Foundation of the firewall (iptables)

xiaoxiao, 2021-03-06

Network access reaches the host as TCP/IP packets. On Linux the first line of defence is the IP filtering mechanism (the packet filter); a packet that passes that check is then examined by TCP_Wrappers.

Packet filtering (IP filter): the packet filter is the first firewall Linux provides, but different kernel versions use different packet filtering mechanisms. Kernel 2.2.xx mainly uses ipchains as its filter, while the newer 2.4.xx kernels use iptables. Red Hat 7.1, 7.2 and 7.3 run kernel 2.4.xx, so they use iptables for IP filtering. Every TCP packet carries source and destination IP addresses and ports, so once you know the source IP or port you want to keep out, the rest is easy: iptables analyses the packet header and, for example, discards any packet that matches a DROP rule, keeping traffic that does not conform to your rules out of your machine. Logging of rejected connections can be left to TCP_Wrappers; check /var/log/messages and /var/log/secure regularly, since they hold the login records.

The first step in maintaining a host is a sound password policy, because guessing passwords is usually the first thing a cracker tries. Once you have a password policy, you can also protect /etc/passwd and /etc/shadow with chattr (for example by setting the immutable attribute; note that an immutable /etc/shadow must be made writable again before anyone can change a password).

Several common security tasks:
1. Upgrade and patch packages, and remove dangerous packages.
2. Security settings for each system service.
3. Basic TCP_Wrappers firewall settings.
4. iptables firewall rule settings.
5. Host resource monitoring (MRTG).
6. Login log analysis.

iptables: iptables is the main IP filtering mechanism of Linux kernel 2.4.xx. Its biggest feature is that it can filter out the TCP packets you do not want!
Its functions go beyond filtering: iptables can also perform IP masquerading, which gives the host NAT functionality. iptables evaluates its rules strictly in order, so let us go through a few iptables concepts.

Tables: unlike the earlier ipchains, iptables lets you define rules in several tables, which makes the firewall rules easier to manage. A basic iptables setup has at least two tables: filter (the default, used whenever -t is not given) and the rather important nat table.

The filter table manages the security of the host itself; the nat table handles NAT.

Clearing rules: configuring iptables is simple, everything is done from the command line. The basic syntax is:

    [root@test /root]# /sbin/iptables [-FXZ]

Parameter description:
-F: flush all configured rules;
-X: delete all user-defined chains;
-Z: zero the packet and byte counters of every chain.

Example:

    [root@test /root]# /sbin/iptables -F
    [root@test /root]# /sbin/iptables -X
    [root@test /root]# /sbin/iptables -Z

Note: if you are logged in remotely, these three commands must be run from a script, otherwise you will certainly lock yourself out of the host!

Policy: after clearing the rules, the next step is to set the policy. The policy decides whether a packet passes when none of your rules matches it. For example, you may have ten rules, but when a packet arrives that none of the ten applies to, the policy alone decides whether it may pass the firewall. A policy can be set for INPUT, and for FORWARD and OUTPUT as well:

    [root@test /root]# /sbin/iptables [-t table] -P [INPUT|OUTPUT|FORWARD|PREROUTING|OUTPUT|POSTROUTING] [ACCEPT|DROP]

Parameter description:
-t: selects the table; table: the table name, for example nat;
-P: defines the policy;
INPUT: packets entering the host;
OUTPUT: packets leaving the host;
FORWARD: packets that pass through the host without entering it;
PREROUTING: applied before the routing decision;
OUTPUT: packets leaving the host;
POSTROUTING: applied after the routing decision.

Example:

    [root@test /root]# /sbin/iptables -P INPUT ACCEPT
    [root@test /root]# /sbin/iptables -P OUTPUT ACCEPT
    [root@test /root]# /sbin/iptables -P FORWARD ACCEPT
    [root@test /root]# /sbin/iptables -t nat -P PREROUTING ACCEPT
    [root@test /root]# /sbin/iptables -t nat -P OUTPUT ACCEPT
    [root@test /root]# /sbin/iptables -t nat -P POSTROUTING ACCEPT

These set ACCEPT as the preset policy.

Adding and inserting rules: next come the rules themselves. Looking at it from the host's point of view, rules are set like this:

    [root@test /root]# /sbin/iptables [-AI] [INPUT|OUTPUT|FORWARD] [-i|-o interface] [-p tcp|udp] [-s ip/network] [--sport ports] [-d ip/network] [--dport ports] -j [ACCEPT|DROP]

Parameter description:
-A: append a rule, added as the last line of the chain;
-I: insert a rule as the first line of the chain;
INPUT: packets entering the host;
OUTPUT: packets leaving the host;
FORWARD: packets passing through without entering the host;
-i: the network interface the packet comes in on;
-o: the network interface the packet goes out on;
interface: the interface name, for example ppp0, eth0, eth1 ...;
-p: the packet's protocol (note that this one is lower case!);
tcp: the packet is a TCP packet; udp: the packet is a UDP packet;
-s: source IP or network of the packet;
--sport: source port of the packet;
-d: destination host IP or network;
--dport: destination port;
-j: the action to take when the rule matches;
ACCEPT: accept the packet; DROP: discard the packet.

Example:

    [root@test /root]# /sbin/iptables -A INPUT -i lo -j ACCEPT
    All packets arriving on the lo interface are accepted.
    [root@test /root]# /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT
    TCP packets from 192.168.0.1 are accepted.
    [root@test /root]# /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT
    TCP packets from any computer in the class C network 192.168.1.0 are accepted.
    [root@
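As an added example (not from the original article), the following shell script carries out the procedure above in the recommended order, flush, then policy, then rules, from one script so a remote session is not cut off between steps. It assumes a hypothetical external interface eth0, the admin host 192.168.0.1 and the LAN 192.168.1.0/24 from the examples, sets the INPUT and FORWARD policies to DROP rather than the ACCEPT used in the demonstration above, and by default only prints the commands; set IPT=/sbin/iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original article: the article's procedure
# (flush, set policies, add rules) as one script, so a remote admin is not
# locked out between steps. Dry run by default: the commands are printed.
# To apply them for real, run as root with IPT=/sbin/iptables.
IPT="${IPT:-echo /sbin/iptables}"
EXTIF="eth0"                # external interface (assumed)
ADMIN="192.168.0.1"         # admin host from the article's examples
LAN="192.168.1.0/24"        # class C LAN from the article's examples

# Step 1: clear every rule, user-defined chain and counter.
flush_rules() {
    $IPT -F
    $IPT -X
    $IPT -Z
}

# Step 2: default policies. INPUT and FORWARD drop anything no rule
# accepts (stricter than the ACCEPT policies shown in the article).
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Step 3: rules, evaluated in order: loopback first, then SSH from the
# admin host, then any TCP connection from the LAN.
add_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$ADMIN" --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$LAN" -j ACCEPT
}

# Runs the three steps back to back; in the dry run this prints the
# nine iptables commands in the order they would be executed.
build_firewall() {
    flush_rules
    set_policies
    add_rules
}

build_firewall
```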

When reposting, please cite the original source: https://www.9cbs.com/read-103799.html
