A quick look at iptables: example rules for a defensive firewall

man iptables

man ip6tables


https://my.oschina.net/chuangpoyao/blog/72655


Most of these rules come from Troubleshooting Linux Firewalls by SHINN.

# Generated by iptables-save v1.4.8 on Mon Jul  9 16:16:57 2012
*raw
:PREROUTING ACCEPT [3872:1336157]
:OUTPUT ACCEPT [1385:198017]
COMMIT
# Completed on Mon Jul  9 16:16:57 2012
# Generated by iptables-save v1.4.8 on Mon Jul  9 16:16:57 2012
*nat
:PREROUTING ACCEPT [2471:387127]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [206:13023]
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -o eth+ -j SNAT --to-source 192.168.1.254 
COMMIT
# Completed on Mon Jul  9 16:16:57 2012
# Generated by iptables-save v1.4.8 on Mon Jul  9 16:16:57 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ANTI_SPOOF - [0:0]
:BAD_FLAGS - [0:0]
:BOGUS - [0:0]
:LOGGING - [0:0]
:MAC_SPOOF - [0:0]
:NOFRAGS - [0:0]
:ODDPORTS - [0:0]
:OFFENDER - [0:0]
:PORTSCAN - [0:0]
:SMALL - [0:0]
:STRINGS - [0:0]
:STRINGS2 - [0:0]
:forward_LOGGING - [0:0]
:syn-flood - [0:0]
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A INPUT -p tcp -m tcp --tcp-option 64 -m recent --set --name DEFAULT --rsource -j BAD_FLAGS 
-A INPUT -p tcp -m tcp --tcp-option 128 -m recent --set --name DEFAULT --rsource -j BAD_FLAGS 
-A INPUT -p udp -m length --length 0:27 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p tcp -m length --length 0:39 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p icmp -m length --length 0:27 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p 30 -m length --length 0:31 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p gre -m length --length 0:39 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p esp -m length --length 0:49 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p ah -m length --length 0:35 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -m length --length 0:19 -m recent --set --name DEFAULT --rsource -j SMALL 
-A INPUT -p tcp -m tcp --dport 22 -m string --string "\"Version_Mapper\"" --algo bm --to 65535 -j STRINGS 
-A INPUT -p tcp -m tcp --dport 22 -m string --string "\"/bin/sh\"" --algo bm --to 65535 -j STRINGS 
-A INPUT -p tcp -m tcp --dport 443 -m string --string "TERM=xterm" --algo bm --to 65535 -j STRINGS 
-A INPUT -p tcp -m tcp --dport 53 -m string --string "<<I .a" --algo bm --to 65535 -j LOG --log-prefix " SID303 " 
-A INPUT -m conntrack --ctstate INVALID -j BOGUS 
-A INPUT -f -j NOFRAGS 
-A INPUT -i eth+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood 
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j LOG --log-prefix "reset spoof TWH " 
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A INPUT -p udp -m udp --dport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A INPUT -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A INPUT -p tcp -m tcp --sport 0 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: " 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP 
-A INPUT -s 192.168.1.223/32 -i eth+ -j ANTI_SPOOF 
-A INPUT -i eth+ -m mac --mac-source 12:34:56:78:90:EE -j MAC_SPOOF 
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset 
-A INPUT -i eth+ -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT ! -i eth0 -m state --state NEW -j ACCEPT 
-A INPUT -m recent --rcheck --seconds 300 --name DEFAULT --rsource -j OFFENDER 
-A INPUT -j LOGGING 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -i all -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name DEFAULT --rsource -j PORTSCAN 
-A FORWARD -p tcp -m tcp --dport 22 -m string --string "\"Version_Mapper\"" --algo bm --to 65535 -j STRINGS 
-A FORWARD -p tcp -m tcp --dport 53 -m string --string "<<I .a" --algo bm --to 65535 -j LOG --log-prefix " SID303 " 
-A FORWARD -p tcp -m tcp --sport 22 -m string --string "\"*GOBBLE*\"" --algo bm --to 65535 -j STRINGS2 
-A FORWARD -p tcp -m tcp --sport 22 -m string --string "\"uname\"" --algo bm --to 65535 -j STRINGS2 
-A FORWARD -m conntrack --ctstate INVALID -j BOGUS 
-A FORWARD -f -j NOFRAGS 
-A FORWARD -i eth+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j LOG --log-prefix "reset spoof TWH " 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset 
-A FORWARD -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A FORWARD -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A FORWARD -p tcp -m tcp --dport 0 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A FORWARD -p tcp -m tcp --sport 0 -m recent --set --name DEFAULT --rsource -j ODDPORTS 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: " 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP 
-A FORWARD -i eth+ -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -m recent --rcheck --seconds 300 --name DEFAULT --rsource -j OFFENDER 
-A FORWARD -j forward_LOGGING 
-A OUTPUT -m iprange --dst-range 182.50.0.0-182.50.15.255 -j DROP 
-A OUTPUT -p tcp -m tcp --sport 22 -m string --string "\"*GOBBLE*\"" --algo bm --to 65535 -j STRINGS2 
-A OUTPUT -p tcp -m tcp --sport 22 -m string --string "\"uname\"" --algo bm --to 65535 -j STRINGS2 
-A OUTPUT -f -j NOFRAGS 
-A OUTPUT -o eth+ -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -m state --state INVALID,NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m multiport --dports 31337,31335,27444,27665,20034,12345,12346,9704,137:139,1433,2049,5432,5999:6063 -j DROP 
-A OUTPUT -o eth0 -p tcp -m multiport --dports 5900:5910 -j DROP 
-A OUTPUT -o eth0 -p tcp -m multiport --sports 31337,31335,27444,27665,20034,12345,12346,9704,137:139,1433,2049,5432,5999:6063 -j DROP 
-A OUTPUT -o eth0 -p tcp -m multiport --sports 5900:5910 -j DROP 
-A ANTI_SPOOF -m limit --limit 1/sec -j LOG --log-prefix "Spoofing DENY: " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A ANTI_SPOOF -j DROP 
-A BAD_FLAGS -m limit --limit 1/sec -j LOG --log-prefix "BAD_FLAGs -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A BAD_FLAGS -j DROP 
-A BOGUS -m limit --limit 1/sec -j LOG --log-prefix "INVALID PACKET -- DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A BOGUS -j DROP 
-A LOGGING -m limit --limit 9/hour -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A LOGGING -j DROP 
-A MAC_SPOOF -m limit --limit 1/sec -j LOG --log-prefix "MAC Spoofing DENY: " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A MAC_SPOOF -j DROP 
-A NOFRAGS -m limit --limit 1/sec -j LOG --log-prefix "Fragment -- DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A NOFRAGS -j DROP 
-A ODDPORTS -m limit --limit 1/sec -j LOG --log-prefix "ODDPORTS -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A ODDPORTS -j DROP 
-A OFFENDER -m limit --limit 1/sec -j LOG --log-prefix "OFFENDER -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A OFFENDER -j DROP 
-A PORTSCAN -m limit --limit 1/sec -j LOG --log-prefix "PORTSCAN -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A PORTSCAN -j DROP 
-A SMALL -m limit --limit 1/sec -j LOG --log-prefix "SMALL -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A SMALL -j DROP 
-A STRINGS -m limit --limit 1/sec -j LOG --log-prefix "STRINGS -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A STRINGS -m recent --set --name DEFAULT --rsource -j DROP 
-A STRINGS2 -m limit --limit 1/sec -j LOG --log-prefix "STRINGS2 -- SHUN " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A STRINGS2 -m recent --set --name DEFAULT --rdest -j DROP 
-A forward_LOGGING -m limit --limit 9/hour -j LOG --log-prefix "forward LOGGING Dropped: " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A forward_LOGGING -j DROP 
-A syn-flood -m limit --limit 75/sec --limit-burst 100 -j LOG --log-prefix "SYN FLOOD 0 " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A syn-flood -m limit --limit 1/sec -j LOG --log-prefix "SYN FLOOD " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options 
-A syn-flood -j DROP 
COMMIT
# Completed on Mon Jul  9 16:16:57 2012
# Generated by iptables-save v1.4.8 on Mon Jul  9 16:16:57 2012
*mangle
:PREROUTING ACCEPT [3872:1336157]
:INPUT ACCEPT [3140:1183079]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1385:198017]
:POSTROUTING ACCEPT [1385:198017]
-A PREROUTING -p udp -m udp --dport 33434:33542 -j TTL --ttl-inc 1 
COMMIT
# Completed on Mon Jul  9 16:16:57 2012
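An added audit script (not from the page or from SHINN's book) that parses a dump in the iptables-save format shown above and reports three things worth checking in this ruleset before loading it: a rule repeated verbatim in one chain (the second copy can never match anything the first did not), user-defined chains that no rule jumps to, and `-i all`, which iptables treats as an interface literally named "all" (the wildcard is `eth+` or no `-i` at all), so those PORTSCAN rules never see traffic, which is consistent with their zero counters in the `iptables -L -v` output below. The embedded ruleset is a constructed, abridged copy of the dump above; function names are my own.

```python
"""Audit an iptables-save dump for duplicate rules, unreferenced chains and
the literal interface name "all". Added example, not the page's own code."""
import shlex
from collections import Counter, defaultdict

# Constructed sample: an abridged version of the page's nat and filter tables.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:PORTSCAN - [0:0]
:ODDPORTS - [0:0]
:UNUSED - [0:0]
-A INPUT -i all -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m recent --set --name DEFAULT --rsource -j PORTSCAN
-A INPUT -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS
-A INPUT -p udp -m udp --dport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS
-A FORWARD -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS
-A FORWARD -p udp -m udp --sport 2:21 -m recent --set --name DEFAULT --rsource -j ODDPORTS
-A PORTSCAN -m limit --limit 1/sec -j LOG --log-prefix "PORTSCAN -- SHUN "
-A PORTSCAN -j DROP
-A ODDPORTS -j DROP
COMMIT
"""

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [argv, ...]}}}.

    Chain policy lines look like ":INPUT DROP [0:0]"; user chains carry "-".
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)  # keeps quoted --log-prefix values intact
            tables[table]["rules"][argv[1]].append(argv[2:])
        elif line == "COMMIT":
            table = None
    return tables


def audit(tables):
    """Return a sorted list of (table, chain, finding) tuples."""
    findings = []
    for tname, t in tables.items():
        rules = t["rules"]
        jumped = set()
        for chain, rlist in rules.items():
            # 1. exact duplicates inside one chain
            for argv, n in Counter(tuple(r) for r in rlist).items():
                if n > 1:
                    findings.append((tname, chain, f"duplicate rule x{n}: {' '.join(argv)}"))
            for argv in rlist:
                for i, tok in enumerate(argv[:-1]):
                    if tok in ("-j", "-g"):
                        jumped.add(argv[i + 1])
                    # 3. "-i all" / "-o all" name an interface, not a wildcard
                    if tok in ("-i", "-o") and argv[i + 1] == "all":
                        findings.append((tname, chain,
                                         f"{tok} all matches only an interface named 'all'"))
        # 2. user-defined chains nothing jumps to
        for chain in t["policies"]:
            if chain not in BUILTIN and chain not in jumped:
                findings.append((tname, chain, "user chain is never referenced"))
    return sorted(findings)


if __name__ == "__main__":
    for table, chain, finding in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{table}] {chain}: {finding}")
```

Run it against the real output of `iptables-save` by reading stdin instead of `SAMPLE_DUMP`; on the full ruleset above it also flags the two identical FIN,PSH,URG PORTSCAN rules in INPUT and FORWARD.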


raw (traversal order: raw -> mangle -> nat -> filter)

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

mangle

Chain PREROUTING (policy ACCEPT 21710 packets, 8757K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    3   416 TTL        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33542 TTL increment by 1 

Chain INPUT (policy ACCEPT 18182 packets, 8040K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13770 packets, 1635K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 13770 packets, 1635K bytes)
 pkts bytes target     prot opt in     out     source               destination

nat (ip6tables has no nat table yet)

Chain PREROUTING (policy ACCEPT 1683 packets, 255K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4265  268K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 SNAT       all  --  *      eth+    0.0.0.0/0            0.0.0.0/0           to:123.123.1.123 

Chain OUTPUT (policy ACCEPT 54 packets, 3275 bytes)
 pkts bytes target     prot opt in     out     source               destination

filter

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source 
    0     0 BAD_FLAGS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=64 recent: SET name: DEFAULT side: source 
    0     0 BAD_FLAGS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=128 recent: SET name: DEFAULT side: source 
    0     0 SMALL      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:27 recent: SET name: DEFAULT side: source 
    0     0 SMALL      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:39 recent: SET name: DEFAULT side: source 
    0     0 SMALL      icmp --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:27 recent: SET name: DEFAULT side: source 
    0     0 SMALL      30   --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:31 recent: SET name: DEFAULT side: source 
    0     0 SMALL      47   --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:39 recent: SET name: DEFAULT side: source 
    0     0 SMALL      esp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:49 recent: SET name: DEFAULT side: source 
    0     0 SMALL      ah   --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:35 recent: SET name: DEFAULT side: source 
    0     0 SMALL      all  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:19 recent: SET name: DEFAULT side: source 
    0     0 STRINGS    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 STRING match "\"Version_Mapper\"" ALGO name bm TO 65535 
    0     0 STRINGS    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 STRING match "\"/bin/sh\"" ALGO name bm TO 65535 
    0     0 STRINGS    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 STRING match "TERM=xterm" ALGO name bm TO 65535 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 STRING match "<<I .a" ALGO name bm TO 65535 LOG flags 0 level 4 prefix ` SID303 ' 
    2    80 BOGUS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 NOFRAGS    all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    2   120 syn-flood  tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 ctstate NEW LOG flags 0 level 4 prefix `reset spoof TWH ' 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 ctstate NEW reject-with tcp-reset 
    0     0 ODDPORTS   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:2:21 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:2:21 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 recent: SET name: DEFAULT side: source 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix `New not syn: ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 ctstate NEW 
    0     0 ANTI_SPOOF  all  --  eth+   *       192.168.1.223        0.0.0.0/0           
    0     0 MAC_SPOOF  all  --  eth+   *       0.0.0.0/0            0.0.0.0/0           MAC 12:34:56:78:90:EE 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with tcp-reset 
    0     0 ACCEPT     tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED 
 2079 1652K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  !eth0  *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 OFFENDER   all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: CHECK seconds: 300 name: DEFAULT side: source 
 2026  279K LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 recent: SET name: DEFAULT side: source 
    0     0 PORTSCAN   tcp  --  all    *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 recent: SET name: DEFAULT side: source 
    0     0 STRINGS    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 STRING match "\"Version_Mapper\"" ALGO name bm TO 65535 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 STRING match "<<I .a" ALGO name bm TO 65535 LOG flags 0 level 4 prefix ` SID303 ' 
    0     0 STRINGS2   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 STRING match "\"*GOBBLE*\"" ALGO name bm TO 65535 
    0     0 STRINGS2   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 STRING match "\"uname\"" ALGO name bm TO 65535 
    0     0 BOGUS      all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 NOFRAGS    all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 syn-flood  tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 ctstate NEW LOG flags 0 level 4 prefix `reset spoof TWH ' 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 ctstate NEW reject-with tcp-reset 
    0     0 ODDPORTS   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:2:21 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:2:21 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0 recent: SET name: DEFAULT side: source 
    0     0 ODDPORTS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 recent: SET name: DEFAULT side: source 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 ctstate NEW LOG flags 0 level 4 prefix `New not syn: ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 ctstate NEW 
    0     0 REJECT     tcp  --  eth+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with tcp-reset 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 OFFENDER   all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: CHECK seconds: 300 name: DEFAULT side: source 
    0     0 forward_LOGGING  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   420 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           destination IP range 182.50.0.0-182.50.15.255 
    0     0 STRINGS2   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 STRING match "\"*GOBBLE*\"" ALGO name bm TO 65535 
    0     0 STRINGS2   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 STRING match "\"uname\"" ALGO name bm TO 65535 
    0     0 NOFRAGS    all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      eth+    0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW,ESTABLISHED 
 1784  320K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  356 22501 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW,RELATED,ESTABLISHED 
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           multiport dports 31337,31335,27444,27665,20034,12345,12346,9704,137:139,1433,2049,5432,5999:6063 
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           multiport dports 5900:5910 
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           multiport sports 31337,31335,27444,27665,20034,12345,12346,9704,137:139,1433,2049,5432,5999:6063 
    0     0 DROP       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           multiport sports 5900:5910 

Chain ANTI_SPOOF (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `Spoofing DENY: ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BAD_FLAGS (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `BAD_FLAGs -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BOGUS (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `INVALID PACKET -- DROP ' 
    2    80 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  5100 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 9/hour burst 5 LOG flags 7 level 7 prefix `IPTables Packet Dropped: ' 
 2026  279K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAC_SPOOF (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `MAC Spoofing DENY: ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain NOFRAGS (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `Fragment -- DROP ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ODDPORTS (8 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `ODDPORTS -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OFFENDER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `OFFENDER -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PORTSCAN (14 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `PORTSCAN -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain SMALL (8 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `SMALL -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain STRINGS (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `STRINGS -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: DEFAULT side: source 

Chain STRINGS2 (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `STRINGS2 -- SHUN ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: DEFAULT side: dest 

Chain forward_LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 9/hour burst 5 LOG flags 7 level 7 prefix `forward LOGGING Dropped: ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain syn-flood (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 75/sec burst 100 LOG flags 7 level 7 prefix `SYN FLOOD 0 ' 
    2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 7 level 7 prefix `SYN FLOOD ' 
    2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Reposted from: https://my.oschina.net/chuangpoyao/blog/62468
