减小字体
增大字体- ·上一篇文章:如何应用多媒体信息资源系统开展多媒体网络教学
- ·下一篇文章:Linux系统kernel参数传递方式详细解析
Linux防火墙如何防止DDOS攻击和CC攻击
| |||||
3. 如果使用iptables
RH 8.0以上开始启用iptables替代ipchains,两者非常类似,也有差别的地方。
* 启用iptables
如果/etc/sysconfig/下没有iptables文件,可以创建:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
以上配置允许了ftp, ssh, http, smtp, pop3, mysql, 2001(Prim@Hosting ACA端口),domain端口。
* 启动iptables
/etc/init.d/iptables start
* 设置iptables为自动启动
chkconfig --level 2345 iptables on
* 用iptables屏蔽IP
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT
注意到,和ipchains的区别是:
-I 后面跟的规则名称的参数和ipchains不同,不是统一的input,而是在/etc/sysconfig/iptables里定义的那个
多了-m tcp
指定端口的参数是--dport 80
多了--syn参数,可以自动检测sync攻击
使用iptables禁止ping:
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
允许某ip连接
-I RH-Firewall-1-INPUT 1 -p tcp -m tcp -s 192.168.0.51 --syn -j ACCEPT