2 iptables rules I don't understand

Could anyone explain the following rules:

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I think I added them to prevent SYN flood but I'm not sure.

-A default-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • -A INPUT
    • append rule to the INPUT chain
  • -m state
    • load the state module
  • --state RELATED,ESTABLISHED
    • using the state module to match on related or established connections
  • -j ACCEPT
    • is a jump to the ACCEPT chain, which means the traffic for related or previously established connections is accepted and allowed through the firewall.

Now for the next command:

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
  • -p tcp
    • matches the rule on only the tcp protocol
  • -m tcp
    • loading the tcp module (also known as "match extensions" in the documentation)
  • --sport 0:1023
    • matches on source port range 0-1023
  • ! --tcp-flags FIN,SYN,RST,ACK SYN
    • [!] to invert the sense of the match
    • [!] --tcp-flags mask comp
    • Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE.
    • Hence the command: iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
    • will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
    • So I believe this rule matches when FIN,RST,ACK flags are set and SYN is unset; which is the reverse matching of SYN set and FIN,RST,ACK unset.

In order to understand this module's usage you need to have a little understanding of the TCP segment and its 3-way handshake.

Here is the 3-way handshake:

[image: TCP 3-way handshake] (source: cisco.com)

So the TCP segments have flags which control the state of the connection.

  • URG (1 bit) – indicates that the Urgent pointer field is significant
  • ACK (1 bit) – indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  • PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
  • RST (1 bit) – Reset the connection
  • SYN (1 bit) – Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.
  • FIN (1 bit) – No more data from sender

TCP segment:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I don't think this prevents SYN floods, mainly because I haven't tried it yet. Though this one will limit SYN floods:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
  • --limit 1/s: Maximum average matching rate in seconds
  • --limit-burst 3: Maximum initial number of packets to match

Taken from: http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
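The syn_flood chain above depends on how -m limit meters packets. As an added example, not from the original answer or from iptables itself, here is a simplified token-bucket model of --limit 1/s --limit-burst 3 run over a constructed burst of SYN arrival times (the real xt_limit module uses integer credit arithmetic, but the accept/drop pattern is the same):

```python
# Added example: simplified token-bucket model of "-m limit --limit 1/s
# --limit-burst 3" as used in the syn_flood chain. Not code from the answer
# or from iptables; arrival times are assumed to be non-decreasing seconds.


def syn_flood_chain(arrival_times, rate_per_s=1.0, burst=3):
    """Return the syn_flood chain verdict for each SYN arrival time.

    The bucket starts full (burst tokens) and refills at rate_per_s, capped
    at burst. A SYN that finds a token matches -m limit and hits -j RETURN
    (the packet continues through INPUT); one that finds the bucket empty
    does not match and falls through to -j DROP.
    """
    tokens = float(burst)
    last = arrival_times[0] if arrival_times else 0.0
    verdicts = []
    for t in arrival_times:
        # Refill proportionally to the time elapsed since the last packet.
        tokens = min(float(burst), tokens + (t - last) * rate_per_s)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append("RETURN")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed arrivals: six SYNs at once, then one at 1.0 s, 1.5 s and 5.0 s.
SAMPLE_ARRIVALS = [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 1.5, 5.0]

if __name__ == "__main__":
    for t, verdict in zip(SAMPLE_ARRIVALS, syn_flood_chain(SAMPLE_ARRIVALS)):
        print(f"t={t:4.1f}s  {verdict}")
```

Note that -m limit meters all SYNs reaching the host together rather than per source address, so a single flood also throttles legitimate new connections; that is a property of the quoted chain, not of this model.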

The 2nd line is to protect against invalid packets.

-A default-INPUT -p tcp -m tcp --sport 0:1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

Rejects all inbound packets that have a SYN bit and any other flag set. This makes sense if this is a server.

Any legitimate inbound connection will send an initial packet with the SYN bit set, but none of the others. Using multiple flags is an attack vector on the tcp stack and needs to be dropped.

Two other attacks are NULL, where none of the flags are set, and the Christmas Tree, where all flags are set. To protect against those, use

# Protect against common attacks
# Block tcp packets that have no tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block tcp packets that have all tcp flags set.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
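Both answers reason about what [!] --tcp-flags mask comp matches. The following added example (not code from either answer) models that check the way the iptables tcp match evaluates it, as (flags & mask) == comp with ! inverting the result, and runs the three expressions quoted on this page over constructed packets, including a bare SYN, a NULL packet and a Christmas Tree packet:

```python
# Added example: model iptables' "[!] --tcp-flags mask comp" check and run the
# three expressions from this page over constructed packets. Flag bit values
# follow the TCP header layout shown in the first answer.

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def parse_flags(spec):
    """Turn a flag list ("FIN,SYN,RST,ACK", "ALL", "NONE") into a bitmask."""
    bits = 0
    for name in spec.upper().split(","):
        if name == "ALL":
            bits |= ALL
        elif name != "NONE":
            bits |= FLAGS[name]
    return bits


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """True if, among the bits named in mask, exactly the bits named in comp
    are set in the packet (flags outside mask are ignored). '!' inverts it."""
    matched = (packet_flags & parse_flags(mask)) == parse_flags(comp)
    return not matched if invert else matched


# Constructed sample packets, keyed by a description of the flags set.
SAMPLE_PACKETS = {
    "SYN only (new connection)": parse_flags("SYN"),
    "SYN+ACK (handshake reply)": parse_flags("SYN,ACK"),
    "ACK (established data)":    parse_flags("ACK"),
    "FIN+ACK (close)":           parse_flags("FIN,ACK"),
    "NULL (no flags)":           parse_flags("NONE"),
    "XMAS (all flags)":          parse_flags("ALL"),
}


def rule_verdicts(packet_flags):
    """Evaluate the three --tcp-flags expressions quoted on this page."""
    return {
        "! --tcp-flags FIN,SYN,RST,ACK SYN":
            tcp_flags_match(packet_flags, "FIN,SYN,RST,ACK", "SYN", invert=True),
        "--tcp-flags ALL NONE": tcp_flags_match(packet_flags, "ALL", "NONE"),
        "--tcp-flags ALL ALL":  tcp_flags_match(packet_flags, "ALL", "ALL"),
    }


if __name__ == "__main__":
    for desc, flags in SAMPLE_PACKETS.items():
        print(desc)
        for rule, hit in rule_verdicts(flags).items():
            print(f"  {rule:<36} {'match' if hit else 'no match'}")
```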
