2 iptables rules I don't understand
Could anyone explain the following rules:
-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I think I added them to prevent SYN flood but I'm not sure.
-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Now for the next command:
-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
Flags: SYN ACK FIN RST URG PSH ALL NONE.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
matches packets with the SYN flag set, and the ACK, FIN and RST flags unset. With the !, it matches when the FIN,RST,ACK flags are set and SYN is unset; which is the reverse matching of SYN set and FIN,RST,ACK unset.
In order to understand this module's usage you need to have a little understanding of the TCP segment and its 3 way handshake.
Here is the 3 way handshake (image; source: cisco.com):
So the TCP segments have flags which control the state of the connection.
TCP segment:
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I don't think this prevents SYN floods mainly because I haven't tried it yet. Though this one will limit SYN floods:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
Taken from: http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
The 2nd line is to protect against invalid packets.
-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
Rejects all inbound packets that have a SYN bit and any other flag set. This makes sense if this is a server.
Any legitimate inbound connection will send an initial packet with the SYN bit set, but none of the others. Using multiple flags is an attack vector on the TCP stack and needs to be dropped.
Two other attacks are NULL, where none of the flags are set, and the Christmas Tree, where all flags are set. To protect against those, use
# Protect against common attacks
# Block tcp packets that have no tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block tcp packets that have all tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
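As an added example (my own code, not from the question or either answer): a small Python model of how iptables evaluates the `--tcp-flags mask comp` test, run over constructed handshake, NULL and Christmas Tree packets, so you can see which packets the questioner's negated rule, the man-page example from the first answer, and the two DROP rules from the second answer actually match. It assumes the documented semantics ((flags & mask) == comp, inverted by `!`) and the standard TCP flag bit values; the `--sport 0:1023` part of the questioner's rule is left out.

```python
# Added example: model of iptables' --tcp-flags mask/comp evaluation applied to
# the rules on this page. The match fires when (flags & mask) == comp, and a
# leading '!' inverts that result. The --sport 0:1023 condition of the
# questioner's rule is not modelled here.

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flag_list(spec):
    """Turn an iptables flag list ('FIN,SYN,RST,ACK', 'ALL', 'NONE')
    into a bitmask, using the keywords iptables itself accepts."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))

def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """packet_flags: set of flag names present on the packet.
    mask/comp: the two arguments of --tcp-flags. Returns True when
    the (possibly negated) match clause fires for this packet."""
    flags = sum(FLAG_BITS[f] for f in packet_flags)
    hit = (flags & parse_flag_list(mask)) == parse_flag_list(comp)
    return not hit if negate else hit

def classify(packet_flags):
    """Evaluate every --tcp-flags clause discussed on this page against
    one packet; returns {rule name: matched?}."""
    return {
        # questioner's rule: ! --tcp-flags FIN,SYN,RST,ACK SYN
        "negated_syn_rule": tcp_flags_match(
            packet_flags, "FIN,SYN,RST,ACK", "SYN", negate=True),
        # the man-page example without '!': only a bare SYN matches
        "plain_syn_rule": tcp_flags_match(
            packet_flags, "SYN,ACK,FIN,RST", "SYN"),
        # the two DROP rules from the second answer
        "null_drop": tcp_flags_match(packet_flags, "ALL", "NONE"),
        "xmas_drop": tcp_flags_match(packet_flags, "ALL", "ALL"),
    }

if __name__ == "__main__":
    # constructed sample packets: handshake steps plus the two probes named above
    for name, flags in [("SYN", {"SYN"}), ("SYN-ACK", {"SYN", "ACK"}),
                        ("ACK", {"ACK"}), ("NULL", set()), ("Xmas", set(FLAG_BITS))]:
        print(f"{name:8s} {classify(flags)}")
```

Running it shows that with the `!` the questioner's rule accepts every packet except a bare SYN, while the NULL and ALL rules each match only their one malformed shape.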