Archive for February 17, 2011

Firewall rules knowledge

1)Jump Intranet
-A PREROUTING -d 222.66.99.201 -p tcp -m tcp –dport 8800 -j DNAT –to-destination 192.168.84.46:3389
-A POSTROUTING -d 192.168.84.46 -p tcp -m tcp –dport 3389 -j SNAT –to-source 192.168.84.48
-A PREROUTING -p tcp -d external network IP –dport 8800 -j DNAT –to $ IP network:3389
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 8080 -j DNAT –to WINIP:3389
iptables -t nat -A POSTROUTING -o eth1 -j SNAT –to internal NIC IP
2)Port Jump example operation
-A PREROUTING -i eth1 -p tcp -m state –state NEW -m tcp –dport 80 -j REDIRECT –to-ports 8080
3)Examples of open port operations
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 6060 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 8080 -j ACCEPT
4)Continuous open ports
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 7070:7079 -j ACCEPT
The 80-port 8080 point to a file on the port IPTABLES
iptables -t nat -A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8080
iptables -A INPUT -p tcp -m state –state NEW –dport 80 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
iptables -t nat -A PREROUTING -p tcp -m tcp –dport 443 -j REDIRECT –to-ports 8443
iptables -A INPUT -p tcp -m state –state NEW –dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
Prevent the synchronization of packet flooding (Sync Flood)
# iptables -A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
It was also writing
#iptables -A INPUT -p tcp –syn -m limit –limit 1/s -j ACCEPT
–limit 1/s
Limit the number of concurrent syn 1 per second,You can modify according to their needs
Prevent all kinds of port scanning
# iptables -A FORWARD -p tcp –tcp-flags SYN,ACK,END,RST RST -m limit –limit 1/s -j ACCEPT
Ping洪水攻击(Ping of Death)
# iptables -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
iptables shield single IP
iptables -I INPUT -s 203.231.1.191 -p tcp –dport 22 -j DROP
iptables -A FORWARD -d 218.241.156.95 -j DROP
iptables-save > /etc/sysconfig/iptables
iptables -A INPUT –dport 21 -s 219.142.192.187 -j ACCEPT // allows only one IP access
# Generated by iptables-save v1.2.8 on Tue Jan 23 14:49:09 2007
*nat
:PREROUTING ACCEPT [133:37589]
:POSTROUTING ACCEPT [26:2387]
:OUTPUT ACCEPT [26:2387]
-A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8080
COMMIT
# Completed on Tue Jan 23 14:49:09 2007
# Generated by iptables-save v1.2.8 on Tue Jan 23 14:49:09 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62834:18310016]
:RH-Firewall-1-INPUT – [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 23 14:49:09 2007
# 211.93.113.33 address only allow users to access ftp server (port 21):
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m tcp –dport 21 -j ACCEPT
-A INPUT -s 211.93.113.33 i eth1 -p tcp -m tcp –dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 21 -j ACCEPT
Blocked QQGAME:iptables -I FORWARD -m string –something bm –string “qqgame” -j DROP
Block QQ Pet:iptables -I FORWARD -m string –something bm –string “qqpet” -j DROP
1)For complete blockade of all ports; iptables -I INPUT -s 65.55.44.100 -j DROP; (65.55.44.100 blocked access to all ports of the machine)
iptables -I OUTPUT -d 65.55.44.100 -j DROP; (Blockade native access to all ports 65.55.44.100)
2)Completely blocked for a specific protocol and port;iptables -I INPUT -p TCP –dport 25 -j DROP; (INPUT 25 port blockade,The unit will not receive messages)
iptables -I OUTPUT -p TCP –dport 25 -j DROP; (OUTPUT 25 port blockade,The unit will not send mail)
iptables -I INPUT -s 65.55.44.100 -p TCP –dport 25 -j DROP; (65.55.44.100 blocked access to the port of the machine 25)
3)Blocked for some specific protocols; #Ban all TCP connections,Allow only certain IP can access the machine via TCP:
iptables -I INPUT -p TCP -j DROP; (This machine prohibit all incoming connections through TCP protocol)
iptables -I INPUT -s 137.189.3.8 -p TCP -j ACCEPT; (137.189.3.8 allowed to enter the unit through a TCP protocol)
iptables -I INPUT -s ! 137.189.3.8 -p TCP -j DROP; (Only allowed to enter 137.189.3.8,Equivalent to a few words,But can only open one IP)
#Open all TCP connections,But prohibit certain IP can be accessed via TCP native:
iptables -I INPUT -p TCP -j ACCEPT; (Allow all protocols into the native TCP connection)
iptables -I INPUT -s 137.189.3.8 -p TCP -j DROP; (Prohibition 137.189.3.8 via TCP protocol into the native)
iptables -I INPUT -s ! 137.189.3.8 -p TCP -j ACCEPT; (It is equivalent to the first two sentences,But only one IP ban)
4)Blocked for some specific protocol and port; #Open TCP port 80 connections,However, the prohibition of certain IP access through TCP port 80:
iptables -I INPUT -p TCP –dport 80 -j ACCEPT; (Allow all IP access to the native port 80)
iptables -I INPUT -s 210.245.191.162 -p TCP –dport 80 -j DROP; (Prohibit access to 210.245.191.162 port 80)
iptables -I INPUT -s ! 210.245.191.162 -p TCP –dport 80 -j ACCEPT; (It is equivalent to the first two sentences,But only one IP ban)
#Prohibit TCP connections to port 80,Open only certain IP access through TCP port 80:
iptables -I INPUT -p TCP –dport 80 -j DROP; (Ban all IP access to port 80 of the machine)
iptables -I INPUT -s 210.245.191.162 -p TCP –dport 80 -j ACCEPT; (210.245.191.162 allow access to port 80)
iptables -I INPUT -s ! 210.245.191.162 -p TCP –dport 80 -j DROP; (It is equivalent to the first two sentences,But only one IP into the open)
#Prohibition native browser external websites through TCP port 80,203.194.162.10 sites only allow access:
iptables -I OUTPUT -p tcp –dport 80 -j DROP; (OUTPUT 80 port blockade,The machine will not be able Liu cable external sites)
iptables -I OUTPUT -p tcp -d 203.194.162.10 –dport 80 -j ACCEPT; (203.194.162.10 allows native access port 80)
iptables -I OUTPUT -p tcp -d ! 203.194.162.10 –dport 80 -j DROP; (It is equivalent to the first two sentences,But only allow access to one IP)
sysctl -w net.ipv4.icmp_echo_ignore_all=1(禁ping)
Open forward and mapping
echo “1” > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp –dport 2222 -j DNAT –to-destination 192.168.1.156:22
Remember the gateway machine to be forwarded to the specified forwarding machine
Manually add the gateway
route add default gw xxx.xxx.xxx.xXX

Comments