prologue
The origin of iptables, how a firewall works and so on will not be repeated here. These notes mainly record the iptables commands, parameters and practical uses that come up in day-to-day operations and maintenance.
Chain management commands
iptables -F: flush the rules of every chain in the default table (filter)
iptables -X: delete the user-defined chains in the default table (filter)
iptables -P: set the default policy of a chain
iptables -Z: zero the packet and byte counters of the chain and of the rules in it
iptables -N: create a new user-defined chain
iptables -L -n: list the rules (-n prints addresses and ports numerically, without DNS lookups)
Chain rule management commands
-A: Append, add a new rule at the end of the given chain
-I num: Insert, insert the rule at position num of the chain
-I 3: insert as the third rule
-o: specifies the network interface the packet leaves through. Usually used with the OUTPUT chain
-p: specifies the protocol the rule applies to
Commonly tcp, udp, icmp, all
-s: specifies the source IP or network; can be a whole segment or a single IP
e.g. 192.168.31.0/24 or 192.168.31.2
Putting ! in front of a match negates it (current iptables expects the ! before the option, i.e. ! -s). For example:
iptables -A INPUT -i eth0 -p tcp --dport 80 -s 192.168.31.0/24 -j ACCEPT
This allows machines in the 192.168.31.0/24 segment to reach port 80 on this host through eth0
iptables -A INPUT -i eth0 -p tcp --dport 80 ! -s 192.168.31.0/24 -j ACCEPT
With the ! the source match is negated, so this rule no longer allows that segment: it accepts every other source, and packets from 192.168.31.0/24 fall through to the remaining rules and the chain's default policy
-d: like -s, but matches the destination address
-j: the action (target) to apply
Mainly ACCEPT, DROP, REJECT, REDIRECT
-i: specifies the network interface the packet arrives on
e.g. eth0, lo. Usually used with the INPUT chain
-m: specifies the match extension module to use
e.g. multiport (multi-port extension)
state (connection state tracking)
limit (rate limiting)
mac (interface hardware address)
etc.
-R num: Replace, replace/modify the rule with the given number
Format: iptables -R 3 …………
-D num: Delete, delete the rule with the given number
Setting the default policy
-P specifies the policy of a chain
-t specifies the table
e.g. allow all outgoing traffic:
iptables -P OUTPUT ACCEPT (without -t, the filter table is assumed)
--sport and --dport
--sport restricts the source port number
A TCP connection is established between two ports.
So the source port is the port on the client's side when someone accesses your service.
--dport is the exact opposite: it is the port your service listens on. So we mostly use --dport
Connection state matching
-m state --state <state>
There are several states:
- INVALID: invalid packets, e.g. packets whose data is damaged or that belong to no known connection
- ESTABLISHED: packets belonging to a connection that has already been established;
- NEW: packets that want to open a new connection;
- RELATED: the packet is related to a connection this host already has, e.g. a response packet or a data-transfer packet that follows a successful connection. This state is set very often, because once it is in place the packets related to connections started by this host can still enter even when we have written no INPUT rule for them, which greatly simplifies the rule set.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Generally, when we need to set up some temporary rules, we put these three lines at the beginning
The effect:
Existing incoming connections are not affected, and there is no need to worry about opening up previously denied ports
Outgoing data is not affected
Local loopback (lo) traffic is not affected (access to 127.0.0.1)
Commonly used rule configurations:
Allow the 192.168.31.0/24 segment to access port 80
iptables -A INPUT -p tcp --dport 80 -s 192.168.31.0/24 -j ACCEPT
Not allowed:
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.31.0/24 -j ACCEPT
or
iptables -A INPUT -p tcp --dport 80 -s 192.168.31.0/24 -j DROP
Only allow the machine with MAC address aa:bb:cc:dd:ee:ff to access the local ssh port
iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -p tcp --dport 22 -j ACCEPT
Redirect port 80 to port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Rate limit on port 443, at most 150 packets per second (anti-DDoS). Note that this rule only ACCEPTs up to the limit; packets above it are left to the following rules and the chain policy, so it needs a DROP rule after it (or an INPUT policy of DROP) to actually limit anything
iptables -A INPUT -i eth0 -p tcp --dport 443 -m limit --limit 150/s --limit-burst 150 -j ACCEPT
SYN flood
iptables -N syn-flood (create a new chain)
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 2/s --limit-burst 50 -j RETURN
iptables -A syn-flood -j DROP
Limit a single IP to at most 50 concurrent connections
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
Restrict access to port 22 of this machine: each IP may open at most 5 new connections per hour; once that is exceeded, the count starts again after 1 hour
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --rcheck --seconds 3600 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --set -j ACCEPT
(The recent rules above only work when the chain's default policy is DROP. With a default ACCEPT policy, the --set rule must come first and without -j ACCEPT, so that it only records the source and falls through to the --rcheck DROP rule)
Mitigating a CC (HTTP flood) attack
tcpdump -tnn dst port 80 -c 100 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n -r |head -20
Find the IPs sending the most packets
iptables -I INPUT -s ip -j REJECT
Block it (replace ip with the address found above)