itoedr's IT Academy

Recording the journey from IT illiterate to expert

iptables use cases and rule sets

2014-02-11 13:51:49 | Category: nftables firewall

::bash sample::

Pre-Defined Variables

INF='eth0' #interface
VPN='tun2' #OpenVPN
VPS='vboxnet0' #VirtualBox
BOX='192.168.0.1' #your-box
NET='192.168.0.1 192.168.0.2 192.168.0.3' #network
WEB='192.168.0.1 192.168.0.2 192.168.0.3' #webserver

Default Rules

iptables -F # Flush
iptables -X # Delete
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Localhost Connections

iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Established Connections

iptables -A INPUT -i $INF -d $BOX -m conntrack \
  --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INF -s $BOX -m conntrack \
  --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

OpenVPN Connections

iptables -A INPUT -i $VPN -d $BOX -m conntrack \
  --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $VPN -s $BOX -m conntrack \
  --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack \
  --ctstate RELATED,ESTABLISHED -j ACCEPT

VirtualBox Connections

iptables -A INPUT -i $VPS -d $BOX -m conntrack \
  --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $VPS -s $BOX -m conntrack \
  --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

Samba Server

for IP in $NET; do
  iptables -A INPUT -i $INF -p tcp -s $IP --sport 1024:65535 \
    -d $BOX --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o $INF -p tcp -s $BOX --sport 137:139 \
    -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -i $INF -p tcp -s $IP --sport 1024:65535 \
    -d $BOX --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -o $INF -p tcp -s $BOX --sport 445 \
    -d $IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done #samba-network

Web Server

HTTP and HTTPS access to the web server is allowed only from the specific IP addresses listed in WEB; this rule set suits local web development.

for IP in $WEB; do

  ## Allow Incoming HTTP/80 Traffic
  iptables -A INPUT -p tcp -s $IP --sport 1024:65535 -d $BOX \
    --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -s $BOX --sport 80 -d $IP \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  ## Allow Outgoing HTTP/80 Traffic
  iptables -A OUTPUT -p tcp -s $BOX --sport 1024:65535 -d $IP \
    --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -s $IP --sport 80 -d $BOX \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  ## Allow Incoming HTTPS/443 Traffic
  iptables -A INPUT -p tcp -s $IP --sport 1024:65535 \
    -d $BOX --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -s $BOX --sport 443 -d $IP \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

  ## Allow Outgoing HTTPS/443 Traffic
  iptables -A OUTPUT -p tcp -s $BOX --sport 1024:65535 -d $IP \
    --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -s $IP --sport 443 -d $BOX \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
done #web-server

Block Spoofing Attacks

SPOOF='0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.168.1.0/16 224.0.0.0/3'
for SIP in $SPOOF; do
  iptables -A INPUT -s $SIP -j DROP
  iptables -A OUTPUT -s $SIP -j DROP
done #spoofed-addresses

Block Common Attacks

# Block outgoing ICMP echo requests (ping)
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

# Block Invalid Packets
iptables -A INPUT -m conntrack --ctstate INVALID,NEW -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Block fragmented packets
iptables -A INPUT -f -j DROP

# Block NULL Packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop new connections that do not start with a SYN
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Block XMAS Packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

# Block Nmap Scans
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

Save IPTables Rules

iptables-save > /etc/iptables/iptables.rules

ArchWiki: https://wiki.archlinux.org/index.php/iptables
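The rule set above is loaded as a long series of `iptables -A` calls issued after the chain policies are already DROP, so for a moment the policy is DROP with no ACCEPT rule loaded (an SSH session used to run the script sees its packets dropped until the conntrack rule lands), and a typo half-way through leaves a half-applied policy behind. The following is an added example, not code from the original post: the same policy rendered in iptables-save syntax so `iptables-restore` can swap the whole table in atomically, plus a dead-man switch that restores the previous table unless the operator confirms. The interface, host address and client lists reuse the post's placeholder values; `--log-level 4` instead of the post's 7 and the `multiport` grouping are this example's choices.

```shell
#!/bin/sh
# Added example, not code from the original post: the first rule set on the
# page, rendered in iptables-save syntax so iptables-restore can load it in
# one atomic step. Variable values are the post's placeholders; change them.

INF='eth0'                                   # uplink interface
BOX='192.168.0.1'                            # this host's address
NET='192.168.0.1 192.168.0.2 192.168.0.3'    # hosts allowed to reach Samba
WEB='192.168.0.1 192.168.0.2 192.168.0.3'    # hosts allowed to reach the web server

# Print the complete filter table on stdout. Nothing is applied here.
render_ruleset() {
    printf '%s\n' '*filter'
    # Chain policies; the [packets:bytes] counters start at zero.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to accepted connections: one rule instead of one per service.
    printf '%s\n' "-A INPUT -i $INF -d $BOX -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $INF -s $BOX -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
    # Packets conntrack cannot classify are dropped before any NEW rule.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for ip in $NET; do   # Samba: NetBIOS 137-139 and SMB 445
        printf '%s\n' "-A INPUT -i $INF -p tcp -s $ip -d $BOX -m multiport --dports 137:139,445 -m conntrack --ctstate NEW -j ACCEPT"
    done
    for ip in $WEB; do   # HTTP and HTTPS from the listed clients only
        printf '%s\n' "-A INPUT -i $INF -p tcp -s $ip -d $BOX -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Whatever reaches the end is logged (rate-limited) and then hits the DROP policy.
    printf '%s\n' '-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped:" --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Number of -A rules in the rendered table (a quick sanity check).
count_rules() {
    render_ruleset | grep -c '^-A '
}

# Load the rule set with a dead-man switch: the current table is saved first
# and restored automatically after $1 seconds unless the operator confirms,
# so a mistake that cuts the SSH session undoes itself. Run as root.
apply_with_rollback() {
    timeout=${1:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the table without committing it.
    render_ruleset | iptables-restore --test || { echo 'rule set rejected, nothing changed' >&2; return 1; }
    render_ruleset | iptables-restore || return 1
    ( sleep "$timeout"; iptables-restore < "$backup" ) &
    watchdog=$!
    printf 'New rules active. Keep them? Confirm within %ss [y/N]: ' "$timeout"
    read -r answer
    if [ "$answer" = y ]; then
        kill "$watchdog"; rm -f "$backup"; echo 'kept'
    else
        wait "$watchdog"; echo "rolled back from $backup"
    fi
}

# Stand-alone use: print the rule set for review, e.g. ./fw.sh > rules.v4
render_ruleset
```

Save the printed table to the path the post uses (`/etc/iptables/iptables.rules`) once it is confirmed; `iptables-restore < file` reloads it at boot. Run `apply_with_rollback 60` from a root shell when changing the policy on a remote machine.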

**********************************
Some other common iptables rules (collected and tested)
**********************************
1. Flush existing rules

When you start building a new rule set, you will probably want to clear all the default policies and every existing rule. Do so with:

iptables -F    or    iptables --flush

2. Set the default policies

The default chain policy is ACCEPT; change the policy of every chain to DROP:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

3. Block a specific IP address

BLOCK_THIS_IP="x.x.x.x"

iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

4. Allow SSH

Allow any host to connect to this machine over SSH through the eth0 interface:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow SSH from one subnet

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow HTTP and HTTPS

Allow all incoming web traffic: HTTP on port 80

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Allow all incoming web traffic: HTTPS on port 443

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. Combine several rules into one

Allow SSH, HTTP and HTTPS:

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow outgoing SSH to other hosts

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow outgoing SSH to a specific subnet

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow outgoing HTTPS

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

11. Load-balance web requests (every three packets are spread across the listed servers; requires an iptables extension)

DNAT is only valid in the nat table, so these rules need -t nat:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
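The `nth` match used in item 11 is not part of stock iptables (hence the note that an extension is needed). The in-tree `statistic` match in `--mode nth` does the same job, with one difference that matters: its counter is per rule rather than shared, so a rule only counts the packets that reach it. Copying the post's shape (`--every 3` with `--packet 0/1/2` on all three rules) therefore gives the first backend 1/3 of new connections, the second 2/9, the third 4/27, and leaves 8/27 unmatched. The following is an added example, not code from the post: a generator for the correct rule shape (1 in N, then 1 in N-1 of the remainder, and so on, the last rule taking everything left), generalised to any number of backends, together with a small model of the per-rule counters that shows the split is even. Interface, port and backend addresses are the post's placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post. Builds "-m statistic --mode nth"
# DNAT rules that split new connections evenly across N backends. Each rule's
# counter only sees the packets that earlier rules did not take, so rule r
# must match 1 in (N - r + 1) of them; the final rule needs no counter.
# Interface, port and backend addresses below are placeholders from the post.

# Print the nat-table DNAT rules that spread new connections arriving on
# interface $1 for TCP port $2 across the backends given as further arguments.
lb_rules() {
    iface=$1; port=$2; shift 2
    n=$#; i=0
    for backend in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -m conntrack --ctstate NEW -m statistic --mode nth --every %s --packet 0 -j DNAT --to-destination %s:%s\n' \
                "$iface" "$port" "$remaining" "$backend" "$port"
        else
            # Final backend: no counter, it simply takes whatever is left.
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j DNAT --to-destination %s:%s\n' \
                "$iface" "$port" "$backend" "$port"
        fi
        i=$((i + 1))
    done
}

# Model the per-rule counters: push $1 new connections through the chain
# lb_rules builds for $2 backends and print how many each backend receives.
simulate_split() {
    awk -v total="$1" -v n="$2" 'BEGIN {
        for (k = 1; k <= total; k++) {
            for (r = 1; r <= n; r++) {
                every = n - r + 1              # rule r matches 1 in "every" of what reaches it
                if (every == 1) { hit[r]++; break }
                cnt[r] = (cnt[r] + 1) % every
                if (cnt[r] == 0) { hit[r]++; break }
            }
        }
        for (r = 1; r <= n; r++) printf "%s%d", (r > 1 ? " " : ""), hit[r]
        printf "\n"
    }'
}

# Stand-alone use: print the three rules for the post's backends and the
# distribution the counters produce for 30 new connections.
lb_rules eth0 443 192.168.1.101 192.168.1.102 192.168.1.103
echo "30 connections over 3 backends: $(simulate_split 30 3)"
```

Only connections in state NEW are matched, so once conntrack has mapped a connection to a backend every later packet of it follows the same DNAT; packets never make up "a third of a connection". The generator prints the commands rather than running them so the output can be reviewed and pasted into the NAT section of a rule file.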

12. Allow ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Allow pinging remote hosts

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow loopback traffic

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

15. Allow the internal network to reach the outside

In this example eth1 is connected to the external network and eth0 to the internal network.

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

16. Allow outgoing DNS

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS connections

NIS ports are dynamic: ypbind allocates them when it starts.

First run rpcinfo -p to find the port numbers; this example uses ports 850 and 853.

iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

The rules above stop working when ypbind restarts; there are two remedies:

(1) give the NIS service a static IP; (2) use a clever script.

18. Allow rsync from a specific subnet

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL from a specific subnet

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow sendmail or postfix

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS

IMAP:

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

IMAPS:

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S

POP3:

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

POP3S:

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Mitigate DoS attacks

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-m : load an iptables extension (match module)
--limit 25/minute : cap the number of connection requests per minute
--limit-burst : the trigger threshold, the number of packets allowed to arrive in one burst

24. Port forwarding

Forward everything arriving on 442 to port 22

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22

You must also explicitly allow port 442

iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

25. Log dropped packets

You may want to see a log of every dropped packet.

First create a new chain called LOGGING

iptables -N LOGGING

Make sure all connections jump to LOGGING

iptables -A INPUT -j LOGGING

Log the packets with a custom prefix via "--log-prefix"

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped:" --log-level 7

Finally drop the packets

iptables -A LOGGING -j DROP
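The LOG target writes one kernel-log line per packet, prefix first, followed by `IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...` fields. Both the DoS rule in item 23 and the LOGGING chain in item 25 only pay off if someone reads what they produce, so the following added example (not code from the post) digests those lines: drops per source, drops per protocol and destination port, and sources that touched more distinct ports than a threshold. The sample lines are constructed to match the post's prefix; the addresses come from the RFC 5737 documentation ranges and the MAC and ID values are made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what the LOGGING chain
# records. SAMPLE_LOG is constructed to mimic the LOG target's output with the
# post's prefix; addresses are documentation ranges (RFC 5737), MACs/IDs invented.
SAMPLE_LOG='Feb 11 13:51:49 box kernel: IPTables Packet Dropped:IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=203.0.113.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31337 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 11 13:51:50 box kernel: IPTables Packet Dropped:IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=203.0.113.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31338 DF PROTO=TCP SPT=44124 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 11 13:51:52 box kernel: IPTables Packet Dropped:IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.0.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48
Feb 11 13:51:53 box kernel: IPTables Packet Dropped:IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=203.0.113.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31339 DF PROTO=TCP SPT=44125 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 11 13:51:54 box kernel: IPTables Packet Dropped:IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 13:51:55 box kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

PREFIX='IPTables Packet Dropped:'   # the --log-prefix used in item 25

# Keep only the firewall's lines; the rest of the kernel log is noise here.
dropped_lines() {
    grep -F "$PREFIX"
}

# Print the value of one KEY=value field per line (empty if the key is absent).
field() {
    awk -v key="$1=" '{ v = ""; for (i = 1; i <= NF; i++) if (index($i, key) == 1) v = substr($i, length(key) + 1); print v }'
}

# Dropped packets per source address, busiest first: "count address".
dropped_by_source() {
    dropped_lines | field SRC | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Dropped packets per protocol and destination port, busiest first: "count PROTO/port".
dropped_by_port() {
    dropped_lines | awk '{ p = ""; d = "";
        for (i = 1; i <= NF; i++) {
            if (index($i, "PROTO=") == 1) p = substr($i, 7)
            if (index($i, "DPT=") == 1)   d = substr($i, 5)
        }
        if (d != "") print p "/" d }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources that hit more than $1 distinct destination ports: "address ports".
# A single source spread over many closed ports is the usual scan signature.
scanning_sources() {
    dropped_lines | awk -v limit="$1" '{ s = ""; d = "";
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) s = substr($i, 5)
            if (index($i, "DPT=") == 1) d = substr($i, 5)
        }
        if (s != "" && d != "" && !seen[s, d]++) ports[s]++ }
        END { for (s in ports) if (ports[s] > limit) print s, ports[s] }' | sort
}

# Stand-alone use on the constructed sample; on a real host pipe in
# `journalctl -k` or /var/log/kern.log instead of $SAMPLE_LOG.
printf '%s\n' "$SAMPLE_LOG" | dropped_by_source
printf '%s\n' "$SAMPLE_LOG" | dropped_by_port
printf '%s\n' "$SAMPLE_LOG" | scanning_sources 2
```

Two things to keep in mind when reading the numbers: the `-m limit --limit 2/min` in item 25 caps the chain at a couple of log lines per minute (plus the default burst), so during a flood the counts are a floor, not a total; and the post's chain is only reached from INPUT, so nothing here says anything about forwarded or outbound drops.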
