
Using iptables

Date: 2015-06-01 14:53:22

Tags: iptables

------------Hands-on-----------------

1  iptables -L -v lists the rules together with their counters (note the packet and byte counts for INPUT and OUTPUT)


2  iptables-save >/root/my.active.firewall.rules

   iptables-restore </root/my.active.firewall.rules

3  Delete a rule

-L (with --line-numbers) shows the current rule numbers

-D deletes the rule at a given number, or the rule matching a given specification:

iptables -D INPUT -s 192.168.1.1/24 -j DROP


4  Logging with iptables (the LOG target; see the --log-level example below)


5  Block ICMP packets

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP


6  Accept only certain ICMP types

The following only accepts a limited set of ICMP types:
### ** assumes the default INPUT policy is set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT


7  Allow a range of IP addresses to access Apache

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT


8  Optimization

Established Connections and Restarting the Firewall

When you restart the iptables service it will drop established connections, because it unloads the netfilter modules from the system under RHEL / Fedora / CentOS Linux. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows (the file is sourced as a shell script, so there must be no spaces around the "="):

IPTABLES_MODULES_UNLOAD="no"


Help! iptables is flooding my server's console

Use the crit log level to send messages to a log file instead of console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit



Note: if nothing shows up in /var/log/messages, try restarting the rsyslog service.


9  Block a Specific IP Address

Before we proceed further with other examples: if you want to block a specific IP address, do that first, as shown below. Change the "x.x.x.x" in the following example to the IP address you want to block.

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

This is helpful when you find strange activity from a specific IP address in your log files and want to block that address temporarily while you investigate further.


10  Allow Incoming HTTP and HTTPS

The following rules allow all incoming web traffic, i.e. HTTP traffic to port 80.

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

The following rules allow all incoming secure web traffic, i.e. HTTPS traffic to port 443.

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT



The following example allows all incoming SSH, HTTP and HTTPS traffic.

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

11  Allow Loopback Access

You should allow full loopback access on your servers, i.e. access using 127.0.0.1.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

12  Allow MySQL connections only from a specific network

If you are running MySQL, you typically don't want to allow direct connections from outside. In most cases you will have the web server running on the same host as the MySQL database. However, DBAs and developers may need to log in to MySQL directly from their laptops and desktops using a MySQL client. In that case you might want to allow your internal network to talk to MySQL directly, as shown below.

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

13  Prevent DoS attacks

The following iptables rule will help you prevent a Denial of Service (DoS) attack on your web server.

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

14


15

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
/sbin/iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p all -m state --state INVALID,NEW -j DROP
16  Insert a rule at a specific position

# First get the iptables list with the line numbers enabled
$ iptables -nL --line-numbers
# Look up the line number you want to use (the existing rule will shift down) and insert your rule
$ iptables -I INPUT {LINE_NUMBER} -i eth1 -p tcp --dport 21 -s 123.123.123.123 -j ACCEPT -m comment --comment "This rule is here for this reason"
# Afterwards I always save my rules to a file in /etc so I can reload them at the next reboot
$ iptables-save > /etc/iptables.local
# (To do this, add the following line to your /etc/rc.local file)
/sbin/iptables-restore < /etc/iptables.local
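Sections 2, 3, 15 and 16 all deal with the saved rule set: dumping it with iptables-save, reading rule numbers off `-L --line-numbers`, and inserting at a number so that the rules below shift down. The following Python script is an added example, not code from the original post: it parses iptables-save output (the constructed SAMPLE is the section-15 ruleset as iptables-save would dump it), reproduces the rule numbering, models `-I CHAIN n`, and runs a small audit over INPUT. The audit's `restricted_ports` list is an assumption of this example: MySQL because section 12 says it should be reachable only from a specific network, 139/445 because SMB/NetBIOS are treated here as internal-only services.

```python
"""Parse iptables-save output and audit the INPUT chain.

Added example, not the author's code. SAMPLE is a constructed dump of the
section-15 ruleset in iptables-save format.
"""
import shlex

SAMPLE = """\
# constructed sample, not a real dump
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p all -m state --state INVALID,NEW -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [argv, ...]}}}.

    "*table" opens a table, ":CHAIN POLICY [pkts:bytes]" declares a chain,
    "-A CHAIN ..." appends a rule (kept as its argv list), COMMIT ends the table.
    """
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table][chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            argv = shlex.split(line)  # shlex keeps quoted --comment values intact
            tables[table][argv[1]]["rules"].append(argv[2:])
    return tables


def opt(argv, flag):
    """Value that follows `flag` in a rule's argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def line_numbers(chain):
    """Rule numbers as `iptables -nL --line-numbers` prints them (1-based)."""
    return [(n, " ".join(r)) for n, r in enumerate(chain["rules"], start=1)]


def insert_rule(chain, number, argv):
    """Model `iptables -I CHAIN number ...`: the rule at `number` and below shift down."""
    chain["rules"].insert(number - 1, argv)
    return line_numbers(chain)


def audit_input(filter_table, restricted_ports=("3306", "139", "445")):
    """Findings a reviewer would raise about INPUT (heuristic, not exhaustive).

    restricted_ports is this example's assumption: services that should not be
    accepted from any source without a -s restriction.
    """
    chain = filter_table["INPUT"]
    findings = []
    if chain["policy"] != "DROP":
        findings.append("INPUT policy is %s, not DROP" % chain["policy"])
    if not any(opt(r, "-i") == "lo" and opt(r, "-j") == "ACCEPT" for r in chain["rules"]):
        findings.append("no rule accepting loopback traffic")
    for n, r in enumerate(chain["rules"], start=1):
        port = opt(r, "--dport")
        if port in restricted_ports and opt(r, "-j") == "ACCEPT" and opt(r, "-s") is None:
            findings.append("rule %d accepts port %s from any source" % (n, port))
    return findings


if __name__ == "__main__":
    filt = parse_iptables_save(SAMPLE)["filter"]
    for n, rule in line_numbers(filt["INPUT"]):
        print(n, rule)
    for finding in audit_input(filt):
        print("finding:", finding)
```

Run it against a real dump with `iptables-save | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`; on the section-15 ruleset it flags rules 6, 7 and 10 (ports 3306, 139 and 445 open to every source), which is exactly the gap section 12's `-s 192.168.100.0/24` restriction closes.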

16  iptables -I INPUT -p icmp --icmp-type ping -m limit --limit 3/s -j DROP

17  Replace a rule
iptables -R INPUT 1  -p icmp --icmp-type ping -m limit --limit 10/s -j DROP
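Sections 13, 16 and 17 all rely on the `limit` match, and its behaviour is easy to misread: the match fires for packets that are *within* the rate budget, and the packets beyond it simply fall through to the next rule or the chain policy. So section 13's `-j ACCEPT` only limits anything if INPUT's policy (or a later rule) drops, while sections 16 and 17 pair the match with `-j DROP`, which drops the pings within the budget and lets the excess through. The following Python script is an added example, not code from the original post: it models xt_limit as a token bucket (bucket starts full with `--limit-burst` tokens, refills at `--limit`, one token per matching packet; this is an approximation of the kernel's credit scheme, not its exact arithmetic) and replays constructed arrival times through both rules.

```python
"""Token-bucket model of the iptables `limit` match.

Added example, not the author's code. Approximates xt_limit: the bucket starts
full with `burst` tokens, refills at `rate_per_sec`, and the match fires only
while a token is available. Arrival times are constructed inputs, in seconds.
"""


def limit_match(arrivals, rate_per_sec, burst):
    """One bool per packet: True when `-m limit` matches, False when it falls through."""
    tokens = float(burst)
    last = arrivals[0] if arrivals else 0.0
    verdicts = []
    for t in arrivals:
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def web_dos_rule(arrivals):
    """Section 13: `--limit 25/minute --limit-burst 100 -j ACCEPT` on port 80.

    Returns (accepted by this rule, fell through to later rules / chain policy).
    Only a DROP policy or a later DROP rule turns the second number into a limit.
    """
    verdicts = limit_match(arrivals, 25 / 60.0, 100)
    return verdicts.count(True), verdicts.count(False)


def ping_drop_rule(arrivals):
    """Section 16: `--limit 3/s -j DROP` (iptables' default --limit-burst is 5).

    Returns (dropped by this rule, passed on). Because the target is DROP, it is
    the pings *within* the budget that are dropped and the excess that passes.
    """
    verdicts = limit_match(arrivals, 3.0, 5)
    return verdicts.count(True), verdicts.count(False)


if __name__ == "__main__":
    flood = [i / 200.0 for i in range(200)]        # 200 HTTP packets within one second
    trickle = [60.0 * k for k in range(1, 11)]     # then one packet per minute for ten minutes
    print("web rule, flood:", web_dos_rule(flood))                      # (100, 100)
    print("web rule, flood + trickle:", web_dos_rule(flood + trickle))  # (110, 100)
    pings = [i / 100.0 for i in range(10)]          # 10 pings within 0.1 s
    print("ping rule:", ping_drop_rule(pings))      # (5, 5)
```

With the section-15 ruleset (INPUT policy DROP) the 100 fall-through packets of the flood are dropped, which is the intended effect; with a default ACCEPT policy they are all delivered and the rule changes nothing. For the ping rule the numbers show the inversion: 5 pings dropped, 5 passed, the opposite of a rate limit, which is why a limit rule is normally written with ACCEPT followed by an unconditional DROP for the same traffic.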





Original source: http://1074963.blog.51cto.com/1064963/1657065
