Exercise 1
Exercise: the default policy for INPUT and OUTPUT is DROP;
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp -s 192.168.179.137 -m state --state ESTABLISHED,RELATED -j ACCEPT
- Restrict the local web server: no access on Mondays; the rate of new requests must not exceed 100 per second; pages containing the string "admin" must not be accessed; only response packets of the web server may leave the host;
iptables -N web
iptables -A web -m time --weekdays Mon -j DROP
iptables -A web -m string --algo bm --string 'admin' -j DROP
iptables -A web -m limit --limit 100/second -j ACCEPT
iptables -A web -j RETURN
iptables -A INPUT -p tcp --dport 80 -j web
- During working hours, i.e. Monday to Friday 08:30-18:00, open the local FTP service to hosts in the 16.0.0 network; data download requests must not exceed 5 per minute;
iptables -A INPUT -p tcp -s 192.168.179.0/24 --dport 21 -m connlimit ! --connlimit-above 5 -m time --timestart 08:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -m state --state NEW -j ACCEPT
The matching kernel modules must be loaded:
modprobe nf_conntrack
modprobe nf_conntrack_ftp
- Open the local SSH service to hosts in 172.16.x.1-172.16.x.100 (x is your student number); new connections must not be established at a rate above 2 per minute; only response packets may leave the host through the service port;
iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 172.16.7.1-172.16.7.100 -m connlimit ! --connlimit-above 2 -j ACCEPT
- Reject packets whose TCP flags are all 1 or all 0;
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
- Allow this host to ping other hosts, but do not let other hosts ping this host;
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -R OUTPUT 1 -p tcp -s 192.168.179.137 -m state --state ESTABLISHED,RELATED -j ACCEPT
Exercise: explain the meaning of the following rules:
# iptables -N clean_in
Create a custom chain named clean_in
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
Drop ICMP sent to the limited broadcast address 255.255.255.255
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
Drop ICMP sent to the 172.16 network broadcast address
# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
Drop invalid connection requests (packets that start a new connection without the SYN flag)
# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
Drop packets with all TCP flags set to 1
# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
Drop packets with all TCP flags set to 0
# iptables -A clean_in -d 172.16.100.7 -j RETURN
If none of the rules above matched a packet destined for 172.16.100.7, return to the calling chain
# iptables -A INPUT -d 172.16.100.7 -j clean_in
Process traffic destined for 172.16.100.7 with the clean_in chain
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
Allow all traffic on the local loopback interface
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP
# iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
Deny access to the local DNS and Samba services
# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
Deny access to local UDP port 1026
# iptables -A INPUT -i eth0 -m multiport -p tcp --dports 1433,4899 -j DROP
Deny access to the local SQL Server and remote-administration ports
# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
Limit pings to this host to 10 packets per second
Exercise: use the iptables recent module to defend the SSH service against DoS attacks, and maintain a list holding the IP of every client that has accessed the specified service
On SSH remote-access security: in production a VPN is often deployed so that SSH is only reachable after connecting to the VPN, and the SSH port is changed as well. Here the host firewall is used to defend against SSH DDoS.
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack: "
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
Line 1: the connlimit module limits a single IP to 3 concurrent connections; this will also block users who share a NAT address, so raise the value as the situation requires.
Lines 2 to 4: the recent and state modules limit a single IP to 2 new connections to this host within 300 s. Once blocked, the IP regains access after five minutes.
Line 2: record new connections to TCP port 22 in a list named SSH
--set records the packet's source IP; if the IP already exists, its entry is updated
Line 3: iptables keeps the access records in /proc/net/xt_recent/SSH
Line 4: if an IP in the SSH list has initiated more than 3 connections within 300 s, connections from that IP are rejected.
--update updates the list entry on every connection;
--seconds must be used together with --rcheck or --update
--hitcount must be used together with --rcheck or --update
The following line can also be used to log:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH Attack"
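The recent-module rules above can be checked offline with this small Python model, which is added here and is not part of the original notes. It reproduces how xt_recent evaluates --set and --update --seconds 300 --hitcount 3 (a matching --update also records the current time), and runs the three recent rules in the order the `-I INPUT` commands actually produce as well as in the written (-A) order; the connection times and IPs are constructed.

```python
from collections import defaultdict

class RecentList:
    """Models one xt_recent table (what /proc/net/xt_recent/SSH lists): timestamps per source IP."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: create the entry, or append a fresh timestamp if the IP is already listed
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the IP already has at least N stamps
        # no older than S seconds; on a match the current time is appended too (unlike --rcheck)
        stamps = self.stamps.get(ip)
        if stamps and sum(1 for t in stamps if now - t <= seconds) >= hitcount:
            stamps.append(now)
            return True
        return False

def run_chain(connections, order="insert", seconds=300, hitcount=3):
    """connections: (time, src_ip) of NEW TCP/22 packets in arrival order. order='insert' is what
    the `iptables -I INPUT` commands produce (each -I goes to the top, so DROP is evaluated first
    and --set last); order='append' keeps the written order, as -A would. Returns (verdicts, logged)."""
    ssh = RecentList()
    def rule_set(ip, now):   # ... -m recent --set --name SSH (no -j, never terminates)
        ssh.set(ip, now)
    def rule_log(ip, now):   # ... --update --seconds 300 --hitcount 3 -j LOG (non-terminating)
        return "LOG" if ssh.update(ip, now, seconds, hitcount) else None
    def rule_drop(ip, now):  # ... --update --seconds 300 --hitcount 3 -j DROP
        return "DROP" if ssh.update(ip, now, seconds, hitcount) else None
    chain = [rule_set, rule_log, rule_drop]   # the connlimit rule is not modelled here
    if order == "insert":
        chain.reverse()
    verdicts, logged = [], []
    for now, ip in connections:
        verdict = "ACCEPT"                    # no later rule or policy is modelled
        for rule in chain:
            result = rule(ip, now)
            if result == "LOG":
                logged.append((now, ip))
            elif result == "DROP":
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts, logged

# Constructed sample: 10.0.0.5 opens four SSH connections within 30 s, then one more at 400 s
SAMPLE = [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"),
          (25, "10.0.0.9"), (30, "10.0.0.5"), (400, "10.0.0.5")]
```

With the -I order the LOG rule sits below a DROP rule with identical match criteria and never fires, and the fourth connection is the first one dropped; with -A order --set runs first, so the third connection is both logged and dropped, which is the "2 new connections per 300 s" behaviour described above.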
Exercise 2
For each task the default state is INPUT, OUTPUT and FORWARD set to ACCEPT
Network: 192.168.179.0/24
This host: 192.168.179.137
Prevent host 192.168.179.100 from pinging this host (192.168.179.137)
iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p icmp -j DROP
Watch the packet counters in real time
watch -n 1 'iptables -t filter -L -nxv --line-numbers'
Prevent 192.168.179.100 from accessing this host's web pages (192.168.179.137)
iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 80 -j DROP
View and export the rules, monitor the packet counters
iptables -L -n -v
iptables-save > /usr/local/iptables.txt
cat /usr/local/iptables.txt
watch -n 1 'iptables -t filter -L -nxv --line-numbers'
Flush the filter table (and zero its counters)
iptables -F
iptables -Z
Add SSH remote-access rules (default OUTPUT and INPUT are DROP)
iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 192.168.179.137 -d 192.168.179.100 -p tcp --sport 22 -j ACCEPT
Set the filter table default policies
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
Correct the SSH access rules
iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 192.168.179.137 -d 192.168.179.100 -p tcp --sport 22 -j ACCEPT
Allow loopback interface traffic
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
Block nmap scans of the server's ports
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Null Scan (possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN/FIN -- Scan (possibly)
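To see exactly which packets the --tcp-flags rules above (and the ALL ALL / ALL NONE rules in Exercise 1 and the clean_in chain) drop and which normal traffic they let through, here is an added Python model of the mask/compare semantics; it is not part of the original notes, and the packet flag combinations it checks are constructed.

```python
# TCP flag bits as used by iptables' --tcp-flags (values match the TCP header)
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())

def flagset(spec):
    """Parse an iptables flag list such as 'SYN,FIN', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[f] for f in spec.split(","))

def tcp_flags_match(mask, comp, packet_flags):
    """--tcp-flags MASK COMP: look only at the bits named in MASK and match when, within
    that mask, exactly the bits in COMP are set and the rest are clear. Bits outside MASK
    are ignored, so 'SYN,FIN SYN,FIN' also hits a SYN+FIN+ACK packet."""
    return packet_flags & flagset(mask) == flagset(comp)

def is_syn(packet_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (a connection-opening packet)."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", packet_flags)

# The anti-scan DROP rules from the exercise, in chain order: (mask, comp, comment)
RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP FIN/URG/PSH"),
    ("ALL", "ALL", "Xmas Tree"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "Another Xmas Tree"),
    ("ALL", "NONE", "Null Scan"),
    ("SYN,RST", "SYN,RST", "SYN/RST"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN"),
]

def verdict(packet_spec):
    """Walk the chain for a packet whose flags are given as an iptables-style list;
    return the comment of the first DROP rule hit, or 'pass' if no rule matches."""
    pf = flagset(packet_spec)
    for mask, comp, name in RULES:
        if tcp_flags_match(mask, comp, pf):
            return name
    return "pass"

if __name__ == "__main__":
    # Constructed packets: a normal handshake and data segment, then the scan shapes
    for p in ["SYN", "SYN,ACK", "ACK,PSH", "NONE", "FIN,PSH,URG", "ALL",
              "SYN,FIN,ACK", "SYN,RST", "FIN,PSH,URG,ACK"]:
        print(f"{p:18} -> {verdict(p)}")
```

Note the last sample: FIN+PSH+URG with ACK also set passes every rule, because the first rule uses mask ALL and therefore requires the other bits to be clear.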
Allow the first SSH handshake packet; with connection tracking enabled the newer form is more concise
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
Allow DNS queries
iptables -A OUTPUT -p udp -s 192.168.179.137 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -d 192.168.179.137 --sport 53 -j ACCEPT
Open ping
iptables -A INPUT -p icmp -d 192.168.179.137 -j ACCEPT
iptables -A OUTPUT -p icmp -s 192.168.179.137 -j ACCEPT
Only allow this host to ping others, not others to ping this host
iptables -A INPUT -p icmp --icmp-type 0 -d 192.168.179.137 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.179.137 -j ACCEPT
Open only SSH and web access
iptables -A INPUT -d 192.168.179.137 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -A OUTPUT -s 192.168.179.137 -p tcp -m multiport --sports 22,80 -j ACCEPT
Allow a contiguous range of hosts to telnet to this host
iptables -A INPUT -d 192.168.179.137 -p tcp --dport 23 -m iprange --src-range 192.168.179.1-192.168.179.100 -j ACCEPT
iptables -A OUTPUT -s 192.168.179.137 -p tcp --sport 23 -m iprange --dst-range 192.168.179.1-192.168.179.100 -j ACCEPT
Block sensitive web pages, i.e. those containing the word "sex"
iptables -A OUTPUT -p tcp --sport 80 -m string --algo kmp --string "sex" -j DROP
Block access to the web server from 08:20 to 18:40 on Monday, Tuesday, Thursday and Friday
iptables -A INPUT -p tcp --dport 80 -m time --timestart 08:20 --timestop 18:40 --weekdays Mon,Tue,Thu,Fri -j DROP
Access to the local SSH service: no more than 4 concurrent connections per IP
iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 4 -j DROP
Limit external hosts to 20 ping packets per minute to this host (allowing a burst of 5 extra packets)
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
Rewrite with connection tracking: only allow SSH and HTTP connections in
iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Use connection tracking to allow ping
iptables -A INPUT -d 192.168.179.137 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.179.137 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT