This is the 8th day of my participation in Gwen Challenge

iptables is the firewall tool on Linux; what it actually does is configure the Netfilter kernel module. Netfilter is the packet-processing framework inside the Linux kernel.
  • Netfilter functions
    • Network address translation
    • Packet content modification
    • Packet-filtering firewall

Differences between iptables and firewalld
1. iptables allows services and packets by default; you add specific rules to block access to certain packets.
2. firewalld denies all packets by default; a packet is only let through when it matches an allow rule.
3. firewalld manages security with the concept of zones, dividing the network into many zones, while iptables has no zones and sets rules directly.

Iptables security rules

4 tables
  • filter table: the default table, used to filter packets
  • nat table: used for network address translation (IP address, port)
  • mangle table: used to modify the service type and TTL of packets and to mark them for routing/QoS
  • raw table: used to decide whether a packet goes through the connection (state) tracking mechanism
5 chains
  • INPUT chain: packets destined for this host apply the rules in this chain
  • OUTPUT chain: packets leaving this host apply the rules in this chain
  • FORWARD chain: packets forwarded through this host apply the rules in this chain
  • PREROUTING chain: the rules in this chain apply before a packet is routed
  • POSTROUTING chain: the rules in this chain apply after a packet is routed
Common parameter options
  • -A appends one or more rules to the specified chain
  • -D deletes one or more rules from the specified chain
  • -N creates a user-defined chain
  • -F flushes (clears) the rules in the specified chain, or in all chains, usually when initializing a table
  • -X deletes the specified user-defined chain (the chain must be empty first)
  • -p matches packets of a given protocol, such as tcp, udp or icmp
  • -s matches the source address, given as IP address[/mask]
  • -d matches the destination address, given as IP address[/mask]
  • -i matches the network interface the packet arrives on; needed when the host has several network adapters
Clear all rules (the filter table has three built-in chains: INPUT, OUTPUT and FORWARD):

```shell
iptables -F
```
Common cases

```shell
# Always allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow TCP from the local network, if one is configured
if [ "$LOCAL_NET" ]; then
    iptables -A INPUT -p tcp -s $LOCAL_NET -j ACCEPT
fi

# Allow list: hosts that may always connect over TCP
ALLOW_HOSTS=(
    # "xxx.xxx.xxx.xxx"
    # "xxx.xxx.xxx.xxx"
)
if [ "${ALLOW_HOSTS}" ]; then
    for allow_host in ${ALLOW_HOSTS[@]}
    do
        iptables -A INPUT -p tcp -s $allow_host -j ACCEPT
    done
fi
```
```shell
# Drop list: hosts that are logged (at most once per second) and dropped
DENY_HOSTS=(
    # "xxx.xxx.xxx.xxx"
    # "xxx.xxx.xxx.xxx"
)
if [ "${DENY_HOSTS}" ]; then
    for deny_host in ${DENY_HOSTS[@]}
    do
        iptables -A INPUT -s $deny_host -m limit --limit 1/s -j LOG --log-prefix "deny_host: "
        iptables -A INPUT -s $deny_host -j DROP
    done
fi
```
```shell
# SYN flood protection: rate-limit TCP SYN packets per source address
#   --hashlimit 200/s                : at most 200 new connections per second
#   --hashlimit-burst 3              : limiting kicks in once the limit is exceeded three times in a row
#   --hashlimit-htable-expire 300000 : expiry of entries in the hash table (unit: ms)
#   --hashlimit-mode srcip           : count requests per source address
#   --hashlimit-name t_SYN_FLOOD     : hash table name, stored under /proc/net/ipt_hashlimit
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -p tcp --syn \
    -m hashlimit \
    --hashlimit 200/s \
    --hashlimit-burst 3 \
    --hashlimit-htable-expire 300000 \
    --hashlimit-mode srcip \
    --hashlimit-name t_SYN_FLOOD \
    -j RETURN
iptables -A SYN_FLOOD -j LOG --log-prefix "syn_flood_attack: "
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
```
```shell
# Ping flood protection: rate-limit ICMP echo requests per source address
iptables -N PING_OF_DEATH
iptables -A PING_OF_DEATH -p icmp --icmp-type echo-request \
    -m hashlimit \
    --hashlimit 1/s \
    --hashlimit-burst 10 \
    --hashlimit-htable-expire 300000 \
    --hashlimit-mode srcip \
    --hashlimit-name t_PING_OF_DEATH \
    -j RETURN
iptables -A PING_OF_DEATH -j LOG --log-prefix "ping_of_death_attack: "
iptables -A PING_OF_DEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j PING_OF_DEATH
```
The HTTP rule is still a layer-4 policy based on TCP: it does not look at layer-7 state such as cookies or sessions. It simply rate-limits TCP connections per source address to the specific HTTP service ports, so the connection frequency is limited.

```shell
# $HTTP holds the HTTP port list, e.g. HTTP=80,443 (defined earlier in the full script)
iptables -N HTTP_DOS
iptables -A HTTP_DOS -p tcp -m multiport --dports $HTTP \
    -m hashlimit \
    --hashlimit 1/s \
    --hashlimit-burst 100 \
    --hashlimit-htable-expire 300000 \
    --hashlimit-mode srcip \
    --hashlimit-name t_HTTP_DOS \
    -j RETURN
iptables -A HTTP_DOS -j LOG --log-prefix "http_dos_attack: "
iptables -A HTTP_DOS -j DROP
iptables -A INPUT -p tcp -m multiport --dports $HTTP -j HTTP_DOS
```
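The SYN_FLOOD, PING_OF_DEATH and HTTP_DOS chains above all follow one pattern: create a chain, RETURN traffic that stays under a per-source hashlimit, LOG and DROP the rest, then jump to the chain from INPUT. As an added example (not part of the original post), this helper generates that pattern for any match expression so the chains stay consistent, and it also rate-limits the LOG rule the way the DENY_HOSTS block does; the `IPT="echo iptables"` dry-run default and the `mk_limit_chain`/`rules_for` names are constructed here.

```shell
#!/bin/sh
# Added example: emit the "RETURN under limit / LOG / DROP" protection chain.
# IPT defaults to "echo iptables" so the output can be reviewed without root;
# run with IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# mk_limit_chain CHAIN RATE BURST MATCH...
#   CHAIN : name of the user-defined chain, e.g. SYN_FLOOD
#   RATE  : hashlimit rate such as 200/s
#   BURST : hashlimit burst
#   MATCH : iptables match for the traffic class, e.g. -p tcp --syn
mk_limit_chain() {
    chain=$1; rate=$2; burst=$3; shift 3
    # The chain must exist before anything is appended to it.
    $IPT -N "$chain"
    # Under the per-source limit: leave the chain and continue in INPUT.
    $IPT -A "$chain" "$@" \
        -m hashlimit \
        --hashlimit "$rate" \
        --hashlimit-burst "$burst" \
        --hashlimit-htable-expire 300000 \
        --hashlimit-mode srcip \
        --hashlimit-name "t_$chain" \
        -j RETURN
    # Over the limit: log (itself limited, so the log cannot be flooded) and drop.
    $IPT -A "$chain" -m limit --limit 1/s -j LOG --log-prefix "${chain}: "
    $IPT -A "$chain" -j DROP
    # Hook the chain into INPUT for the same traffic class.
    $IPT -A INPUT "$@" -j "$chain"
}

# rules_for CHAIN RATE BURST MATCH... : number of iptables commands the pattern emits
rules_for() { mk_limit_chain "$@" | grep -c '^iptables '; }

# Constructed usage mirroring the three chains in the post (dry run by default).
mk_limit_chain SYN_FLOOD     200/s 3   -p tcp --syn
mk_limit_chain PING_OF_DEATH 1/s   10  -p icmp --icmp-type echo-request
mk_limit_chain HTTP_DOS      1/s   100 -p tcp -m multiport --dports 80,443
```

In dry-run mode each emitted line can be diffed against `iptables-save` output before the rules are applied.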
```shell
# Allow HTTP from anywhere ($HTTP holds the port list, e.g. 80,443)
iptables -A INPUT -p tcp -m multiport --dports $HTTP -j ACCEPT

# Services reachable only from a restricted local network
# ($SSH, $FTP and $MYSQL hold the port lists, defined earlier in the full script)
LIMITED_LOCAL_NET="xxx.xxx.xxx.xxx/xx"
if [ "$LIMITED_LOCAL_NET" ]
then
    # SSH
    iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $SSH -j ACCEPT   # LIMITED_LOCAL_NET -> SELF
    # FTP
    iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $FTP -j ACCEPT   # LIMITED_LOCAL_NET -> SELF
    # MySQL
    iptables -A INPUT -p tcp -s $LIMITED_LOCAL_NET -m multiport --dports $MYSQL -j ACCEPT # LIMITED_LOCAL_NET -> SELF
fi

# Zabbix agent port, reachable only from the Zabbix server
ZABBIX_IP="xxx.xxx.xxx.xxx"
if [ "$ZABBIX_IP" ]
then
    iptables -A INPUT -p tcp -s $ZABBIX_IP --dport 10050 -j ACCEPT
fi
```