IPTABLES เป็น Firewall พื้นฐานของ Linux เกือบทุก Distro และให้ประสิทธิภาพที่สูงมากในการ Filtering Traffic และ การป้องกันการ Attack ต่างๆ โดยที่จะมีตัวอย่างพอสังเขป ดังนี้
เปิดการใช้งาน IP Forward ป้องกัน Syn Flood และ อนุญาติให้มีการใช้งานแบบ Dynamic IP (ต่อเนต DSL ทั่วไป)
[root@localhost]#echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost]#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[root@localhost]#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
[root@localhost]#echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost]#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
[root@localhost]#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
Drop Packet ก่อนหน้านี้ทั้งหมด[root@localhost]#iptables -F INPUT
[root@localhost]#iptables -F FORWARD
[root@localhost]#iptables -F OUTPUT
[root@localhost]#iptables -P INPUT DROP
[root@localhost]#iptables -P FORWARD DROP
[root@localhost]#iptables -P OUTPUT ACCEPT
[root@localhost]#iptables -A INPUT -i lo -j ACCEPT
[root@localhost]#iptables -F FORWARD
[root@localhost]#iptables -F OUTPUT
[root@localhost]#iptables -P INPUT DROP
[root@localhost]#iptables -P FORWARD DROP
[root@localhost]#iptables -P OUTPUT ACCEPT
[root@localhost]#iptables -A INPUT -i lo -j ACCEPT
อนุญาติเฉพาะ SSH, SMTP, DNS, Web Services, SSL และ POP3 ให้ผ่านเข้าออก
[root@localhost]#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p udp --dport 53 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 110 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p udp --dport 53 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT
[root@localhost]#iptables -A INPUT -p tcp --dport 110 --syn -j ACCEPT
ป้องกันการ scan ports
[root@localhost]#iptables -N check-flags
[root@localhost]#iptables -F check-flags
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
[root@localhost]#iptables -N check-flags
[root@localhost]#iptables -F check-flags
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
[root@localhost]#iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ป้องกันการ flood SSH (SSH Brute Force)
[root@localhost]#iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
[root@localhost]#iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
[root@localhost]#iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
[root@localhost]#iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
ห้าม ping[root@localhost]#iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -j DROP
ห้าม traceroute[root@localhost]#iptables -A INPUT -p ICMP -i eth0 --icmp-type 11 -j DROP
Protect Syn Flood
[root@localhost]#iptables-N syn-flood
[root@localhost]#iptables -A syn-flood -i ppp0 -m limit --limit 75/s --limit-burst 100 -j RETURN
[root@localhost]#iptables -A syn-flood -j LOG --log-prefix "SYN-FLOOD: "
[root@localhost]#iptables -A syn-flood -j DROP
[root@localhost]#iptables-N syn-flood
[root@localhost]#iptables -A syn-flood -i ppp0 -m limit --limit 75/s --limit-burst 100 -j RETURN
[root@localhost]#iptables -A syn-flood -j LOG --log-prefix "SYN-FLOOD: "
[root@localhost]#iptables -A syn-flood -j DROP
REDIRECT PORT 10080 to 80[root@localhost]#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.xxx.xxx:10080
[root@localhost]#iptables -A FORWARD -p tcp -i ppp0 -d 192.168.xxx.xxx --dport 80 -j ACCEPT (192.168.xxx.xxx = ip ของเรา)
[root@localhost]#iptables -A FORWARD -p tcp -i ppp0 -d 192.168.xxx.xxx --sport 80 -j ACCEPT
[root@localhost]#iptables -A FORWARD -p tcp -i ppp0 -d 192.168.xxx.xxx --dport 80 -j ACCEPT (192.168.xxx.xxx = ip ของเรา)
[root@localhost]#iptables -A FORWARD -p tcp -i ppp0 -d 192.168.xxx.xxx --sport 80 -j ACCEPT
Transparent Proxy
[root@localhost]#iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT -to-ports 3128
[root@localhost]#iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT -to-ports 3128
No comments:
Post a Comment