Reference: iptables
See https://www.jianshu.com/p/ee4ee15d3658
iptables rule tables and chains:
Tables provide specific functions; iptables has 4 built-in tables:
- filter: packet filtering (the default table; the INPUT, FORWARD and OUTPUT chains used in the exercises below belong to it)
- nat: network address translation
- mangle: packet alteration (rewriting header fields such as TOS/TTL, setting marks)
- raw: connection-tracking exemptions (NOTRACK); its rules run before conntrack sees the packet
Each table holds chains, and a chain is an ordered list of rules: a packet is compared against the rules from top to bottom and the first match decides its fate. The order in which rules are added (-A appends at the end, -I inserts at the top) is therefore what matters in every exercise below.
Write rules for the following situations, apply them to the firewall and check that they work.
- Block all incoming network traffic.
iptables -A INPUT -j REJECT
- Block all incoming network traffic but allow HTTP traffic.
iptables -A INPUT -p tcp --dport www -j ACCEPT
iptables -A INPUT -j REJECT
- Block all incoming Telnet traffic but allow SSH.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables -A INPUT -j REJECT
- Block all incoming network traffic but allow HTTP and SSH access from the address range that the client machine is on.
iptables -A INPUT -s 192.168.56.0/24 -p tcp -m multiport --dports www,ssh -j ACCEPT
iptables -A INPUT -j REJECT
Without -s the ACCEPT would apply to every source address, not just the client range; 192.168.56.0/24 is assumed here from the 192.168.56.x client addresses used in the next exercises.
- Block all incoming network traffic from the client PC but allow pings. (ICMP)
iptables -I INPUT -s 192.168.56.107 -j REJECT
iptables -I INPUT -s 192.168.56.107 -p icmp -j ACCEPT
-I inserts at position 1, so the ICMP ACCEPT run second ends up above the REJECT; check the resulting order with iptables -L INPUT -n --line-numbers. Only echo-request has to be let in for ping to work; -p icmp without --icmp-type also admits every other ICMP type from that host.
- Block all incoming network traffic but allow FTP from the client (Hint: you will need to allow more than 1 port)
iptables -I INPUT -j REJECT
iptables -I INPUT -s 192.168.56.102 -p tcp -m multiport --dports 20,21 -j ACCEPT
Port 21 is the control channel. In active mode the server opens the data connection itself from port 20 to the client, and in passive mode the client connects to a random high port on the server, so a fixed --dports 20,21 rule does not cover passive transfers. The robust approach is to load nf_conntrack_ftp and accept -m conntrack --ctstate ESTABLISHED,RELATED, which admits exactly the data connection the helper saw negotiated on the control channel.
- There is a command which allows you to specify multiple ports in one rule, find it out.
-m multiport --dports
It is a match extension rather than a separate command: -m multiport --dports port[,port|,port:port]... takes up to 15 ports or ranges; --sports and --ports (either direction) exist as well.
- Block all incoming network traffic but permit HTTP traffic from an established session
iptables -A INPUT -p tcp --dport www -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
-m state is the legacy spelling of -m conntrack --ctstate. Note that this accepts only packets belonging to a connection conntrack already knows: a fresh SYN to port 80 is NEW and is rejected, so no new HTTP session can be opened from outside once these rules are in place.
- Set the default INPUT policy to REJECT but allow SSH.
A built-in chain's policy (iptables -P INPUT ...) can only be ACCEPT or DROP; iptables -P INPUT REJECT is refused (Bad policy name). The equivalent is iptables -P INPUT DROP together with an explicit -A INPUT -j REJECT as the last rule, placed after the SSH ACCEPT.
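The rules above are applied one at a time with -A or -I, so the result depends on what is already in the chain and on the order in which the commands ran. The script below is an added example, not part of the original notes: it restates the allow-list scenarios above (HTTP and SSH from the client range, pings and FTP from the client PC, stateful traffic, DROP policy with a final REJECT) as one atomic iptables-restore ruleset for the filter table, in the order a practitioner would want. It assumes the client range 192.168.56.0/24 and the client PC 192.168.56.107, taken from the addresses used in the exercises (override with CLIENT_NET and CLIENT_PC), and that the FTP conntrack helper is loaded (see the note after the block).

```shell
#!/bin/sh
# Added example (not from the original notes): the lab's allow-list scenarios
# as one atomic iptables-restore ruleset instead of separate -A/-I one-liners.
# Assumptions: CLIENT_NET is the range the lab clients sit in and CLIENT_PC is
# the single client allowed to ping and use FTP (both taken from the addresses
# used in the exercises; override via the environment).
set -eu

CLIENT_NET="${CLIENT_NET:-192.168.56.0/24}"
CLIENT_PC="${CLIENT_PC:-192.168.56.107}"

# Print the filter table in iptables-restore syntax. iptables stops at the
# first matching rule, so the order below is the whole point: loopback and
# already-tracked flows first, specific allows next, the catch-all last.
lab_ruleset() {
	cat <<EOF
*filter
# A chain policy can only be ACCEPT or DROP (there is no REJECT policy),
# so the policy is DROP and an explicit REJECT rule closes the chain.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and FTP data channels set up
# by the nf_conntrack_ftp helper, arrive as ESTABLISHED or RELATED.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# HTTP and SSH only from the client range; without -s both ports would be
# open to every address.
-A INPUT -s ${CLIENT_NET} -p tcp -m multiport --dports 80,22 -j ACCEPT
# Pings from the client PC: only echo-request needs to be let in, the
# replies to our own pings are already covered by ESTABLISHED above.
-A INPUT -s ${CLIENT_PC} -p icmp --icmp-type echo-request -j ACCEPT
# FTP control channel from the client PC (port 21). The data channel
# (port 20 in active mode, a random high port in passive mode) is
# matched as RELATED once the ftp helper is loaded.
-A INPUT -s ${CLIENT_PC} -p tcp --dport 21 -j ACCEPT
# Catch-all. tcp-reset makes the port look closed to a scanner;
# icmp-port-unreachable (the REJECT default) is recognisably filtered.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

case "${1:-show}" in
	show)   lab_ruleset ;;                            # print, review, diff
	apply)  lab_ruleset | iptables-restore ;;         # as root: replace the table atomically
	verify) iptables -L INPUT -nv --line-numbers ;;   # per-rule hit counters
	*)      echo "usage: $0 [show|apply|verify]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the ruleset, with apply (as root) to load it atomically (iptables-restore replaces the whole table in one step, so there is no window in which a half-built chain is live), and with verify to list the chain with hit counters. Test from the client with ssh and nc -vz -w 3 <server> 80, and from an address outside the range to confirm the REJECT. For FTP data channels load the helper with modprobe nf_conntrack_ftp; on kernels 4.7 and later automatic helper assignment is off by default, so also add iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.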
- Block all outgoing traffic but allow HTTP traffic to Google's IP address.
sudo iptables -A FORWARD -j REJECT
sudo iptables -A OUTPUT -j REJECT
sudo iptables -I FORWARD -d 216.58.192.164 -p tcp --dport 80 -j ACCEPT
sudo iptables -I OUTPUT -d 216.58.192.164 -p tcp --dport 80 -j ACCEPT
The -I commands put the two ACCEPTs above the REJECTs appended first. The FORWARD rules only matter if this host routes traffic for other machines; OUTPUT governs its own traffic. Because everything else outbound is rejected, DNS is blocked too, so the check has to use the address literally (curl http://216.58.192.164/), and Google's addresses change over time, so confirm the IP with a resolver before relying on it.
- Block all outgoing HTTP traffic to Googles IP address but allow all other HTTP traffic.
sudo iptables -I FORWARD -d 216.58.192.164 -p tcp --dport 80 -j REJECT
sudo iptables -I OUTPUT -d 216.58.192.164 -p tcp --dport 80 -j REJECT
- Block all incoming and outgoing UDP traffic
sudo iptables -A INPUT -p udp -j REJECT
sudo iptables -A OUTPUT -p udp -j REJECT
sudo iptables -A FORWARD -p udp -j REJECT
This also blocks DNS (53/udp), DHCP and NTP, so name resolution on the host stops working until the rules are removed (iptables -D ... or iptables -F).
Advanced
- Block a brute force attack targeting SSH
- Block a DoS attack targeting the HTTP server
- MySQL runs on port 3306; write a rule which will allow access to it from IP 87.65.43.21
- Write a rule that would block someone using an internal IP to try to get into your network
- Write a rule to block invalid packets
- Write a rule that blocks outgoing pings
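Worked answers for the advanced items, as an added example that is not part of the original notes. Each function prints the iptables commands it would run (DRY_RUN=1, the default) or executes them as root (DRY_RUN=0). Assumed, and to be adapted: the internet-facing interface is eth0 (WAN_IF), the thresholds (4 new SSH connections per 60 s per source, 20 concurrent HTTP connections per source, 50 new HTTP connections per second per source) are illustrative starting points, and the rules are appended with -A, so they have to sit above any catch-all REJECT already in the chain.

```shell
#!/bin/sh
# Added example (not from the original notes): rules for the advanced items.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).
# Assumptions: WAN_IF is the internet-facing interface; the numeric
# thresholds are illustrative and should be tuned to the real traffic.
set -eu
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
	if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# SSH brute force: -m recent keeps a per-source list of recent connection
# attempts. The first rule DROPs a source that already made 4 attempts in
# the last 60 s (and refreshes its timestamp, so hammering extends the
# block); the second records the attempt and lets it through. Order matters:
# swapped, the hit would be recorded before the count is checked.
ssh_bruteforce_rules() {
	ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
		-m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP
	ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
		-m recent --name sshbf --set -j ACCEPT
}

# HTTP DoS: connlimit caps concurrent connections per source address
# (--connlimit-mask 32 = per single host), hashlimit caps the rate of new
# connections per source. Legitimate clients stay under both limits.
http_dos_rules() {
	ipt -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 \
		--connlimit-mask 32 -j REJECT --reject-with tcp-reset
	ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit \
		--hashlimit-name httpnew --hashlimit-mode srcip \
		--hashlimit-above 50/second --hashlimit-burst 100 -j DROP
}

# MySQL on 3306 only from 87.65.43.21; everything else to that port is
# refused explicitly so it does not depend on the chain's catch-all.
mysql_rules() {
	ipt -A INPUT -s 87.65.43.21 -p tcp --dport 3306 -j ACCEPT
	ipt -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset
}

# Anti-spoofing: a packet arriving on the external interface with a
# private (RFC 1918) or loopback source address cannot be legitimate.
# The kernel can do the same check: sysctl net.ipv4.conf.all.rp_filter=1.
antispoof_rules() {
	for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
		ipt -A INPUT -i "$WAN_IF" -s "$net" -j DROP
	done
}

# INVALID = packets conntrack cannot associate with any connection (bad
# TCP flag combinations, out-of-window segments, stray RSTs). DROP rather
# than REJECT, so the firewall does not answer garbage with more packets.
invalid_rules() {
	ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
	ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# Outgoing pings: match only echo-request, so the host can still answer
# pings aimed at it. For locally generated packets DROP and REJECT both
# surface to the ping process as "sendmsg: Operation not permitted".
outgoing_ping_rules() {
	ipt -A OUTPUT -p icmp --icmp-type echo-request -j DROP
}

all_advanced_rules() {
	invalid_rules        # early, before any stateful ACCEPT
	antispoof_rules
	ssh_bruteforce_rules
	http_dos_rules
	mysql_rules
	outgoing_ping_rules
}

all_advanced_rules
```

Check the SSH rule by opening five connections in quick succession from one client (the fifth hangs instead of being refused, which is the DROP at work) and inspect the tracked sources in /proc/net/xt_recent/sshbf; for the HTTP limits, watch the counters with iptables -L INPUT -nv while running a load generator from a single address.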
Difference between REJECT and DROP
1. REJECT sends an error back to the sender: by default an ICMP port-unreachable, or another type chosen with --reject-with (icmp-net-unreachable, icmp-host-unreachable, icmp-admin-prohibited, and for TCP tcp-reset, which sends a RST and makes the port look closed). The client's connection attempt fails immediately ("connection refused" or "port unreachable"). Like every terminating target, REJECT ends rule traversal for that packet.
2. DROP silently discards the packet and sends nothing back. The client has to wait for its own timeout, which slows down scanners and brute-forcers, but a host that answers on other ports yet stays silent on one is itself a sign of a filter: nmap reports such ports as "filtered", and an ICMP unreachable from REJECT is reported the same way; only tcp-reset yields "closed".