1. Reject all hosts to ping the current host
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
2. This machine can access the HTTP service of other machines, but other machines cannot access this machine
iptables -A INPUT -p tcp --syn --dport 80 -j REJECT
3. When we find that there is a malicious ip ***, we can control it by setting rules on the firewall. So we can add the connlimit module to achieve maximum concurrency control. Please write the steps
# 限制每IP所能够发起并发连接数为8
iptables -A INPUT -m connlimit --connlimit-above 8 -j REJECT
4. Practice questions
Hosts on the Internet:
[root@centos6 ~]$hostname -I
192.168.1.128
[root@centos6 ~]$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.1.129 0.0.0.0 UG 0 0 0 eth0
Firewall:
[root@centos8 ~]$hostname -I
10.0.0.8 192.168.1.129
[root@centos8 ~]$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
[root@centos8 ~]$cat /proc/sys/net/ipv4/ip_forward
1
LAN server:
[root@centos7 ~]$hostname -I
10.0.0.18
[root@centos7 ~]$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.8 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0