iptables 基本安全防护
1.记录到日志,rsyslog.conf配置增加一行
vim /etc/rsyslog.conf
# iptables log
kern.info /var/log/iptables.log
# 注意: kern.info 会把 info 及以上级别的全部内核消息写入该文件, 不只是 iptables 的 LOG 输出
# 重启日志服务
/etc/init.d/rsyslog restart
2.iptables配置
# NOTE(review): iptables-restore style rule fragment. No *filter / COMMIT or chain
# policy lines are shown here; these rules only DROP (or LOG) specific packet
# classes, so the chain's default policy decides the fate of everything that is
# not matched below. Rule order is significant: the first matching rule wins.

# Drop limit
# NOTE(review): despite the heading, this rule ACCEPTs fragment packets in the
# FORWARD chain, rate-limited to 100/sec (burst 100); fragments above the limit
# fall through to later FORWARD rules / the chain policy, which are not shown.
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

# Drop sync limit 100 & DDOS
# New SYNs from a source that already has more than 100 connections are dropped
# (connlimit groups per source address unless --connlimit-mask is given).
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 100 -j DROP
# Packets of an already tracked connection are accepted here, so the flag-based
# checks further down only see packets conntrack does not treat as part of an
# existing connection.
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop tcp 0 and 1
# Every TCP flag set at once is never legitimate. Unlike most rules below this
# one is not bound to an interface.
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop sync
# A NEW connection whose first packet is not a SYN is dropped.
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Drop Fragments
-A INPUT -i eth0 -f -j DROP
# FIN+URG+PSH with no other flags (the flag pattern commonly called an "Xmas" probe).
-A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Duplicate of the interface-independent ALL/ALL rule above; it can never match
# because that earlier rule already dropped such packets.
-A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP

# Drop NULL packets
# Logged at most 5 per minute (burst 7) to keep the log from flooding, then
# dropped unconditionally.
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets " --log-ip-options
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN and RST together is not a valid combination.
-A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop XMAS
# NOTE(review): the match here is SYN+FIN, not the FIN/URG/PSH pattern handled
# above; the log prefix text " XMAS Packets " is kept exactly as the author wrote it.
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets " --log-ip-options
-A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Drop FIN packet scans
# A bare FIN without ACK does not belong to any normal exchange; log (rate-limited)
# and drop.
-A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan " --log-ip-options
-A INPUT -i eth0 -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Log and get rid of broadcast / multicast and invalid
# NOTE(review): these rules are bound to eth1 while everything above is bound to
# eth0 — confirm this is intended and not a copy/paste slip.
# NOTE(review): unlike the LOG rules above, these LOG rules carry no -m limit, so
# a broadcast/multicast burst can fill the log file.
-A INPUT -i eth1 -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast " --log-ip-options
-A INPUT -i eth1 -m pkttype --pkt-type broadcast -j DROP
-A INPUT -i eth1 -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast " --log-ip-options
-A INPUT -i eth1 -m pkttype --pkt-type multicast -j DROP
-A INPUT -i eth1 -m state --state INVALID -j LOG --log-prefix " Invalid " --log-ip-options
-A INPUT -i eth1 -m state --state INVALID -j DROP
https://help.aliyun.com/knowledge_detail/41274.html
