iptables Exercises

Exercise 1

Exercise: set the default policy of INPUT and OUTPUT to DROP;

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -A OUTPUT -p tcp -s 192.168.179.137 -m state --state ESTABLISHED,RELATED -j ACCEPT

 

  • Restrict the local web server: no access on Mondays; the rate of new requests must not exceed 100 per second; pages containing the string admin must not be accessible; the web server may only let response packets leave this host;

iptables -N web

iptables -A web -m time --weekdays Mon -j DROP

iptables -A web -m string --algo bm --string 'admin' -j DROP

iptables -A web -m limit --limit 100/second -j ACCEPT

iptables -A web -j RETURN

iptables -A INPUT -p tcp --dport 80 -j web

 

  • During working hours, Monday to Friday 08:30-18:00, open this host's ftp service to hosts in the 16.0.0 network; the number of data download requests per minute must not exceed 5;

iptables -A INPUT -p tcp -s 192.168.179.0/24 --dport 21 -m connlimit ! --connlimit-above 5 -m time --timestart 08:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -m state --state NEW -j ACCEPT

The corresponding kernel modules must be loaded:

modprobe nf_conntrack

modprobe nf_conntrack_ftp

 

  • Open this host's ssh service to the hosts 172.16.x.1-172.16.x.100, where x is your student number; the rate of new connection requests must not exceed 2 per minute; only response packets may leave this host through the service port;

iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 172.16.7.1-172.16.7.100 -m connlimit ! --connlimit-above 2 -j ACCEPT

 

  • Reject packets whose TCP flag bits are all 1 or all 0;

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

 

  • Allow this host to ping other hosts, but do not allow other hosts to ping this host;

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

iptables -R OUTPUT 1 -p tcp -s 192.168.179.137 -m state --state ESTABLISHED,RELATED -j ACCEPT

 

 

 

 

Exercise: explain the meaning of the following rules:

# iptables -N clean_in

Create a chain named clean_in

# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP

Drop ICMP sent to the broadcast address 255.255.255.255

# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP

Drop ICMP sent to the broadcast address of the 172.16 network

# iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP

Drop invalid connection-establishment requests (a NEW TCP connection whose first packet is not a SYN)

# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP

Drop TCP packets with all flag bits set to 1

# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP

Drop TCP packets with all flag bits set to 0

# iptables -A clean_in -d 172.16.100.7 -j RETURN

When none of the rules above matched a request destined to 172.16.100.7, return to the calling chain

# iptables -A INPUT -d 172.16.100.7 -j clean_in

Traffic destined to 172.16.100.7 is handed to the clean_in chain for processing

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT

Allow all traffic on this host's loopback interface

# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP

# iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP

Drop access to this host's DNS and Samba services

# iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP

Drop access to UDP port 1026 on this host

# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1433,4899 -j DROP

Drop access to SQL Server and remote administration on this host

# iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT

Rate-limit pings to this host: no more than 10 packets per second

 

Exercise: use the iptables recent module to defend the SSH service against DoS attacks, and build a list that records the IP addresses of all clients that have accessed the specified service

 

On securing remote SSH access: in production a VPN is usually deployed, so that SSH connections are only accepted after dialing in through the VPN, and the SSH port number is changed as well. Here we mainly use the host firewall to defend against SSH DDoS attacks.

 

iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack: "

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

 

Rule 1: use the connlimit module to cap concurrent connections from a single IP at 3; this can wrongly block users sharing one NAT address, so increase the value as the situation requires;

Rules 2 to 4: use the recent and state modules to limit a single IP to 2 new connections to this host within 300 s. After being blocked for five minutes, access is restored.

 

Rule 2: record new connections to TCP port 22 in a list named SSH

--set records the packet's source IP; if the IP already exists, its existing entry is updated

Rule 3: iptables keeps the access records in /proc/net/xt_recent/SSH

Rule 4: if an IP in the SSH list initiates more than 3 connections within 300 s, its connections are dropped.

--update updates the list entry on every new connection;

--seconds must be used together with --rcheck or --update

--hitcount must be used together with --rcheck or --update

 

The following rule can also be used for logging:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH Attack"
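The four commands above use -I, so the command typed last ends up at the top of INPUT and the chain is evaluated in the reverse of the order written. That order matters: --set records the current SYN before any later --update rule counts it, so with --update above --set (what -I produces) the fourth new connection inside the window is the first one dropped, while with --set above --update the third is. The script below is an added example, not part of the exercise: it prints the same guard rules with -A in an explicit order, applies them only when run as root, and summarises the /proc/net/xt_recent/SSH list as "IP hit-count" lines. The list name SSH, the log prefix and the sample list contents are constructed for the example, and the rules assume a following ACCEPT rule or policy for ssh as in the exercise.

```shell
#!/bin/sh
# Added example (not from the original exercises): generate the recent-module
# SSH guard rules in an explicit order and read back the tracked client list.
# Assumptions: list name SSH, chain INPUT and the log prefix are placeholders.

# Print the rules with -A so they are evaluated top to bottom in the order
# printed. Arguments: port, window in seconds, hit count, concurrent-connection cap.
ssh_guard_rules() {
    port=${1:-22}; window=${2:-300}; hits=${3:-3}; conns=${4:-3}
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m connlimit --connlimit-above $conns -j DROP
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $window --hitcount $hits --name SSH -j LOG --log-prefix "SSH attack: "
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $window --hitcount $hits --name SSH -j DROP
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name SSH
EOF
}

# Apply the rules when running as root with iptables present; otherwise only
# show them (dry run), which is also what happens when this file is sourced.
apply_ssh_guard() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        ssh_guard_rules "$@" | sh -e
    else
        echo "# dry run (not root or iptables missing):"
        ssh_guard_rules "$@"
    fi
}

# Summarise a /proc/net/xt_recent/<name> listing read from stdin as one
# "IP hit-count" line per tracked source. Entries have the shape
#   src=A.B.C.D ttl: N last_seen: J oldest_pkt: K J1, J2, ...
# where the trailing numbers are jiffies timestamps, one per recorded packet,
# so counting them gives the value --hitcount is compared against.
recent_hits() {
    awk '
    /^src=/ {
        ip = substr($1, 5)                      # strip the "src=" prefix
        start = NF + 1
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { start = i + 2; break }
        rest = ""
        for (i = start; i <= NF; i++) rest = rest $i   # join "J1," "J2" ... into one string
        n = split(rest, stamps, ",")
        print ip, n
    }'
}

# Constructed sample of the list file for an offline run (not real data).
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4295012345 oldest_pkt: 3 4295011000, 4295011900, 4295012345
src=198.51.100.7 ttl: 57 last_seen: 4295010000 oldest_pkt: 1 4295010000'

# Example usage:
#   apply_ssh_guard 22 300 3 3
#   recent_hits < /proc/net/xt_recent/SSH
#   printf '%s\n' "$SAMPLE_RECENT" | recent_hits
```

On a live host, `recent_hits < /proc/net/xt_recent/SSH` shows which sources are close to the --hitcount threshold; entries older than --seconds still appear in the file until they are reaped or the list fills up, so the count here is an upper bound on what the rule would see.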

 

Exercise 2

For each sub-question, the default policy of INPUT, OUTPUT and FORWARD is ACCEPT

Network: 192.168.179.0/24

This host: 192.168.179.137

Prevent host 192.168.179.100 from pinging this host (192.168.179.137)

iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p icmp -j DROP

 

Watch packet counters in real time

watch -n 1 'iptables -t filter -L -nxv --line-numbers'

 

Prevent 192.168.179.100 from accessing this host's web pages (192.168.179.137)

iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 80 -j DROP

 

View and export the rules; monitor packet counters

iptables -L -n -v

iptables-save > /usr/local/iptables.txt

cat /usr/local/iptables.txt

watch -n 1 'iptables -t filter -L -nxv --line-numbers'

 

Flush the filter table (and zero its counters)

iptables -F

iptables -Z

 

Add ssh remote-access rules (default OUTPUT and INPUT policy is DROP)

iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -s 192.168.179.137 -d 192.168.179.100 -p tcp --sport 22 -j ACCEPT

 

Set the filter table default policies

iptables -P OUTPUT DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

 

 

Corrected ssh access rules

iptables -A INPUT -s 192.168.179.100 -d 192.168.179.137 -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -s 192.168.179.137 -d 192.168.179.100 -p tcp --sport 22 -j ACCEPT
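Setting the INPUT and OUTPUT policies to DROP over an ssh session is the step that locks administrators out when the ssh ACCEPT rules are wrong or were flushed, which is why the exercise has to "correct" them afterwards. The script below is an added example, not part of the exercise: it checks a file in the iptables-save format shown above (every *table block closed by COMMIT, every line a chain declaration, a -A rule, a comment or COMMIT) before loading it with iptables-restore, and starts a timer that restores the previous rules unless the operator confirms the session still works. The file paths, the 60-second default and the two sample rulesets are constructed for the example; iptables-apply, shipped with iptables, implements the same idea.

```shell
#!/bin/sh
# Added example (not from the original exercises): validate a ruleset file in
# iptables-save format, then load it with an automatic rollback timer.
# Assumptions: file paths and the 60-second grace period are placeholders.

# ruleset_check FILE: succeeds when every "*table" block ends with COMMIT and
# every non-comment line is a ":CHAIN POLICY [pkts:bytes]" declaration, a -A
# rule or COMMIT inside a table block. Prints the first problem found.
ruleset_check() {
    awk '
        function fail(msg) { print msg; err = 1; exit 1 }
        /^\*/      { if (open) fail("table " table " missing COMMIT before line " NR)
                     open = 1; table = substr($0, 2); next }
        /^COMMIT$/ { if (!open) fail("COMMIT outside a table at line " NR)
                     open = 0; next }
        /^#/ || /^$/ { next }
        /^:[^ ]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/ || /^-A / {
                     if (!open) fail("line " NR " is outside a table block")
                     next }
        { fail("unexpected line " NR ": " $0) }
        END { if (err) exit 1
              if (open) fail("table " table " missing COMMIT at end of file") }
    ' "$1"
}

# safe_restore FILE [SECONDS]: back up the live rules, load FILE, and restore
# the backup after SECONDS unless the operator kills the timer (i.e. confirms
# the ssh session survived). Needs root and the iptables-save/restore tools.
safe_restore() {
    rules=$1; grace=${2:-60}
    ruleset_check "$rules" || return 1
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "safe_restore: ruleset passed checks; root and iptables-restore needed to load it" >&2
        return 0
    fi
    backup=$(mktemp /tmp/iptables-backup.XXXXXX)
    iptables-save > "$backup"
    (sleep "$grace"; iptables-restore < "$backup"; echo "rolled back to $backup") &
    timer=$!
    iptables-restore < "$rules" || { kill "$timer"; iptables-restore < "$backup"; return 1; }
    echo "loaded $rules; run 'kill $timer' within ${grace}s to keep it"
}

# Constructed sample rulesets for an offline check (not taken from a real host).
GOOD_RULESET='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'
# A typical mistake: a shell command pasted into a file meant for iptables-restore.
BAD_RULESET='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT'

# check_sample good|bad: write one of the samples to a temp file and check it.
check_sample() {
    tmp=$(mktemp)
    case "$1" in good) printf '%s\n' "$GOOD_RULESET" ;; *) printf '%s\n' "$BAD_RULESET" ;; esac > "$tmp"
    if ruleset_check "$tmp"; then status=0; else status=$?; fi
    rm -f "$tmp"
    return $status
}

# Example usage:
#   check_sample good && echo ok
#   safe_restore /usr/local/iptables.txt 60
```

The check is deliberately strict about line shapes: a ruleset with a stray shell command or a missing COMMIT is rejected before iptables-restore ever sees it, and the rollback timer covers the cases the file check cannot catch, such as a well-formed file whose ssh rule simply does not match your source address.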

 

Allow loopback interface access

iptables -I INPUT 1 -i lo -j ACCEPT

iptables -I OUTPUT 1 -o lo -j ACCEPT

 

 

Block nmap port scans of the server

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

# NMAP FIN/URG/PSH

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Xmas Tree

iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Another Xmas Tree

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Null Scan (possibly)

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SYN/RST

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN/FIN -- Scan (possibly)
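The --tcp-flags match used here and in the ALL ALL / ALL NONE rules of Exercise 1 takes two lists: iptables looks only at the bits named in the first (the mask) and requires exactly the bits named in the second to be set among them, so "ALL SYN,RST,ACK,FIN,URG" catches only packets with those five set and PSH clear, while "SYN,FIN SYN,FIN" ignores the other four bits entirely. The script below is an added example, not part of the exercise: it evaluates a mask/comp pair against a flag combination the way iptables does and reports which of the six anti-scan rules above a given combination would hit. The flag bit values are the TCP header bits; the rule labels are taken from the comments above.

```shell
#!/bin/sh
# Added example (not from the original exercises): evaluate the --tcp-flags
# "mask comp" test as iptables does, so a rule can be checked against a flag
# combination before it goes into the INPUT chain.

# Bit value of one TCP flag name (iptables spelling) or the ALL/NONE aliases.
flag_bits() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ALL) echo 63 ;;  NONE) echo 0 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Combine a comma-separated flag list (e.g. SYN,ACK) into one bitmask.
flag_mask() {
    total=0
    old_ifs=$IFS; IFS=,
    for f in $1; do
        bits=$(flag_bits "$f") || { IFS=$old_ifs; return 1; }
        total=$(( total | bits ))
    done
    IFS=$old_ifs
    echo "$total"
}

# tcp_flags_match MASK COMP PKT_FLAGS: exit 0 when a packet carrying PKT_FLAGS
# would match "--tcp-flags MASK COMP": only the MASK bits are examined, and
# exactly the COMP bits must be set among them.
tcp_flags_match() {
    m=$(flag_mask "$1") && c=$(flag_mask "$2") && p=$(flag_mask "$3") || return 2
    [ $(( p & m )) -eq "$c" ]
}

# classify_flags PKT_FLAGS: name the first of the exercise's anti-scan rules
# that would drop a packet with these flags, or print "pass" if none does.
classify_flags() {
    flag_mask "$1" >/dev/null || return 2
    for rule in \
        "ALL|FIN,URG,PSH|FIN/URG/PSH" \
        "ALL|ALL|Xmas Tree" \
        "ALL|SYN,RST,ACK,FIN,URG|Another Xmas Tree" \
        "ALL|NONE|Null Scan" \
        "SYN,RST|SYN,RST|SYN/RST" \
        "SYN,FIN|SYN,FIN|SYN/FIN"
    do
        mask=${rule%%|*}; rest=${rule#*|}; comp=${rest%%|*}; label=${rest#*|}
        if tcp_flags_match "$mask" "$comp" "$1"; then
            echo "$label"; return 0
        fi
    done
    echo pass
}

# Example usage:
#   classify_flags SYN,ACK       # a normal handshake reply is not dropped
#   classify_flags FIN,PSH,URG   # hits the first rule
#   classify_flags NONE          # hits the null-scan rule
```

Running classify_flags over the combinations you expect on a service (SYN, SYN,ACK, ACK, ACK,PSH, FIN,ACK, RST,ACK) before deploying such rules confirms that legitimate traffic falls through to "pass"; the mask in the last two rules is what keeps SYN,ACK from matching them.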

 

Allow the first packet of the ssh handshake; with connection tracking enabled, the newer form is more concise

iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

 

Allow DNS queries

iptables -A OUTPUT -p udp -s 192.168.179.137 --dport 53 -j ACCEPT

iptables -A INPUT -p udp -d 192.168.179.137 --dport 53 -j ACCEPT

 

 

Allow ping

iptables -A INPUT -p icmp -d 192.168.179.137 -j ACCEPT

iptables -A OUTPUT -p icmp -s 192.168.179.137 -j ACCEPT

 

Only allow this host to ping others; do not allow others to ping this host

iptables -A INPUT -p icmp --icmp-type 0 -d 192.168.179.137 -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.179.137 -j ACCEPT

 

 

Open only ssh and web access at the same time

iptables -A INPUT -d 192.168.179.137 -p tcp -m multiport --dports 22,80 -j ACCEPT

iptables -A OUTPUT -s 192.168.179.137 -p tcp -m multiport --sports 22,80 -j ACCEPT

 

 

Allow a consecutive range of IP addresses to telnet to this host

iptables -A INPUT -d 192.168.179.137 -p tcp --dport 23 -m iprange --src-range 192.168.179.1-192.168.179.100 -j ACCEPT

iptables -A OUTPUT -s 192.168.179.137 -p tcp --sport 23 -m iprange --dst-range 192.168.179.1-192.168.179.100 -j ACCEPT

 

 

Block sensitive web pages, i.e. those containing the word sex

iptables -A OUTPUT -p tcp --sport 80 -m string --algo kmp --string "sex" -j DROP

 

Block access to the web server from 08:20 to 18:40 on Monday, Tuesday, Thursday and Friday

iptables -A INPUT -p tcp --dport 80 -m time --timestart 08:20 --timestop 18:40 --weekdays Mon,Tue,Thu,Fri -j DROP

 

Access to this host's ssh service: no more than 4 concurrent connections per IP

iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 4 -j DROP

 

Limit external hosts to 20 ping packets per minute to this host (allowing a burst of 5 packets)

iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT

 

 

Rewrite with connection tracking: allow only ssh and http connections in

iptables -A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

iptables -P OUTPUT DROP

 

Allow ping using connection tracking

iptables -A INPUT -d 192.168.179.137 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -s 192.168.179.137 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT