Common iptables use cases at work

Copyright: https://blog.csdn.net/zhydream77/article/details/89180922

What role does iptables play in the enterprise?

What people call the "Linux firewall" is really Netfilter/iptables in the Linux kernel, and iptables is still very widely used in enterprises. Where exactly?

1) Many small and medium-sized enterprises and Internet companies use iptables as a NAT router, in place of the traditional hardware router that gives internal staff Internet access.

2) In an IDC (server room), iptables on a host can stand in for a hardware firewall as a protective measure. A hardware firewall is a large investment, so few server rooms deploy one. (The original author cites a privately run Henan IDC with a self-built BGP room in Zhengzhou that deployed four "proud shield" DDoS firewall appliances as a cluster.)

3) iptables combined with squid can serve as a transparent proxy for the internal network (outbound web traffic is REDIRECTed to the proxy port from the nat table, so clients need no configuration).

4) When iptables acts as the NAT router for a business, its extension modules (the string match, for example) can be used to block P2P traffic and to forbid particular web pages.

5) iptables can also map external (public) IP addresses to internal ones. Suppose an ISP provides Internet access to a business park and, for ease of management, assigns every user an internal (private) IP address, but some users need to run their own web servers and publish information. We can bind several additional valid public IP addresses to the external interface of the firewall and use DNAT to map each public address to a user's internal web server, so the internal server can serve the outside world.

6) iptables can mitigate lightweight DoS attacks. For ping floods and SYN floods, rate-limiting policies in iptables are still quite effective; they do not help against a volumetric attack that saturates the uplink, since those packets are dropped only after they have already consumed the bandwidth.

 

Specific cases:

Block a specified IP address

Example: drop all packets from IP address x.x.x.x

  iptables -A INPUT -s x.x.x.x -j DROP

Note: when the logs show suspicious entries from some IP address, this command temporarily blocks that address while you investigate further. Because -A appends, the rule only takes effect if no earlier rule already ACCEPTs that traffic; use "iptables -I INPUT 1 -s x.x.x.x -j DROP" to put it at the top of the chain.

Example: drop packets from x.x.x.x arriving on eth0, or only its TCP packets

  # all protocols, but only on interface eth0
  iptables -A INPUT -i eth0 -s x.x.x.x -j DROP
  # TCP only
  iptables -A INPUT -i eth0 -p tcp -s x.x.x.x -j DROP

Allow all SSH connection requests

Example: allow all SSH connection requests from outside, i.e. TCP packets entering on interface eth0 with destination port 22; the OUTPUT rule lets the replies back out when the OUTPUT policy is DROP

  # inbound: new SSH connections and the rest of their packets
  iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  # outbound: only packets belonging to an SSH session that already exists
  iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

These ACCEPT rules only restrict anything if the chain's default policy is DROP (iptables -P INPUT DROP) or a later rule drops the rest; with the default ACCEPT policy they change nothing. On current systems -m conntrack --ctstate is the preferred form; -m state is kept as a compatibility alias and behaves the same.

Combining multiple ports into one rule with multiport

To allow connections from outside to several ports, instead of writing a separate rule per port we can combine them into one rule with the multiport match. Example: allow all ssh, http and https traffic

  iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Load balancing incoming traffic

iptables can also spread incoming web traffic over several backends: a rule in the nat table DNATs each new connection to a different server in turn. Example: use the nth match to balance incoming HTTPS across three IP addresses. Two caveats: DNAT is only valid in the nat table, so -t nat is required; and the nth match comes from the old patch-o-matic extension patches and is not part of stock iptables. The in-tree equivalent is -m statistic --mode nth, which keeps a separate counter per rule and has no --counter option, so the rules cannot be transcribed one-for-one with offsets 0, 1 and 2; with per-rule counters the split has to be one third of everything, then one half of what remains, then the rest.

  # shared counter 0: packet 0, 1 and 2 of every three new connections go to a different backend
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

The backends must send their replies back through this machine (it is their default gateway, or the rule is paired with SNAT) so the reverse translation can happen, and the FORWARD chain must permit the traffic.
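The same load balancer written against the in-tree statistic match, as an added example that is not code from the original post. Interface eth0 and the backends 192.168.1.101 to 192.168.1.103 are the page's values; IPT defaulting to "echo iptables", so the rules are printed for review instead of applied, is an assumption for dry runs. Because statistic counts per rule, the script also models the counters for nine new connections, and for comparison models a literal 0/1/2 transcription of the nth rules, in which three of the first nine connections reach no DNAT rule at all.

```shell
#!/bin/sh
# Added example, not code from the original post: round-robin DNAT with the in-tree
# "statistic" match instead of the out-of-tree "nth" match. eth0 and the backends
# 192.168.1.101-103 are the page's values. Assumption: IPT defaults to "echo iptables"
# so the rules are printed for review; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

lb_rules() {
    # statistic keeps one counter per rule, so the split is 1/3 of everything,
    # then 1/2 of what rule 1 did not take, then all that remains
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW \
        -j DNAT --to-destination 192.168.1.103:443
    # the rewritten connections still need the FORWARD chain to let them through,
    # and the backends must route replies back via this box for the reverse NAT
    $IPT -A FORWARD -i eth0 -p tcp -d 192.168.1.0/24 --dport 443 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -o eth0 -p tcp -s 192.168.1.0/24 --sport 443 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# simulate_rr N: model the per-rule counters of lb_rules for N new connections and
# print which backend (101/102/103) each one is DNATed to
simulate_rr() {
    n=$1; c1=0; c2=0; out=""; i=1
    while [ "$i" -le "$n" ]; do
        if [ "$c1" -eq 0 ]; then
            out="${out:+$out }101"
        elif [ "$c2" -eq 0 ]; then
            out="${out:+$out }102"
        else
            out="${out:+$out }103"
        fi
        # rule 1 counts every packet; rule 2 counts only what rule 1 passed on
        if [ "$c1" -ne 0 ]; then c2=$(( (c2 + 1) % 2 )); fi
        c1=$(( (c1 + 1) % 3 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# simulate_naive N: the same model for a literal transcription of the nth rules
# onto statistic (every 3, packets 0/1/2); "-" marks a connection no rule DNATs
simulate_naive() {
    n=$1; c1=0; c2=0; c3=0; out=""; i=1
    while [ "$i" -le "$n" ]; do
        if [ "$c1" -eq 0 ]; then
            out="${out:+$out }101"
        elif [ "$c2" -eq 1 ]; then
            out="${out:+$out }102"
        elif [ "$c3" -eq 2 ]; then
            out="${out:+$out }103"
        else
            out="${out:+$out }-"
        fi
        # advance the counter of every rule the packet reached, last rule first
        if [ "$c1" -ne 0 ] && [ "$c2" -ne 1 ]; then c3=$(( (c3 + 1) % 3 )); fi
        if [ "$c1" -ne 0 ]; then c2=$(( (c2 + 1) % 3 )); fi
        c1=$(( (c1 + 1) % 3 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

lb_rules
echo "# statistic split over 9 connections:   $(simulate_rr 9)"
echo "# literal nth transcription over 9:     $(simulate_naive 9)"
```

With the default IPT the script prints the five rules followed by the two model runs; the statistic version cycles 101, 102, 103 evenly, while the literal transcription leaves connections with no DNAT rule, which then hit the balancer's own INPUT chain instead of a backend. The script only models the first packet of each connection because the nat table is consulted once per connection; later packets follow the conntrack entry.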

Allow external hosts to ping this host

  # accept incoming echo requests and let our echo replies out
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow this host to ping external hosts

  # let our echo requests out and accept the replies to them
  iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

These are INPUT and OUTPUT rules, so they govern pings to and from the firewall itself; pings through it to hosts behind it pass the FORWARD chain instead. Adding -m limit to the echo-request rule, as in the DoS section below, keeps a ping flood from consuming CPU on replies.

 

Allow MySQL connections only from a designated network

In many cases the MySQL database and the web service run on the same server. Sometimes we only want DBAs and database developers to log in directly, from the internal network (192.168.100.0/24):

  # new and existing connections to 3306, but only from the internal network
  iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

As with SSH, this only restricts access when the INPUT policy is DROP or a later rule drops other port-3306 traffic; with an ACCEPT policy anyone can still connect.

Mitigate DoS attacks

Rate-limit new HTTP connections. Matching on --syn (the packet that opens a connection) rather than on every port-80 packet keeps the limit from throttling established HTTP traffic, and the DROP rule that follows is what makes the limit bite; a limited ACCEPT on its own, with an ACCEPT policy, blocks nothing.

  # admit new HTTP connections at 25 per minute, with an initial allowance of 100
  iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  # everything over the limit is dropped
  iptables -A INPUT -p tcp --dport 80 --syn -j DROP

In the example above:
-m limit: enable the limit extension
--limit 25/minute: the steady-state rate, at most 25 new connections per minute (change to suit)
--limit-burst 100: the size of the token bucket. The first 100 SYNs to arrive are accepted immediately; once the bucket is empty it refills at the --limit rate (one token every 2.4 seconds here), so the 25/minute cap only applies after the burst allowance has been used up.

Port forwarding

Example: forward all traffic that arrives on port 422 to port 22, so SSH is reachable through port 422 as well as through port 22. This is done with DNAT in the nat table (--to is short for --to-destination):

  iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

The INPUT chain also has to admit these connections. DNAT in PREROUTING runs before the filter INPUT chain, so INPUT sees the translated destination port 22, not 422: the port-22 rule from the SSH section admits them, and a plain --dport 422 rule in the filter table never matches. To write rules that single out the forwarded connections, match on the pre-NAT port through conntrack:

  # --ctorigdstport is the destination port in the original direction, i.e. 422 before DNAT
  iptables -A INPUT -i eth0 -p tcp -m conntrack --ctorigdstport 422 --ctstate NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o eth0 -p tcp -m conntrack --ctorigdstport 422 --ctstate ESTABLISHED -j ACCEPT
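A complete host-firewall script that combines the cases above, added here as an example rather than the original post's code. It orders the rules so that each one is effective under a DROP default policy (the blocklist before any ACCEPT, the SYN limiter before the multiport ACCEPT, one ESTABLISHED,RELATED rule in place of the per-service OUTPUT rules) and uses the conntrack match. The host address 192.168.102.37, the admin network 192.168.100.0/24 and eth0 are taken from the page; 203.0.113.7 is a constructed blocklist entry from a documentation range, and IPT defaulting to "echo iptables", so the script prints rather than applies, is an assumption for dry runs.

```shell
#!/bin/sh
# Added example, not code from the original post: the cases above combined into one
# host firewall with a DROP default policy, in an order that makes each rule effective.
# Page values: host 192.168.102.37 on eth0, admin network 192.168.100.0/24.
# Assumptions: 203.0.113.7 is a constructed blocklist entry (documentation range),
# and IPT defaults to "echo iptables" so the script prints instead of applying;
# run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0
HOST_IP=192.168.102.37
ADMIN_NET=192.168.100.0/24
BLOCKLIST="203.0.113.7"

host_rules() {
    # start clean; drop inbound and forwarded traffic by default, allow outbound
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # loopback and tracked connections first: one ESTABLISHED,RELATED rule replaces
    # the per-service ESTABLISHED rules; RELATED also admits ICMP errors for our flows
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # blocked sources before any ACCEPT, otherwise a later rule lets them in
    for ip in $BLOCKLIST; do
        $IPT -A INPUT -i "$WAN_IF" -s "$ip" -j DROP
    done

    # answer pings, but not a flood of them
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # port 422 is an alias for SSH: DNAT runs before INPUT, so INPUT then sees port 22
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$HOST_IP" --dport 422 \
        -j DNAT --to-destination "$HOST_IP:22"

    # rate-limit NEW HTTP connections (SYNs); the DROP has to follow the limited ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn \
        -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 --syn -j DROP

    # public services; port 80 only gets here once it has passed the limiter above
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 22,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # MySQL only from the admin network
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 3306 \
        -m conntrack --ctstate NEW -j ACCEPT

    # log what is about to hit the DROP policy, rate-limited so a scan cannot flood syslog
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "IPT-DROP: "
}

# rule_position PATTERN: 1-based position of the first INPUT rule matching PATTERN,
# so the ordering can be checked in a dry run before applying anything
rule_position() {
    host_rules | grep -- '-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

host_rules
```

Apply it from the console, or with a safety net such as a scheduled iptables -F a few minutes later, the first time you run it: with a DROP policy a single mistake in the SSH rules locks you out. In a dry run, rule_position lets you confirm that the blocklist and the SYN limiter sit above the multiport ACCEPT, which is the ordering the individual cases above rely on.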

 

 

 

 

 

 
