Web host iptables firewall security script
2022-06-30 20:16:00 【Brother Xing plays with the clouds】
The script's default policies are DROP for the INPUT chain and ACCEPT for the OUTPUT and FORWARD chains; the outbound side is left loose because packets leaving the host are the lesser risk. To verify that the script is portable, I checked the server's kernel and iptables versions with the following commands:

```sh
uname -a
iptables -V
```
If you want to use iptables as a host firewall, I suggest CentOS 5.6 x86_64 or later; otherwise the system produces error messages like these:

```
iptables: Unknown error 18446744073709551615
iptables: Invalid argument
```

and `tail -f /var/log/messages` shows errors like the following:

```
ip_tables: connlimit match: invalid size 32 != 16
ip_tables: connlimit match: invalid size 32 != 24
```
In addition, before debugging the iptables script on a production server, I strongly recommend adding a crontab job that stops the iptables script every 5 minutes, so that the SSH client cannot be locked out. The entry is as follows:

```
*/5 * * * * root /etc/init.d/iptables stop
```
The script code is as follows :
```sh
#!/bin/bash
# flush all rules and user chains, then set the default policies
iptables -F
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# load connection-tracking modules
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# rate limits: fragments, ping requests, and new TCP connection attempts (SYN only)
iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
# load balancer addresses (masked in the original)
iptables -A INPUT -s 122.70.x.x -j ACCEPT
iptables -A INPUT -s 122.70.x.x -j ACCEPT
# loopback and already-established traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: HTTP and SSH
iptables -A INPUT -p tcp -m multiport --dport 80,22 -j ACCEPT
```
There is a special case here: this web server sits behind a load balancer, so traffic between the two is very frequent, and packets whose source address is the load balancer have to be allowed through. In addition, many of my small sites are deployed on an LNMP stack with this script, that is, the web service and the MySQL database are installed on the same machine; port 3306 is not opened, and the database is accessed locally by the PHP programs the web service calls.
After the script runs successfully the system should report no error. Check the loaded rules with the following command:

```sh
iptables -nvL
```

This command displays the following result:
```
Chain INPUT (policy DROP 610 packets, 50967 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
 6100  314K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02 limit: avg 20/sec burst 200
 1052 67637 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  986 58112 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  918  131K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
97056   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4325  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 10

Chain OUTPUT (policy ACCEPT 144K packets, 155M bytes)
 pkts bytes target     prot opt in     out     source               destination
  956  134K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
```
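Reading the counters is the quickest way to confirm that the rules do what the script intended. The following summariser is an added example, not part of the original post: it prints each chain's policy counter and every rule that has never matched a packet. The SAMPLE text is the listing above with its columns restored; the function reads any `iptables -nvL` listing on stdin.

```shell
#!/bin/sh
# Added example, not from the post: summarise an "iptables -nvL" listing,
# printing each chain's policy counter and every rule that never matched.
# SAMPLE is the listing from the post above, re-spaced; the summariser
# reads any such listing on stdin.

SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 610 packets, 50967 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 100
 6100  314K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02 limit: avg 20/sec burst 200
 1052 67637 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  986 58112 ACCEPT     all  --  *      *       122.70.x.x           0.0.0.0/0
  918  131K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
97056   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4325  218K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 10

Chain OUTPUT (policy ACCEPT 144K packets, 155M bytes)
 pkts bytes target     prot opt in     out     source               destination
  956  134K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
EOF
)

# summarize_counters: reads a listing on stdin, writes the summary to stdout
summarize_counters() {
    awk '
    /^Chain / {
        chain = $2
        # built-in chains: "Chain INPUT (policy DROP 610 packets, ...)"
        if ($3 == "(policy") printf "%s policy=%s policy_pkts=%s\n", chain, $4, $5
        else printf "%s (user chain)\n", chain
        next
    }
    $1 == "pkts" || NF == 0 { next }     # column header and blank lines
    $1 == 0 {
        # columns: pkts bytes target prot opt in out source destination [matches...]
        rule = ""
        for (i = 3; i <= NF; i++) rule = rule (i > 3 ? " " : "") $i
        printf "  %s zero-hit: %s\n", chain, rule
    }'
}

# zero_hit_count: number of rules in SAMPLE that never matched a packet
zero_hit_count() {
    printf '%s\n' "$SAMPLE" | summarize_counters | grep -c 'zero-hit'
}

printf '%s\n' "$SAMPLE" | summarize_counters
```

Two things the summary surfaces in this listing: the echo-request limit sits in the FORWARD chain with zero hits, so on this host it was not limiting any ping reaching INPUT, and the `state RELATED,ESTABLISHED` rule carries 97056 of the hits while sitting sixth in the chain, so moving it (and the `lo` rule) to the top saves per-packet work for the bulk of the traffic.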
Let me explain this script in some detail. Several protections have been configured for the host: to prevent external ping floods and SYN flood attacks, and because aggressive external port-scanning tools can also eat the server's inbound bandwidth, limits are placed on those as well. The command is as follows:

```sh
iptables -A INPUT -p tcp --syn -m limit --limit 100/s --limit-burst 100 -j ACCEPT
```

This command allows at most 100 new connections per second; "new" here means packets whose connection state is NEW. Later we also allow traffic whose state is ESTABLISHED or RELATED. The threshold of 100 should be adjusted to the server's actual situation: on a server with little concurrency it should be lowered, and on a server with very heavy traffic and concurrency it needs to be raised.

```sh
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
```

This prevents ping flood attacks by limiting incoming ping packets to no more than 10 per second.

```sh
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
```

This command guards against various port scans: TCP packets with SYN set but ACK and RST clear (new connection attempts) are limited to no more than 200 per second, so that they cannot exhaust the server's bandwidth.
Once the iptables firewall is running, we can scan it with nmap. The command is as follows:

```sh
nmap -P0 -sS 211.143.6.x
```

The result of this command is as follows:

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-03-29 16:21 CST
Interesting ports on 211.143.6.X:
Not shown: 1668 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1014/tcp open  unknown
```
Here we found port 1014 opened by some process; `lsof -i:1014` showed that it was opened by rpc.statd, and this service uses a different port each time. I wanted to ignore it, but if rpc.statd cannot handle the SIGPIPE signal, a remote attacker can use that to shut the process down, a denial-of-service attack, so we still had to find a solution. We found that rpc.statd is started by the nfslock service; further inquiry showed it is an optional process that lets NFS clients lock files on the server. Since the process belongs to the nfslock service, we shut that service down with the following commands:

```sh
service nfslock stop
chkconfig nfslock off
```
Without hardware firewall protection, a web server with a public address in an IDC machine room still very much needs iptables protection. If we find someone using tools to connect to our web server maliciously and frequently, we can use the recent module to block them. The following rule, in iptables-save format, limits SYN packets against SYN-based DDoS:

```
-A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
```
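One caveat a practitioner should take from the script and the nmap result above: a `-m limit ... -j ACCEPT` rule placed directly in INPUT accepts the first N SYNs per second to any port, so the DROP policy does not apply to them, which is consistent with nmap reporting ports such as 25, 110 and 143 as open although only 80 and 22 are in the multiport rule. A limit only limits if the excess is dropped and the packets within the limit still have to pass a port rule. The following is an added example, not the post's own script: it generates the host firewall described above (the rate limits from the explanation, the load-balancer exceptions, and the recent-module block mentioned in the last paragraph) as an iptables-restore rule set with the SYN limit in a user chain, and adds an apply step with an automatic rollback that plays the same role as the crontab safety net. The load-balancer addresses, the chain name SYN_LIMIT, the recent list name `ssh` and the pid-file path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own script: the same host firewall as an
# iptables-restore rule set, plus an apply step with an automatic rollback.
# The load-balancer addresses and file paths used below are constructed
# placeholders; adjust them for the real host.

# build_ruleset LB_IPS PORTS [SYN_RATE] [SYN_BURST]
#   LB_IPS    space-separated source addresses that are always allowed
#   PORTS     comma-separated public TCP ports (multiport syntax)
build_ruleset() {
    lb_ips=$1
    ports=$2
    syn_rate=${3:-20/sec}
    syn_burst=${4:-200}

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # SYN_LIMIT is a user chain: connection attempts within the limit RETURN
    # to INPUT and still have to match a port rule; the excess is dropped.
    # A "-m limit ... -j ACCEPT" directly in INPUT would instead accept the
    # first N SYNs per second to any port.
    echo ':SYN_LIMIT - [0:0]'
    echo "-A SYN_LIMIT -m limit --limit $syn_rate --limit-burst $syn_burst -j RETURN"
    echo '-A SYN_LIMIT -j DROP'

    # cheapest and most frequent matches first
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # trusted sources (the load balancers) are exempt from the limiter below
    for ip in $lb_ips; do
        echo "-A INPUT -s $ip -j ACCEPT"
    done
    # ping: 1/s with a burst of 10, the rest dropped explicitly
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    # every other new TCP connection attempt goes through the limiter
    echo '-A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j SYN_LIMIT'
    # recent module: a source that opens more than 4 new SSH connections
    # within 60 s is dropped for as long as it keeps trying
    echo '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set'
    echo '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP'
    echo "-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT"
    echo 'COMMIT'
}

# apply_with_rollback RULES_FILE [GRACE_SECONDS]
# Loads the rule set and restores the previous one after GRACE_SECONDS
# unless the operator, still logged in, kills the timer. Same idea as the
# crontab safety net in the post, but scoped to a single change. Needs root.
apply_with_rollback() {
    rules=$1
    grace=${2:-300}
    backup=$(mktemp) || return 1
    iptables-save >"$backup" || return 1
    # iptables-restore parses the whole file before committing, so a
    # syntax error leaves the running rules untouched
    if ! iptables-restore <"$rules"; then
        rm -f "$backup"
        return 1
    fi
    ( sleep "$grace" && iptables-restore <"$backup"; rm -f "$backup" ) &
    echo "$!" >/run/fw-rollback.pid
    echo "rules loaded; reverting in ${grace}s unless you run: kill \$(cat /run/fw-rollback.pid)"
}

# Usage with constructed load-balancer addresses; on the real host redirect
# the output to a file and pass that file to apply_with_rollback.
build_ruleset "203.0.113.10 203.0.113.11" "80,22"
```

The load-balancer rules are placed before the limiter on purpose, so the SYN limit governs only direct public traffic and cannot throttle the balancer; with the limiter in its own chain, an nmap run like the one above should now show only the ports named in the multiport rule.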