach port 22 (secure shell), add this line. Understand that, on its own, it allows any host to open a connection to port 22, which is not the most secure setup. To tighten it, limit which machines may connect to port 22; iptables can do that as well. If you know the IP address of the source machine, add -s SOURCE_ADDRESS (where SOURCE_ADDRESS is the actual address of the source machine) before the --destination-port portion of the line. Note that --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, the first packet of a TCP handshake, so this rule governs only new connection attempts.
3: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This accepts every packet that belongs to an exchange that was already initiated and accepted, so those packets never have to run through the rest of the chain. ESTABLISHED and RELATED are arguments to the --state switch. ESTABLISHED means "any packet that belongs to an existing connection", and RELATED means "any packet that does not belong to an existing connection but is related to one" (an ICMP error about that connection, or the data connection of an FTP session, for example). The iptables "state machine" is built on the kernel's connection-tracking module (conntrack), which keeps a table of the connections it has seen; with that table, iptables knows which packets belong to connections that were already allowed, which spares the administrator from writing a rule for every return path. Because nearly every legitimate packet on a busy host is ESTABLISHED, this rule normally goes first in INPUT. (-m state is the older spelling; -m conntrack --ctstate ESTABLISHED,RELATED is the current equivalent.)

Here is how state works. When a local user initiates a connection, conntrack sees the outgoing packet in the OUTPUT hook and records a new entry for it (state NEW). When the reply comes back, conntrack looks it up in the PREROUTING hook, finds the entry and classifies the packet as ESTABLISHED. Connections initiated from outside are tracked the same way, except that their first packet is seen in PREROUTING. Once a packet is ESTABLISHED, the rule above lets it through.
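Rules 1 to 3 only work together because of first-match semantics and connection tracking, which are easy to state and easy to get wrong. The following is an added example written for this page (not code from the original article): a small first-match evaluator for an INPUT chain with a minimal conntrack table. It models only the matches those three rules use (-p tcp, --syn, --dport, -s, -m state); the addresses, the packet trace and the names Rule, Packet, Conntrack and run_input_chain are constructed for the illustration, and a catch-all "drop inbound SYNs" rule stands in for rule 1, whose command line this page does not show.

```python
"""Added example: toy first-match evaluator for an iptables INPUT chain with
a minimal connection-tracking table. Illustration only, not iptables code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str                           # ACCEPT or DROP
    proto: Optional[str] = None           # -p tcp
    syn: bool = False                     # --syn (SYN set, ACK/RST/FIN clear)
    dport: Optional[int] = None           # --dport / --destination-port
    src: Optional[str] = None             # -s SOURCE_ADDRESS
    states: FrozenSet[str] = frozenset()  # -m state --state ...


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a bare SYN (new connection attempt)
    outbound: bool = False   # True if generated locally (goes through OUTPUT)
    proto: str = "tcp"


Key = Tuple[str, str, int, str, int]


class Conntrack:
    """Tracks accepted flows by 5-tuple. A packet in either direction of a
    known flow is ESTABLISHED; anything else is NEW (RELATED not modelled)."""

    def __init__(self) -> None:
        self.flows: Set[Key] = set()

    def state(self, p: Packet) -> str:
        fwd: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


def matches(rule: Rule, p: Packet, state: str) -> bool:
    """Every specified match on the rule must hold, exactly as in iptables."""
    if rule.proto is not None and rule.proto != p.proto:
        return False
    if rule.syn and not p.syn:
        return False
    if rule.dport is not None and rule.dport != p.dport:
        return False
    if rule.src is not None and rule.src != p.src:
        return False
    if rule.states and state not in rule.states:
        return False
    return True


def run_input_chain(rules: List[Rule], packets: List[Packet],
                    policy: str = "ACCEPT") -> List[str]:
    """One verdict per packet. Outbound packets follow the article's untouched
    OUTPUT chain (default ACCEPT); inbound packets walk `rules` top to bottom,
    the first match decides, and the chain policy applies if nothing matches."""
    ct = Conntrack()
    verdicts: List[str] = []
    for p in packets:
        if p.outbound:
            verdict = "ACCEPT"
        else:
            st = ct.state(p)
            verdict = next((r.target for r in rules if matches(r, p, st)), policy)
        if verdict == "ACCEPT":
            ct.confirm(p)   # only accepted packets create or confirm a flow
        verdicts.append(verdict)
    return verdicts


ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})
ADMIN = "192.0.2.10"   # constructed: the one host allowed to reach ssh
HOST = "192.0.2.1"     # constructed: this machine

# Correct order: state rule, the ssh exception, then the catch-all drop
# (the catch-all stands in for rule 1, whose command line the page omits).
GOOD_ORDER = [
    Rule("ACCEPT", states=ESTABLISHED),
    Rule("ACCEPT", proto="tcp", syn=True, dport=22, src=ADMIN),
    Rule("DROP", proto="tcp", syn=True),
]
# Wrong order: the catch-all drop shadows the ssh exception, which never fires.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[1], GOOD_ORDER[0]]

PACKETS = [  # constructed trace
    Packet(ADMIN, 51000, HOST, 22, syn=True),                          # admin opens ssh
    Packet("198.51.100.7", 51001, HOST, 22, syn=True),                 # stranger tries ssh
    Packet(HOST, 40000, "203.0.113.5", 443, syn=True, outbound=True),  # we browse out
    Packet("203.0.113.5", 443, HOST, 40000),                           # the reply comes back
    Packet("198.51.100.7", 40001, HOST, 80),                           # stray ACK probe, no SYN
]

if __name__ == "__main__":
    print("good order       ", run_input_chain(GOOD_ORDER, PACKETS))
    print("bad order        ", run_input_chain(BAD_ORDER, PACKETS))
    print("good, policy DROP", run_input_chain(GOOD_ORDER, PACKETS, policy="DROP"))
```

With the good order the admin's ssh SYN is accepted, the stranger's is dropped, and the reply to our own outbound connection passes as ESTABLISHED; with the bad order the admin is locked out because the DROP is consulted first. The last packet shows a second point: a chain that only drops --syn leaves non-SYN probes to the chain policy, which is why the policy itself should be DROP (iptables -P INPUT DROP) rather than relying on the catch-all rule alone.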
4: iptables -N LOGDROP
This creates a handy chain that logs packets before dropping them. Of course, creating the chain is only part of the job. To complete it, add the following two rules: iptables -A LOGDROP -j LOG and iptables -A LOGDROP -j DROP (chain names are case-sensitive, and the jump flag is lowercase -j). Now any rule that ends in -j LOGDROP instead of -j DROP sends its matches to this chain, which logs them to the kernel log and then drops them. On a busy or attacked host, rate-limit the LOG rule, for example iptables -A LOGDROP -m limit --limit 5/minute -j LOG --log-prefix "iptables drop: ", so that a flood of dropped packets cannot fill the log.
5: iptables -t nat -A PREROUTING -i WLAN_INTERFACE -p tcp --dport PORTNUMBERS -j DNAT --to-destination DESTINATION_IP
When you need to route packets from external sources to specific ports on specific internal machines, this is what you want. The rule uses network address translation (destination NAT in the nat table's PREROUTING chain, so the rewrite happens before the routing decision) to deliver the packets properly. To suit your needs, change WLAN_INTERFACE to the interface that faces the external network, PORTNUMBERS to the port or port range being forwarded, and DESTINATION_IP to the IP address of the internal destination machine (append :port if the internal service listens on a different port). DNAT alone is not enough: the kernel must also be allowed to forward packets (sysctl net.ipv4.ip_forward=1) and the FORWARD chain of the filter table must accept the rewritten traffic, otherwise the packets are translated and then dropped.
6: iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT
This is the beginning of a SYN flood protection rule set for a mail server (change the port to suit the service you run). There are three more parts. First, add the same rule once for each port you have open, modifying the port each time. Next comes iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT, which is the actual SYN flood protection: the limit match is a token bucket that starts with 4 tokens, spends one per SYN it accepts and refills at one token per second. Finally, iptables -A INPUT -p tcp --syn -j DROP drops every SYN the bucket could not cover. Two caveats. Because iptables applies the first matching rule, a per-port ACCEPT placed before the limit rule exempts that port from limiting: as written, SYNs to port 25 are always accepted and only the remaining ports are limited. If the mail port is the one you want limited, put the limit rule before the per-port accepts, or add --dport 25 to it. And the bucket is shared by all sources, so during a flood legitimate clients are dropped together with the attacker; a per-source limit (-m hashlimit --hashlimit-mode srcip) or TCP SYN cookies (sysctl net.ipv4.tcp_syncookies=1) are the usual complements.
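To make the limit match concrete, here is an added example written for this page (not code from the original article) that models -m limit --limit 1/s --limit-burst 4 as the token bucket the iptables manual describes, and runs a constructed SYN trace through the article's accept-then-drop pair: a ten-packet burst from 203.0.113.9 followed by a legitimate client at 192.0.2.10. The addresses, timestamps and the names LimitMatch, syn_verdicts and accepted_by_source are assumptions made for the illustration.

```python
"""Added example: token-bucket model of `-m limit --limit 1/s --limit-burst 4`.
Illustration written for this page, not iptables code; the trace is constructed."""
from typing import Dict, List, Tuple


class LimitMatch:
    """Follows the documented semantics of the limit match: --limit-burst tokens
    are available up front, each accepted packet spends one, and tokens refill
    at --limit per second up to the burst ceiling."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        # Refill for the time elapsed since the previous packet, then try to spend.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_verdicts(events: List[Tuple[float, str]], rate: float = 1.0,
                 burst: int = 4) -> List[Tuple[str, str]]:
    """events: (seconds, source_ip) for inbound SYNs in arrival order.
    Applies the article's pair of rules: a SYN within the limit -> ACCEPT,
    everything else falls through to `-p tcp --syn -j DROP`."""
    bucket = LimitMatch(rate, burst)
    return [(src, "ACCEPT" if bucket.match(t) else "DROP") for t, src in events]


def accepted_by_source(events: List[Tuple[float, str]]) -> Dict[str, int]:
    """Count accepted SYNs per source, to show whom the shared bucket really hits."""
    counts: Dict[str, int] = {}
    for src, verdict in syn_verdicts(events):
        if verdict == "ACCEPT":
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed trace: 10 SYNs at t=0 from one flooder, then a legitimate client
# that retries at 0.25 s, 1 s and 3 s (dyadic times keep the arithmetic exact).
FLOODER, CLIENT = "203.0.113.9", "192.0.2.10"
EVENTS = [(0.0, FLOODER)] * 10 + [(0.25, CLIENT), (1.0, CLIENT), (3.0, CLIENT)]

if __name__ == "__main__":
    for src, verdict in syn_verdicts(EVENTS):
        print(f"{src:<14} {verdict}")
    print(accepted_by_source(EVENTS))
```

The flooder's first four SYNs drain the bucket and the other six are dropped; the legitimate client's SYN at 0.25 s is dropped too, because only a quarter of a token has been refilled, and it gets through only on its later retries. That collateral damage is the reason to prefer a per-source limit or SYN cookies for real flood protection.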
7: iptables -A INPUT -p tcp -m tcp -s MALICIOUS_ADDRESS -j DROP
This is where you take care of malicious source IP addresses (the -m tcp is redundant, since -p tcp loads the tcp match implicitly). For it to work properly, you must know the offending source IP address and be sure it is one you actually want to block. The biggest problem arises when the offending address has been spoofed: in that case you can end up blocking legitimate traffic from reaching your network. Do your research on the address before blocking it.
8: iptables -N port-scan
This is the beginning of a rule set to block furtive port scanning. A furtive port scan is one that detects closed ports in order to deduce the open ones. Two more lines are needed to complete the chain:

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP

Notice that the rule set creates a new chain called "port-scan". You do not have to name it that; it just keeps things organized. The --tcp-flags match takes two lists: the flags to examine (SYN,ACK,FIN,RST) and those that must be set among them (RST), so it matches bare RST segments only. Up to one per second, they RETURN to the calling chain; beyond that rate they are dropped. FIN, NULL and Xmas probes carry a different combination of these four flags and are not matched by this rule. A user-defined chain does nothing until something jumps to it, so from the chain that handles incoming traffic (called specific-rule-set here, with a syn-flood chain holding the limit rules from rule 6) hand off SYNs and bare RSTs like so:

iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
9: The ninth rule uses the multiport match (-m multiport with --dports), which lets one rule cover several ports. Using multiport lets you write a single rule instead of several: one rule saves you writing four separate ones, one each for ssh, smtp, http and https. Naturally, the same match works with ACCEPT, DROP or REJECT.
10: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80
If you are looking to load balance between multiple mirrored servers (in the example, a Web server at 192.168.1.10), this rule is what you want. At its heart is the nth extension, which tells iptables to act on every "nth" packet; in the example it uses counter 0 and acts on every 4th packet, starting with packet 0. DNAT is only valid in the nat table, so the rule needs -t nat. You can extend this to balance your mirrored sites. Say you have four mirrored servers and want to spread the load across them. You could have one line per server, like so:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 -j DNAT --to-destination 192.168.1.20:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 -j DNAT --to-destination 192.168.1.30:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 -j DNAT --to-destination 192.168.1.40:80

The server on .10 receives connection 0 of every four, the server on .20 connection 1, the server on .30 connection 2, and the server on .40 connection 3. Note that nth was a patch-o-matic extension and is not part of stock iptables; the in-tree equivalent is -m statistic --mode nth --every N --packet P. Its counter is kept per rule rather than shared, and a packet claimed by the first rule never reaches the second, so the stock version is written as --every 4 --packet 0 for .10, --every 3 --packet 0 for .20, --every 2 --packet 0 for .30, and an unconditional DNAT to .40 for whatever remains.